Commit
Update gcp/appengine/blog/content/posts/introducing-broad-c-c++-support/index.md
Hayley Denbraver authored Nov 5, 2023
1 parent 172ec0b commit 6ff3ddf
Showing 1 changed file with 1 addition and 1 deletion.
@@ -54,7 +54,7 @@ Fortunately both cpp-httplib and ffmpeg have fixes for these vulnerabilities and

Vendored dependencies are included in a project by simply copying the code into the repository. Git commit information is not retained, so we need another way to determine whether a vulnerability is present. In these cases, OSV-Scanner uses the [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency’s version (and associated commit), and match it to any known vulnerabilities.

When we [released the API](https://osv.dev/blog/posts/using-the-determineversion-api/) in July, its use was limited to vulnerabilities found by [OSS-Fuzz](https://google.github.io/oss-fuzz/). Not all C/C++ projects are part of OSS-Fuzz, nor are all vulnerabilities for a given dependency found by OSS-Fuzz, so users could not find all the vulnerabilities associated with their project. With the addition of the commit level vulnerability data from the NVD, this gap has been significantly narrowed. **The determineversion API, and the associated OSV-Scanner functionality, can now be used for the majority of vendored C/C++ dependencies.**
When we [released the API](https://osv.dev/blog/posts/using-the-determineversion-api/) in July, its use was limited to vulnerabilities found by [OSS-Fuzz](https://google.github.io/oss-fuzz/). Not all C/C++ projects are part of OSS-Fuzz, nor are all vulnerabilities for a given dependency found by OSS-Fuzz, so users may not find all the vulnerabilities associated with their project. With the addition of the commit level vulnerability data from the NVD, this gap has been significantly narrowed. **The determineversion API, and the associated OSV-Scanner functionality, can now be used for the majority of vendored C/C++ dependencies.**

Let’s consider the [OpenCV](https://github.com/opencv/opencv) project, which uses vendored dependencies. Working from commit `e9e6b1e22c1a966a81aca1217b16a51fe7311b3b`, OSV-Scanner is able to find a number of vulnerabilities from the vendored dependencies including:
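Review bot: the softened "may not find" in the replacement line is the right correction, since OSS-Fuzz coverage was partial rather than absent, but it now mixes tense with the past-tense "its use was limited" and "was limited to vulnerabilities found by" earlier in the same paragraph; consider "so users might not have found all the vulnerabilities associated with their project" so the whole sentence describes the pre-NVD state consistently. On the same line, "commit level vulnerability data" reads better hyphenated as "commit-level vulnerability data".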

