offline scan for C++ dependencies from Github project version

[cybops35]

Hello osv team,

First, i want to thank you to have merged in the release 2.2.3 the Feature #2209: Add support for resolving git packages that have a version specified.
which was linked to my previous issue #2014: Offline scan for custom lockfile (C/C++ project from git project) skipped.

But I still don't manage to have results in offline mode for C++ dependencies from Github projects.

I use this script mirror.sh to create my osv-scanner local database:

#!/bin/sh

set -x

#Checking if the variable is set
if [ -n "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY" ];then
    echo "Downloading vulnerabilities databases in: $OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY"
else
    echo "Variable OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY is not set"
    exit 1
fi

# Download all-ecosystems recent changes
gsutil cp gs://osv-vulnerabilities/modified_id.csv "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY/osv-scanner/"

# Per-ecosystem downloads database + recent changes
for eco in $(gsutil cat gs://osv-vulnerabilities/ecosystems.txt); do
    mkdir -p "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY/osv-scanner/$eco"
    gsutil cp gs://osv-vulnerabilities/$eco/all.zip "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY/osv-scanner/$eco/"
    gsutil cp gs://osv-vulnerabilities/$eco/modified_id.csv "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY/osv-scanner/$eco/"
done

I test with this file osv-scanner-custom.json:

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "github.com/openssl/openssl",
            "commit": "45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0",
            "version": "openssl-3.2.3"
          }
        }
      ]
    }
  ]
}

• I get results when I run the scan with internet connection:

docker run --rm -ti \
    --network=host \
    --volume /home/user/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json \
    custom/osv-scanner:2.2.3 \
        osv-scanner scan source \
            --call-analysis=all \
            --recursive "/osv/inputs"

Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 2 packages
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 857.6µs elapsed, 857.7µs wall time
Total 2 packages affected by 11 known vulnerabilities (0 Critical, 2 High, 7 Medium, 0 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬───────────────────┬───────────────────┬───────────────┬──────────── ≈
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE           │ VERSION           │ FIXED VERSION │ SOURCE      ≈
├────────────────────────────────┼──────┼───────────┼───────────────────┴───────────────────┼───────────────┼──────────── ≈
│ https://osv.dev/CVE-2024-12797 │ 6.3  │ GIT       │  github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/ ≈
│ https://osv.dev/CVE-2024-13176 │ 4.1  │ GIT       │  github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/ ≈
│ https://osv.dev/CVE-2024-9143  │ 4.3  │ GIT       │  github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/ ≈
│ https://osv.dev/CVE-2025-9230  │ 7.5  │ GIT       │  github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/ ≈
│ https://osv.dev/CVE-2025-9231  │ 6.5  │ GIT       │  github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/ ≈
│ https://osv.dev/CVE-2025-9232  │ 5.9  │ GIT       │  github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/ ≈
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────┴───────────────┴──────────── ≈

• But not when I run the same scan but using only the mirrored database without internet connection

docker run --rm -ti \
    --network=none \
    --volume $OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY/osv-scanner:/osv/databases/osv-scanner \
    --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" \
    --volume /home/user/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json \
    custom/osv-scanner:2.2.3 \
        osv-scanner scan source \
            --offline \
            --call-analysis=all \
            --recursive "/osv/inputs"

Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 2 packages
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 704µs elapsed, 704µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
No issues found

• Even with up-to-date GIT osv-scanner local database

docker run --rm -ti \
    --network=none \
    --volume $OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY/osv-scanner:/osv/databases/osv-scanner \
    custom/osv-scanner:2.2.3 \
       ls -la /osv/databases/osv-scanner/GIT

drwxr-xr-x 1 www-data 1000         4 Oct 20 08:42 .
drwxr-xr-x 1 www-data 1000        47 Oct 20 08:41 ..
-rw-r--r-- 1 www-data 1000 141149989 Oct 20 08:42 all.zip
-rw-r--r-- 1 www-data 1000   3259592 Oct 20 08:42 modified_id.csv

[another-rex]

Hmm... this should work. E.g. https://api.osv.dev/v1/vulns/CVE-2025-9230 has openssl-3.2.3 as an affected version.

@G-Rath Can you have a look into this?

[G-Rath]

it's because you've omitted the protocol from the package.name - it should be https://github.com/openssl/openssl

[cybops35]

OK thank for the protocol :) now it works but not for all Git projects. I tried osv-scanner, in online mode, on some Github project which should have tag affected by CVE. When osv-scanner found some results, I tried it in offline mode too to compare results, and sometimes I get same results but not always. Is it normal ?

To give you more context, my osv-scanner image is build on top of a debian:12 image (on which I have many things like python/go/rust/gcc ...)

FROM golang:1.25.0-alpine3.21 AS builder

# Build the project osv-scanner
ARG OSV_VERSION='From build-arg'
WORKDIR /src
ENV GOPATH="/src"
RUN apk add --no-cache git \
  && git config --global --add safe.directory '*' \
  && git clone -b ${OSV_VERSION} https://github.com/google/osv-scanner.git ./ \
  && go mod download \
  && go build -o osv-scanner ./cmd/osv-scanner/
ENV PATH="$PATH:/src"

# add Software Composition Analysis Library
RUN go install github.com/google/osv-scalibr/binary/scalibr@latest

# add OSV-Reporter
RUN go install github.com/google/osv-scanner/v2/cmd/osv-reporter@latest


FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS final

# Install runtime dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    coreutils \
    curl \
    jq \
    wget \
    && rm -rf /var/lib/apt/lists/*

# Copy osv binaries
COPY --from=builder /src/osv-scanner /usr/local/bin/osv-scanner
COPY --from=builder /src/bin/scalibr /usr/local/bin/scalibr

# Copy cache
ENV GOCACHE='/root/.cache/go-build'
COPY --from=builder /root/.cache/go-build /root/.cache/go-build

# Install gsutil
RUN python3 -m pip install --break-system-packages gsutil
ENV PATH="$PATH:/root/.local/bin"

# Add scripts (with proper permissions)
COPY --chmod=775 mirror.sh /osv/mirror.sh
ENV OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY='/osv/databases'

# Default command
ENTRYPOINT []
CMD ["/usr/local/bin/osv-scanner"]

And here my tests results:

Same results:

openssl/openssl

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/openssl/openssl",
            "commit": "45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0",
            "version": "openssl-3.2.3"
          }
        }
      ]
    }
  ]
}

• online

Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 304µs elapsed, 304.1µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
Total 1 package affected by 6 known vulnerabilities (0 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬───────────────────────┬───────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE               │ VERSION               │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼───────────────────────┴───────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2024-12797 │ 6.3  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-13176 │ 4.1  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-9143  │ 4.3  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-9230  │ 7.5  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-9231  │ 6.5  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-9232  │ 5.9  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴─────────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline:

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 304µs elapsed, 304.1µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
Total 1 package affected by 6 known vulnerabilities (0 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬───────────────────────┬───────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE               │ VERSION               │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼───────────────────────┴───────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2024-12797 │ 6.3  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-13176 │ 4.1  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-9143  │ 4.3  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-9230  │ 7.5  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-9231  │ 6.5  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-9232  │ 5.9  │ GIT       │  https://github.com/openssl/openssl@45fda76b  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴─────────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

tensorflow/tensorflow

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/tensorflow/tensorflow",
            "commit": "6550e4bd80223cdb8be6c3afd1f81e86a4d433c3",
            "version": "v2.18.0"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 374.6µs elapsed, 374.7µs wall time
Total 1 package affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬──────────────────────────┬──────────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE                  │ VERSION                  │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼──────────────────────────┴──────────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2025-55556 │ 6.5  │ GIT       │  https://github.com/tensorflow/tensorflow@6550e4bd  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-55559 │ 7.5  │ GIT       │  https://github.com/tensorflow/tensorflow@6550e4bd  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴─────────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline

Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 282.5µs elapsed, 282.5µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
Total 1 package affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬──────────────────────────┬──────────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE                  │ VERSION                  │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼──────────────────────────┴──────────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2025-55556 │ 6.5  │ GIT       │  https://github.com/tensorflow/tensorflow@6550e4bd  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-55559 │ 7.5  │ GIT       │  https://github.com/tensorflow/tensorflow@6550e4bd  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴─────────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

yhirose/cpp-httplib

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/yhirose/cpp-httplib",
            "commit": "37798003220c997c4a6dc30d35e76d478b53a6e2",
            "version": "v0.18.5"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 346.891µs elapsed, 347.091µs wall time
Total 1 package affected by 4 known vulnerabilities (0 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬─────────────────────────┬─────────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE                 │ VERSION                 │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼─────────────────────────┴─────────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2025-46728 │ 7.5  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-52887 │ 7.5  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-53628 │ 6.3  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-53629 │ 7.5  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 378.691µs elapsed, 378.791µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
Total 1 package affected by 4 known vulnerabilities (0 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬─────────────────────────┬─────────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE                 │ VERSION                 │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼─────────────────────────┴─────────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2025-46728 │ 7.5  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-52887 │ 7.5  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-53628 │ 6.3  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-53629 │ 7.5  │ GIT       │  https://github.com/yhirose/cpp-httplib@37798003  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

libarchive/libarchive

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/libarchive/libarchive",
            "commit": "0c21691b177fac5f4cceca2a1ff2ddfa5d60f51c",
            "version": "v3.7.1"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 373.896µs elapsed, 373.996µs wall time
Total 1 package affected by 13 known vulnerabilities (1 Critical, 6 High, 6 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬──────────────────────────┬──────────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE                  │ VERSION                  │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼──────────────────────────┴──────────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2024-26256 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-37407 │ 9.1  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-48615 │ 7.5  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-48957 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-48958 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-57970 │ 4.0  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-1632  │ 5.5  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-25724 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5914  │ 7.3  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5915  │ 6.6  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5916  │ 5.6  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5917  │ 5.0  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5918  │ 6.6  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴─────────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 319.597µs elapsed, 319.697µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
Total 1 package affected by 13 known vulnerabilities (1 Critical, 6 High, 6 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬──────────────────────────┬──────────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE                  │ VERSION                  │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼──────────────────────────┴──────────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2024-26256 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-37407 │ 9.1  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-48615 │ 7.5  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-48957 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-48958 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-57970 │ 4.0  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-1632  │ 5.5  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-25724 │ 7.8  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5914  │ 7.3  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5915  │ 6.6  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5916  │ 5.6  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5917  │ 5.0  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-5918  │ 6.6  │ GIT       │  https://github.com/libarchive/libarchive@0c21691b  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴─────────────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

Different results

apache/orc

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/apache/orc",
            "commit": "17b30e96476be70b8773b2b807bab857fd3ceb39",
            "version": "v3.19.0"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 352.596µs elapsed, 352.596µs wall time
Total 1 package affected by 6 known vulnerabilities (1 Critical, 3 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬────────────────────┬─────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE            │ VERSION             │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼────────────────────┴─────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2021-22569 │ 5.5  │ GIT       │  https://github.com/apache/orc@17b30e96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-3509  │ 7.5  │ GIT       │  https://github.com/apache/orc@17b30e96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-3510  │ 7.5  │ GIT       │  https://github.com/apache/orc@17b30e96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-2410  │ 9.8  │ GIT       │  https://github.com/apache/orc@17b30e96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-7254  │ 7.5  │ GIT       │  https://github.com/apache/orc@17b30e96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-4565  │ 5.3  │ GIT       │  https://github.com/apache/orc@17b30e96  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴──────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 329.196µs elapsed, 329.196µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
No issues found

boostorg/boost

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/boostorg/boost",
            "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7",
            "version": "boost-1.67.0"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 392.689µs elapsed, 392.689µs wall time
Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭──────────────────────────────┬──────┬───────────┬──────────────────────┬───────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE              │ VERSION               │ FIXED VERSION │ SOURCE                             │
├──────────────────────────────┼──────┼───────────┼──────────────────────┴───────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/OSV-2018-389 │      │ GIT       │  https://github.com/boostorg/boost@1a9dda41  │ --            │ osv/inputs/osv-scanner-custom.json │
╰──────────────────────────────┴──────┴───────────┴──────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 320.197µs elapsed, 320.397µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
No issues found

Exiv2/exiv2

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/Exiv2/exiv2",
            "commit": "931a40a746f5678dcc4625b06a2eb25fa4f00b34",
            "version": "v0.28.0"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 351.291µs elapsed, 351.391µs wall time
Total 1 package affected by 9 known vulnerabilities (0 Critical, 1 High, 4 Medium, 2 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2023-44398 │ 8.8  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/PYSEC-2023-233 │      │           │                                           │               │                                    │
│ https://osv.dev/CVE-2024-24826 │ 5.5  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-25112 │ 5.5  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-39695 │ 5.3  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-26623 │ 5.3  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-54080 │ 1.8  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2025-55304 │ 1.8  │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/OSV-2023-1161  │      │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/OSV-2024-340   │      │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• online

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 351.698µs elapsed, 351.798µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
Total 1 package affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭───────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                       │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ FIXED VERSION │ SOURCE                             │
├───────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/OSV-2023-1161 │      │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/OSV-2024-340  │      │ GIT       │  https://github.com/Exiv2/exiv2@931a40a7  │ --            │ osv/inputs/osv-scanner-custom.json │
╰───────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

wolfSSL/wolfssl

• input

{
  "results": [
    {
      "packages": [
        {
          "package": {
            "name": "https://github.com/wolfSSL/wolfssl",
            "commit": "50fbdb961fd8c2d8123064e567ae8ec44167732d",
            "version": "v4.1.0-stable"
          }
        }
      ]
    }
  ]
}

• online

docker run --rm -ti --network=host --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 321.2µs elapsed, 321.3µs wall time
Total 1 package affected by 37 known vulnerabilities (6 Critical, 14 High, 17 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


╭────────────────────────────────┬──────┬───────────┬───────────────────────┬───────────────────────┬───────────────┬────────────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE               │ VERSION               │ FIXED VERSION │ SOURCE                             │
├────────────────────────────────┼──────┼───────────┼───────────────────────┴───────────────────────┼───────────────┼────────────────────────────────────┤
│ https://osv.dev/CVE-2019-14317 │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2019-15651 │ 9.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2019-16748 │ 9.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2019-18840 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2019-19960 │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2019-19962 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2019-19963 │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-11713 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-11735 │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-12457 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-15309 │ 7.0  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-24585 │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-24613 │ 6.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2020-36177 │ 9.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2021-24116 │ 4.9  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2021-3336  │ 8.1  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2021-37155 │ 9.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2021-38597 │ 5.9  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2021-44718 │ 5.9  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-25638 │ 6.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-25640 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-34293 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-38152 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-38153 │ 5.9  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-39173 │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-42905 │ 9.1  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2022-42961 │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2023-3724  │ 8.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2023-6935  │ 5.9  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2023-6936  │ 9.1  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2023-6937  │ 5.3  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-1543  │ 5.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-1544  │ 4.1  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-1545  │ 8.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-2881  │ 8.8  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-5288  │ 5.9  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
│ https://osv.dev/CVE-2024-5991  │ 7.5  │ GIT       │  https://github.com/wolfSSL/wolfssl@50fbdb96  │ --            │ osv/inputs/osv-scanner-custom.json │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────────┴───────────────┴────────────────────────────────────╯

• offline:

docker run --rm -ti --network=none --volume /tmp/mirror/osv-scanner:/osv/databases/osv-scanner --env OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY="/osv/databases" --volume /home/user/Documents/update-av/osv-scanner/osv-scanner-custom.json:/osv/inputs/osv-scanner-custom.json custom/osv-scanner:v2.2.3 osv-scanner scan source --offline --call-analysis=all --recursive "/osv/inputs"
Scanning dir /osv/inputs
Starting filesystem walk for root: /
Scanned /osv/inputs/osv-scanner-custom.json file and found 1 package
End status: 1 dirs visited, 2 inodes visited, 1 Extract calls, 312.5µs elapsed, 312.6µs wall time
Loaded GIT local db from /osv/databases/osv-scanner/GIT/all.zip
No issues found

[G-Rath]

Generally I'd say differences in results will be either due to data quality or offline limitations, because the implementation on the scanner side is very straightforward so it should be very obvious if we've got bugs there (not saying it's not possible).

The "offline limitations" path I think should usually be straightforward for you to guess if that's the issue at least in 80% of cases because those are mainly around forks and commits / branches.

That leaves "data quality", which requires looking at the underlying advisories and I think is what is happening here - so digging into your results:

apache/orc

The difference here is because you look to have mixed up your repo and commit - the repo https://github.com/apache/orc does not have apache/orc@17b30e9 but that is a commit in protocolbuffers/protobuf@17b30e9 which is what the online api is resolving:

[
  ["CVE-2021-22569", "https://github.com/protocolbuffers/protobuf"],
  ["CVE-2022-3509", "https://github.com/protocolbuffers/protobuf"],
  ["CVE-2022-3510", "https://github.com/protocolbuffers/protobuf"],
  ["CVE-2024-2410", "https://github.com/google/protobuf"],
  ["CVE-2024-2410", "https://github.com/protocolbuffers/protobuf"],
  ["CVE-2024-7254", "https://github.com/google/protobuf"],
  ["CVE-2024-7254", "https://github.com/protocolbuffers/protobuf"],
  ["CVE-2025-4565", "https://github.com/protocolbuffers/protobuf"]
]

boostorg/boost

The difference here is because of the repo though I think this is on our end - https://osv.dev/OSV-2018-389 has https://github.com/boostorg/boost.git as the repo, which does not match your https://github.com/boostorg/boost.

That is technically correct as git clone https://github.com/boostorg/boost.git will work, and I also think technically its valid to have .git at the end of a repo, but I doubt it actually ever comes up in the wild.

It looks like we've current got 11026 advisories with a repo that ends with .git, so having us prune that before comparing might be a good idea - @another-rex what do you think?

Exiv2/exiv2

This looks to be mostly because of differences in casing - the majority of the advisories returned by the api have the repository all lowercase, except for the two that the offline mode is returning which uses the same casing as what you're using.

Technically this is all valid because URLs are case sensitive so e.g. MyRepo, MYREPO, and myrepo can all be unique repos, though though platforms like GitHub might not allow that; and also by extension this particular repo is using the casing you've used so that'd mean all the other advisories need updating.

I'll have to discuss with @another-rex on what we want to do - noting too from my brief hack arounds locally I suspect it'll be surprisingly complex to e.g. strings.ToLower within the scanner, as there's multiple places where we do name checks which are independent of if we're looking at a repo or not.

The last advisory in that result though, PYSEC-2023-233, just simply does not list v0.28.0 as vulnerable (it does use the canonical repo url, so would otherwise be matched in offline mode)

wolfSSL/wolfssl

Same as above - the canonical repository is not all lowercase, but the repo in all the advisories returned by the API are

[another-rex]

It looks like we've current got 11026 advisories with a repo that ends with .git, so having us prune that before comparing might be a good idea - @another-rex what do you think?

yeah good idea, I think we also did some pruning/normalisation of git repo urls on our backend recently (@michaelkedar might know more)

I think we can normalize the case when we compare, even if they could potentially be different repos, I think that is much rarer than the case being inconsistent between records and querying.

[michaelkedar]

The repo normalizing we currently do on the OSV API is this function.

I did write down some of my findings in google/osv.dev#3986

The API doesn't do case normalization currently. I think if we were, we should limit it to specific domains e.g. github.com and gitlab.com seem to be case-insensitive

[G-Rath]

@michaelkedar has that been landed in production yet?

[michaelkedar]

Yeah, that's been in production for a few weeks now

[G-Rath]

... then why do we have so many records with .git? oh right this is happening when the API does its comparing, not as a transformation on advisories.

So then yes the scanner should do the same thing 👍

[cybops35]

Ok then if i use lowercase and remove .git extension it should works every time ? nice :)
Thank you !