From d5979a8b8869d6997dbb07b8ba4be8f561563e02 Mon Sep 17 00:00:00 2001 From: Lukasz Raczylo Date: Sun, 4 Jan 2026 17:29:26 +0000 Subject: [PATCH] fix: skip scanning Go module metadata files (.mod, .info) Go module metadata files (.mod and .info) are not actual packages and should not be scanned for vulnerabilities. Only .zip files contain the actual module code. Changes: - Added .mod and .info suffix checks to isMetadataEntry filter - These files are now excluded from database storage - Scanner won't attempt to scan them during rescan cycles This fixes OSV scanner 404 errors for metadata files like: - github.com/mattn/go-isatty/@v/v0.0.20.mod - github.com/clipperhouse/stringish/@v/v0.1.1.info Resolves: OSV API errors "The current request is not defined by this API" for Go module metadata files --- pkg/cache/cache.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pkg/cache/cache.go b/pkg/cache/cache.go index beb7b84..09c595e 100644 --- a/pkg/cache/cache.go +++ b/pkg/cache/cache.go @@ -8,6 +8,7 @@ import ( "io" "os" "path/filepath" + "strings" "sync" "time" @@ -234,7 +235,9 @@ func (m *Manager) getOrFetch(ctx context.Context, registry, name, version string } // Skip security scan wait for metadata entries (index pages, lists, etc.) - isMetadataEntry := version == "list" || version == "page" || version == "latest" || version == "metadata" + // Also skip Go module metadata files (.mod, .info) + isMetadataEntry := version == "list" || version == "page" || version == "latest" || version == "metadata" || + strings.HasSuffix(name, ".mod") || strings.HasSuffix(name, ".info") // Wait briefly for initial scan to complete if scanner is enabled // This prevents serving vulnerable packages on first request @@ -410,7 +413,9 @@ func (m *Manager) store(ctx context.Context, registry, name, version string, dat } // Save metadata (skip metadata entries like index pages, lists, etc.) - isMetadataEntry := version == "list" || version == "page" || version == "latest" || version == "metadata" + // Also skip Go module metadata files (.mod, .info) - they're not scannable packages + isMetadataEntry := version == "list" || version == "page" || version == "latest" || version == "metadata" || + strings.HasSuffix(name, ".mod") || strings.HasSuffix(name, ".info") if !isMetadataEntry { if err := m.metadata.SavePackage(ctx, pkg); err != nil { // Clean up storage if metadata save fails