Repository Analysis

google/osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

1.2 (Likely human-written)

Adjusted Score: 1.2
Raw Score: 1.2
Time Factor: 100%
Last Push: 2026-05-29
Stars: 10,383
Language: Go
Lines of Code: 149,136
Files: 549
Pattern Hits: 162
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL 0 · HIGH 0 · MEDIUM 10 · LOW 152

Pattern Findings

162 matches across 10 categories.

Over-Commented Block: 116 hits · 114 pts

Severity | File | Line | Snippet
LOW | exit_code_redirect.sh | 1 | #!/bin/bash
LOW | …urce/testdata/locks-requirements/requirements.prod.txt | 1 | django==2.2.24
LOW | …scalibrenricher/govulncheck/source/govulncheck_test.go | 1 | // Copyright 2025 Google LLC
LOW | …rnal/scalibrenricher/govulncheck/source/govulncheck.go | 1 | // Copyright 2025 Google LLC
LOW | internal/scalibrenricher/govulncheck/source/result.go | 21 | // FixedVersion is the module version where the vulnerability was
LOW | internal/scalibrenricher/govulncheck/source/result.go | 41 | // Symbol.
LOW | internal/scalibrenricher/govulncheck/source/result.go | 61 | // Package is the import path.
LOW | internal/clients/clientimpl/osvmatcher/osvmatcher.go | 21 | )
LOW | internal/testlogger/handler.go | 141 | 
LOW | internal/output/sarif.go | 161 | func stripGitHubWorkspace(path string) string {
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 21 | 
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 41 | typedef unsigned short ush;
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 61 | #define ERR_RETURN(strm,err) \
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 101 | # include <alloc.h>
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 121 | # define OS_CODE 4
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 141 | # define OS_CODE 7
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 161 | #ifdef _BEOS_
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 201 | #ifndef OS_CODE
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 221 | #if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY)
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.h | 241 | #ifdef ZLIB_DEBUG
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/crc32.c | 81 | # else
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/crc32.c | 801 | crc0 = crc_braid_table[0][word0 & 0xff];
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.c | 61 | #endif
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.c | 81 | #endif
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zutil.c | 101 | # ifdef NO_snprintf
LOW | …filesystem/vendored/testdata/thirdparty/zlib/deflate.h | 41 | 
LOW | …filesystem/vendored/testdata/thirdparty/zlib/deflate.h | 341 | # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
LOW | …/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h | 1 | /* gzguts.h -- zlib internal header definitions for gz* operations
LOW | …/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h | 21 | #include "zlib.h"
LOW | …/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h | 41 | #if defined(_WIN32)
LOW | …/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h | 61 | 
LOW | …/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h | 81 | # define NO_vsnprintf
LOW | …/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h | 121 | extern voidp malloc(uInt size);
LOW | …ct/filesystem/vendored/testdata/thirdparty/zlib/zlib.h | 161 | reports. After compression, total_in holds the total size of the
LOW | …ct/filesystem/vendored/testdata/thirdparty/zlib/zlib.h | 181 | #define Z_STREAM_ERROR (-2)
LOW | …ct/filesystem/vendored/testdata/thirdparty/zlib/zlib.h | 1861 | ZEXTERN z_off64_t ZEXPORT gztell64(gzFile);
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/gzlib.c | 1 | /* gzlib.c -- zlib functions common to reading and writing gzip files
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 21 | # define _dist_code z__dist_code
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 41 | # define crc32_combine_gen z_crc32_combine_gen
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 61 | # define deflateTune z_deflateTune
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 81 | # define gzgetc_ z_gzgetc_
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 101 | # define gzvprintf z_gzvprintf
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 121 | # define inflateReset2 z_inflateReset2
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 141 | # define zlibVersion z_zlibVersion
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 161 | # define voidp z_voidp
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 181 | # ifndef WIN32
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 201 | # define UNALIGNED_OK
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 221 | # define STDC
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 241 | #endif
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 301 | #endif
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 321 | # ifdef _MSC_VER
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 341 | */
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 361 | # endif
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 381 | # define ZEXPORTVA __declspec(dllimport)
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 421 | #else
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 441 | typedef unsigned long z_crc_t;
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 461 | # endif
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 481 | # ifdef __WATCOMC__
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 501 | 
LOW | …t/filesystem/vendored/testdata/thirdparty/zlib/zconf.h | 521 | # define z_off_t long
56 more matches not shown…
Hyper-Verbose Identifiers: 21 hits · 21 pts

Severity | File | Line | Snippet
LOW | internal/output/html/script.js | 166 | function showAndHideParentSections() {
LOW | scripts/report_uncleaned_snapshots.py | 23 | def report_lack_of_snapshot_cleaning(directory):
LOW | scripts/generators/generate-debian-versions.py | 30 | def is_unsupported_comparison(line):
LOW | scripts/generators/generate-debian-versions.py | 46 | def extract_packages_with_versions(osvs):
LOW | scripts/generators/generate-debian-versions.py | 186 | def generate_version_compares(versions):
LOW | scripts/generators/generate-debian-versions.py | 200 | def generate_package_compares(packages):
LOW | scripts/generators/generate-redhat-versions.py | 34 | def is_unsupported_comparison(line):
LOW | scripts/generators/generate-redhat-versions.py | 50 | def extract_packages_with_versions(osvs):
LOW | scripts/generators/generate-redhat-versions.py | 229 | def generate_version_compares(versions):
LOW | scripts/generators/generate-redhat-versions.py | 243 | def generate_package_compares(packages):
LOW | scripts/generators/generate-alpine-versions.py | 34 | def is_unsupported_comparison(line):
LOW | scripts/generators/generate-alpine-versions.py | 50 | def extract_packages_with_versions(osvs):
LOW | scripts/generators/generate-alpine-versions.py | 229 | def generate_version_compares(versions):
LOW | scripts/generators/generate-alpine-versions.py | 243 | def generate_package_compares(packages):
LOW | scripts/generators/generate-pypi-versions.py | 23 | def is_unsupported_comparison(line):
LOW | scripts/generators/generate-pypi-versions.py | 39 | def extract_packages_with_versions(osvs):
LOW | scripts/generators/generate-pypi-versions.py | 108 | def generate_version_compares(versions):
LOW | scripts/generators/generate-pypi-versions.py | 122 | def generate_package_compares(packages):
LOW | scripts/generators/generate-rubygems-versions.rb | 36 | def extract_packages_with_versions(osvs)
LOW | scripts/generators/generate-rubygems-versions.rb | 101 | def generate_version_compares(versions)
LOW | scripts/generators/generate-rubygems-versions.rb | 119 | def generate_package_compares(packages)
Decorative Section Separators: 4 hits · 12 pts

Severity | File | Line | Snippet
MEDIUM | …ystem/vendored/testdata/thirdparty/zlib/CMakeLists.txt | 86 | #============================================================================
MEDIUM | …ystem/vendored/testdata/thirdparty/zlib/CMakeLists.txt | 88 | #============================================================================
MEDIUM | …ystem/vendored/testdata/thirdparty/zlib/CMakeLists.txt | 193 | #============================================================================
MEDIUM | …ystem/vendored/testdata/thirdparty/zlib/CMakeLists.txt | 195 | #============================================================================
Self-Referential Comments: 4 hits · 12 pts

Severity | File | Line | Snippet
MEDIUM | …system/vendored/testdata/thirdparty/zlib/os400/make.sh | 164 | # Create the OS/400 library if it does not exist.
MEDIUM | …system/vendored/testdata/thirdparty/zlib/os400/make.sh | 172 | # Create the DOCS source file if it does not exist.
MEDIUM | …system/vendored/testdata/thirdparty/zlib/os400/make.sh | 194 | # Create the OS/400 source program file for the C header files.
MEDIUM | …system/vendored/testdata/thirdparty/zlib/os400/make.sh | 205 | # Create the IFS directory for the C header files.
Deep Nesting: 7 hits · 7 pts

Severity | File | Line | Snippet
LOW | scripts/report_uncleaned_snapshots.py | 12 | 
LOW | scripts/examples/auto_guided_remediation.py | 75 | 
LOW | scripts/generators/generate-debian-versions.py | 76 | 
LOW | scripts/generators/generate-redhat-versions.py | 50 | 
LOW | scripts/generators/generate-redhat-versions.py | 87 | 
LOW | scripts/generators/generate-alpine-versions.py | 114 | 
LOW | scripts/generators/generate-pypi-versions.py | 39 | 
AI Slop Vocabulary: 2 hits · 6 pts

Severity | File | Line | Snippet
MEDIUM | internal/config/manager.go | 45 | // Figure out a more robust way to load config from non files
MEDIUM | .github/workflows/goreleaser-nightly.yml | 50 | # Essentially do a snapshot release, but still push the docker images
Verbosity Indicators: 2 hits · 3 pts

Severity | File | Line | Snippet
LOW | cmd/osv-scanner/mcp/integration_test.go | 62 | // Step 1: Scan for vulnerabilities
LOW | cmd/osv-scanner/mcp/integration_test.go | 92 | // Step 2: Get details for the found vulnerability
Fake / Example Data: 3 hits · 3 pts

Severity | File | Line | Snippet
LOW | internal/thirdparty/xml/atom_test.go | 14 | Author: Person{Name: "John Doe"},
LOW | internal/thirdparty/xml/marshal_test.go | 534 | contentsAttr = "lorem ipsum"
LOW | internal/thirdparty/xml/marshal_test.go | 1059 | ExpectXML: `<dummy name="Sarah" age="12">lorem ipsum</dummy>`,
Slop Phrases: 2 hits · 3 pts

Severity | File | Line | Snippet
LOW | scripts/generators/generate-debian-versions.py | 13 | # "--compare-versions" option; also make sure to consider the version of dpkg being
LOW | scripts/generators/generate-redhat-versions.py | 13 | # supports evaluating Lua expressions (most versions do); also make sure to consider
Redundant / Tautological Comments: 1 hit · 2 pts

Severity | File | Line | Snippet
LOW | …system/vendored/testdata/thirdparty/zlib/os400/make.sh | 66 | # Set LINK to "YES" if the module has been compiled.