diff --git a/.gemini/config.yaml b/.gemini/config.yaml new file mode 100644 index 00000000000..7da42dd22aa --- /dev/null +++ b/.gemini/config.yaml @@ -0,0 +1,11 @@ +have_fun: false +code_review: + disable: false + comment_severity_threshold: MEDIUM + max_review_comments: -1 + pull_request_opened: + help: false + summary: false + code_review: false + include_drafts: true +ignore_patterns: [] diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index ff3966f2a50..9030057d821 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -16,10 +16,10 @@ name: Checks on: push: - branches: [main, v1] + branches: ["main", "v1", "mcp"] pull_request: # The branches below must be a subset of the branches above - branches: [main, v1] + branches: ["main", "v1", "mcp"] workflow_dispatch: concurrency: @@ -42,6 +42,16 @@ jobs: with: persist-credentials: false - run: scripts/report_uncleaned_snapshots.py + filenames: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - run: | + find . -mindepth 1 ! -regex '.*/[#@A-Za-z0-9._-]*' -print0 \ + | xargs -0 -I{} bash -c \ + 'printf "::error file=%q::This filename contains undesired characters\n" "$1" && false' _ {} format: permissions: contents: read # to fetch code (actions/checkout) @@ -97,7 +107,7 @@ jobs: with: persist-credentials: false - run: scripts/build_test_images.sh - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/*.tar @@ -118,7 +128,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/ diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ef09244a9e2..f5829f1f558 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -48,7 +48,7 @@ jobs: go-version-file: go.mod # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -59,7 +59,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/autobuild@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -73,4 +73,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index c3e3d9871b8..9a66d308d19 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -34,7 +34,7 @@ jobs: go get github.com/google/osv-scalibr@"$latest_commit" echo "latest_scalibr_commit=$latest_commit" >> "$GITHUB_ENV" go mod tidy - - run: go test ./cmd/osv-scanner/ -run 'Test_run$' + - run: go test ./cmd/osv-scanner/ -run 'Test_run$' || true env: TEST_ACCEPTANCE: true UPDATE_SNAPS: always diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index 5581a20dbec..91a0c3a88d4 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: tcort/github-action-markdown-link-check@a800ad5f1c35bf61987946fd31c15726a1c9f2ba # v1.1.0 + - uses: tcort/github-action-markdown-link-check@f3d33029dca1c4a24b87e2df648f9f4604ef6533 # v1.1.1 with: use-quiet-mode: "yes" base-branch: "main" diff --git a/.github/workflows/osv-scanner-unified-action.yml b/.github/workflows/osv-scanner-unified-action.yml index c209e0ff73e..7634f4194f8 100644 --- a/.github/workflows/osv-scanner-unified-action.yml +++ b/.github/workflows/osv-scanner-unified-action.yml @@ -16,11 +16,11 @@ name: OSV-Scanner Scheduled Scan on: pull_request: - branches: ["main", "v1"] + branches: ["main", "v1", "mcp"] schedule: - cron: "12 12 * * 1" push: - branches: ["main", "v1"] + branches: ["main", "v1", "mcp"] # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block diff --git a/.github/workflows/prerelease-check.yml b/.github/workflows/prerelease-check.yml index d3595fab4bd..f0978b23bda 100644 --- a/.github/workflows/prerelease-check.yml +++ b/.github/workflows/prerelease-check.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: tcort/github-action-markdown-link-check@a800ad5f1c35bf61987946fd31c15726a1c9f2ba # v1.1.0 + - uses: tcort/github-action-markdown-link-check@f3d33029dca1c4a24b87e2df648f9f4604ef6533 # v1.1.1 with: use-quiet-mode: "yes" base-branch: "main" @@ -95,7 +95,7 @@ jobs: with: persist-credentials: false - run: scripts/build_test_images.sh - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/*.tar @@ -117,7 +117,7 @@ jobs: with: persist-credentials: false ref: ${{ inputs.commit }} - - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/ diff --git a/.github/workflows/renovate-validator.yml b/.github/workflows/renovate-validator.yml index 363b6bfd0fa..107787acaad 100644 --- a/.github/workflows/renovate-validator.yml +++ b/.github/workflows/renovate-validator.yml @@ -24,7 +24,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Nodes.js - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: latest diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index d8163716ff5..dfb9d92ceea 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -38,7 +38,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -60,7 +60,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: SARIF file path: results.sarif @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 with: sarif_file: results.sarif diff --git a/.github/workflows/staleness.yml b/.github/workflows/staleness.yml index adb1121bbd3..b28464ff4af 100644 --- a/.github/workflows/staleness.yml +++ b/.github/workflows/staleness.yml @@ -13,7 +13,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: days-before-stale: 60 days-before-close: 14 diff --git a/.golangci.yaml b/.golangci.yaml index 77e5abc58ec..e91e2c0488b 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -53,6 +53,11 @@ linters: gocritic: disabled-checks: - ifElseChain + govet: + enable-all: true + disable: + - fieldalignment + - shadow nlreturn: block-size: 2 revive: diff --git a/.goreleaser-nightly.yml b/.goreleaser-nightly.yml index 14ba5990bac..aacece590a2 100644 --- a/.goreleaser-nightly.yml +++ b/.goreleaser-nightly.yml @@ -4,6 +4,27 @@ before: hooks: - go mod tidy builds: + - main: ./cmd/osv-scanner/ + id: osv-scanner + binary: osv-scanner + env: + # goreleaser does not work with CGO, it could also complicate + # usage by users in CI/CD systems like Terraform Cloud where + # they are unable to install libraries. + - CGO_ENABLED=0 + - GO111MODULE=on + mod_timestamp: "{{ .CommitTimestamp }}" + flags: + - -trimpath + ldflags: + - "-s -w" + - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}.nightly" + - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}" + - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}" + goos: + - linux + goarch: + - amd64 - main: ./cmd/osv-scanner/ id: osv-scanner-action binary: osv-scanner-action @@ -18,7 +39,7 @@ builds: - -trimpath ldflags: - "-s -w" - - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}_GHAction" + - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}.nightly_GHAction" - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}" - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}" goos: @@ -45,6 +66,23 @@ builds: - amd64 dockers: + # Main osv-scanner + - image_templates: + - "ghcr.io/google/osv-scanner:nightly" + dockerfile: goreleaser.dockerfile + use: buildx + build_flag_templates: + - "--pull" + - "--label=org.opencontainers.image.title=osv-scanner" + - "--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev" + - "--label=org.opencontainers.image.licenses=Apache License 2.0" + - "--label=org.opencontainers.image.created={{.Date}}" + - "--label=org.opencontainers.image.name={{.ProjectName}}" + - "--label=org.opencontainers.image.revision={{.FullCommit}}" + - "--label=org.opencontainers.image.version={{.Version}}" + - "--label=org.opencontainers.image.source={{.GitURL}}" + - "--label=org.opencontainers.image.url={{.GitURL}}" + - "--platform=linux/amd64" # Github Action - image_templates: - "ghcr.io/google/osv-scanner-action:nightly" diff --git a/CHANGELOG.md b/CHANGELOG.md index d049eecfbfe..33b87a11aee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# v2.2.4 + +### Features: + +- [Feature #2256](https://github.com/google/osv-scanner/pull/2256) Add experimental OSV-Scanner MCP server. (`osv-scanner experimental-mcp`) +- [Feature #2284](https://github.com/google/osv-scanner/pull/2284) Update `osv-scalibr` integration, replacing `baseimagematch` with the base image enricher. +- [Feature #2216](https://github.com/google/osv-scanner/pull/2216) Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes \#2206). + +### Fixes: + +- [Bug #2305](https://github.com/google/osv-scanner/pull/2305) Ignore common protocols and `.git` suffix when checking if an advisory affects a git repository (fixes \#2291). +- [Bug #2300](https://github.com/google/osv-scanner/pull/2300) Ensure the global logger is used in `cmdlogger` and `osv-scalibr` when set (fixes \#2081). +- [Bug #2295](https://github.com/google/osv-scanner/pull/2295) Fix Go stdlib license result matching (fixes \#2191). + # v2.2.3 ### Features: diff --git a/Dockerfile b/Dockerfile index 6bbbcb3d45d..c7d52696049 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.25.1-alpine3.21@sha256:331bde41663c297cba0f5abf37e929be644f3cbd84bf45f49b0df9d774f4d912 AS builder +FROM golang:1.25.3-alpine3.21@sha256:0c9f3e09a50a6c11714dbc37a6134fd0c474690030ed07d23a61755afd3a812f AS builder WORKDIR /src COPY ./go.mod ./go.sum ./ @@ -21,7 +21,7 @@ RUN go mod download COPY ./ ./ RUN go build -o osv-scanner ./cmd/osv-scanner/ -FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 +FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 RUN apk --no-cache add ca-certificates git && \ git config --global --add safe.directory '*' diff --git a/action.dockerfile b/action.dockerfile index 6d119c7fc7f..97a491368d9 100644 --- a/action.dockerfile +++ b/action.dockerfile @@ -13,7 +13,7 @@ # limitations under the License. # WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action -FROM golang:1.25.1-alpine3.21@sha256:331bde41663c297cba0f5abf37e929be644f3cbd84bf45f49b0df9d774f4d912 +FROM golang:1.25.3-alpine3.21@sha256:0c9f3e09a50a6c11714dbc37a6134fd0c474690030ed07d23a61755afd3a812f RUN mkdir /src WORKDIR /src @@ -26,7 +26,7 @@ COPY ./ /src/ RUN go build -o osv-scanner ./cmd/osv-scanner/ RUN go build -o osv-reporter ./cmd/osv-reporter/ -FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 +FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 RUN apk --no-cache add \ ca-certificates \ git \ diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index f6722d917ce..e08b08ab859 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -23,8 +23,8 @@ OPTIONS: --- [Test_run/version - 1] -osv-scanner version: 2.2.3 -osv-scalibr version: 0.3.4 +osv-scanner version: 2.2.4 +osv-scalibr version: 0.3.6 commit: n/a built at: n/a @@ -50,7 +50,6 @@ Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the [Test_run_SubCommands/with_no_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml No issues found --- @@ -62,7 +61,6 @@ No issues found [Test_run_SubCommands/with_scan_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml No issues found --- diff --git a/cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml b/cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml index 79526718035..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml +++ b/cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml @@ -1,35 +1,2 @@ [[PackageOverrides]] -name = "chownr" -ecosystem = "npm" ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "concat-stream" -ecosystem = "npm" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "hosted-git-info" -ecosystem = "npm" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "request" -ecosystem = "npm" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "semver" -ecosystem = "npm" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "tough-cookie" -ecosystem = "npm" -ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml b/cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml index db72d685c13..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml +++ b/cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml @@ -1,23 +1,2 @@ [[PackageOverrides]] -name = "commons-io:commons-io" -ecosystem = "Maven" ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "org.apache.httpcomponents:httpclient" -ecosystem = "Maven" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "org.codehaus.plexus:plexus-utils" -ecosystem = "Maven" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "org.jsoup:jsoup" -ecosystem = "Maven" -ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/fix/testmain_test.go b/cmd/osv-scanner/fix/testmain_test.go index 9b5fb30d122..6fa779ad065 100644 --- a/cmd/osv-scanner/fix/testmain_test.go +++ b/cmd/osv-scanner/fix/testmain_test.go @@ -7,11 +7,14 @@ import ( "github.com/google/osv-scanner/v2/cmd/osv-scanner/fix" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" + "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { + config.OSVScannerConfigName = "osv-scanner-test.toml" + slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{fix.Command} m.Run() diff --git a/cmd/osv-scanner/internal/cmd/run.go b/cmd/osv-scanner/internal/cmd/run.go index a74a1bf9072..de958179525 100644 --- a/cmd/osv-scanner/internal/cmd/run.go +++ b/cmd/osv-scanner/internal/cmd/run.go @@ -5,7 +5,7 @@ import ( "errors" "io" "log/slog" - "strings" + "os" "testing" scalibr "github.com/google/osv-scalibr/version" @@ -24,15 +24,13 @@ var ( type CommandBuilder = func(stdout, stderr io.Writer) *cli.Command func Run(args []string, stdout, stderr io.Writer, commands []CommandBuilder) int { - // get rid of the extraneous space in the subcommand help template, as otherwise - // our snapshots will fail because it will be trailing and removed by editors + // urfave/cli uses a global for its help flag which makes it possible for a nil + // pointer dereference if running in a parallel setting, which our test suite + // does, so this is used to hide the help flag so the global won't be used + // unless a particular env variable is set // - // todo: remove this once https://github.com/urfave/cli/pull/2140 has been released - cli.SubcommandHelpTemplate = strings.ReplaceAll( - cli.SubcommandHelpTemplate, - "{{if .VisibleCommands}} [command [command options]] {{end}}", - "{{if .VisibleCommands}} [command [command options]]{{end}}", - ) + // see https://github.com/urfave/cli/issues/2176 + shouldHideHelp := testing.Testing() && os.Getenv("TEST_SHOW_HELP") != "true" // --- Setup Logger --- logHandler := cmdlogger.New(stdout, stderr) @@ -61,7 +59,10 @@ func Run(args []string, stdout, stderr io.Writer, commands []CommandBuilder) int cmds := make([]*cli.Command, 0, len(commands)) for _, cmd := range commands { - cmds = append(cmds, cmd(stdout, stderr)) + c := cmd(stdout, stderr) + c.HideHelp = shouldHideHelp + + cmds = append(cmds, c) } app := &cli.Command{ @@ -69,6 +70,7 @@ func Run(args []string, stdout, stderr io.Writer, commands []CommandBuilder) int Version: version.OSVVersion, Usage: "scans various mediums for dependencies and checks them against the OSV database", Suggest: true, + HideHelp: shouldHideHelp, Writer: stdout, ErrWriter: stderr, DefaultCommand: "scan", diff --git a/cmd/osv-scanner/main.go b/cmd/osv-scanner/main.go index f3cf03dd3b0..b65d85e1769 100644 --- a/cmd/osv-scanner/main.go +++ b/cmd/osv-scanner/main.go @@ -5,6 +5,7 @@ import ( "github.com/google/osv-scanner/v2/cmd/osv-scanner/fix" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" + "github.com/google/osv-scanner/v2/cmd/osv-scanner/mcp" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" "github.com/google/osv-scanner/v2/cmd/osv-scanner/update" ) @@ -15,6 +16,7 @@ func main() { scan.Command, fix.Command, update.Command, + mcp.Command, }), ) } diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index e3a91e1ebca..3d384beec06 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -9,6 +9,8 @@ import ( //nolint:paralleltest func Test_run(t *testing.T) { + t.Setenv("TEST_SHOW_HELP", "true") + tests := []testcmd.Case{ { Name: "", diff --git a/cmd/osv-scanner/mcp/command.go b/cmd/osv-scanner/mcp/command.go new file mode 100644 index 00000000000..e1a15562439 --- /dev/null +++ b/cmd/osv-scanner/mcp/command.go @@ -0,0 +1,222 @@ +// Package mcp implements the `mcp` command for osv-scanner. +package mcp + +import ( + "context" + _ "embed" + "errors" + "fmt" + "io" + "strings" + "sync" + "time" + + "net/http" + + "github.com/google/osv-scanner/v2/internal/cmdlogger" + "github.com/google/osv-scanner/v2/internal/output" + "github.com/google/osv-scanner/v2/internal/version" + "github.com/google/osv-scanner/v2/pkg/osvscanner" + "github.com/jedib0t/go-pretty/v6/text" + "github.com/modelcontextprotocol/go-sdk/mcp" + "github.com/ossf/osv-schema/bindings/go/osvschema" + "github.com/urfave/cli/v3" + "osv.dev/bindings/go/osvdev" +) + +// vulnCacheMap is a cache of vulnerability details that have been retrieved from the OSV API during normal scanning. +// This avoids unnecessary double queries to the osv.dev API. +// vulnCacheMap: map[string]*osvschema.Vulnerability +var vulnCacheMap = sync.Map{} + +// Command is the entry point for the `mcp` subcommand. +func Command(_, _ io.Writer) *cli.Command { + return &cli.Command{ + Name: "experimental-mcp", + Usage: "Run osv-scanner as an MCP service (experimental)", + Description: "Run osv-scanner as an MCP service, speaking the MCP protocol over stdin/stdout.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "sse", + DefaultText: "localhost:8080", + Value: "localhost:8080", + Usage: "The listening address for the SSE server, e.g. localhost:8080", + }, + }, + Action: action, + } +} + +// scanVulnerableDependenciesInput is the input for the scan_vulnerable_dependencies tool. +type scanVulnerableDependenciesInput struct { + Paths []string `json:"paths" jsonschema:"A list of absolute or relative path to a file or directory to scan."` + IgnoreGlobPatterns []string `json:"ignore_glob_patterns" jsonschema:"A list of glob patterns to ignore when scanning."` + Recursive bool `json:"recursive" jsonschema:"Scans directory recursively"` +} + +func action(ctx context.Context, cmd *cli.Command) error { + s := mcp.NewServer(&mcp.Implementation{ + Name: "OSV-Scanner", Version: version.OSVVersion, + }, nil) + + mcp.AddTool(s, &mcp.Tool{ + Name: "scan_vulnerable_dependencies", + Description: "Scans a source directory for vulnerable dependencies." + + " Walks the given directory and uses osv.dev to query for vulnerabilities matching the found dependencies." + + " Use this tool to check that the user's project is not depending on known vulnerable code.", + }, handleScan) + + // TODO(another-rex): Ideally both of the following tools would be resources, but gemini-cli does not support those yet. + mcp.AddTool(s, &mcp.Tool{ + Name: "get_vulnerability_details", + Description: "Retrieves the full JSON details for a given vulnerability ID.", + }, handleVulnIDRetrieval) + + mcp.AddTool(s, &mcp.Tool{ + Name: "ignore_vulnerability", + Description: "Provides instructions for writing a config file to exclude vulnerabilities from the scan report.", + }, handleIgnoreVulnerability) + + s.AddPrompt(&mcp.Prompt{ + Name: "scan_deps", + Description: "Scans your project dependencies for known vulnerabilities.", + }, handleScanDepsPrompt) + + // Provide two options, sse on a network port, or stdio. + if cmd.IsSet("sse") { + sseAddr := cmd.String("sse") + cmdlogger.Infof("Starting SSE server on %s", sseAddr) + handler := mcp.NewSSEHandler(func(_ *http.Request) *mcp.Server { + return s + }, nil) + srv := &http.Server{ + Addr: sseAddr, + Handler: handler, + ReadTimeout: 30 * time.Second, + WriteTimeout: 30 * time.Second, + IdleTimeout: 120 * time.Second, + } + if err := srv.ListenAndServe(); err != nil { + cmdlogger.Errorf("mcp error: %s", err) + return err + } + } else { + cmdlogger.SendEverythingToStderr() + cmdlogger.Infof("Starting MCP server on stdio") + if err := s.Run(ctx, &mcp.StdioTransport{}); err != nil { + cmdlogger.Errorf("mcp error: %s", err) + return err + } + } + + return nil +} + +func handleScan(_ context.Context, _ *mcp.CallToolRequest, input *scanVulnerableDependenciesInput) (*mcp.CallToolResult, any, error) { + statsCollector := fileOpenedLogger{} + + action := osvscanner.ScannerActions{ + DirectoryPaths: input.Paths, + ScanLicensesSummary: false, + ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{ + StatsCollector: &statsCollector, + }, + CallAnalysisStates: map[string]bool{ + "go": true, + }, + Recursive: input.Recursive, + } + + //nolint:contextcheck // passing the context in would be a breaking change + scanResults, err := osvscanner.DoScan(action) + if err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) { + return nil, nil, fmt.Errorf("failed to run scanner: %w", err) + } + + for _, vuln := range scanResults.Flatten() { + vulnCacheMap.Store(vuln.Vulnerability.ID, &vuln.Vulnerability) + } + + if err == nil { + return &mcp.CallToolResult{ + Content: []mcp.Content{ + &mcp.TextContent{Text: "No issues found"}, + }, + }, nil, nil + } + + buf := strings.Builder{} + + for _, s := range statsCollector.collectedLines { + buf.WriteString(s + "\n") + } + + text.DisableColors() + output.PrintVerticalResults(&scanResults, &buf, false) + + return &mcp.CallToolResult{ + Content: []mcp.Content{ + &mcp.TextContent{Text: buf.String()}, + }, + }, nil, nil +} + +// getVulnerabilityDetailsInput is the input for the get_vulnerability_details tool. +type getVulnerabilityDetailsInput struct { + VulnID string `json:"vuln_id" jsonschema:"The OSV vulnerability ID to retrieve details for."` +} + +func handleVulnIDRetrieval(ctx context.Context, _ *mcp.CallToolRequest, input *getVulnerabilityDetailsInput) (*mcp.CallToolResult, *osvschema.Vulnerability, error) { + vulnAny, found := vulnCacheMap.Load(input.VulnID) + vuln := vulnAny.(*osvschema.Vulnerability) + if !found { + var err error + vuln, err = osvdev.DefaultClient().GetVulnByID(ctx, input.VulnID) + if err != nil { + return nil, nil, fmt.Errorf("vulnerability with ID %s not found: %w", input.VulnID, err) + } + + vulnCacheMap.Store(input.VulnID, vuln) + } + + return &mcp.CallToolResult{}, vuln, nil +} + +// ignoreVulnerabilityInput is a placeholder to enable the tool call, +// as it seems like go-sdk mcp does not support a tool call with no arguments. +type ignoreVulnerabilityInput struct { + // Extra field is needed as a placeholder to prevent the llm from erroring when calling the tool + Verbose bool `json:"verbose" jsonschema:"ignore this parameter"` +} + +//go:embed configuration-instructions.md +var configInstructions string + +// handleIgnoreVulnerability does not perform any actual actions, but instead provides the instructions of how +// to write an ignore file to the LLM using this tool, so that it can correctly write the ignore file. +func handleIgnoreVulnerability(_ context.Context, _ *mcp.CallToolRequest, _ *ignoreVulnerabilityInput) (*mcp.CallToolResult, any, error) { + return &mcp.CallToolResult{ + Content: []mcp.Content{ + &mcp.TextContent{Text: configInstructions}, + }, + }, nil, nil +} + +// scanDepsPrompt is the prompt that is sent to the AI model when the scan_deps prompt is requested. +// +//go:embed scan-deps-prompt.md +var scanDepsPrompt string + +func handleScanDepsPrompt(_ context.Context, _ *mcp.GetPromptRequest) (*mcp.GetPromptResult, error) { + return &mcp.GetPromptResult{ + Description: "Dependency vulnerability analysis", + Messages: []*mcp.PromptMessage{ + { + Role: "assistant", + Content: &mcp.TextContent{ + Text: scanDepsPrompt, + }, + }, + }, + }, nil +} diff --git a/cmd/osv-scanner/mcp/configuration-instructions.md b/cmd/osv-scanner/mcp/configuration-instructions.md new file mode 100644 index 00000000000..2ed7ca9e4fc --- /dev/null +++ b/cmd/osv-scanner/mcp/configuration-instructions.md @@ -0,0 +1,43 @@ +--- +layout: page +permalink: /configuration/ +nav_order: 5 +--- + +# Configuration + +To configure scanning, place an osv-scanner.toml file in the scanned file's directory. This does not propagate to child directories. + +**Example:** + +``` +/Cargo.lock +/osv-scanner.toml (1) +/child-dir/go.mod +/child-dir/osv-scanner.toml (2) +/child-dir/nested-dir/package-lock.json +``` + +`osv-scanner.toml (1)` will only apply to `Cargo.lock`, `osv-scanner.toml (2)` will only apply to `go.mod`, and no config will apply to `package-lock.json`. + +To override `osv-scanner.toml` files, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead, this will apply `config.toml` to all files parsed, and ignore `osv-scanner.toml` in all directories. + +## Ignore vulnerabilities by ID + +To ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, add an expiry date or reason. + +### Example + +```toml +[[IgnoredVulns]] +id = "GO-2022-0968" +# ignoreUntil = 2022-11-09 # Optional exception expiry date +reason = "No ssh servers are connected to or hosted in Go lang" + +[[IgnoredVulns]] +id = "GO-2022-1059" +# ignoreUntil = 2022-11-09 # Optional exception expiry date +reason = "No external http servers are written in Go lang." +``` + +Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability. diff --git a/cmd/osv-scanner/mcp/scan-deps-prompt.md b/cmd/osv-scanner/mcp/scan-deps-prompt.md new file mode 100644 index 00000000000..1a39b924f49 --- /dev/null +++ b/cmd/osv-scanner/mcp/scan-deps-prompt.md @@ -0,0 +1,19 @@ +You are a highly skilled senior security analyst. +Your primary task is to conduct a security audit of the vulnerabilities in the dependencies of this project. +Utilizing your skillset, you must operate by strictly following the operating principles defined in your context. + +**Step 1: Perform initial scan** + +Use the scan_vulnerable_dependencies with recursive on the project, always use the absolute path. +This will return a report of all the relevant lockfiles and all vulnerable dependencies in those files. + +**Step 2: Analyse the report** + +Go through the report and determine the relevant project lockfiles (ignoring lockfiles in test directories), +and prioritise which vulnerability to fix based on the description and severity. +If more information is needed about a vulnerability, use get_vulnerability_details. + +**Step 3: Prioritisation** + +Give advice on which vulnerabilities to prioritise fixing, and general advice on how to go about fixing +them by updating. Don't try to automatically update for the user without input. diff --git a/cmd/osv-scanner/mcp/stats.go b/cmd/osv-scanner/mcp/stats.go new file mode 100644 index 00000000000..e8e579f25b2 --- /dev/null +++ b/cmd/osv-scanner/mcp/stats.go @@ -0,0 +1,33 @@ +package mcp + +import ( + "fmt" + "path/filepath" + + "github.com/google/osv-scalibr/stats" + "github.com/google/osv-scanner/v2/internal/output" +) + +type fileOpenedLogger struct { + stats.NoopCollector + + collectedLines []string +} + +var _ stats.Collector = &fileOpenedLogger{} + +func (c *fileOpenedLogger) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) { + if extractorstats.Error != nil { // Don't log scanned if error occurred + return + } + + pkgsFound := len(extractorstats.Inventory.Packages) + + c.collectedLines = append(c.collectedLines, + fmt.Sprintf( + "Scanned %s file and found %d %s", + filepath.Join(extractorstats.Root, extractorstats.Path), + pkgsFound, + output.Form(pkgsFound, "package", "packages"), + )) +} diff --git a/cmd/osv-scanner/scan/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/__snapshots__/command_test.snap index fda0b6f1efa..906cd10945b 100755 --- a/cmd/osv-scanner/scan/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/__snapshots__/command_test.snap @@ -14,7 +14,6 @@ No issues found [TestCommand_SubCommands/with_no_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml No issues found --- @@ -26,7 +25,6 @@ No issues found [TestCommand_SubCommands/with_scan_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml No issues found --- diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap index 724c48fae93..82c60a3d35f 100755 --- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap @@ -31,7 +31,7 @@ Saving docker image ("alpine:3.18.9") to temporary file... Scanning image "alpine:3.18.9" Container Scanning Result (Alpine Linux v3.18): -Total 2 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. +Total 2 packages affected by 3 known vulnerabilities (0 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 3 vulnerabilities can be fixed. @@ -185,7 +185,7 @@ HTML output available at: /report.html Scanning local image tarball "./testdata/test-alpine.tar" Container Scanning Result (Alpine Linux v3.18): -Total 5 packages affected by 65 known vulnerabilities (5 Critical, 31 High, 21 Medium, 0 Low, 8 Unknown) from 1 ecosystem. +Total 5 packages affected by 65 known vulnerabilities (6 Critical, 33 High, 26 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 65 vulnerabilities can be fixed. @@ -222,6 +222,7 @@ Package Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/libgcrypt20/1.8.5-5ubuntu1.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gnutls28/3.6.13-2ubuntu1.12 has been filtered out because: Just want to test only unimportant vulns +Package Ubuntu:20.04/lz4/1.9.2-2ubuntu0.20.04.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns @@ -240,7 +241,7 @@ Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just Package Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/perl/5.30.0-9ubuntu0.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/tar/1.30+dfsg-7ubuntu0.20.04.4 has been filtered out because: Just want to test only unimportant vulns -Filtered 27 ignored package/s from the scan. +Filtered 28 ignored package/s from the scan. Container Scanning Result (Ubuntu 20.04.6 LTS): Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. @@ -269,6 +270,7 @@ Package Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/libgcrypt20/1.8.5-5ubuntu1.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gnutls28/3.6.13-2ubuntu1.12 has been filtered out because: Just want to test only unimportant vulns +Package Ubuntu:20.04/lz4/1.9.2-2ubuntu0.20.04.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns @@ -287,7 +289,7 @@ Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just Package Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/perl/5.30.0-9ubuntu0.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/tar/1.30+dfsg-7ubuntu0.20.04.4 has been filtered out because: Just want to test only unimportant vulns -Filtered 27 ignored package/s from the scan. +Filtered 28 ignored package/s from the scan. Container Scanning Result (Ubuntu 20.04.6 LTS): Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. @@ -315,8 +317,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-ubuntu.tar" Container Scanning Result (Ubuntu 22.04.5 LTS): -Total 19 packages affected by 37 known vulnerabilities (2 Critical, 11 High, 19 Medium, 4 Low, 1 Unknown) from 1 ecosystem. -18 vulnerabilities can be fixed. +Total 20 packages affected by 39 known vulnerabilities (2 Critical, 12 High, 21 Medium, 3 Low, 1 Unknown) from 1 ecosystem. +19 vulnerabilities can be fixed. Ubuntu:22.04 @@ -336,8 +338,9 @@ Ubuntu:22.04 | libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu | | libtasn1-6 | 4.18.0-4build1 | Partial fixes Available | 2 | libtasn1-6 | # 4 Layer | ubuntu | | libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu | +| lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu | | ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu | -| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 3 | libssl3 | # 4 Layer | ubuntu | +| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 4 | libssl3 | # 4 Layer | ubuntu | | pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu | | pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu | | perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu | @@ -360,8 +363,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-ubuntu.tar" Container Scanning Result (Ubuntu 22.04.5 LTS): -Total 19 packages affected by 37 known vulnerabilities (2 Critical, 11 High, 19 Medium, 4 Low, 1 Unknown) from 1 ecosystem. -18 vulnerabilities can be fixed. +Total 20 packages affected by 39 known vulnerabilities (2 Critical, 12 High, 21 Medium, 3 Low, 1 Unknown) from 1 ecosystem. +19 vulnerabilities can be fixed. Ubuntu:22.04 @@ -381,8 +384,9 @@ Ubuntu:22.04 | libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu | | libtasn1-6 | 4.18.0-4build1 | Partial fixes Available | 2 | libtasn1-6 | # 4 Layer | ubuntu | | libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu | +| lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu | | ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu | -| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 3 | libssl3 | # 4 Layer | ubuntu | +| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 4 | libssl3 | # 4 Layer | ubuntu | | pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu | | pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu | | perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu | @@ -424,8 +428,8 @@ failed to load image from tarball with path "../../testdata/locks-manyoci-image/ Scanning local image tarball "./testdata/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21): -Total 20 packages affected by 32 known vulnerabilities (3 Critical, 9 High, 12 Medium, 0 Low, 8 Unknown) from 2 ecosystems. -32 vulnerabilities can be fixed. +Total 21 packages affected by 36 known vulnerabilities (3 Critical, 14 High, 18 Medium, 0 Low, 1 Unknown) from 2 ecosystems. +36 vulnerabilities can be fixed. Maven @@ -442,6 +446,7 @@ Maven | io.netty:netty-codec | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- | | io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | +| io.netty:netty-codec-smtp | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-common | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- | | io.netty:netty-handler | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 12 Layer | -- | @@ -459,7 +464,7 @@ Alpine:v3.21 | expat | 2.6.4-r0 | Fix Available | 2 | libexpat | # 5 Layer | eclipse-temurin | | libtasn1 | 4.19.0-r2 | Fix Available | 1 | libtasn1 | # 5 Layer | eclipse-temurin | | musl | 1.2.5-r8 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine | -| openssl | 3.3.2-r4 | Fix Available | 2 | libcrypto3, libssl3... (3) | # 0 Layer | alpine | +| openssl | 3.3.2-r4 | Fix Available | 5 | libcrypto3, libssl3... (3) | # 0 Layer | alpine | | sqlite | 3.47.1-r0 | Fix Available | 4 | sqlite-libs | # 5 Layer | eclipse-temurin | +----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+ @@ -477,17 +482,17 @@ Scanning local image tarball "./testdata/test-python-empty.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)): Total 14 packages affected by 24 known vulnerabilities (0 Critical, 6 High, 4 Medium, 0 Low, 14 Unknown) from 2 ecosystems. -22 vulnerabilities can be fixed. +24 vulnerabilities can be fixed. PyPI -+-------------------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| pip | 23.0.1 | Partial fixes Available | 2 | # 7 Layer | python | -+---------+-------------------+-------------------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 2 | # 7 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl | +------------+-------------------+---------------+------------+------------------+---------------+ @@ -495,13 +500,13 @@ PyPI +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 3 | # 7 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ -+-------------------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| pip | 23.0.1 | Partial fixes Available | 2 | # 13 Layer | python | -+---------+-------------------+-------------------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 2 | # 13 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +------------+-------------------+---------------+------------+------------------+---------------+ @@ -541,17 +546,17 @@ Scanning local image tarball "./testdata/test-python-full.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)): Total 19 packages affected by 42 known vulnerabilities (0 Critical, 13 High, 14 Medium, 0 Low, 15 Unknown) from 2 ecosystems. -40 vulnerabilities can be fixed. +42 vulnerabilities can be fixed. PyPI -+-------------------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| pip | 23.0.1 | Partial fixes Available | 2 | # 7 Layer | python | -+---------+-------------------+-------------------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 2 | # 7 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl | +------------+-------------------+---------------+------------+------------------+---------------+ @@ -580,13 +585,13 @@ PyPI +---------+-------------------+---------------+------------+------------------+---------------+ | idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ -+-------------------------------------------------------------------------------------------------------+ -| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------+-------------------+-------------------------+------------+------------------+---------------+ -| pip | 23.0.1 | Partial fixes Available | 2 | # 13 Layer | python | -+---------+-------------------+-------------------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 2 | # 13 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ +----------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | +----------+-------------------+---------------+------------+------------------+---------------+ @@ -639,8 +644,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-package-tracing.tar" Container Scanning Result (Alpine Linux v3.20): -Total 8 packages affected by 78 known vulnerabilities (0 Critical, 1 High, 0 Medium, 0 Low, 77 Unknown) from 2 ecosystems. -78 vulnerabilities can be fixed. +Total 8 packages affected by 81 known vulnerabilities (1 Critical, 3 High, 5 Medium, 0 Low, 72 Unknown) from 2 ecosystems. +81 vulnerabilities can be fixed. Go @@ -693,7 +698,7 @@ Alpine:v3.20 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | musl | 1.2.5-r0 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine | -| openssl | 3.3.1-r0 | Fix Available | 5 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.3.1-r0 | Fix Available | 8 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -813,8 +818,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-node_modules-npm-empty.tar" Container Scanning Result (Alpine Linux v3.19): -Total 2 packages affected by 11 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystem. -11 vulnerabilities can be fixed. +Total 2 packages affected by 13 known vulnerabilities (1 Critical, 3 High, 9 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +13 vulnerabilities can be fixed. Alpine:v3.19 @@ -824,7 +829,7 @@ Alpine:v3.19 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 4 | busybox... (3) | # 0 Layer | alpine | -| openssl | 3.1.4-r5 | Fix Available | 7 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -840,8 +845,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" Container Scanning Result (Alpine Linux v3.19): -Total 4 packages affected by 14 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 6 Unknown) from 2 ecosystems. -13 vulnerabilities can be fixed. +Total 4 packages affected by 16 known vulnerabilities (3 Critical, 3 High, 10 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +15 vulnerabilities can be fixed. npm @@ -860,7 +865,7 @@ Alpine:v3.19 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 4 | busybox... (3) | # 0 Layer | alpine | -| openssl | 3.1.4-r5 | Fix Available | 7 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -876,8 +881,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-node_modules-pnpm-empty.tar" Container Scanning Result (Alpine Linux v3.19): -Total 2 packages affected by 11 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystem. -11 vulnerabilities can be fixed. +Total 2 packages affected by 13 known vulnerabilities (1 Critical, 3 High, 9 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +13 vulnerabilities can be fixed. Alpine:v3.19 @@ -887,7 +892,7 @@ Alpine:v3.19 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 4 | busybox... (3) | # 0 Layer | alpine | -| openssl | 3.1.4-r5 | Fix Available | 7 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -903,8 +908,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-node_modules-pnpm-full.tar" Container Scanning Result (Alpine Linux v3.19): -Total 2 packages affected by 11 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystem. -11 vulnerabilities can be fixed. +Total 2 packages affected by 13 known vulnerabilities (1 Critical, 3 High, 9 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +13 vulnerabilities can be fixed. Alpine:v3.19 @@ -914,7 +919,7 @@ Alpine:v3.19 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 4 | busybox... (3) | # 0 Layer | alpine | -| openssl | 3.1.4-r5 | Fix Available | 7 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -930,8 +935,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-node_modules-yarn-empty.tar" Container Scanning Result (Alpine Linux v3.19): -Total 2 packages affected by 11 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystem. -11 vulnerabilities can be fixed. +Total 2 packages affected by 13 known vulnerabilities (1 Critical, 3 High, 9 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +13 vulnerabilities can be fixed. Alpine:v3.19 @@ -941,7 +946,7 @@ Alpine:v3.19 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 4 | busybox... (3) | # 0 Layer | alpine | -| openssl | 3.1.4-r5 | Fix Available | 7 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -957,8 +962,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne Scanning local image tarball "./testdata/test-node_modules-yarn-full.tar" Container Scanning Result (Alpine Linux v3.19): -Total 2 packages affected by 11 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystem. -11 vulnerabilities can be fixed. +Total 2 packages affected by 13 known vulnerabilities (1 Critical, 3 High, 9 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +13 vulnerabilities can be fixed. Alpine:v3.19 @@ -968,7 +973,7 @@ Alpine:v3.19 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 4 | busybox... (3) | # 0 Layer | alpine | -| openssl | 3.1.4-r5 | Fix Available | 7 | libcrypto3, libssl3 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. @@ -1904,9 +1909,12 @@ Scanning local image tarball "./testdata/test-python-full.tar" "ALPINE-CVE-2024-13176", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", - "ALPINE-CVE-2024-9143" + "ALPINE-CVE-2024-9143", + "ALPINE-CVE-2025-9230", + "ALPINE-CVE-2025-9231", + "ALPINE-CVE-2025-9232" ], - "groups": 5 + "groups": 8 }, { "package": { @@ -1924,9 +1932,12 @@ Scanning local image tarball "./testdata/test-python-full.tar" "ALPINE-CVE-2024-13176", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", - "ALPINE-CVE-2024-9143" + "ALPINE-CVE-2024-9143", + "ALPINE-CVE-2025-9230", + "ALPINE-CVE-2025-9231", + "ALPINE-CVE-2025-9232" ], - "groups": 5 + "groups": 8 }, { "package": { @@ -2319,9 +2330,11 @@ Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" "ALPINE-CVE-2024-4741", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", - "ALPINE-CVE-2024-9143" + "ALPINE-CVE-2024-9143", + "ALPINE-CVE-2025-9230", + "ALPINE-CVE-2025-9232" ], - "groups": 7 + "groups": 9 }, { "package": { @@ -2341,9 +2354,11 @@ Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" "ALPINE-CVE-2024-4741", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", - "ALPINE-CVE-2024-9143" + "ALPINE-CVE-2024-9143", + "ALPINE-CVE-2025-9230", + "ALPINE-CVE-2025-9232" ], - "groups": 7 + "groups": 9 }, { "package": { @@ -2818,6 +2833,21 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" ], "groups": 4 }, + { + "package": { + "name": "lz4", + "os_package_name": "liblz4-1", + "version": "1.9.3-2build2", + "ecosystem": "Ubuntu:22.04", + "image_origin_details": { + "index": 4 + } + }, + "vulnerabilities": [ + "UBUNTU-CVE-2025-62813" + ], + "groups": 1 + }, { "package": { "name": "ncurses", @@ -2963,13 +2993,15 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" } }, "vulnerabilities": [ + "USN-7786-1", "USN-7278-1", "UBUNTU-CVE-2024-13176", "UBUNTU-CVE-2024-41996", "UBUNTU-CVE-2024-9143", - "UBUNTU-CVE-2025-27587" + "UBUNTU-CVE-2025-27587", + "UBUNTU-CVE-2025-9230" ], - "groups": 3 + "groups": 4 }, { "package": { diff --git a/cmd/osv-scanner/scan/image/testdata/java-fixture/app/osv-scanner.toml b/cmd/osv-scanner/scan/image/testdata/java-fixture/app/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/image/testdata/java-fixture/app/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/image/testdata/python-fixture/osv-scanner.toml b/cmd/osv-scanner/scan/image/testdata/python-fixture/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/image/testdata/python-fixture/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/image/testdata/ubuntu20-04-unimportant-config.toml b/cmd/osv-scanner/scan/image/testdata/ubuntu20-04-unimportant-config.toml index 3a6fa0c7728..7585dd289bb 100644 --- a/cmd/osv-scanner/scan/image/testdata/ubuntu20-04-unimportant-config.toml +++ b/cmd/osv-scanner/scan/image/testdata/ubuntu20-04-unimportant-config.toml @@ -72,3 +72,8 @@ ignore = true name = "tar" reason = "Just want to test only unimportant vulns" ignore = true + +[[PackageOverrides]] +name = "lz4" +reason = "Just want to test only unimportant vulns" +ignore = true diff --git a/cmd/osv-scanner/scan/image/testmain_test.go b/cmd/osv-scanner/scan/image/testmain_test.go index 7f8c4b4c68c..64c5a536625 100644 --- a/cmd/osv-scanner/scan/image/testmain_test.go +++ b/cmd/osv-scanner/scan/image/testmain_test.go @@ -7,11 +7,14 @@ import ( "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/image" + "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { + config.OSVScannerConfigName = "osv-scanner-test.toml" + slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{image.Command} m.Run() diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 06c1d4528cb..442c0f9cc61 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -26,7 +26,7 @@ No issues found [TestCommand/Empty_cyclonedx_1.4_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- @@ -45,7 +45,7 @@ Loaded filter from: /testdata/locks-many/osv-scanner.toml [TestCommand/Empty_cyclonedx_1.5_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- @@ -56,7 +56,7 @@ Loaded filter from: /testdata/locks-many/osv-scanner.toml [TestCommand/Empty_gh-annotations_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- @@ -96,7 +96,7 @@ Loaded filter from: /testdata/locks-many/osv-scanner.toml "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -114,7 +114,7 @@ Loaded filter from: /testdata/locks-many/osv-scanner.toml [TestCommand/Empty_sarif_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- @@ -155,7 +155,7 @@ Loaded filter from: /testdata/locks-many/osv-scanner.toml [TestCommand/Empty_spdx_2.3_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- @@ -188,18 +188,37 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi --- +[TestCommand/Go_project_with_an_overridden_go_version_and_licences - 1] +Scanning dir ./testdata/go-project +Scanned /testdata/go-project/go.mod file and found 1 package +Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +0 vulnerabilities can be fixed. + + ++--------------+-------------------------+ +| LICENSE | NO. OF PACKAGE VERSIONS | ++--------------+-------------------------+ +| BSD-3-Clause | 1 | ++--------------+-------------------------+ + +--- + +[TestCommand/Go_project_with_an_overridden_go_version_and_licences - 2] + +--- + [TestCommand/PURL_SBOM_case_sensitivity_(api) - 1] Scanning dir ./testdata/sbom-insecure/alpine.cdx.xml Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. +Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ @@ -215,14 +234,14 @@ Scanning dir ./testdata/sbom-insecure/alpine.cdx.xml Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. Loaded Alpine local db from /osv-scanner/Alpine/all.zip -Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. +Total 2 packages affected by 7 known vulnerabilities (3 Critical, 4 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9840 | 8.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9841 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9842 | 8.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | @@ -249,7 +268,7 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medi "length": -1, "location": { "index": -1, - "uri": "file:///testdata/locks-many/package-lock.json" + "uri": "file:///testdata/locks-many-with-insecure/package-lock.json" }, "parentIndex": -1, "roles": [] @@ -282,7 +301,7 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medi "physicalLocation": { "artifactLocation": { "index": -1, - "uri": "file:///testdata/locks-many/package-lock.json" + "uri": "file:///testdata/locks-many-with-insecure/package-lock.json" } }, "relationships": [] @@ -326,8 +345,8 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medi "text": "This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time." }, "help": { - "markdown": "**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\n\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-many/package-lock.json | ansi-html | 0.0.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-many/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "text": "**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\n\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-many/package-lock.json | ansi-html | 0.0.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-many/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + "markdown": "**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\n\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-many-with-insecure/package-lock.json | ansi-html | 0.0.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-many-with-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "text": "**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\n\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-many-with-insecure/package-lock.json | ansi-html | 0.0.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-many-with-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "CVE-2021-23424", "name": "CVE-2021-23424", @@ -343,7 +362,7 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medi ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -359,23 +378,18 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medi --- [TestCommand/Sarif_with_vulns - 2] -Scanning dir ./testdata/locks-many/package-lock.json -Scanned /testdata/locks-many/package-lock.json file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package --- [TestCommand/Scan_locks-many - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -402,17 +416,17 @@ Error during extraction: (extracting as php/composerlock) /testdata/loc [TestCommand/config_file_can_be_broad - 1] Scanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file as a osv-scanner and found 3 packages -Scanning dir ./testdata/locks-many +Scanning dir ./testdata/locks-many-with-insecure Scanning dir ./testdata/locks-insecure Scanning dir ./testdata/maven-transitive Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages -Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages -Scanned /testdata/locks-many/composer.lock file and found 1 package -Scanned /testdata/locks-many/package-lock.json file and found 1 package -Scanned /testdata/locks-many/yarn.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/locks-many-with-insecure/composer.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package +Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Scanned /testdata/maven-transitive/pom.xml file and found 3 packages Filtered 1 local/unscannable package/s from the scan. Package npm/ansi-html/0.0.1 has been filtered out because: (no reason given) @@ -439,16 +453,16 @@ overriding license for package Alpine/scanelf/1.3.5-r1 with MIT overriding license for package Packagist/sentry/sdk/2.0.4 with 0BSD overriding license for package Alpine/ssl_client/1.36.1-r27 with MIT overriding license for package Alpine/zlib/1.2.13-r0 with MIT -Total 2 packages affected by 2 known vulnerabilities (1 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 5 ecosystems. +Total 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 5 ecosystems. 1 vulnerability can be fixed. -+---------------------------------------+------+-----------+------------------+----------+---------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+---------------------------------------+------+-----------+------------------+----------+---------------+---------------------------------------+ -| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many/alpine.cdx.xml | -+---------------------------------------+------+-----------+------------------+----------+---------------+---------------------------------------+ ++---------------------------------------+------+-----------+------------------+----------+---------------+--------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++---------------------------------------+------+-----------+------------------+----------+---------------+--------------------------------------------------+ +| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | ++---------------------------------------+------+-----------+------------------+----------+---------------+--------------------------------------------------+ +---------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +---------+-------------------------+ @@ -465,8 +479,8 @@ Total 2 packages affected by 2 known vulnerabilities (1 Critical, 0 High, 0 Medi | UNKNOWN | | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json | | UNKNOWN | | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | | UNKNOWN | | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | -| UNKNOWN | RubyGems | ast | 2.4.2 | testdata/locks-many/Gemfile.lock | -| 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many/composer.lock | +| UNKNOWN | RubyGems | ast | 2.4.2 | testdata/locks-many-with-insecure/Gemfile.lock | +| 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many-with-insecure/composer.lock | +-------------------+-----------+------------------------------------------------+---------+-------------------------------------------------------+ --- @@ -486,7 +500,7 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi --- [TestCommand/config_file_is_invalid - 2] -Ignored invalid config file at /testdata/config-invalid/osv-scanner.toml because: toml: line 1: expected '.' or '=', but got '!' instead +Ignored invalid config file at /testdata/config-invalid/osv-scanner-test.toml because: toml: line 1: expected '.' or '=', but got '!' instead --- @@ -504,14 +518,14 @@ unknown keys in config file: RustVersionOverride, PackageOverrides.skip, Package warning: ./testdata/osv-scanner-duplicate-config.toml has multiple ignores for GO-2022-0274 - only the first will be used! Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 2 vulnerabilities from output +./testdata/osv-scanner-duplicate-config.toml has unused ignores: + - GO-2022-0274 + - GO-2022-0274 + - GHSA-whgm-jr23-g3j9 + - CVE-2025-26519 No issues found --- @@ -752,7 +766,7 @@ Scanned /testdata/sbom-insecure/only-unimportant.spdx.json file and fou Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Filtered 9 local/unscannable package/s from the scan. -Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 40 Medium, 1 Low, 38 Unknown) from 4 ecosystems. +Total 26 packages affected by 159 known vulnerabilities (20 Critical, 68 High, 48 Medium, 1 Low, 22 Unknown) from 4 ecosystems. 8 vulnerabilities can be fixed. @@ -776,10 +790,10 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -791,7 +805,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-6297 | | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -803,7 +817,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5863-1 | | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -857,6 +871,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -878,7 +893,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2023-5678 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | @@ -887,16 +902,14 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2023-6237 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2024-12797 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2024-13176 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2024-4603 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-4575 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9230 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9231 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9232 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5902-1 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -915,7 +928,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-40909 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -927,7 +940,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | | | | | | | -| https://osv.dev/CVE-2023-39804 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | | | | | | | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -945,7 +958,7 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5895-1 | | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -960,9 +973,9 @@ Total 26 packages affected by 160 known vulnerabilities (19 Critical, 62 High, 4 --- [TestCommand/gh-annotations_with_vulns - 2] -Scanning dir ./testdata/locks-many/package-lock.json -Scanned /testdata/locks-many/package-lock.json file and found 1 package -::error file=testdata/locks-many/package-lock.json::testdata/locks-many/package-lock.json%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| ansi-html | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | 0.0.1 | 0.0.8 |%0A+-----------+-------------------------------------+------+-----------------+---------------+ +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package +::error file=testdata/locks-many-with-insecure/package-lock.json::testdata/locks-many-with-insecure/package-lock.json%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| ansi-html | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | 0.0.1 | 0.0.8 |%0A+-----------+-------------------------------------+------+-----------------+---------------+ --- [TestCommand/go_packages_in_osv-scanner.json_format - 1] @@ -986,14 +999,16 @@ Total 2 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medi --- [TestCommand/ignores_without_reason_should_be_explicitly_called_out - 1] -Scanning dir ./testdata/locks-many/package-lock.json +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanning dir ./testdata/locks-many/composer.lock +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package -Scanned /testdata/locks-many/package-lock.json file and found 1 package Package Packagist/sentry/sdk/2.0.4 has been filtered out because: (no reason given) Filtered 1 ignored package/s from the scan. GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) Filtered 1 vulnerability from output +./testdata/osv-scanner-reasonless-ignores-config.toml has unused ignores: + - GHSA-whgm-jr23-g3j9 No issues found --- @@ -1045,7 +1060,7 @@ invalid verbosity level "unknown" - must be one of: error, warn, info [TestCommand/json_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- @@ -1138,7 +1153,7 @@ could not determine extractor, requested spdx [TestCommand/one_specific_supported_lockfile - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1150,9 +1165,11 @@ No issues found [TestCommand/one_specific_supported_lockfile_with_ignore - 1] Scanning dir ./testdata/locks-test-ignore/package-lock.json Scanned /testdata/locks-test-ignore/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-test-ignore/osv-scanner.toml +Loaded filter from: /testdata/locks-test-ignore/osv-scanner-test.toml CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) Filtered 1 vulnerability from output +/testdata/locks-test-ignore/osv-scanner-test.toml has unused ignores: + - CVE-2021-23424 No issues found --- @@ -1164,7 +1181,7 @@ No issues found [TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1177,14 +1194,14 @@ No issues found Warning: --sbom has been deprecated in favor of -L Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. +Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ @@ -1198,14 +1215,14 @@ Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medi [TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 1] Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. +Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ @@ -1243,14 +1260,14 @@ No issues found Warning: --sbom has been deprecated in favor of -L Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. +Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ @@ -1264,14 +1281,14 @@ Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medi [TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 1] Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. +Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ @@ -1304,15 +1321,15 @@ No issues found --- [TestCommand/output_format:_markdown_table - 1] -Scanning dir ./testdata/locks-many/package-lock.json -Scanned /testdata/locks-many/package-lock.json file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | -| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many/package-lock.json | +| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | --- @@ -1464,6 +1481,8 @@ Total 15 packages affected by 53 known vulnerabilities (2 Critical, 20 High, 28 "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/bunlock extractor from /testdata/locks-insecure/bun.lock", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1480,6 +1499,8 @@ Total 15 packages affected by 53 known vulnerabilities (2 Critical, 20 High, 28 "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/bunlock extractor from /testdata/locks-insecure/bun.lock", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1496,6 +1517,8 @@ Total 15 packages affected by 53 known vulnerabilities (2 Critical, 20 High, 28 "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /testdata/locks-insecure/composer.lock", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1512,6 +1535,8 @@ Total 15 packages affected by 53 known vulnerabilities (2 Critical, 20 High, 28 "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the osv/osvscannerjson extractor from /testdata/locks-insecure/osv-scanner-custom.json", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1528,6 +1553,8 @@ Total 15 packages affected by 53 known vulnerabilities (2 Critical, 20 High, 28 "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the osv/osvscannerjson extractor from /testdata/locks-insecure/osv-scanner-custom.json", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1618,7 +1645,7 @@ No issues found [TestCommand/verbosity_level_=_info - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1630,7 +1657,7 @@ No issues found [TestCommandNonGit/one_specific_supported_lockfile - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- @@ -1702,23 +1729,34 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi --- [TestCommand_CommitSupport/offline_uses_git_tags - 1] -Scanned /testdata/locks-git/osv-scanner.json file as a osv-scanner and found 4 packages -Skipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0 +Scanned /testdata/locks-git/osv-scanner.json file as a osv-scanner and found 11 packages Loaded GIT local db from /osv-scanner/GIT/all.zip -Total 2 packages affected by 6 known vulnerabilities (2 Critical, 2 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. +Skipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0 +Total 8 packages affected by 17 known vulnerabilities (4 Critical, 4 High, 3 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. -+--------------------------------+------+-----------+--------------------------+--------------------------+---------------+-------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+--------------------------------+------+-----------+--------------------------+--------------------------+---------------+-------------------------------------+ -| https://osv.dev/CVE-2016-2183 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-4575 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-3416 | | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -+--------------------------------+------+-----------+-----------------------------------------------------+---------------+-------------------------------------+ ++--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ +| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2183 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | ++--------------------------------+------+-----------+---------------------------------------------------------+---------------+-------------------------------------+ --- @@ -1727,25 +1765,52 @@ Total 2 packages affected by 6 known vulnerabilities (2 Critical, 2 High, 0 Medi --- [TestCommand_CommitSupport/online_uses_git_commits - 1] -Scanned /testdata/locks-git/osv-scanner.json file as a osv-scanner and found 4 packages -Total 3 packages affected by 11 known vulnerabilities (3 Critical, 1 High, 2 Medium, 0 Low, 5 Unknown) from 1 ecosystem. +Scanned /testdata/locks-git/osv-scanner.json file as a osv-scanner and found 11 packages +Total 10 packages affected by 37 known vulnerabilities (6 Critical, 7 High, 14 Medium, 4 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ -| https://osv.dev/CVE-2024-12797 | | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-13176 | | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-9143 | | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-44398 | 8.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/PYSEC-2023-233 | | | | | | +| https://osv.dev/CVE-2024-24826 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-25112 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-39695 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-26623 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-54080 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-55304 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-22569 | 5.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-3509 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-3510 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-2410 | 9.8 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-7254 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-4565 | 5.3 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-3416 | | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-24898 | 6.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-3416 | | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | +--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------+ --- @@ -1754,6 +1819,461 @@ Total 3 packages affected by 11 known vulnerabilities (3 Critical, 1 High, 2 Med --- +[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file - 1] +Scanning dir testdata/sbom-insecure/alpine.cdx.xml +Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages +Filtered 1 local/unscannable package/s from the scan. +CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) +CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +testdata/osv-scanner-partial-ignores-config.toml has unused ignores: + - CVE-2025-26519 + - CVE-2018-25032 + - GO-2022-0274 + - CVE-2019-5188 + - CVE-2022-1304 +Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +0 vulnerabilities can be fixed. + + ++---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ +| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | ++---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ + +--- + +[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file - 2] + +--- + +[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 - 1] +Scanning dir testdata/sbom-insecure +Scanned /testdata/sbom-insecure/alpine-zlib-16.cdx.json file and found 1 package +Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages +Scanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package +Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages +Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages +Filtered 9 local/unscannable package/s from the scan. +CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) +CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) +CVE-2022-1304 and 2 aliases have been filtered out because: (no reason given) +GO-2022-0274 and 2 aliases have been filtered out because: (no reason given) +CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) +CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) +CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) +Filtered 9 vulnerabilities from output +testdata/osv-scanner-partial-ignores-config.toml has unused ignores: + - CVE-2025-26519 + - CVE-2018-25032 + - GO-2022-0274 + - CVE-2019-5188 + - CVE-2022-1304 +Total 24 packages affected by 153 known vulnerabilities (20 Critical, 63 High, 47 Medium, 1 Low, 22 Unknown) from 4 ecosystems. +7 vulnerabilities can be fixed. + + ++---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | +| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | +| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3263-1 | | | | | | | +| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | +| https://osv.dev/DLA-3878-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4319-1 | | | | | | | +| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | +| https://osv.dev/DLA-3530-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | +| https://osv.dev/DLA-3942-1 | | | | | | | +| https://osv.dev/DLA-3942-2 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4176-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | +| https://osv.dev/DLA-3926-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-20482 | | | | | | | +| https://osv.dev/CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-39804 | | | | | | | +| https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | ++---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ + +--- + +[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 - 2] + +--- + +[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files - 1] +Scanning dir testdata/sbom-insecure/alpine.cdx.xml +Scanning dir testdata/sbom-insecure/postgres-stretch.cdx.xml +Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages +Filtered 1 local/unscannable package/s from the scan. +CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) +CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) +CVE-2022-1304 and 2 aliases have been filtered out because: (no reason given) +GO-2022-0274 and 2 aliases have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output +testdata/osv-scanner-partial-ignores-config.toml has unused ignores: + - CVE-2025-26519 + - CVE-2018-25032 + - GO-2022-0274 + - CVE-2019-5188 + - CVE-2022-1304 +Total 22 packages affected by 151 known vulnerabilities (18 Critical, 63 High, 47 Medium, 1 Low, 22 Unknown) from 3 ecosystems. +7 vulnerabilities can be fixed. + + ++---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | +| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3263-1 | | | | | | | +| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | +| https://osv.dev/DLA-3878-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4319-1 | | | | | | | +| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | +| https://osv.dev/DLA-3530-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | +| https://osv.dev/DLA-3942-1 | | | | | | | +| https://osv.dev/DLA-3942-2 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4176-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | +| https://osv.dev/DLA-3926-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2018-20482 | | | | | | | +| https://osv.dev/CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-39804 | | | | | | | +| https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | ++---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ + +--- + +[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files - 2] + +--- + [TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 1] --- @@ -1795,15 +2315,10 @@ No package sources found, --help for usage information. [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1815,15 +2330,10 @@ No issues found [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1835,15 +2345,10 @@ No issues found [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. @@ -1859,13 +2364,9 @@ not an exact name for a plugin: "custom/extractor" [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1877,15 +2378,10 @@ No issues found [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1897,7 +2393,7 @@ No issues found [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1909,9 +2405,7 @@ No issues found [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled - 1] Scanning dir ./testdata/locks-many/package-lock.json Scanned /testdata/locks-many/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1971,9 +2465,7 @@ at least one extractor must be enabled Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -1986,9 +2478,7 @@ No issues found Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -2000,9 +2490,7 @@ No issues found [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. @@ -2018,13 +2506,9 @@ not an exact name for a plugin: "custom/extractor" [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -2036,9 +2520,7 @@ No issues found [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -2060,9 +2542,7 @@ No package sources found, --help for usage information. [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled - 1] Scanning dir ./testdata/locks-many/package-lock.json Scanned /testdata/locks-many/package-lock.json file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 1 vulnerability from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -2262,7 +2742,7 @@ Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Mediu ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -2285,7 +2765,7 @@ Scanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file as [TestCommand_HtmlFile - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml HTML output available at: /report.html --- @@ -2666,15 +3146,10 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi [TestCommand_Licenses/No_vulnerabilities_with_license_summary - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. @@ -2684,7 +3159,7 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi +------------+-------------------------+ | Apache-2.0 | 1 | | MIT | 1 | -| UNKNOWN | 16 | +| UNKNOWN | 2 | +------------+-------------------------+ --- @@ -2696,15 +3171,10 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi [TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. @@ -2713,7 +3183,7 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi | --- | ---:| | Apache-2.0 | 1 | | MIT | 1 | -| UNKNOWN | 16 | +| UNKNOWN | 2 | --- @@ -2810,58 +3280,40 @@ Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package -Filtered 1 local/unscannable package/s from the scan. -Package npm/ansi-html/0.0.1 has been filtered out because: (no reason given) +Package npm/ansi-html/0.0.8 has been filtered out because: (no reason given) Package npm/balanced-match/1.0.2 has been filtered out because: (no reason given) Package npm/has-flag/4.0.0 has been filtered out because: (no reason given) Package npm/wrappy/1.0.2 has been filtered out because: (no reason given) Filtered 4 ignored package/s from the scan. -ignoring license for package Alpine/alpine-baselayout/3.4.0-r0 -ignoring license for package Alpine/alpine-baselayout-data/3.4.0-r0 -ignoring license for package Alpine/alpine-keys/2.4-r1 -ignoring license for package Alpine/apk-tools/2.12.10-r1 -ignoring license for package Alpine/busybox-binsh/1.36.1-r27 -ignoring license for package Alpine/ca-certificates-bundle/20220614-r4 overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD -ignoring license for package Alpine/libc-utils/0.7.2-r3 -ignoring license for package Alpine/libcrypto3/3.0.8-r0 -ignoring license for package Alpine/libssl3/3.0.8-r0 -overriding license for package Alpine/musl/1.2.3-r4 with UNKNOWN -ignoring license for package Alpine/musl-utils/1.2.3-r4 -ignoring license for package Alpine/scanelf/1.3.5-r1 overriding license for package Packagist/sentry/sdk/2.0.4 with 0BSD -ignoring license for package Alpine/ssl_client/1.36.1-r27 -ignoring license for package Alpine/zlib/1.2.13-r0 -Total 2 packages affected by 2 known vulnerabilities (1 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 4 ecosystems. +Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems. 1 vulnerability can be fixed. -+---------------------------------------+------+-----------+------------------+----------+---------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+---------------------------------------+------+-----------+------------------+----------+---------------+---------------------------------------+ -| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | -| https://osv.dev/ALPINE-CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many/alpine.cdx.xml | -+---------------------------------------+------+-----------+------------------+----------+---------------+---------------------------------------+ ++-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+ +| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | ++-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+ +---------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +---------+-------------------------+ | 0BSD | 2 | -| UNKNOWN | 4 | +| UNKNOWN | 3 | +---------+-------------------------+ -+-------------------+-----------+------------------+----------+-------------------------------------------------+ -| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+-------------------+-----------+------------------+----------+-------------------------------------------------+ -| 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock | -| UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | -| UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | -| UNKNOWN | RubyGems | ast | 2.4.2 | testdata/locks-many/Gemfile.lock | -| UNKNOWN | Alpine | musl | 1.2.3-r4 | testdata/locks-many/alpine.cdx.xml | -| 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many/composer.lock | -+-------------------+-----------+------------------+----------+-------------------------------------------------+ ++-------------------+-----------+------------------+---------+-------------------------------------------------+ +| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------+-----------+------------------+---------+-------------------------------------------------+ +| 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock | +| UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | +| UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | +| UNKNOWN | RubyGems | ast | 2.4.2 | testdata/locks-many/Gemfile.lock | +| 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many/composer.lock | ++-------------------+-----------+------------------+---------+-------------------------------------------------+ --- @@ -3014,17 +3466,17 @@ Scanned /testdata/locks-licenses/package-lock.json file and found 4 pac --- [TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted - 1] -Scanning dir ./testdata/locks-many/package-lock.json -Scanned /testdata/locks-many/package-lock.json file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ -| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many/package-lock.json | -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ @@ -3038,17 +3490,17 @@ Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, --- [TestCommand_Licenses/Vulnerabilities_and_license_summary - 1] -Scanning dir ./testdata/locks-many/package-lock.json -Scanned /testdata/locks-many/package-lock.json file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ -| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many/package-lock.json | -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ @@ -3062,27 +3514,27 @@ Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, --- [TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist - 1] -Scanning dir ./testdata/locks-many/package-lock.json -Scanned /testdata/locks-many/package-lock.json file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure/package-lock.json +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ -| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many/package-lock.json | -+-------------------------------------+------+-----------+-----------+---------+---------------+---------------------------------------+ ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | ++-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ | Apache-2.0 | 1 | +------------+-------------------------+ -+-------------------+-----------+-----------+---------+---------------------------------------+ -| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+-------------------+-----------+-----------+---------+---------------------------------------+ -| Apache-2.0 | npm | ansi-html | 0.0.1 | testdata/locks-many/package-lock.json | -+-------------------+-----------+-----------+---------+---------------------------------------+ ++-------------------+-----------+-----------+---------+-----------------------------------------------------+ +| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------+-----------+-----------+---------+-----------------------------------------------------+ +| Apache-2.0 | npm | ansi-html | 0.0.1 | testdata/locks-many-with-insecure/package-lock.json | ++-------------------+-----------+-----------+---------+-----------------------------------------------------+ --- @@ -3146,22 +3598,27 @@ No issues found --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 1] -Scanning dir ./testdata/locks-many -Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages -Scanned /testdata/locks-many/composer.lock file and found 1 package -Scanned /testdata/locks-many/package-lock.json file and found 1 package -Scanned /testdata/locks-many/yarn.lock file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure +Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/locks-many-with-insecure/composer.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package +Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded npm local db from /osv-scanner/npm/all.zip Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output -No issues found +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +1 vulnerability can be fixed. + + ++---------------------------------------+------+-----------+-----------+----------+---------------+-----------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++---------------------------------------+------+-----------+-----------+----------+---------------+-----------------------------------------------------+ +| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | ++---------------------------------------+------+-----------+-----------+----------+---------------+-----------------------------------------------------+ --- @@ -3170,22 +3627,27 @@ No issues found --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 3] -Scanning dir ./testdata/locks-many -Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages -Scanned /testdata/locks-many/composer.lock file and found 1 package -Scanned /testdata/locks-many/package-lock.json file and found 1 package -Scanned /testdata/locks-many/yarn.lock file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure +Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/locks-many-with-insecure/composer.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package +Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Filtered 1 local/unscannable package/s from the scan. -Loaded filter from: /testdata/locks-many/osv-scanner.toml Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded npm local db from /osv-scanner/npm/all.zip Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip -CVE-2025-26519 and 1 alias have been filtered out because: Test manifest file (alpine.cdx.xml) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output -No issues found +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +1 vulnerability can be fixed. + + ++---------------------------------------+------+-----------+-----------+----------+---------------+-----------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++---------------------------------------+------+-----------+-----------+----------+---------------+-----------------------------------------------------+ +| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | +| https://osv.dev/ALPINE-CVE-2025-26519 | 8.1 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | ++---------------------------------------+------+-----------+-----------+----------+---------------+-----------------------------------------------------+ --- @@ -3320,7 +3782,7 @@ No issues found [TestCommand_LocalDatabases/one_specific_supported_lockfile - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found @@ -3333,7 +3795,7 @@ No issues found [TestCommand_LocalDatabases/one_specific_supported_lockfile - 3] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found @@ -3349,7 +3811,7 @@ Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip -Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 40 Medium, 1 Low, 36 Unknown) from 2 ecosystems. +Total 21 packages affected by 152 known vulnerabilities (17 Critical, 64 High, 48 Medium, 1 Low, 22 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. @@ -3381,7 +3843,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-6297 | | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3393,7 +3855,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5863-1 | | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3447,6 +3909,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3468,7 +3931,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2023-5678 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | @@ -3477,16 +3940,14 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2023-6237 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2024-12797 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2024-13176 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2024-4603 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-4575 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9230 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9231 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9232 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5902-1 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3505,7 +3966,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-40909 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3517,7 +3978,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | | | | | | | -| https://osv.dev/CVE-2023-39804 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | | | | | | | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3535,7 +3996,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5895-1 | | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -3551,7 +4012,7 @@ Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip -Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 40 Medium, 1 Low, 36 Unknown) from 2 ecosystems. +Total 21 packages affected by 152 known vulnerabilities (17 Critical, 64 High, 48 Medium, 1 Low, 22 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. @@ -3583,7 +4044,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-6297 | | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3595,7 +4056,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5863-1 | | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3649,6 +4110,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3670,7 +4132,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2023-5678 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | @@ -3679,16 +4141,14 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2023-6237 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2024-12797 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2024-13176 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2024-4603 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-4575 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9230 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9231 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-9232 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5902-1 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3707,7 +4167,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2025-40909 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3719,7 +4179,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | | | | | | | -| https://osv.dev/CVE-2023-39804 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | | | | | | | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -3737,7 +4197,7 @@ Total 21 packages affected by 153 known vulnerabilities (16 Critical, 60 High, 4 | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5895-1 | | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -3794,7 +4254,7 @@ No issues found [TestCommand_LocalDatabases/output_format:_markdown_table - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found @@ -3807,7 +4267,7 @@ No issues found [TestCommand_LocalDatabases/output_format:_markdown_table - 3] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found @@ -3833,7 +4293,7 @@ No issues found [TestCommand_LocalDatabases/output_with_json - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- @@ -3854,19 +4314,19 @@ Loaded Packagist local db from /osv-scanner/Packagist/all.zip [TestCommand_LocalDatabases/output_with_json - 4] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 1] Scanning dir ./testdata/locks-requirements -Scanning dir ./testdata/locks-many -Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages -Scanned /testdata/locks-many/composer.lock file and found 1 package -Scanned /testdata/locks-many/package-lock.json file and found 1 package -Scanned /testdata/locks-many/yarn.lock file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure +Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/locks-many-with-insecure/composer.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package +Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Scanned /testdata/locks-requirements/my-requirements.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages @@ -3893,12 +4353,12 @@ could not load db for Packagist ecosystem: unable to fetch OSV database: no offl [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 3] Scanning dir ./testdata/locks-requirements -Scanning dir ./testdata/locks-many -Scanned /testdata/locks-many/Gemfile.lock file and found 1 package -Scanned /testdata/locks-many/alpine.cdx.xml file and found 15 packages -Scanned /testdata/locks-many/composer.lock file and found 1 package -Scanned /testdata/locks-many/package-lock.json file and found 1 package -Scanned /testdata/locks-many/yarn.lock file and found 1 package +Scanning dir ./testdata/locks-many-with-insecure +Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages +Scanned /testdata/locks-many-with-insecure/composer.lock file and found 1 package +Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package +Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Scanned /testdata/locks-requirements/my-requirements.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages @@ -3925,7 +4385,7 @@ could not load db for Packagist ecosystem: unable to fetch OSV database: no offl [TestCommand_LockfileWithExplicitParseAs/"apk-installed"_is_supported - 1] Scanned /testdata/locks-many/installed file as a apk-installed and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -3936,7 +4396,7 @@ No issues found [TestCommand_LockfileWithExplicitParseAs/"dpkg-status"_is_supported - 1] Scanned /testdata/locks-many/status file as a dpkg-status and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -3947,7 +4407,7 @@ No issues found [TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows - 1] Scanned /testdata/locks-many/yarn.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -3967,7 +4427,7 @@ No issues found [TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping - 1] Scanned /testdata/locks-many/yarn.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -3978,7 +4438,7 @@ No issues found [TestCommand_LockfileWithExplicitParseAs/empty_is_default - 1] Scanned /testdata/locks-many/composer.lock file and found 1 package -Loaded filter from: /testdata/locks-many/osv-scanner.toml +Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- @@ -4614,7 +5074,7 @@ Total 5 packages affected by 16 known vulnerabilities (0 Critical, 5 High, 10 Me [TestCommand_WithDetector_OffLinux/ssh_version_errors - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- @@ -4626,7 +5086,7 @@ No issues found [TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- @@ -4638,7 +5098,7 @@ No issues found [TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- @@ -4651,7 +5111,7 @@ No issues found Scanning dir /composer.lock Command "ssh -V": exit status 1 Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- @@ -4663,7 +5123,7 @@ No issues found [TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- @@ -4675,7 +5135,7 @@ No issues found [TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package -Loaded filter from: /osv-scanner.toml +Loaded filter from: /osv-scanner-test.toml No issues found --- diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 63e9d5dbcd8..1453a982510 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -29,63 +29,63 @@ func TestCommand(t *testing.T) { // one specific supported sbom with vulns { Name: "folder of supported sbom with vulns", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/sbom-insecure/"}, + Args: []string{"", "source", "./testdata/sbom-insecure/"}, Exit: 1, }, // one specific supported sbom with only unimportant { Name: "folder of supported sbom with only unimportant", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, + Args: []string{"", "source", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, Exit: 0, }, // one specific supported sbom with only unimportant but with --all-vulns { Name: "folder of supported sbom with only unimportant", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, + Args: []string{"", "source", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, Exit: 1, }, // one specific supported sbom with vulns { Name: "one specific supported sbom with vulns", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"}, + Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, { Name: "one specific supported sbom with vulns using -L flag", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"}, + Args: []string{"", "source", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, // one specific supported sbom with vulns and invalid PURLs { Name: "one specific supported sbom with invalid PURLs", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, + Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, Exit: 0, }, { Name: "one specific supported sbom with invalid PURLs using -L flag", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, + Args: []string{"", "source", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, Exit: 0, }, // one specific supported sbom with duplicate PURLs { Name: "one specific supported sbom with duplicate PURLs", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, + Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, Exit: 1, }, { Name: "one specific supported sbom with duplicate PURLs using -L flag", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, + Args: []string{"", "source", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, Exit: 1, }, // one file that does not match the supported sbom file names { Name: "one file that does not match the supported sbom file names", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/locks-many/composer.lock"}, + Args: []string{"", "source", "--sbom", "./testdata/locks-many/composer.lock"}, Exit: 127, }, { Name: "one file that does not match the supported sbom file names using -L flag", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "spdx:./testdata/locks-many/composer.lock"}, + Args: []string{"", "source", "-L", "spdx:./testdata/locks-many/composer.lock"}, Exit: 127, }, // one specific unsupported lockfile @@ -169,7 +169,7 @@ func TestCommand(t *testing.T) { }, { Name: "Sarif with vulns", - Args: []string{"", "source", "--format", "sarif", "--config", "./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--format", "sarif", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, // output format: gh-annotations @@ -180,13 +180,13 @@ func TestCommand(t *testing.T) { }, { Name: "gh-annotations with vulns", - Args: []string{"", "source", "--format", "gh-annotations", "--config", "./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--format", "gh-annotations", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, // output format: markdown table { Name: "output format: markdown table", - Args: []string{"", "source", "--format", "markdown", "--config", "./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--format", "markdown", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, // output format: cyclonedx 1.4 @@ -257,14 +257,20 @@ func TestCommand(t *testing.T) { }, { Name: "PURL SBOM case sensitivity (api)", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"}, + Args: []string{"", "source", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, { Name: "PURL SBOM case sensitivity (local)", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "--download-offline-databases", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"}, + Args: []string{"", "source", "--offline", "--download-offline-databases", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, + // Go project with an overridden go version and licenses + { + Name: "Go project with an overridden go version and licences", + Args: []string{"", "source", "--config=./testdata/go-project/go-version-config.toml", "--licenses", "./testdata/go-project"}, + Exit: 0, + }, // Go project with an overridden go version { Name: "Go project with an overridden go version", @@ -280,13 +286,13 @@ func TestCommand(t *testing.T) { // broad config file that overrides a whole ecosystem { Name: "config file can be broad", - Args: []string{"", "source", "--config=./testdata/osv-scanner-composite-config.toml", "--licenses=MIT", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "./testdata/locks-many", "./testdata/locks-insecure", "./testdata/maven-transitive"}, + Args: []string{"", "source", "--config=./testdata/osv-scanner-composite-config.toml", "--licenses=MIT", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "./testdata/locks-many-with-insecure", "./testdata/locks-insecure", "./testdata/maven-transitive"}, Exit: 1, }, // ignored vulnerabilities and packages without a reason should be called out { Name: "ignores without reason should be explicitly called out", - Args: []string{"", "source", "--config=./testdata/osv-scanner-reasonless-ignores-config.toml", "./testdata/locks-many/package-lock.json", "./testdata/locks-many/composer.lock"}, + Args: []string{"", "source", "--config=./testdata/osv-scanner-reasonless-ignores-config.toml", "./testdata/locks-many-with-insecure/package-lock.json", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // invalid config file @@ -310,12 +316,40 @@ func TestCommand(t *testing.T) { // a bunch of requirements.txt files with different names { Name: "requirements.txt can have all kinds of names", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-requirements"}, + Args: []string{"", "source", "./testdata/locks-requirements"}, Exit: 1, }, { Name: "go_packages_in_osv-scanner.json_format", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner.json"}, + Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner.json"}, + Exit: 1, + }, + } + for _, tt := range tests { + t.Run(tt.Name, func(t *testing.T) { + t.Parallel() + testcmd.RunAndMatchSnapshots(t, tt) + }) + } +} + +func TestCommand_Config_UnusedIgnores(t *testing.T) { + t.Parallel() + + tests := []testcmd.Case{ + { + Name: "unused_ignores_are_reported_with_specific_config_and_file", + Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure/alpine.cdx.xml"}, + Exit: 1, + }, + { + Name: "unused_ignores_are_reported_with_specific_config_and_multiple_files", + Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure/alpine.cdx.xml", "testdata/sbom-insecure/postgres-stretch.cdx.xml"}, + Exit: 1, + }, + { + Name: "unused_ignores_are_reported_with_specific_config_and_file", + Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure"}, Exit: 1, }, } @@ -723,7 +757,6 @@ func TestCommand_LockfileWithExplicitParseAs(t *testing.T) { Args: []string{ "", "source", - "--config=./testdata/osv-scanner-empty-config.toml", "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), filepath.FromSlash("./testdata/locks-insecure"), @@ -735,7 +768,6 @@ func TestCommand_LockfileWithExplicitParseAs(t *testing.T) { Args: []string{ "", "source", - "--config=./testdata/osv-scanner-empty-config.toml", "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), "-L", "yarn.lock:" + filepath.FromSlash("./testdata/locks-insecure/my-yarn.lock"), filepath.FromSlash("./testdata/locks-insecure"), @@ -747,7 +779,6 @@ func TestCommand_LockfileWithExplicitParseAs(t *testing.T) { Args: []string{ "", "source", - "--config=./testdata/osv-scanner-empty-config.toml", "-L", "yarn.lock:" + filepath.FromSlash("./testdata/locks-insecure/my-yarn.lock"), "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), filepath.FromSlash("./testdata/locks-insecure"), @@ -844,12 +875,12 @@ func TestCommand_GithubActions(t *testing.T) { tests := []testcmd.Case{ { Name: "scanning osv-scanner custom format", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"}, + Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"}, Exit: 1, }, { Name: "scanning osv-scanner custom format output json", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"}, + Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"}, Exit: 1, }, } @@ -872,7 +903,7 @@ func TestCommand_LocalDatabases(t *testing.T) { }, { Name: "one specific supported sbom with vulns", - Args: []string{"", "source", "--offline", "--download-offline-databases", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/sbom-insecure/postgres-stretch.cdx.xml"}, + Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/sbom-insecure/postgres-stretch.cdx.xml"}, Exit: 1, }, { @@ -882,8 +913,8 @@ func TestCommand_LocalDatabases(t *testing.T) { }, { Name: "all supported lockfiles in the directory should be checked", - Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many"}, - Exit: 0, + Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many-with-insecure"}, + Exit: 1, }, { Name: "all supported lockfiles in the directory should be checked", @@ -951,7 +982,7 @@ func TestCommand_LocalDatabases_AlwaysOffline(t *testing.T) { tests := []testcmd.Case{ { Name: "a bunch of different lockfiles and ecosystem", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "./testdata/locks-requirements", "./testdata/locks-many"}, + Args: []string{"", "source", "--offline", "./testdata/locks-requirements", "./testdata/locks-many-with-insecure"}, Exit: 127, }, } @@ -1013,12 +1044,12 @@ func TestCommand_Licenses(t *testing.T) { }, { Name: "Vulnerabilities and license summary", - Args: []string{"", "source", "--licenses", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--licenses", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, { Name: "Vulnerabilities and license violations with allowlist", - Args: []string{"", "source", "--licenses=MIT", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--licenses=MIT", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, { @@ -1028,7 +1059,7 @@ func TestCommand_Licenses(t *testing.T) { }, { Name: "Vulnerabilities and all license violations allowlisted", - Args: []string{"", "source", "--licenses=Apache-2.0", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--licenses=Apache-2.0", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, { @@ -1078,12 +1109,12 @@ func TestCommand_Licenses(t *testing.T) { }, { Name: "When offline licenses summary cannot be printed", - Args: []string{"", "source", "--offline", "--licenses", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--offline", "--licenses", "./testdata/locks-many/package-lock.json"}, Exit: 127, }, { Name: "When offline licenses cannot be checked", - Args: []string{"", "source", "--offline", "--licenses=MIT", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"}, + Args: []string{"", "source", "--offline", "--licenses=MIT", "./testdata/locks-many/package-lock.json"}, Exit: 127, }, { @@ -1107,69 +1138,69 @@ func TestCommand_Transitive(t *testing.T) { tests := []testcmd.Case{ { Name: "scans transitive dependencies for pom.xml by default", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/maven-transitive/pom.xml"}, + Args: []string{"", "source", "./testdata/maven-transitive/pom.xml"}, Exit: 1, }, { Name: "scans transitive dependencies by specifying pom.xml", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "pom.xml:./testdata/maven-transitive/abc.xml"}, + Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/abc.xml"}, Exit: 1, }, { Name: "scans pom.xml with non UTF-8 encoding", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "pom.xml:./testdata/maven-transitive/encoding.xml"}, + Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/encoding.xml"}, Exit: 1, }, { // Direct dependencies do not have any vulnerability. Name: "does not scan transitive dependencies for pom.xml with offline mode", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "--download-offline-databases", "./testdata/maven-transitive/pom.xml"}, + Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/maven-transitive/pom.xml"}, Exit: 0, }, { // Direct dependencies do not have any vulnerability. Name: "does not scan transitive dependencies for pom.xml with no-resolve", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/maven-transitive/pom.xml"}, + Args: []string{"", "source", "--no-resolve", "./testdata/maven-transitive/pom.xml"}, Exit: 0, }, { Name: "scans dependencies from multiple registries", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, + Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, Exit: 1, }, { Name: "resolves transitive dependencies with native data source", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--data-source=native", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, + Args: []string{"", "source", "--data-source=native", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, Exit: 1, }, { Name: "uses native data source for requirements.txt", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-requirements/requirements.txt"}, + Args: []string{"", "source", "./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "fall back to the offline extractor if resolution failed", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-requirements/unresolvable-requirements.txt"}, + Args: []string{"", "source", "./testdata/locks-requirements/unresolvable-requirements.txt"}, Exit: 1, }, { Name: "does not scan transitive dependencies for requirements.txt with no-resolve", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/locks-requirements/requirements.txt"}, + Args: []string{"", "source", "--no-resolve", "./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "does not scan transitive dependencies for requirements.txt with offline mode", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "--download-offline-databases", "./testdata/locks-requirements/requirements.txt"}, + Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "errors_with_invalid_data_source", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--data-source=github", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, + Args: []string{"", "source", "--data-source=github", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, Exit: 127, }, { Name: "scan local disk transitive dependencies", - Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/locks-requirements/requirements-transitive.txt"}, + Args: []string{"", "source", "--no-resolve", "./testdata/locks-requirements/requirements-transitive.txt"}, Exit: 1, }, } diff --git a/cmd/osv-scanner/scan/source/testdata/artifact/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/artifact/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/artifact/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/osv-scanner.toml index cb4f5aafed5..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/osv-scanner.toml @@ -1,23 +1,2 @@ [[PackageOverrides]] -name = "stdlib" -ecosystem = "Go" ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "golang.org/x/image" -ecosystem = "Go" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "github.com/ipfs/go-bitfield" -ecosystem = "Go" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "github.com/gogo/protobuf" -ecosystem = "Go" -ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/osv-scanner.toml index cb4f5aafed5..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/osv-scanner.toml @@ -1,23 +1,2 @@ [[PackageOverrides]] -name = "stdlib" -ecosystem = "Go" ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "golang.org/x/image" -ecosystem = "Go" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "github.com/ipfs/go-bitfield" -ecosystem = "Go" -ignore = true -reason = "This is an intentionally vulnerable test project" - -[[PackageOverrides]] -name = "github.com/gogo/protobuf" -ecosystem = "Go" -ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/scan/source/testdata/config-invalid/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/config-invalid/osv-scanner-test.toml similarity index 100% rename from cmd/osv-scanner/scan/source/testdata/config-invalid/osv-scanner.toml rename to cmd/osv-scanner/scan/source/testdata/config-invalid/osv-scanner-test.toml diff --git a/cmd/osv-scanner/scan/source/testdata/go-project/nested/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/go-project/nested/osv-scanner.toml index abab9245b22..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/go-project/nested/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/go-project/nested/osv-scanner.toml @@ -1,5 +1,2 @@ [[PackageOverrides]] -name = "stdlib" -ecosystem = "Go" ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/scan/source/testdata/go-project/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/go-project/osv-scanner.toml index abab9245b22..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/go-project/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/go-project/osv-scanner.toml @@ -1,5 +1,2 @@ [[PackageOverrides]] -name = "stdlib" -ecosystem = "Go" ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-git/osv-scanner.json b/cmd/osv-scanner/scan/source/testdata/locks-git/osv-scanner.json index 3aa6265f63f..b2259661e34 100644 --- a/cmd/osv-scanner/scan/source/testdata/locks-git/osv-scanner.json +++ b/cmd/osv-scanner/scan/source/testdata/locks-git/osv-scanner.json @@ -33,6 +33,63 @@ "commit": "aea7aaf2abb04789f5868cbabec406ea43aa84bf", "version": "openssl-3.5.0" } + }, + { + "//1": "commit is for a completely different repository that does have vulns", + "package": { + "name": "https://github.com/apache/orc", + "commit": "17b30e96476be70b8773b2b807bab857fd3ceb39", + "version": "v3.19.0" + } + }, + { + "//1": "matches an advisory whose repo url does not start with the http protocol, which should not matter", + "package": { + "name": "http://github.com/boostorg/boost", + "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", + "version": "boost-1.67.0" + } + }, + { + "//1": "matches an advisory whose repo url does not start with the git protocol, which should not matter", + "package": { + "name": "git://github.com/boostorg/boost", + "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", + "version": "boost-1.67.0" + } + }, + { + "//1": "matches an advisory even though the repo url has no protocol, which should not matter", + "package": { + "name": "github.com/boostorg/boost", + "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", + "version": "boost-1.67.0" + } + }, + { + "//1": "matches an advisory whose repo url ends with .git, which should not matter", + "package": { + "name": "https://github.com/boostorg/boost", + "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", + "version": "boost-1.67.0" + } + }, + { + "//1": "matches an advisory whose repo url does not end .git, which should not matter", + "package": { + "name": "https://github.com/capricorn86/happy-dom.git", + "commit": "f82211036f434593c69b8e3680ea65203a46d315", + "version": "v11.1.0" + } + }, + { + "//1": "matches advisories whose repo urls are a different case, which should be respected", + "//2": "note in future this might change for github and gitlab, as they are not case-sensitive", + "package": { + "name": "https://github.com/Exiv2/exiv2", + "commit": "931a40a746f5678dcc4625b06a2eb25fa4f00b34", + "version": "v0.28.0" + } } ] } diff --git a/cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.toml index d99ee09e85c..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.toml @@ -1,5 +1,2 @@ [[PackageOverrides]] -name = "league/flysystem" -ecosystem = "Packagist" ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/Gemfile.lock b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/Gemfile.lock new file mode 100644 index 00000000000..19a42f0fbc7 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/Gemfile.lock @@ -0,0 +1,16 @@ +GEM + remote: https://rubygems.org/ + specs: + ast (2.4.2) + +PLATFORMS + x86_64-linux + +DEPENDENCIES + ast + +RUBY VERSION + ruby 3.0.2p107 + +BUNDLED WITH + 2.2.28 diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many/alpine.cdx.xml b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/alpine.cdx.xml similarity index 100% rename from cmd/osv-scanner/scan/source/testdata/locks-many/alpine.cdx.xml rename to cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/alpine.cdx.xml diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/composer.lock b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/composer.lock new file mode 100644 index 00000000000..3cfadf73cb4 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/composer.lock @@ -0,0 +1,51 @@ +{ + "_readme": [ + "This file locks the dependencies of your project to a known state", + "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "This file is @generated automatically" + ], + "content-hash": "439b16dd5df2e0730bd1cc4352654d09", + "packages": [ + { + "name": "sentry/sdk", + "version": "2.0.4", + "source": { + "type": "git", + "url": "https://github.com/getsentry/sentry-php-sdk.git", + "reference": "4c115873c86ad5bd0ac6d962db70ca53bf8fb874" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/getsentry/sentry-php-sdk/zipball/4c115873c86ad5bd0ac6d962db70ca53bf8fb874", + "reference": "4c115873c86ad5bd0ac6d962db70ca53bf8fb874", + "shasum": "" + }, + "require": { + "http-interop/http-factory-guzzle": "^1.0", + "php-http/curl-client": "^1.0|^2.0", + "sentry/sentry": "^2.1.3" + }, + "type": "metapackage", + "notification-url": "https://packagist.org/downloads/", + "license": ["MIT"], + "authors": [ + { + "name": "Sentry", + "email": "accounts@sentry.io" + } + ], + "description": "This is a metapackage shipping sentry/sentry with a recommended http client.", + "time": "2019-09-09T19:54:44+00:00" + } + ], + "packages-dev": [], + "aliases": [], + "minimum-stability": "dev", + "stability-flags": [], + "prefer-stable": true, + "prefer-lowest": false, + "platform": { + "php": "^7.1.3" + }, + "platform-dev": [] +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/installed b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/installed new file mode 100644 index 00000000000..181245d8265 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/installed @@ -0,0 +1,32 @@ +C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= +P:apk-tools +V:2.12.10-r1 +A:x86_64 +S:120973 +I:307200 +T:Alpine Package Keeper - package manager for alpine +U:https://gitlab.alpinelinux.org/alpine/apk-tools +L:GPL-2.0-only +o:apk-tools +m:Natanael Copa +t:1666552494 +c:0188f510baadbae393472103427b9c1875117136 +D:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 +p:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 +F:etc +F:etc/apk +F:etc/apk/keys +F:etc/apk/protected_paths.d +F:lib +R:libapk.so.3.12.0 +a:0:0:755 +Z:Q1opjpYqXgzmOVo7EbNe8l5Xol08g= +F:lib/apk +F:lib/apk/exec +F:sbin +R:apk +a:0:0:755 +Z:Q1/4bmOPe/H1YhHRzlrj27oufThMw= +F:var +F:var/lib +F:var/lib/apk \ No newline at end of file diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/not-a-lockfile.toml b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/not-a-lockfile.toml new file mode 100644 index 00000000000..3e4db4a63ef --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/not-a-lockfile.toml @@ -0,0 +1 @@ +_="whatever this is, it's not a lockfile!" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/package-lock.json new file mode 100644 index 00000000000..e3a2d44973c --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/package-lock.json @@ -0,0 +1,9 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1" + } + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/replace-local.mod b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/replace-local.mod new file mode 100644 index 00000000000..b8a116300bf --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/replace-local.mod @@ -0,0 +1,7 @@ +require ( + golang.org/x/net v1.2.3 +) + +replace ( + golang.org/x/net v1.2.3 => ./fork/net +) diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/status b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/status new file mode 100644 index 00000000000..d17f8d40531 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/status @@ -0,0 +1,31 @@ +Package: adduser +Status: install ok installed +Priority: important +Section: admin +Installed-Size: 849 +Maintainer: redacted +Architecture: all +Multi-Arch: foreign +Version: 3.118 +Depends: passwd, debconf (>= 0.5) | debconf-2.0 +Suggests: liblocale-gettext-perl, perl +Conffiles: + /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2 +Description: add and remove users and groups + This package includes the 'adduser' and 'deluser' commands for creating + and removing users. + . + - 'adduser' creates new users and groups and adds existing users to + existing groups; + - 'deluser' removes users and groups and removes users from a given + group. + . + Adding users with 'adduser' is much easier than adding them manually. + Adduser will choose appropriate UID and GID values, create a home + directory, copy skeletal user configuration, and automate setting + initial values for the user's password, real name and so on. + . + Deluser can back up and remove users' home directories + and mail spool or all the files they own on the system. + . + A custom script can be executed after each of the commands. \ No newline at end of file diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/yarn.lock b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/yarn.lock new file mode 100644 index 00000000000..65a4fc7dff4 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/yarn.lock @@ -0,0 +1,7 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + +balanced-match@^1.0.0: + version "1.0.2" + resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee" + integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw== diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner-test.toml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner.toml deleted file mode 100644 index 67c2b6ee859..00000000000 --- a/cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner.toml +++ /dev/null @@ -1,12 +0,0 @@ -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" -# ignore_until = 2022-11-09 -reason = "Test manifest file" - -[[IgnoredVulns]] -id = "CVE-2022-48174" -reason = "Test manifest file (alpine.cdx.xml)" - -[[IgnoredVulns]] -id = "CVE-2025-26519" -reason = "Test manifest file (alpine.cdx.xml)" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-many/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-many/package-lock.json index e3a2d44973c..5f0c6681b24 100644 --- a/cmd/osv-scanner/scan/source/testdata/locks-many/package-lock.json +++ b/cmd/osv-scanner/scan/source/testdata/locks-many/package-lock.json @@ -3,7 +3,7 @@ "lockfileVersion": 1, "dependencies": { "ansi-html": { - "version": "0.0.1" + "version": "0.0.8" } } } diff --git a/cmd/osv-scanner/scan/source/testdata/locks-scalibr/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-scalibr/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-scalibr/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner-test.toml new file mode 100644 index 00000000000..6b6d8b344ee --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner-test.toml @@ -0,0 +1,3 @@ +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner.toml index 6b6d8b344ee..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner.toml @@ -1,3 +1,2 @@ -[[IgnoredVulns]] -id = "CVE-2021-23424" -reason = "Test manifest file (package-lock.json)" +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/maven-transitive/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/maven-transitive/osv-scanner.toml index c9314edd752..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/maven-transitive/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/maven-transitive/osv-scanner.toml @@ -1,5 +1,2 @@ [[PackageOverrides]] -name = "org.apache.logging.log4j:log4j-core" -ecosystem = "Maven" ignore = true -reason = "This is an intentionally vulnerable test project" diff --git a/cmd/osv-scanner/scan/source/testdata/osv-scanner-partial-ignores-config.toml b/cmd/osv-scanner/scan/source/testdata/osv-scanner-partial-ignores-config.toml new file mode 100644 index 00000000000..0b0e4c66ac8 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/osv-scanner-partial-ignores-config.toml @@ -0,0 +1,16 @@ +[[IgnoredVulns]] +id = "CVE-2025-26519" # in alpine.cdx.xml + +[[IgnoredVulns]] +id = "CVE-2018-25032" # in alpine.cdx.xml + +[[IgnoredVulns]] +id = "GO-2022-0274" # in postgres-stretch.cdx.xml + +[[IgnoredVulns]] +id = "CVE-2019-5188" +ignoreUntil = 2020-01-01 + +[[IgnoredVulns]] +id = "CVE-2022-1304" +ignoreUntil = 2100-01-01 diff --git a/cmd/osv-scanner/scan/source/testdata/sbom-insecure/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/sbom-insecure/osv-scanner.toml index 4a3e9070b85..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/scan/source/testdata/sbom-insecure/osv-scanner.toml +++ b/cmd/osv-scanner/scan/source/testdata/sbom-insecure/osv-scanner.toml @@ -1,3 +1,2 @@ [[PackageOverrides]] ignore = true -reason = "This is an intentionally vulnerable test sbom" diff --git a/cmd/osv-scanner/scan/source/testmain_test.go b/cmd/osv-scanner/scan/source/testmain_test.go index 566606d3584..8d137ac7e7f 100644 --- a/cmd/osv-scanner/scan/source/testmain_test.go +++ b/cmd/osv-scanner/scan/source/testmain_test.go @@ -7,11 +7,14 @@ import ( "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source" + "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { + config.OSVScannerConfigName = "osv-scanner-test.toml" + cleanupGitFixtures, err := testcmd.SetupGitFixtures() if err != nil { diff --git a/cmd/osv-scanner/scan/testmain_test.go b/cmd/osv-scanner/scan/testmain_test.go index 9919dbe2101..91ead6d4bd6 100644 --- a/cmd/osv-scanner/scan/testmain_test.go +++ b/cmd/osv-scanner/scan/testmain_test.go @@ -7,11 +7,14 @@ import ( "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" + "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { + config.OSVScannerConfigName = "osv-scanner-test.toml" + cleanupGitFixtures, err := testcmd.SetupGitFixtures() if err != nil { diff --git a/cmd/osv-scanner/testdata/locks-many/osv-scanner.toml b/cmd/osv-scanner/testdata/locks-many/osv-scanner.toml index 67c2b6ee859..dfafb8fb5fe 100644 --- a/cmd/osv-scanner/testdata/locks-many/osv-scanner.toml +++ b/cmd/osv-scanner/testdata/locks-many/osv-scanner.toml @@ -1,12 +1,2 @@ -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" -# ignore_until = 2022-11-09 -reason = "Test manifest file" - -[[IgnoredVulns]] -id = "CVE-2022-48174" -reason = "Test manifest file (alpine.cdx.xml)" - -[[IgnoredVulns]] -id = "CVE-2025-26519" -reason = "Test manifest file (alpine.cdx.xml)" +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/testmain_test.go b/cmd/osv-scanner/testmain_test.go index 12b64645b07..920cc9ee74a 100644 --- a/cmd/osv-scanner/testmain_test.go +++ b/cmd/osv-scanner/testmain_test.go @@ -9,11 +9,14 @@ import ( "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" "github.com/google/osv-scanner/v2/cmd/osv-scanner/update" + "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { + config.OSVScannerConfigName = "osv-scanner-test.toml" + cleanupGitFixtures, err := testcmd.SetupGitFixtures() if err != nil { diff --git a/cmd/osv-scanner/update/testdata/osv-scanner.toml b/cmd/osv-scanner/update/testdata/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/update/testdata/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/docs/github-action.md b/docs/github-action.md index fa63551cdcd..ff62f68c47c 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -54,7 +54,7 @@ permissions: jobs: scan-pr: - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.2.3" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.2.4" ``` ### View results @@ -97,7 +97,7 @@ permissions: jobs: scan-scheduled: - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.3" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.4" ``` As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule). @@ -132,7 +132,7 @@ permissions: jobs: osv-scan: - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.2.3" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.2.4" with: # Only scan the top level go.mod file without recursively scanning directories since # this is pipeline is about releasing the go module and binary @@ -184,7 +184,7 @@ Examples ```yml jobs: scan-pr: - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.3" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.4" with: scan-args: |- --lockfile=./path/to/lockfile1 @@ -196,7 +196,7 @@ jobs: ```yml jobs: scan-pr: - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.3" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.4" with: scan-args: |- --recursive @@ -222,7 +222,7 @@ jobs: name: Vulnerability scanning # makes sure the extraction step is completed before running the scanner needs: extract-deps - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.3" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.4" with: # Download the artifact uploaded in extract-deps step download-artifact: converted-OSV-Scanner-deps diff --git a/go.mod b/go.mod index 7705a97eeab..570a2425243 100644 --- a/go.mod +++ b/go.mod @@ -4,24 +4,26 @@ go 1.24.6 require ( deps.dev/api/v3 v3.0.0-20250917073939-6ff3dd7d2eea + deps.dev/api/v3alpha v0.0.0-20250903005441-604c45d5b44b deps.dev/util/maven v0.0.0-20250917073939-6ff3dd7d2eea deps.dev/util/resolve v0.0.0-20250917073939-6ff3dd7d2eea deps.dev/util/semver v0.0.0-20250917073939-6ff3dd7d2eea github.com/BurntSushi/toml v1.5.0 - github.com/CycloneDX/cyclonedx-go v0.9.2 + github.com/CycloneDX/cyclonedx-go v0.9.3 github.com/charmbracelet/bubbles v0.21.0 github.com/charmbracelet/bubbletea v1.3.10 github.com/charmbracelet/glamour v0.10.0 github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834 github.com/gkampitakis/go-snaps v0.5.15 - github.com/go-git/go-git/v5 v5.16.2 + github.com/go-git/go-git/v5 v5.16.3 github.com/google/go-cmp v0.7.0 - github.com/google/osv-scalibr v0.3.4 + github.com/google/osv-scalibr v0.3.7-0.20251023161426-90e9ac9cc1b3 github.com/ianlancetaylor/demangle v0.0.0-20250628045327-2d64ad6b7ec5 github.com/jedib0t/go-pretty/v6 v6.6.8 + github.com/modelcontextprotocol/go-sdk v1.0.0 github.com/muesli/reflow v0.3.0 github.com/opencontainers/go-digest v1.0.0 - github.com/ossf/osv-schema/bindings/go v0.0.0-20250926044009-f6ae0b6bae32 + github.com/ossf/osv-schema/bindings/go v0.0.0-20251012234424-434020c6442f github.com/owenrumney/go-sarif/v3 v3.2.3 github.com/package-url/packageurl-go v0.1.3 github.com/pandatix/go-cvss v0.6.2 @@ -29,21 +31,21 @@ require ( github.com/tidwall/pretty v1.2.1 github.com/tidwall/sjson v1.2.5 github.com/urfave/cli/v3 v3.4.1 - golang.org/x/net v0.44.0 + golang.org/x/net v0.46.0 golang.org/x/sync v0.17.0 - golang.org/x/term v0.35.0 + golang.org/x/term v0.36.0 golang.org/x/vuln v1.1.4 - google.golang.org/grpc v1.75.1 - google.golang.org/protobuf v1.36.9 + google.golang.org/grpc v1.76.0 + google.golang.org/protobuf v1.36.10 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 - osv.dev/bindings/go v0.0.0-20250929041518-3b73304a1688 + osv.dev/bindings/go v0.0.0-20251013010847-b847e93bd9b0 ) require ( + bitbucket.org/creachadair/stringset v0.0.14 // indirect cloud.google.com/go/compute/metadata v0.8.4 // indirect dario.cat/mergo v1.0.2 // indirect - deps.dev/api/v3alpha v0.0.0-20250903005441-604c45d5b44b // indirect deps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect @@ -53,6 +55,7 @@ require ( github.com/ProtonMail/go-crypto v1.3.0 // indirect github.com/agext/levenshtein v1.2.3 // indirect github.com/alecthomas/chroma/v2 v2.19.0 // indirect + github.com/anchore/go-lzo v0.1.0 // indirect github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 // indirect github.com/atotto/clipboard v0.1.4 // indirect github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect @@ -63,6 +66,7 @@ require ( github.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e // indirect github.com/charmbracelet/x/term v0.2.1 // indirect github.com/cloudflare/circl v1.6.1 // indirect + github.com/compose-spec/compose-go/v2 v2.8.1 // indirect github.com/containerd/cgroups/v3 v3.0.5 // indirect github.com/containerd/containerd v1.7.27 // indirect github.com/containerd/containerd/api v1.9.0 // indirect @@ -76,9 +80,11 @@ require ( github.com/containerd/ttrpc v1.2.7 // indirect github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cyphar/filepath-securejoin v0.4.1 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect + github.com/diskfs/go-diskfs v1.7.0 // indirect github.com/distribution/reference v0.6.0 // indirect + github.com/djherbis/times v1.6.0 // indirect github.com/dlclark/regexp2 v1.11.5 // indirect github.com/docker/cli v28.3.3+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect @@ -87,24 +93,31 @@ require ( github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 // indirect github.com/docker/go-units v0.5.0 // indirect + github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 // indirect + github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/edsrzf/mmap-go v1.2.0 // indirect + github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect github.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/gkampitakis/ciinfo v0.3.2 // indirect github.com/gkampitakis/go-diff v1.3.2 // indirect + github.com/go-errors/errors v1.0.2 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.6.2 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.2.6 // indirect + github.com/go-restruct/restruct v1.2.0-alpha // indirect + github.com/go-viper/mapstructure/v2 v2.4.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/goccy/go-yaml v1.18.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/google/go-containerregistry v0.20.6 // indirect + github.com/google/jsonschema-go v0.3.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gorilla/css v1.0.1 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect @@ -113,10 +126,13 @@ require ( github.com/kr/pretty v0.3.1 // indirect github.com/kr/text v0.2.0 // indirect github.com/lucasb-eyer/go-colorful v1.2.0 // indirect + github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect github.com/maruel/natural v1.1.1 // indirect + github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-localereader v0.0.1 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect + github.com/mattn/go-shellwords v1.0.12 // indirect github.com/microcosm-cc/bluemonday v1.0.27 // indirect github.com/micromdm/plist v0.2.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect @@ -135,8 +151,10 @@ require ( github.com/opencontainers/image-spec v1.1.1 // indirect github.com/opencontainers/runtime-spec v1.2.1 // indirect github.com/opencontainers/selinux v1.12.0 // indirect + github.com/pierrec/lz4/v4 v4.1.17 // indirect github.com/pjbgf/sha1cd v0.4.0 // indirect github.com/pkg/errors v0.9.1 // indirect + github.com/pkg/xattr v0.4.9 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect github.com/rivo/uniseg v0.4.7 // indirect @@ -144,25 +162,30 @@ require ( github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect github.com/saferwall/pe v1.5.7 // indirect github.com/sahilm/fuzzy v0.1.1 // indirect + github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect github.com/sergi/go-diff v1.4.0 // indirect github.com/shirou/gopsutil v3.21.11+incompatible // indirect - github.com/sirupsen/logrus v1.9.3 // indirect + github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect github.com/skeema/knownhosts v1.3.1 // indirect github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb // indirect github.com/spdx/tools-golang v0.5.5 // indirect + github.com/thoas/go-funk v0.9.3 // indirect github.com/tidwall/jsonc v0.3.2 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tink-crypto/tink-go/v2 v2.4.0 // indirect github.com/tklauser/go-sysconf v0.3.15 // indirect github.com/tklauser/numcpus v0.10.0 // indirect github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect + github.com/ulikunitz/xz v0.5.15 // indirect github.com/vbatts/tar-split v0.12.1 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect + github.com/xhit/go-str2duration/v2 v2.1.0 // indirect github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect + github.com/yosida95/uritemplate/v3 v3.0.2 // indirect github.com/yuin/goldmark v1.7.12 // indirect github.com/yuin/goldmark-emoji v1.0.6 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect @@ -173,25 +196,29 @@ require ( go.opentelemetry.io/otel v1.37.0 // indirect go.opentelemetry.io/otel/metric v1.37.0 // indirect go.opentelemetry.io/otel/trace v1.37.0 // indirect + go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.17.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect - golang.org/x/crypto v0.42.0 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect + golang.org/x/crypto v0.43.0 // indirect golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect - golang.org/x/mod v0.27.0 // indirect + golang.org/x/mod v0.28.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 // indirect - golang.org/x/text v0.29.0 // indirect - golang.org/x/tools v0.36.0 // indirect + golang.org/x/sys v0.37.0 // indirect + golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 // indirect + golang.org/x/text v0.30.0 // indirect + golang.org/x/tools v0.37.0 // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect gopkg.in/warnings.v0 v0.1.2 // indirect modernc.org/libc v1.66.3 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect modernc.org/sqlite v1.38.0 // indirect sigs.k8s.io/yaml v1.5.0 // indirect + www.velocidex.com/golang/go-ntfs v0.2.0 // indirect www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 // indirect ) diff --git a/go.sum b/go.sum index deee33e5dc1..1be1adba6df 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +bitbucket.org/creachadair/stringset v0.0.14 h1:t1ejQyf8utS4GZV/4fM+1gvYucggZkfhb+tMobDxYOE= +bitbucket.org/creachadair/stringset v0.0.14/go.mod h1:Ej8fsr6rQvmeMDf6CCWMWGb14H9mz8kmDgPPTdiVT0w= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go/compute/metadata v0.8.4 h1:oXMa1VMQBVCyewMIOm3WQsnVd9FbKBtm8reqWRaXnHQ= cloud.google.com/go/compute/metadata v0.8.4/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= @@ -24,8 +26,8 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg6 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= -github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo= -github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg= +github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI= +github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg= github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI= github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= @@ -37,12 +39,18 @@ github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBi github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/alecthomas/assert v1.0.0 h1:3XmGh/PSuLzDbK3W2gUbRXwgW5lqPkuqvRgeQ30FI5o= +github.com/alecthomas/assert v1.0.0/go.mod h1:va/d2JC+M7F6s+80kl/R3G7FUiW6JzUO+hPhLyJ36ZY= github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0= github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k= github.com/alecthomas/chroma/v2 v2.19.0 h1:Im+SLRgT8maArxv81mULDWN8oKxkzboH07CHesxElq4= github.com/alecthomas/chroma/v2 v2.19.0/go.mod h1:RVX6AvYm4VfYe/zsk7mjHueLDZor3aWCNE14TFlepBk= +github.com/alecthomas/colour v0.1.0 h1:nOE9rJm6dsZ66RGWYSFrXw461ZIt9A6+nHgL7FRrDUk= +github.com/alecthomas/colour v0.1.0/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0= github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc= github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4= +github.com/anchore/go-lzo v0.1.0 h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs= +github.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk= github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 h1:r8/1fxpbDMlQO6GgQiud1uL5eAu3p/NVUmfNx95/KY8= github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= @@ -87,6 +95,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/compose-spec/compose-go/v2 v2.8.1 h1:27O4dzyhiS/UEUKp1zHOHCBWD1WbxGsYGMNNaSejTk4= +github.com/compose-spec/compose-go/v2 v2.8.1/go.mod h1:veko/VB7URrg/tKz3vmIAQDaz+CGiXH8vZsW79NmAww= github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo= github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins= github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= @@ -115,12 +125,17 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb h1:4W/2rQ3wzEimF5s+J6OY3ODiQtJZ5W1sForSgogVXkY= github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk= +github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8= +github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c= +github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0= github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ= github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo= @@ -137,6 +152,12 @@ github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 h1:EHZfspsnLAz8Hz github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 h1:LzrKhEeL5tqo8i86+5a8JgL5cEJBRspVm4FsKRK/gxA= +github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589/go.mod h1:zs3tKt0dOHncKZ7QhimWwN9RP7f6W6CLdjRfscKvvcA= +github.com/dsoprea/go-logging v0.0.0-20190624164917-c4f10aab7696/go.mod h1:Nm/x2ZUNRW6Fe5C3LxdY1PyZY5wmDv/s5dkPJ/VB3iA= +github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd h1:l+vLbuxptsC6VQyQsfD7NnEC8BZuFpz45PgY+pH8YTg= +github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd/go.mod h1:7I+3Pe2o/YSU88W0hWlm9S22W7XI1JFNJ86U0zPKMf8= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= @@ -144,6 +165,8 @@ github.com/edsrzf/mmap-go v1.2.0 h1:hXLYlkbaPzt1SaQk+anYwKSRNhufIDCchSPkUD6dD84= github.com/edsrzf/mmap-go v1.2.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o= github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE= +github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY= +github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= @@ -166,14 +189,17 @@ github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5z github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2 h1:xMxH9j2fNg/L4hLn/4y3M0IUsn0M6Wbu/Uh9QlOfBh4= +github.com/go-errors/errors v1.0.2/go.mod h1:psDX2osz5VnTOnFWbDeWwS7yejl+uV3FEWEp4lssFEs= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM= github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM= -github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8= +github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= @@ -181,6 +207,13 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-restruct/restruct v0.0.0-20190418070341-acd4e4c2cb35/go.mod h1:e2k/t2/850rC773ilFYQSoqyJ78SpTx7gtFtOY6/AYA= +github.com/go-restruct/restruct v1.2.0-alpha h1:2Lp474S/9660+SJjpVxoKuWX09JsXHSrdV7Nv3/gkvc= +github.com/go-restruct/restruct v1.2.0-alpha/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk= +github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= +github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= @@ -219,8 +252,10 @@ github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEEQBjRlYx77mHOvXu08oGchxej7o= github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y= -github.com/google/osv-scalibr v0.3.4 h1:YoHviDLM6/FIEfqH1nuLdImmqmg4XGYL0kr0s+6T+sk= -github.com/google/osv-scalibr v0.3.4/go.mod h1:YeOH2wz0HlccjDbYYYTcX01ZyAuwqhZcpQFV7Cxsrwo= +github.com/google/jsonschema-go v0.3.0 h1:6AH2TxVNtk3IlvkkhjrtbUc4S8AvO0Xii0DxIygDg+Q= +github.com/google/jsonschema-go v0.3.0/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE= +github.com/google/osv-scalibr v0.3.7-0.20251023161426-90e9ac9cc1b3 h1:JNLsaIi+lHdzsKoxcDmMBZCbE/qKi/mt9N3eQRxrThc= +github.com/google/osv-scalibr v0.3.7-0.20251023161426-90e9ac9cc1b3/go.mod h1:XN3PWSKiShu3MXb+9nGtwLGHWXarZ/0lfbovOhPKTRc= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -238,6 +273,7 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedib0t/go-pretty/v6 v6.6.8 h1:JnnzQeRz2bACBobIaa/r+nqjvws4yEhcmaZ4n1QzsEc= github.com/jedib0t/go-pretty/v6 v6.6.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= @@ -255,8 +291,12 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= +github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc= +github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg= github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= +github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd h1:JEIW94K3spsvBI5Xb9PGhKSIza9/jxO1lF30tPCAJlA= +github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4= @@ -264,6 +304,8 @@ github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+Ei github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= +github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= github.com/micromdm/plist v0.2.1 h1:4SoSMOVAyzv1ThT8IKLgXLJEKezLkcVDN6wivqTTFdo= @@ -290,6 +332,8 @@ github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA= github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/modelcontextprotocol/go-sdk v1.0.0 h1:Z4MSjLi38bTgLrd/LjSmofqRqyBiVKRyQSJgw8q8V74= +github.com/modelcontextprotocol/go-sdk v1.0.0/go.mod h1:nYtYQroQ2KQiM0/SbyEPUWQ6xs4B95gJjEalc9AQyOs= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= @@ -314,19 +358,24 @@ github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8= github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U= -github.com/ossf/osv-schema/bindings/go v0.0.0-20250926044009-f6ae0b6bae32 h1:QFuqxEaRdRapDSJYMrl/5vAxYl5ZvIqtWszhuy/EeRs= -github.com/ossf/osv-schema/bindings/go v0.0.0-20250926044009-f6ae0b6bae32/go.mod h1:/ypmJBpoMvgNp4g93snzyYoyIPmZfLdSiGn/Vq07Dfo= +github.com/ossf/osv-schema/bindings/go v0.0.0-20251012234424-434020c6442f h1:0AlxQEA7JATli/nATcQ66fAASlokay8Qpcdjhqxd1gU= +github.com/ossf/osv-schema/bindings/go v0.0.0-20251012234424-434020c6442f/go.mod h1:/ypmJBpoMvgNp4g93snzyYoyIPmZfLdSiGn/Vq07Dfo= github.com/owenrumney/go-sarif/v3 v3.2.3 h1:n6mdX5ugKwCrZInvBsf6WumXmpAe3mbmQXgkXlIq34U= github.com/owenrumney/go-sarif/v3 v3.2.3/go.mod h1:1bV7t8SZg7pX41spaDkEUs8/yEjzk9JapztMoX1XNjg= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= github.com/pandatix/go-cvss v0.6.2 h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI= github.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q= +github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc= +github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pjbgf/sha1cd v0.4.0 h1:NXzbL1RvjTUi6kgYZCX3fPwwl27Q1LJndxtUDVfJGRY= github.com/pjbgf/sha1cd v0.4.0/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE= +github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= @@ -350,6 +399,10 @@ github.com/saferwall/pe v1.5.7 h1:fxlRLvhyr+3cIs1yturWhWmgACIu147o+xSEYFlUAyA= github.com/saferwall/pe v1.5.7/go.mod h1:mJx+PuptmNpoPFBNhWs/uDMFL/kTHVZIkg0d4OUJFbQ= github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA= github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= +github.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc= +github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d h1:RQqyEogx5J6wPdoxqL132b100j8KjcVHO1c0KLRoIhc= github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d/go.mod h1:PegD7EVqlN88z7TpCqH92hHP+GBpfomGCCnw1PFtNOA= github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= @@ -357,8 +410,8 @@ github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepq github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI= github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= @@ -383,6 +436,8 @@ github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQ github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slHPRKTTHT+XSHkepo= github.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw= +github.com/thoas/go-funk v0.9.3 h1:7+nAEx3kn5ZJcnDm2Bh23N2yOtweO14bi//dvRtgLpw= +github.com/thoas/go-funk v0.9.3/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= @@ -403,6 +458,8 @@ github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfj github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ= github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10LaZdB8kkVEaoXvAMVan2tl9AiK4G0odjQtE= github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli/v3 v3.4.1 h1:1M9UOCy5bLmGnuu1yn3t3CB4rG79Rtoxuv1sPhnm6qM= github.com/urfave/cli/v3 v3.4.1/go.mod h1:FJSKtM/9AiiTOJL4fJ6TbMUkxBXn7GO9guZqoZtpYpo= github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= @@ -416,8 +473,12 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= +github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= +github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4= +github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= @@ -451,19 +512,24 @@ go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mx go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= +go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.17.0 h1:MTjgFu6ZLKvY6Pvaqk97GlxNBuMpV4Hy/3P6tRGlI2U= +go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= -go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE= -go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= -golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= +golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= +golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc h1:TS73t7x3KarrNd5qAipmspBDS1rkMcgVG/fS1aRb4Rc= golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= @@ -473,22 +539,24 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= -golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= +golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U= +golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I= -golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= +golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= +golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= @@ -505,6 +573,7 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -512,25 +581,27 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= -golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 h1:3doPGa+Gg4snce233aCWnbZVFsyFMo/dR40KK/6skyE= -golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 h1:dHQOQddU4YHS5gY33/6klKjq7Gp3WwMyOXGNp5nzRj8= +golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053/go.mod h1:+nZKN+XVh4LCiA9DV3ywrzN4gumyCnKjau3NGb9SGoE= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= -golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= +golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= +golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= -golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= +golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= +golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -542,8 +613,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= -golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= +golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= +golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY= golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= @@ -565,17 +636,17 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 h1:FGOcxvKlJgRBVbXeugjljCfCgfKWhC42FBoYmTCWVBs= google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:249YoW4b1INqFTEop2T4aJgiO7UBYJrpejsaLvjWfI8= -google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 h1:FiusG7LWj+4byqhbvmB+Q93B/mOxJLN2DTozDuZm4EU= -google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:kXqgZtrWaf6qS3jZOCnCH7WYfrvFjkC51bM8fz3RsCA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b h1:ULiyYQ0FdsJhwwZUwbaXpZF5yUE3h+RA+gxvBu37ucc= +google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:oDOGiMSXHL4sDTJvFvIB9nRQCGdLP1o/iVaqQK8zB+M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= -google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= +google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= +google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -585,8 +656,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw= -google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= @@ -596,12 +667,15 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= -gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= +gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM= @@ -630,10 +704,12 @@ modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= -osv.dev/bindings/go v0.0.0-20250929041518-3b73304a1688 h1:ZoNfLkmA0fMDPvviJkh0cJKNkZS1+urQDurQ4p4OIjA= -osv.dev/bindings/go v0.0.0-20250929041518-3b73304a1688/go.mod h1:Q/9axnazyiBRWDN5ruXSGRkH3wrBS5ejQCkflp/VyFg= +osv.dev/bindings/go v0.0.0-20251013010847-b847e93bd9b0 h1:Ifkkko1GPrSnkoexWdoJXpQDta+JCq/KLfyHpTHEmcE= +osv.dev/bindings/go v0.0.0-20251013010847-b847e93bd9b0/go.mod h1:rdPwQuPQTR0mCfqasd9g0UYFuHWD/iXmj1E+YXuGYeg= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ= sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4= +www.velocidex.com/golang/go-ntfs v0.2.0 h1:JLS4hOQLupiVzo+1z4Xb8AZyIaXHDmiGnKyoM/bRYq0= +www.velocidex.com/golang/go-ntfs v0.2.0/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc= www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 h1:BMX/37sYwX+8JhHt+YNbPfbx7dXG1w1L1mXonNBtjt0= www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7/go.mod h1:pxSECT5mWM3goJ4sxB4HCJNKnKqiAlpyT8XnvBwkLGU= diff --git a/goreleaser-action.dockerfile b/goreleaser-action.dockerfile index 513b61031d9..dba71cf3a14 100644 --- a/goreleaser-action.dockerfile +++ b/goreleaser-action.dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.25.1-alpine3.21@sha256:331bde41663c297cba0f5abf37e929be644f3cbd84bf45f49b0df9d774f4d912 +FROM golang:1.25.3-alpine3.21@sha256:0c9f3e09a50a6c11714dbc37a6134fd0c474690030ed07d23a61755afd3a812f RUN apk --no-cache add \ ca-certificates \ git \ diff --git a/goreleaser.dockerfile b/goreleaser.dockerfile index a6801b57b71..3be2925e261 100644 --- a/goreleaser.dockerfile +++ b/goreleaser.dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.25.1-alpine3.21@sha256:331bde41663c297cba0f5abf37e929be644f3cbd84bf45f49b0df9d774f4d912 +FROM golang:1.25.3-alpine3.21@sha256:0c9f3e09a50a6c11714dbc37a6134fd0c474690030ed07d23a61755afd3a812f RUN apk add --no-cache \ ca-certificates \ diff --git a/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go b/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go deleted file mode 100644 index d508cbab3c8..00000000000 --- a/internal/clients/clientimpl/baseimagematcher/baseimagematcher.go +++ /dev/null @@ -1,228 +0,0 @@ -// Package baseimagematcher implements a client for matching base images using the deps.dev API. -package baseimagematcher - -import ( - "context" - "encoding/json" - "errors" - "fmt" - "io" - "math" - "math/rand/v2" - "net/http" - "slices" - "strings" - "time" - - "github.com/google/go-cmp/cmp" - "github.com/google/osv-scanner/v2/internal/cmdlogger" - "github.com/google/osv-scanner/v2/pkg/models" - "github.com/opencontainers/go-digest" - "golang.org/x/sync/errgroup" -) - -const ( - maxConcurrentRequests = 1000 - APIEndpoint = "https://api.deps.dev/v3alpha/querycontainerimages/" - // DigestSHA256EmptyTar is the canonical sha256 digest of empty tar file - - // (1024 NULL bytes) - DigestSHA256EmptyTar = digest.Digest("sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef") -) - -// DepsDevBaseImageMatcher is an implementation of clientinterfaces.BaseImageMatcher -// that uses the deps.dev API to match base images. -// -// It sends out requests for every package version and does not perform caching. -type DepsDevBaseImageMatcher struct { - HTTPClient http.Client - Config ClientConfig -} - -func (matcher *DepsDevBaseImageMatcher) MatchBaseImages(ctx context.Context, layerMetadata []models.LayerMetadata) ([][]models.BaseImageDetails, error) { - baseImagesToLayerMap := make([][]models.BaseImageDetails, len(layerMetadata)) - g, ctx := errgroup.WithContext(ctx) - g.SetLimit(maxConcurrentRequests) - - var runningDigest digest.Digest - for i, l := range layerMetadata { - diffID := l.DiffID - if diffID == "" { - diffID = DigestSHA256EmptyTar - } - - if runningDigest == "" { - runningDigest = diffID - } else { - runningDigest = digest.FromBytes([]byte(runningDigest + " " + diffID)) - } - - chainID := runningDigest - g.Go(func() error { - if ctx.Err() != nil { - return ctx.Err() // this value doesn't matter to errgroup.Wait(), it will be ctx.Err() - } - - // If we are erroring for one base image even with retry, we probably should stop - var err error - baseImagesToLayerMap[i], err = matcher.queryBaseImagesForChainID(ctx, chainID) - - return err - }) - } - - if err := g.Wait(); err != nil { - return nil, err - } - - return buildBaseImageDetails(layerMetadata, baseImagesToLayerMap), nil -} - -// makeRetryRequest will return an error on both network errors, and if the response is not 200 or 404 -func (matcher *DepsDevBaseImageMatcher) makeRetryRequest(action func(client *http.Client) (*http.Response, error)) (*http.Response, error) { - var resp *http.Response - var err error - var lastErr error - - for i := range matcher.Config.MaxRetryAttempts { - // rand is initialized with a random number (since go1.20), and is also safe to use concurrently - // we do not need to use a cryptographically secure random jitter, this is just to spread out the retry requests - // #nosec G404 - jitterAmount := (rand.Float64() * float64(matcher.Config.JitterMultiplier) * float64(i)) - time.Sleep( - time.Duration(math.Pow(float64(i), matcher.Config.BackoffDurationExponential)*matcher.Config.BackoffDurationMultiplier*1000)*time.Millisecond + - time.Duration(jitterAmount*1000)*time.Millisecond) - - resp, err = action(&matcher.HTTPClient) - - // Don't retry, since deadline has already been exceeded - if errors.Is(err, context.DeadlineExceeded) { - return nil, err - } - - // The network request itself failed, did not even get a response - if err != nil { - lastErr = fmt.Errorf("attempt %d: request failed: %w", i+1, err) - continue - } - - // Everything is fine, including 404 which is one of the expected results - if resp.StatusCode >= 200 && resp.StatusCode < 300 || resp.StatusCode == http.StatusNotFound { - return resp, nil - } - - errBody, err := io.ReadAll(resp.Body) - resp.Body.Close() - if err != nil { - lastErr = fmt.Errorf("attempt %d: failed to read response: %w", i+1, err) - continue - } - - // Special case for too many requests, it should try again after a delay. - if resp.StatusCode == http.StatusTooManyRequests { - lastErr = fmt.Errorf("attempt %d: too many requests: status=%q body=%s", i+1, resp.Status, errBody) - continue - } - - // Otherwise any other 400 error should be fatal, as the request we are sending is incorrect - // Retrying won't make a difference - if resp.StatusCode >= 400 && resp.StatusCode < 500 { - return nil, fmt.Errorf("client error: status=%q body=%s", resp.Status, errBody) - } - - // Most likely a 500 >= error - lastErr = fmt.Errorf("server error: status=%q body=%s", resp.Status, errBody) - } - - return nil, fmt.Errorf("max retries exceeded: %w", lastErr) -} - -func (matcher *DepsDevBaseImageMatcher) queryBaseImagesForChainID(ctx context.Context, chainID digest.Digest) ([]models.BaseImageDetails, error) { - resp, err := matcher.makeRetryRequest(func(client *http.Client) (*http.Response, error) { - req, err := http.NewRequestWithContext(ctx, http.MethodGet, APIEndpoint+chainID.String(), nil) - if err != nil { - // This error should be impossible - return nil, err - } - - if matcher.Config.UserAgent != "" { - req.Header.Set("User-Agent", matcher.Config.UserAgent) - } - - return client.Do(req) - }) - - if err != nil { - cmdlogger.Errorf("deps.dev API error, you may need to update osv-scanner: %s", err) - return nil, err - } - defer resp.Body.Close() - - if resp.StatusCode == http.StatusNotFound { - return nil, nil - } - - var results struct { - Results []struct { - Repository string `json:"repository"` - } `json:"results"` - } - - d := json.NewDecoder(resp.Body) - err = d.Decode(&results) - if err != nil { - cmdlogger.Errorf("Unexpected return type from deps.dev base image endpoint: %s", err) - return nil, err - } - - // Found some base images! - baseImagePossibilities := []models.BaseImageDetails{} - for _, r := range results.Results { - baseImagePossibilities = append(baseImagePossibilities, models.BaseImageDetails{ - Name: r.Repository, - }) - } - - // TODO(v2): Temporary heuristic for what is more popular - // Ideally this is done by deps.dev before release - slices.SortFunc(baseImagePossibilities, func(a, b models.BaseImageDetails) int { - lengthDiff := len(a.Name) - len(b.Name) - if lengthDiff != 0 { - return lengthDiff - } - - // Apply deterministic ordering to same length base images - return strings.Compare(a.Name, b.Name) - }) - - return baseImagePossibilities, nil -} - -func buildBaseImageDetails(layerMetadata []models.LayerMetadata, baseImagesToLayersMap [][]models.BaseImageDetails) [][]models.BaseImageDetails { - allBaseImages := [][]models.BaseImageDetails{ - // The base image at index 0 is a placeholder representing your image, so always empty - // This is the case even if your image is a base image, in that case no layers point to index 0 - {}, - } - - currentBaseImageIndex := 0 - for i, baseImages := range slices.Backward(baseImagesToLayersMap) { - if len(baseImages) == 0 { - layerMetadata[i].BaseImageIndex = currentBaseImageIndex - continue - } - - // Is the current set of baseImages the same as the previous? - if cmp.Equal(baseImages, allBaseImages[len(allBaseImages)-1]) { - // If so, merge them - layerMetadata[i].BaseImageIndex = currentBaseImageIndex - continue - } - - // This layer is a new base image boundary - allBaseImages = append(allBaseImages, baseImages) - currentBaseImageIndex += 1 - layerMetadata[i].BaseImageIndex = currentBaseImageIndex - } - - return allBaseImages -} diff --git a/internal/clients/clientimpl/baseimagematcher/config.go b/internal/clients/clientimpl/baseimagematcher/config.go deleted file mode 100644 index 0b7f4f27da9..00000000000 --- a/internal/clients/clientimpl/baseimagematcher/config.go +++ /dev/null @@ -1,24 +0,0 @@ -package baseimagematcher - -import "github.com/google/osv-scanner/v2/internal/version" - -type ClientConfig struct { - MaxConcurrentBatchRequests int - MaxRetryAttempts int - JitterMultiplier float64 - BackoffDurationExponential float64 - BackoffDurationMultiplier float64 - UserAgent string -} - -// DefaultConfig make a default client config -func DefaultConfig() ClientConfig { - return ClientConfig{ - MaxRetryAttempts: 4, - JitterMultiplier: 2, - BackoffDurationExponential: 2, - BackoffDurationMultiplier: 1, - UserAgent: "osv-scanner_scan/" + version.OSVVersion, - MaxConcurrentBatchRequests: 10, - } -} diff --git a/internal/clients/clientimpl/licensematcher/licensematcher.go b/internal/clients/clientimpl/licensematcher/licensematcher.go index 0973fd51ea4..9780f9d1363 100644 --- a/internal/clients/clientimpl/licensematcher/licensematcher.go +++ b/internal/clients/clientimpl/licensematcher/licensematcher.go @@ -96,7 +96,7 @@ func (matcher *DepsDevLicenseMatcher) makeVersionRequest(ctx context.Context, qu } func versionQuery(system depsdevpb.System, name string, version string) *depsdevpb.GetVersionRequest { - if system == depsdevpb.System_GO { + if system == depsdevpb.System_GO && name != "stdlib" { version = "v" + version } diff --git a/internal/clients/clientimpl/localmatcher/zip.go b/internal/clients/clientimpl/localmatcher/zip.go index 3fdd1e4aa86..9409dc48522 100644 --- a/internal/clients/clientimpl/localmatcher/zip.go +++ b/internal/clients/clientimpl/localmatcher/zip.go @@ -157,7 +157,7 @@ func mightAffectPackages(v osvschema.Vulnerability, names []string) bool { // "name" will be the git repository in the case of the GIT ecosystem for _, ran := range affected.Ranges { - if ran.Repo == name { + if vulns.NormalizeRepo(ran.Repo) == vulns.NormalizeRepo(name) { return true } } diff --git a/internal/clients/clientinterfaces/baseimagematcher.go b/internal/clients/clientinterfaces/baseimagematcher.go deleted file mode 100644 index eda2b2805c7..00000000000 --- a/internal/clients/clientinterfaces/baseimagematcher.go +++ /dev/null @@ -1,12 +0,0 @@ -// Package clientinterfaces defines interfaces for external accessors used in osv-scanner. -package clientinterfaces - -import ( - "context" - - "github.com/google/osv-scanner/v2/pkg/models" -) - -type BaseImageMatcher interface { - MatchBaseImages(ctx context.Context, layerMetadata []models.LayerMetadata) ([][]models.BaseImageDetails, error) -} diff --git a/internal/clients/clientinterfaces/licensematcher.go b/internal/clients/clientinterfaces/licensematcher.go index a7a787f3f76..3208a9dfbc5 100644 --- a/internal/clients/clientinterfaces/licensematcher.go +++ b/internal/clients/clientinterfaces/licensematcher.go @@ -1,3 +1,4 @@ +// Package clientinterfaces defines interfaces for external accessors used in osv-scanner. package clientinterfaces import ( diff --git a/internal/cmdlogger/fmt.go b/internal/cmdlogger/fmt.go index 1f87441b379..ccd34696ee8 100644 --- a/internal/cmdlogger/fmt.go +++ b/internal/cmdlogger/fmt.go @@ -2,22 +2,27 @@ package cmdlogger import ( + "cmp" "fmt" "log/slog" ) func Debugf(msg string, args ...any) { - slog.Debug(fmt.Sprintf(msg, args...)) + logger := cmp.Or(GlobalLogger, slog.Default()) + logger.Debug(fmt.Sprintf(msg, args...)) } func Infof(msg string, args ...any) { - slog.Info(fmt.Sprintf(msg, args...)) + logger := cmp.Or(GlobalLogger, slog.Default()) + logger.Info(fmt.Sprintf(msg, args...)) } func Warnf(msg string, args ...any) { - slog.Warn(fmt.Sprintf(msg, args...)) + logger := cmp.Or(GlobalLogger, slog.Default()) + logger.Warn(fmt.Sprintf(msg, args...)) } func Errorf(msg string, args ...any) { - slog.Error(fmt.Sprintf(msg, args...)) + logger := cmp.Or(GlobalLogger, slog.Default()) + logger.Error(fmt.Sprintf(msg, args...)) } diff --git a/internal/cmdlogger/handler.go b/internal/cmdlogger/handler.go index 71da7938a5c..3fc2c326505 100644 --- a/internal/cmdlogger/handler.go +++ b/internal/cmdlogger/handler.go @@ -8,14 +8,17 @@ import ( "strings" ) -var GlobalHandler slog.Handler +var ( + GlobalLogger *slog.Logger +) type Handler struct { stdout io.Writer stderr io.Writer hasErrored bool everythingToStderr bool - Level slog.Leveler + level slog.Leveler + overrideHandler slog.Handler hasErroredBecauseInvalidConfig bool } @@ -30,7 +33,7 @@ func (c *Handler) SendEverythingToStderr() { } func (c *Handler) SetLevel(level slog.Leveler) { - c.Level = level + c.level = level } func (c *Handler) writer(level slog.Level) io.Writer { @@ -46,11 +49,11 @@ func (c *Handler) Enabled(ctx context.Context, level slog.Level) bool { c.hasErrored = true } - if GlobalHandler != nil { - return GlobalHandler.Enabled(ctx, level) + if c.overrideHandler != nil { + return c.overrideHandler.Enabled(ctx, level) } - return level >= c.Level.Level() + return level >= c.level.Level() } func (c *Handler) Handle(ctx context.Context, record slog.Record) error { @@ -62,8 +65,8 @@ func (c *Handler) Handle(ctx context.Context, record slog.Record) error { } } - if GlobalHandler != nil { - return GlobalHandler.Handle(ctx, record) + if c.overrideHandler != nil { + return c.overrideHandler.Handle(ctx, record) } _, err := fmt.Fprint(c.writer(record.Level), record.Message+"\n") @@ -84,15 +87,15 @@ func (c *Handler) HasErroredBecauseInvalidConfig() bool { } func (c *Handler) WithAttrs(a []slog.Attr) slog.Handler { - if GlobalHandler != nil { - return GlobalHandler.WithAttrs(a) + if c.overrideHandler != nil { + return c.overrideHandler.WithAttrs(a) } panic("not supported") } func (c *Handler) WithGroup(g string) slog.Handler { - if GlobalHandler != nil { - return GlobalHandler.WithGroup(g) + if c.overrideHandler != nil { + return c.overrideHandler.WithGroup(g) } panic("not supported") } @@ -103,6 +106,12 @@ func New(stdout, stderr io.Writer) CmdLogger { return &Handler{ stdout: stdout, stderr: stderr, - Level: slog.LevelInfo, + level: slog.LevelInfo, + } +} + +func NewOverride(overrideHandler slog.Handler) CmdLogger { + return &Handler{ + overrideHandler: overrideHandler, } } diff --git a/internal/cmdlogger/scalibr.go b/internal/cmdlogger/scalibr.go new file mode 100644 index 00000000000..6c23a8ab41d --- /dev/null +++ b/internal/cmdlogger/scalibr.go @@ -0,0 +1,46 @@ +package cmdlogger + +import ( + "fmt" + "log/slog" + + "github.com/google/osv-scalibr/log" +) + +var _ log.Logger = &ScalibrAdapter{} + +type ScalibrAdapter struct { + Logger *slog.Logger +} + +func (s *ScalibrAdapter) Errorf(format string, args ...any) { + s.Logger.Error(fmt.Sprintf(format, args...)) +} + +func (s *ScalibrAdapter) Error(args ...any) { + s.Logger.Error(fmt.Sprint(args...)) +} + +func (s *ScalibrAdapter) Warnf(format string, args ...any) { + s.Logger.Warn(fmt.Sprintf(format, args...)) +} + +func (s *ScalibrAdapter) Warn(args ...any) { + s.Logger.Warn(fmt.Sprint(args...)) +} + +func (s *ScalibrAdapter) Infof(format string, args ...any) { + s.Logger.Info(fmt.Sprintf(format, args...)) +} + +func (s *ScalibrAdapter) Info(args ...any) { + s.Logger.Info(fmt.Sprint(args...)) +} + +func (s *ScalibrAdapter) Debugf(format string, args ...any) { + s.Logger.Debug(fmt.Sprintf(format, args...)) +} + +func (s *ScalibrAdapter) Debug(args ...any) { + s.Logger.Debug(fmt.Sprint(args...)) +} diff --git a/internal/config/config.go b/internal/config/config.go index 58a1b751f1f..f6147e77100 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -15,7 +15,7 @@ import ( "github.com/google/osv-scanner/v2/internal/imodels" ) -const osvScannerConfigName = "osv-scanner.toml" +var OSVScannerConfigName = "osv-scanner.toml" type Manager struct { // Override to replace all other configs @@ -35,10 +35,28 @@ type Config struct { LoadPath string `toml:"-"` } +func (c *Config) UnusedIgnoredVulns() []IgnoreEntry { + unused := make([]IgnoreEntry, 0, len(c.IgnoredVulns)) + + for _, entry := range c.IgnoredVulns { + if !entry.Used { + unused = append(unused, entry) + } + } + + return unused +} + type IgnoreEntry struct { ID string `toml:"id"` IgnoreUntil time.Time `toml:"ignoreUntil"` Reason string `toml:"reason"` + + Used bool `toml:"-"` +} + +func (ie *IgnoreEntry) MarkAsUsed() { + ie.Used = true } type PackageOverrideEntry struct { @@ -185,6 +203,28 @@ func (c *Manager) Get(targetPath string) Config { return config } +func (c *Manager) GetUnusedIgnoreEntries() map[string][]IgnoreEntry { + m := make(map[string][]IgnoreEntry) + + for _, config := range c.ConfigMap { + unusedEntries := config.UnusedIgnoredVulns() + + if len(unusedEntries) > 0 { + m[config.LoadPath] = unusedEntries + } + } + + if c.OverrideConfig != nil { + unusedEntries := c.OverrideConfig.UnusedIgnoredVulns() + + if len(unusedEntries) > 0 { + m[c.OverrideConfig.LoadPath] = unusedEntries + } + } + + return m +} + // Finds the containing folder of `target`, then appends osvScannerConfigName func normalizeConfigLoadPath(target string) (string, error) { stat, err := os.Stat(target) @@ -198,7 +238,7 @@ func normalizeConfigLoadPath(target string) (string, error) { } else { containingFolder = target } - configPath := filepath.Join(containingFolder, osvScannerConfigName) + configPath := filepath.Join(containingFolder, OSVScannerConfigName) return configPath, nil } diff --git a/internal/datasource/insightsalpha.go b/internal/datasource/insightsalpha.go new file mode 100644 index 00000000000..1b154a67577 --- /dev/null +++ b/internal/datasource/insightsalpha.go @@ -0,0 +1,31 @@ +package datasource + +import ( + "crypto/x509" + "fmt" + + pb "deps.dev/api/v3alpha" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" +) + +// NewInsightsAlphaClient creates a deps.dev v3alpha InsightsClient with a custom address and userAgent. +func NewInsightsAlphaClient(addr string, userAgent string) (pb.InsightsClient, error) { + certPool, err := x509.SystemCertPool() + if err != nil { + return nil, fmt.Errorf("getting system cert pool: %w", err) + } + creds := credentials.NewClientTLSFromCert(certPool, "") + dialOpts := []grpc.DialOption{grpc.WithTransportCredentials(creds)} + + if userAgent != "" { + dialOpts = append(dialOpts, grpc.WithUserAgent(userAgent)) + } + + conn, err := grpc.NewClient(addr, dialOpts...) + if err != nil { + return nil, fmt.Errorf("dialling %q: %w", addr, err) + } + + return pb.NewInsightsClient(conn), nil +} diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index aa207a2725e..7e11fc544c8 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -218,7 +218,6 @@ type PackageScanResult struct { // TODO: Use osvschema.Vulnerability instead Vulnerabilities []*osvschema.Vulnerability Licenses []models.License - LayerDetails *extractor.LayerDetails // TODO(v2): // SourceAnalysis *SourceAnalysis diff --git a/internal/imodels/results/scanresults.go b/internal/imodels/results/scanresults.go index 8b88e5548ab..c3c6695927f 100644 --- a/internal/imodels/results/scanresults.go +++ b/internal/imodels/results/scanresults.go @@ -2,10 +2,10 @@ package results import ( + spb "github.com/google/osv-scalibr/binary/proto/scan_result_go_proto" "github.com/google/osv-scalibr/inventory" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/imodels" - "github.com/google/osv-scanner/v2/pkg/models" ) // ScanResults represents the complete results of a scan. @@ -22,7 +22,7 @@ type ScanResults struct { ConfigManager config.Manager // For container scanning, metadata including layer information - ImageMetadata *models.ImageMetadata + ImageMetadata *spb.ContainerImageMetadata GenericFindings []*inventory.GenericFinding } diff --git a/internal/output/__snapshots__/sarif_test.snap b/internal/output/__snapshots__/sarif_test.snap index 7154d847ab5..a5e20ba5248 100755 --- a/internal/output/__snapshots__/sarif_test.snap +++ b/internal/output/__snapshots__/sarif_test.snap @@ -203,7 +203,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -253,7 +253,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -303,7 +303,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -353,7 +353,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -403,7 +403,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -453,7 +453,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -503,7 +503,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -553,7 +553,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -603,7 +603,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -653,7 +653,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -703,7 +703,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -753,7 +753,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -803,7 +803,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -853,7 +853,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -903,7 +903,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -953,7 +953,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1003,7 +1003,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1053,7 +1053,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1273,7 +1273,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1493,7 +1493,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1713,7 +1713,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1829,7 +1829,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -1945,7 +1945,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -2061,7 +2061,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -2177,7 +2177,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -2293,7 +2293,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -2643,7 +2643,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -2993,7 +2993,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -3043,7 +3043,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -3263,7 +3263,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -3613,7 +3613,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -3963,7 +3963,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4313,7 +4313,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4363,7 +4363,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4413,7 +4413,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4463,7 +4463,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4513,7 +4513,7 @@ "rules": [], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4682,7 +4682,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4798,7 +4798,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -4914,7 +4914,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5030,7 +5030,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5146,7 +5146,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5262,7 +5262,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5412,7 +5412,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5562,7 +5562,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5712,7 +5712,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5828,7 +5828,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -5944,7 +5944,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -6113,7 +6113,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -6229,7 +6229,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, @@ -6387,7 +6387,7 @@ ], "supportedTaxonomies": [], "taxa": [], - "version": "2.2.3" + "version": "2.2.4" }, "extensions": [] }, diff --git a/internal/output/__snapshots__/spdx_test.snap b/internal/output/__snapshots__/spdx_test.snap index e7ba3393783..b1a2df1a5be 100755 --- a/internal/output/__snapshots__/spdx_test.snap +++ b/internal/output/__snapshots__/spdx_test.snap @@ -29,6 +29,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -45,6 +47,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -61,6 +65,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -77,6 +83,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -93,6 +101,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -193,6 +203,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -209,6 +221,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -225,6 +239,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -241,6 +257,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -257,6 +275,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -357,6 +377,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -373,6 +395,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -389,6 +413,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -405,6 +431,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -421,6 +449,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -521,6 +551,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -537,6 +569,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -553,6 +587,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -569,6 +605,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/packageslockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -585,6 +623,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -685,6 +725,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -701,6 +743,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -717,6 +761,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -733,6 +779,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -749,6 +797,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -951,6 +1001,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1011,6 +1063,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1071,6 +1125,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1131,6 +1187,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1191,6 +1249,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1251,6 +1311,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1311,6 +1373,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1405,6 +1469,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1421,6 +1487,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1491,6 +1559,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1507,6 +1577,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1523,6 +1595,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1539,6 +1613,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1555,6 +1631,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1655,6 +1733,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1671,6 +1751,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1687,6 +1769,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1703,6 +1787,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1719,6 +1805,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1819,6 +1907,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1835,6 +1925,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1851,6 +1943,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1867,6 +1961,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -1957,6 +2053,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2017,6 +2115,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2077,6 +2177,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2137,6 +2239,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2197,6 +2301,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2213,6 +2319,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2283,6 +2391,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2299,6 +2409,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2315,6 +2427,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2331,6 +2445,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2421,6 +2537,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2437,6 +2555,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2453,6 +2573,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2469,6 +2591,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2559,6 +2683,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2575,6 +2701,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2591,6 +2719,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2607,6 +2737,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2623,6 +2755,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2723,6 +2857,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2739,6 +2875,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2755,6 +2893,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2771,6 +2911,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2787,6 +2929,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2887,6 +3031,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2903,6 +3049,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2919,6 +3067,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/pe extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -2935,6 +3085,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3025,6 +3177,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3041,6 +3195,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3057,6 +3213,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/pe extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3073,6 +3231,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3163,6 +3323,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3179,6 +3341,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/pe extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3195,6 +3359,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3377,6 +3543,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3437,6 +3605,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3497,6 +3667,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3557,6 +3729,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3617,6 +3791,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3677,6 +3853,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3737,6 +3915,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3797,6 +3977,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3857,6 +4039,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3917,6 +4101,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -3977,6 +4163,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -4071,6 +4259,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -4087,6 +4277,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -4157,6 +4349,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -4173,6 +4367,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -4243,6 +4439,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -4259,6 +4457,8 @@ "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", diff --git a/internal/output/__snapshots__/vertical_test.snap b/internal/output/__snapshots__/vertical_test.snap index c518f7a9d70..05d354dbe52 100755 --- a/internal/output/__snapshots__/vertical_test.snap +++ b/internal/output/__snapshots__/vertical_test.snap @@ -367,7 +367,8 @@ Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show t sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile no license violations found @@ -394,7 +395,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -406,7 +408,8 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile no license violations found @@ -414,7 +417,8 @@ sbom:/path/to/my/second/lockfile: found 1 package with issues unknown:/path/to/my/third/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in unknown:/path/to/my/third/lockfile @@ -437,7 +441,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -449,7 +454,8 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@ has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile no license violations found @@ -457,7 +463,8 @@ sbom:/path/to/my/second/lockfile: found 1 package with issues unknown:/path/to/my/third/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in unknown:/path/to/my/third/lockfile @@ -480,7 +487,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -502,7 +510,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -542,7 +551,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -564,7 +574,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile no license violations found @@ -590,20 +601,26 @@ npm lockfile:/path/to/my/first/lockfile: found 2 packages with issues mine1@1.2.2 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 2 packages with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine3@0.4.1 has the following known vulnerabilities: - OSV-3: Something mildly scary! (https://osv.dev/OSV-3) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-3: Something mildly scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile @@ -620,20 +637,26 @@ npm lockfile:/path/to/my/first/lockfile: found 2 packages with issues mine1@1.2.2 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 2 packages with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine3@0.4.1 has the following known vulnerabilities: - OSV-3: Something mildly scary! (https://osv.dev/OSV-3) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-3: Something mildly scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile @@ -669,21 +692,24 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile unknown:/path/to/my/third/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in unknown:/path/to/my/third/lockfile @@ -700,7 +726,8 @@ NuGet sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile @@ -709,16 +736,20 @@ Packagist lockfile:/path/to/my/first/lockfile: found 1 package with issues author1/mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues author3/mine3@0.4.1 has the following known vulnerabilities: - OSV-3: Something mildly scary! (https://osv.dev/OSV-3) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-3: Something mildly scary! + Severity: '4.3'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile @@ -727,7 +758,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.2 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -744,7 +776,8 @@ NuGet sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile @@ -753,20 +786,24 @@ Packagist lockfile:/path/to/my/first/lockfile: found 1 package with issues author1/mine1@1.2.3 has the following known vulnerabilities: - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile author1/mine1@1.2.3 has the following uncalled vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) sbom:/path/to/my/second/lockfile: found 1 package with issues author3/mine3@0.4.1 has the following known vulnerabilities: - OSV-3: Something mildly scary! (https://osv.dev/OSV-3) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-3: Something mildly scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile @@ -775,7 +812,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.2 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -792,7 +830,8 @@ NuGet sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: - OSV-2: Something less scary! (https://osv.dev/OSV-2) + OSV-2: Something less scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile @@ -801,16 +840,20 @@ Packagist lockfile:/path/to/my/first/lockfile: found 1 package with issues author1/mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues author3/mine3@0.4.1 has the following known vulnerabilities: - OSV-3: Something mildly scary! (https://osv.dev/OSV-3) - OSV-5: Something scarier! (https://osv.dev/OSV-5) + OSV-3: Something mildly scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; + OSV-5: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile @@ -819,7 +862,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@ has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -890,12 +934,14 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile mine1@1.2.3 has the following uncalled vulnerabilities: - GHSA-123: Something scarier! (https://osv.dev/GHSA-123) + GHSA-123: Something scarier! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) @@ -912,7 +958,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: '9'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -929,7 +976,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -946,7 +994,8 @@ npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues mine1@1.2.3 has the following uncalled vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) @@ -963,7 +1012,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -980,7 +1030,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -997,7 +1048,8 @@ npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues mine1@1.2.3 has the following uncalled vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) @@ -1014,7 +1066,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: '8.3'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -1031,7 +1084,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -1048,7 +1102,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -1065,7 +1120,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@ has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -1082,9 +1138,11 @@ npm lockfile:/path/to/my/first/lockfile: found 2 packages with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: This vulnerability allows for some very scary stuff to happen - seriously,... (https://osv.dev/OSV-1) + OSV-1: This vulnerability allows for some very scary stuff to happen - seriously,... + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine3@0.10.2-rc has the following known vulnerabilities: - OSV-2: (no details available) (https://osv.dev/OSV-2) + OSV-2: (no details available) + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile @@ -1101,7 +1159,8 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile @@ -1121,14 +1180,16 @@ npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: - OSV-1: Something scary! (https://osv.dev/OSV-1) + OSV-1: Something scary! + Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile diff --git a/internal/output/spdx.go b/internal/output/spdx.go index 9514c70482c..781a9e29092 100644 --- a/internal/output/spdx.go +++ b/internal/output/spdx.go @@ -5,7 +5,7 @@ import ( "io" scalibr "github.com/google/osv-scalibr" - "github.com/google/osv-scalibr/converter" + "github.com/google/osv-scalibr/converter/spdx" "github.com/google/osv-scanner/v2/pkg/models" ) @@ -20,7 +20,7 @@ func PrintSPDXResults(vulnResult *models.VulnerabilityResults, outputWriter io.W } // TODO(#1783): Allow user configuration - doc := converter.ToSPDX23(scanResult, converter.SPDXConfig{}) + doc := spdx.ToSPDX23(scanResult, spdx.Config{}) encoder := json.NewEncoder(outputWriter) encoder.SetIndent("", " ") diff --git a/internal/output/vertical.go b/internal/output/vertical.go index c989925e0a8..43a7ff0de83 100644 --- a/internal/output/vertical.go +++ b/internal/output/vertical.go @@ -213,6 +213,12 @@ func printVerticalVulnerabilitiesForPackages(packages []PackageResult, out io.Wr text.FgCyan.Sprintf("%s:", vulnerability.ID), describe(vulnerability), ) + + fmt.Fprintf(out, + " Severity: '%s'; Minimal Fix Version: '%s';\n", + vulnerability.SeverityScore, + vulnerability.FixedVersion, + ) } } } @@ -281,14 +287,12 @@ func truncate(str string, limit int) string { } func describe(vulnerability VulnResult) string { - description := vulnerability.Description - if description == "" { - description += "(no details available)" + builder := strings.Builder{} + if vulnerability.Description == "" { + builder.WriteString("(no details available)") } else { - description = truncate(vulnerability.Description, 80) + builder.WriteString(truncate(vulnerability.Description, 80)) } - description += " (" + OSVBaseVulnerabilityURL + vulnerability.ID + ")" - - return description + return builder.String() } diff --git a/internal/scalibrplugin/__snapshots__/resolve_test.snap b/internal/scalibrplugin/__snapshots__/resolve_test.snap index 0666032d9df..29ae8cfda50 100755 --- a/internal/scalibrplugin/__snapshots__/resolve_test.snap +++ b/internal/scalibrplugin/__snapshots__/resolve_test.snap @@ -24,6 +24,7 @@ weakcredentials/winlocal --- [TestResolve_Extractors_Presets/artifact - 1] +baseimage go/binary java/archive javascript/nodemodules diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go index 904996e50c9..e786bd0c0f1 100644 --- a/internal/scalibrplugin/presets.go +++ b/internal/scalibrplugin/presets.go @@ -2,6 +2,9 @@ package scalibrplugin import ( detectors "github.com/google/osv-scalibr/detector/list" + "github.com/google/osv-scalibr/enricher" + "github.com/google/osv-scalibr/enricher/baseimage" + "github.com/google/osv-scalibr/enricher/enricherlist" "github.com/google/osv-scalibr/extractor/filesystem/language/cpp/conanlock" "github.com/google/osv-scalibr/extractor/filesystem/language/dart/pubspec" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/depsjson" @@ -34,12 +37,15 @@ import ( "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg" "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx" "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx" + "github.com/google/osv-scanner/v2/internal/datasource" + "github.com/google/osv-scanner/v2/internal/depsdev" "github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/java/pomxmlenhanceable" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/python/requirementsenhancable" "github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo" + "github.com/google/osv-scanner/v2/internal/version" ) var detectorPresets = map[string]detectors.InitMap{ @@ -132,3 +138,32 @@ var ExtractorPresets = map[string]extractors.InitMap{ dpkg.Name: {dpkg.NewDefault}, }, } + +var enricherPresets = map[string]enricherlist.InitMap{ + "artifact": { + baseimage.Name: {baseImageEnricher}, + }, + "vulns": enricherlist.VulnMatching, + "licenses": enricherlist.License, +} + +func baseImageEnricher() enricher.Enricher { + // The grpc client **does not** make any requests. It starts in an IDLE state until + // the first function call is made. This means we can safely initialize the client even in offline mode, + // and the enricher plugin will be filtered out in offline mode. + insightsClient, err := datasource.NewInsightsAlphaClient(depsdev.DepsdevAPI, "osv-scanner_scan/"+version.OSVVersion) + if err != nil { + panic("unable to connect to insights server") + } + + baseImageEnricher, err := baseimage.New(&baseimage.Config{ + Client: baseimage.NewClientGRPC(insightsClient), + }) + + // These panics should be very unlikely to happen. Does **not** happen when network is not available. + if err != nil { + panic("unable to initialize base image enricher") + } + + return baseImageEnricher +} diff --git a/internal/scalibrplugin/resolve.go b/internal/scalibrplugin/resolve.go index 2d9640be5fa..bb6de8ed8b6 100644 --- a/internal/scalibrplugin/resolve.go +++ b/internal/scalibrplugin/resolve.go @@ -51,23 +51,31 @@ func Resolve(enabledPlugins []string, disabledPlugins []string) []plugin.Plugin enabled := i == 0 for _, pluginOrPreset := range exts { + wasAPreset := false if names, ok := ExtractorPresets[pluginOrPreset]; ok { for name := range names { plugins[name] = enabled } - - continue + wasAPreset = true } if names, ok := detectorPresets[pluginOrPreset]; ok { for name := range names { plugins[name] = enabled } + wasAPreset = true + } - continue + if names, ok := enricherPresets[pluginOrPreset]; ok { + for name := range names { + plugins[name] = enabled + } + wasAPreset = true } - plugins[pluginOrPreset] = enabled + if !wasAPreset { + plugins[pluginOrPreset] = enabled + } } } diff --git a/internal/scalibrplugin/resolve_test.go b/internal/scalibrplugin/resolve_test.go index b48d198af4e..03f50fd3741 100644 --- a/internal/scalibrplugin/resolve_test.go +++ b/internal/scalibrplugin/resolve_test.go @@ -12,6 +12,7 @@ import ( "github.com/google/osv-scalibr/detector/weakcredentials/etcshadow" "github.com/google/osv-scalibr/detector/weakcredentials/filebrowser" "github.com/google/osv-scalibr/detector/weakcredentials/winlocal" + "github.com/google/osv-scalibr/enricher/baseimage" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary" "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive" @@ -393,6 +394,7 @@ func TestResolve_Extractors(t *testing.T) { want: []string{ apk.Name, archive.Name, + baseimage.Name, cargoauditable.Name, dpkg.Name, gobinary.Name, @@ -409,6 +411,7 @@ func TestResolve_Extractors(t *testing.T) { want: []string{ apk.Name, archive.Name, + baseimage.Name, cargoauditable.Name, dpkg.Name, gobinary.Name, @@ -432,6 +435,7 @@ func TestResolve_Extractors(t *testing.T) { }, want: []string{ apk.Name, + baseimage.Name, dpkg.Name, gobinary.Name, nodemodules.Name, @@ -447,6 +451,7 @@ func TestResolve_Extractors(t *testing.T) { want: []string{ apk.Name, archive.Name, + baseimage.Name, cargoauditable.Name, dpkg.Name, gitrepo.Name, diff --git a/internal/spdx/licenses.go b/internal/spdx/licenses.go index 2803ae66782..c96d07eb5bc 100644 --- a/internal/spdx/licenses.go +++ b/internal/spdx/licenses.go @@ -248,6 +248,7 @@ var IDs = map[string]bool{ "epl-2.0": true, "erlpl-1.1": true, "esa-pl-permissive-2.4": true, + "esa-pl-strong-copyleft-2.4": true, "esa-pl-weak-copyleft-2.4": true, "etalab-2.0": true, "eudatagrid": true, @@ -356,9 +357,11 @@ var IDs = map[string]bool{ "hpnd-sell-variant": true, "hpnd-sell-variant-mit-disclaimer": true, "hpnd-sell-variant-mit-disclaimer-rev": true, + "hpnd-smc": true, "hpnd-uc": true, "hpnd-uc-export-us": true, "htmltidy": true, + "hyphen-bulgarian": true, "ibm-pibs": true, "icu": true, "iec-code-components-eula": true, @@ -491,6 +494,7 @@ var IDs = map[string]bool{ "nicta-1.0": true, "nist-pd": true, "nist-pd-fallback": true, + "nist-pd-tnt": true, "nist-software": true, "nlod-1.0": true, "nlod-2.0": true, @@ -557,6 +561,7 @@ var IDs = map[string]bool{ "osl-2.0": true, "osl-2.1": true, "osl-3.0": true, + "ossp": true, "padl": true, "parity-6.0.0": true, "parity-7.0.0": true, @@ -602,6 +607,7 @@ var IDs = map[string]bool{ "sgi-b-1.1": true, "sgi-b-2.0": true, "sgi-opengl": true, + "sgmlug-pm": true, "sgp4": true, "shl-0.5": true, "shl-0.51": true, diff --git a/internal/testlogger/markers.go b/internal/testlogger/markers.go index 1204ae1880a..dcb7546be87 100644 --- a/internal/testlogger/markers.go +++ b/internal/testlogger/markers.go @@ -1,8 +1,9 @@ package testlogger import ( - "log/slog" "testing" + + "github.com/google/osv-scanner/v2/internal/cmdlogger" ) const BeginDirectoryScan = "---Begin Directory Scan---" @@ -12,13 +13,13 @@ const EndDirectoryScan = "---End Directory Scan---" // the scanning order to allow for unsorted file walks. func BeginDirScanMarker() { if testing.Testing() { - slog.Info(BeginDirectoryScan) + cmdlogger.Infof(BeginDirectoryScan) } } // EndDirScanMarker prints out a directory scanning marker during testing to mark the end of directory walks func EndDirScanMarker() { if testing.Testing() { - slog.Info(EndDirectoryScan) + cmdlogger.Infof(EndDirectoryScan) } } diff --git a/internal/utility/vulns/vulnerability.go b/internal/utility/vulns/vulnerability.go index f37128e3ff6..1f195816d6c 100644 --- a/internal/utility/vulns/vulnerability.go +++ b/internal/utility/vulns/vulnerability.go @@ -125,9 +125,23 @@ func AffectsEcosystem(v osvschema.Vulnerability, ecosystemAffected osvecosystem. return false } +// NormalizeRepo applies some reasonable transformations to repository urls to +// ensure accurate results when determining if two repository urls are referencing +// the same repository. +// +// Specifically, common protocols are removed from the start of the url and the +// ".git" suffix if present +func NormalizeRepo(repo string) string { + repo = strings.TrimPrefix(repo, "https://") + repo = strings.TrimPrefix(repo, "http://") + repo = strings.TrimPrefix(repo, "git://") + + return strings.TrimSuffix(repo, ".git") +} + func hasGitRangeForRepo(affected osvschema.Affected, repo string) bool { for _, r := range affected.Ranges { - if r.Type == "GIT" && r.Repo == repo { + if r.Type == "GIT" && NormalizeRepo(r.Repo) == NormalizeRepo(repo) { return true } } diff --git a/internal/version/version.go b/internal/version/version.go index 5f5d97e7390..50a9c6cadb8 100644 --- a/internal/version/version.go +++ b/internal/version/version.go @@ -2,4 +2,4 @@ package version // OSVVersion is the current release version, you should update this variable when doing a release -const OSVVersion = "2.2.3" +const OSVVersion = "2.2.4" diff --git a/pkg/osvscanner/filter.go b/pkg/osvscanner/filter.go index 21e24f20234..551b211472e 100644 --- a/pkg/osvscanner/filter.go +++ b/pkg/osvscanner/filter.go @@ -153,6 +153,8 @@ func filterPackageVulns(pkgVulns models.PackageVulns, configToUse config.Config) cmdlogger.Infof("%s and %d aliases have been filtered out because: %s", ignoreLine.ID, len(group.Aliases)-1, reason) } + ignoreLine.MarkAsUsed() + break } } diff --git a/pkg/osvscanner/internal/imagehelpers/imagehelpers.go b/pkg/osvscanner/internal/imagehelpers/imagehelpers.go index 8ac6e6ec144..af567db55f4 100644 --- a/pkg/osvscanner/internal/imagehelpers/imagehelpers.go +++ b/pkg/osvscanner/internal/imagehelpers/imagehelpers.go @@ -9,56 +9,46 @@ import ( "os" "os/exec" - "github.com/google/osv-scalibr/artifact/image/layerscanning/image" - "github.com/google/osv-scalibr/extractor/filesystem/os/osrelease" - "github.com/google/osv-scanner/v2/internal/clients/clientinterfaces" "github.com/google/osv-scanner/v2/internal/cmdlogger" + "github.com/google/osv-scanner/v2/internal/imodels/results" "github.com/google/osv-scanner/v2/pkg/models" + "github.com/opencontainers/go-digest" ) -func BuildImageMetadata(img *image.Image, baseImageMatcher clientinterfaces.BaseImageMatcher) (*models.ImageMetadata, error) { - chainLayers, err := img.ChainLayers() - if err != nil { - // This is very unlikely, as if this would error we would have failed the initial scan - return nil, err - } - m, err := osrelease.GetOSRelease(chainLayers[len(chainLayers)-1].FS()) - OS := "Unknown" - if err == nil { - OS = m["PRETTY_NAME"] +func BuildImageMetadata(scanResults *results.ScanResults) *models.ImageMetadata { + if scanResults.ImageMetadata == nil { + return nil } - layerMetadata := []models.LayerMetadata{} - for _, cl := range chainLayers { + layerMetadata := make([]models.LayerMetadata, 0, len(scanResults.ImageMetadata.GetLayerMetadata())) + for _, cl := range scanResults.ImageMetadata.GetLayerMetadata() { layerMetadata = append(layerMetadata, models.LayerMetadata{ - DiffID: cl.Layer().DiffID(), - Command: cl.Layer().Command(), - IsEmpty: cl.Layer().IsEmpty(), + DiffID: digest.Digest(cl.GetDiffId()), + Command: cl.GetCommand(), + IsEmpty: cl.GetIsEmpty(), + BaseImageIndex: int(cl.GetBaseImageIndex()), }) } - var baseImages [][]models.BaseImageDetails + baseImages := make([][]models.BaseImageDetails, 0, len(scanResults.ImageMetadata.GetBaseImageChains())) - if baseImageMatcher != nil { - baseImages, err = baseImageMatcher.MatchBaseImages(context.Background(), layerMetadata) - if err != nil { - return nil, fmt.Errorf("failed to query for container base images: %w", err) - } - } else { - baseImages = [][]models.BaseImageDetails{ - // The base image at index 0 is a placeholder representing your image, so always empty - // This is the case even if your image is a base image, in that case no layers point to index 0 - {}, + for _, chain := range scanResults.ImageMetadata.GetBaseImageChains() { + baseImageChain := make([]models.BaseImageDetails, 0, len(chain.GetBaseImages())) + for _, imgs := range chain.GetBaseImages() { + baseImageChain = append(baseImageChain, models.BaseImageDetails{ + Name: imgs.GetRepository(), + }) } + baseImages = append(baseImages, baseImageChain) } imgMetadata := models.ImageMetadata{ - OS: OS, + OS: scanResults.ImageMetadata.GetOsInfo()["PRETTY_NAME"], LayerMetadata: layerMetadata, BaseImages: baseImages, } - return &imgMetadata, nil + return &imgMetadata } // ExportDockerImage will execute the docker binary to export an image to a temporary file in the tarball OCI format. diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ca440746f08..bcfe022a744 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -6,7 +6,6 @@ import ( "fmt" "log/slog" "maps" - "net/http" "os" "slices" "sort" @@ -16,12 +15,15 @@ import ( "deps.dev/util/resolve" scalibr "github.com/google/osv-scalibr" "github.com/google/osv-scalibr/artifact/image/layerscanning/image" + "github.com/google/osv-scalibr/binary/proto" "github.com/google/osv-scalibr/clients/datasource" "github.com/google/osv-scalibr/clients/resolution" "github.com/google/osv-scalibr/enricher/reachability/java" "github.com/google/osv-scalibr/extractor" + "github.com/google/osv-scalibr/inventory" + scalibrlog "github.com/google/osv-scalibr/log" "github.com/google/osv-scalibr/plugin" - "github.com/google/osv-scanner/v2/internal/clients/clientimpl/baseimagematcher" + "github.com/google/osv-scalibr/stats" "github.com/google/osv-scanner/v2/internal/clients/clientimpl/licensematcher" "github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher" "github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher" @@ -74,6 +76,8 @@ type ExperimentalScannerActions struct { PluginsEnabled []string PluginsDisabled []string PluginsNoDefaults bool + + StatsCollector stats.Collector } type TransitiveScanningActions struct { @@ -84,9 +88,8 @@ type TransitiveScanningActions struct { type ExternalAccessors struct { // Matchers - VulnMatcher clientinterfaces.VulnerabilityMatcher - LicenseMatcher clientinterfaces.LicenseMatcher - BaseImageMatcher clientinterfaces.BaseImageMatcher + VulnMatcher clientinterfaces.VulnerabilityMatcher + LicenseMatcher clientinterfaces.LicenseMatcher // Required for pomxmlnet Extractor MavenRegistryAPIClient *datasource.MavenRegistryAPIClient @@ -148,14 +151,6 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err } } - // --- Base Image Matcher --- - if actions.Image != "" { - externalAccessors.BaseImageMatcher = &baseimagematcher.DepsDevBaseImageMatcher{ - HTTPClient: *http.DefaultClient, - Config: baseimagematcher.DefaultConfig(), - } - } - // --- OSV.dev Client --- // We create a separate client from VulnMatcher to keep things clean. externalAccessors.OSVDevClient = osvdev.DefaultClient() @@ -169,7 +164,7 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err externalAccessors.MavenRegistryAPIClient, err = datasource.NewMavenRegistryAPIClient(ctx, datasource.MavenRegistry{ URL: actions.MavenRegistry, ReleasesEnabled: true, - }, "") + }, "", false) if err != nil { return ExternalAccessors{}, err @@ -178,7 +173,7 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err if !actions.NativeDataSource { externalAccessors.DependencyClients[osvschema.EcosystemMaven], err = resolution.NewDepsDevClient(depsdev.DepsdevAPI, "osv-scanner_scan/"+version.OSVVersion) } else { - externalAccessors.DependencyClients[osvschema.EcosystemMaven], err = resolution.NewMavenRegistryClient(ctx, actions.MavenRegistry, "") + externalAccessors.DependencyClients[osvschema.EcosystemMaven], err = resolution.NewMavenRegistryClient(ctx, actions.MavenRegistry, "", false) } // We only support native registry client for PyPI. @@ -259,22 +254,7 @@ func DoScan(actions ScannerActions) (models.VulnerabilityResults, error) { } } - vulnerabilityResults := buildVulnerabilityResults(actions, &scanResult) - - if actions.ScanLicensesSummary { - vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult) - } - - filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) - if filtered > 0 { - cmdlogger.Infof( - "Filtered %d %s from output", - filtered, - output.Form(filtered, "vulnerability", "vulnerabilities"), - ) - } - - return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns) + return finalizeScanResult(scanResult, actions) } func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error) { @@ -367,22 +347,27 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error return models.VulnerabilityResults{}, fmt.Errorf("failed to scan container image: %w", err) } - if scalibrSR.Inventory.IsEmpty() { + if inventoryIsEmpty(scalibrSR.Inventory) { return models.VulnerabilityResults{}, ErrNoPackagesFound } // --- Save Scalibr Scan Results --- scanResult.PackageScanResults = make([]imodels.PackageScanResult, len(scalibrSR.Inventory.Packages)) - for i, inv := range scalibrSR.Inventory.Packages { - scanResult.PackageScanResults[i].PackageInfo = imodels.FromInventory(inv) - scanResult.PackageScanResults[i].LayerDetails = inv.LayerDetails - scanResult.PackageScanResults[i].PackageInfo.ExploitabilitySignals = inv.ExploitabilitySignals + for i, pkgs := range scalibrSR.Inventory.Packages { + scanResult.PackageScanResults[i].PackageInfo = imodels.FromInventory(pkgs) + scanResult.PackageScanResults[i].PackageInfo.ExploitabilitySignals = pkgs.ExploitabilitySignals } // --- Fill Image Metadata --- - scanResult.ImageMetadata, err = imagehelpers.BuildImageMetadata(img, accessors.BaseImageMatcher) - if err != nil { // Not getting image metadata is not fatal - cmdlogger.Errorf("Failed to fully get image metadata: %v", err) + pssr, err := proto.ScanResultToProto(scalibrSR) + if err != nil { + return models.VulnerabilityResults{}, fmt.Errorf("failed to serialize scan results to proto: %w", err) + } + + if len(pssr.GetInventory().GetContainerImageMetadata()) > 0 { + scanResult.ImageMetadata = pssr.GetInventory().GetContainerImageMetadata()[0] + } else { + cmdlogger.Warnf("No container image metadata found in scan results") } // ----- Filtering ----- @@ -420,6 +405,10 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error scanResult.GenericFindings = scalibrSR.Inventory.GenericFindings + return finalizeScanResult(scanResult, actions) +} + +func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) (models.VulnerabilityResults, error) { vulnerabilityResults := buildVulnerabilityResults(actions, &scanResult) if actions.ScanLicensesSummary { @@ -435,6 +424,19 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error ) } + if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { + configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries)) + slices.Sort(configFiles) + + for _, configFile := range configFiles { + cmdlogger.Warnf("%s has unused ignores:", configFile) + + for _, iv := range unusedIgnoredEntries[configFile] { + cmdlogger.Warnf(" - %s", iv.ID) + } + } + } + return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns) } @@ -560,5 +562,26 @@ func overrideGoVersion(scanResults *results.ScanResults) { // SetLogger sets the global slog handler for the cmdlogger. func SetLogger(handler slog.Handler) { - cmdlogger.GlobalHandler = handler + baseHandler := cmdlogger.NewOverride(handler) + logger := slog.New(baseHandler) + cmdlogger.GlobalLogger = logger + scalibrlog.SetLogger(&cmdlogger.ScalibrAdapter{Logger: logger}) +} + +// inventoryIsEmpty ignores image metadata when checking if an inventory is empty +func inventoryIsEmpty(i inventory.Inventory) bool { + if len(i.Packages) != 0 { + return false + } + if len(i.PackageVulns) != 0 { + return false + } + if len(i.GenericFindings) != 0 { + return false + } + if len(i.Secrets) != 0 { + return false + } + + return true } diff --git a/pkg/osvscanner/osvscanner_test.go b/pkg/osvscanner/osvscanner_test.go new file mode 100644 index 00000000000..80786125921 --- /dev/null +++ b/pkg/osvscanner/osvscanner_test.go @@ -0,0 +1,54 @@ +package osvscanner_test + +import ( + "bytes" + "log/slog" + "testing" + + "github.com/google/osv-scanner/v2/pkg/osvscanner" +) + +// TestDoScan_LogHandlerOverride tests that the SetLogger override works correctly +// +//nolint:paralleltest // No parallel test since slog.SetDefault sets global behavior +func TestDoScan_LogHandlerOverride(t *testing.T) { + // Restore default slog behavior at the ned of the test + defaultHandler := slog.Default() + defer func() { + slog.SetDefault(defaultHandler) + }() + + actions := osvscanner.ScannerActions{ + DirectoryPaths: []string{"../../cmd/osv-scanner/testdata/locks-many/Gemfile.lock"}, + } + + output := bytes.NewBuffer(nil) + slog.SetDefault(slog.New(slog.NewTextHandler(output, nil))) + + _, _ = osvscanner.DoScan(actions) + + // Test that normally logging is output correctly to the default slog handler. + if output.Len() == 0 { + t.Errorf("output.Len() = %d, want %d", output.Len(), 0) + } + + // Clear output buffer for next run + output.Truncate(0) + + // Test if output is overridden + altOutput := bytes.NewBuffer(nil) + osvscanner.SetLogger(slog.NewTextHandler(altOutput, nil)) + + _, _ = osvscanner.DoScan(actions) + + // Normal slog output should be empty. + if output.Len() != 0 { + t.Errorf("output.Len() = %d, want %d", output.Len(), 0) + t.Errorf("Got: %s", output.String()) + } + + // altOutput should contain data now instead. + if altOutput.Len() == 0 { + t.Errorf("altOutput.Len() = %d, want %d", altOutput.Len(), 0) + } +} diff --git a/pkg/osvscanner/scan.go b/pkg/osvscanner/scan.go index db357b1cf27..7751b07b261 100644 --- a/pkg/osvscanner/scan.go +++ b/pkg/osvscanner/scan.go @@ -18,6 +18,7 @@ import ( "github.com/google/osv-scalibr/fs" "github.com/google/osv-scalibr/inventory" "github.com/google/osv-scalibr/plugin" + "github.com/google/osv-scalibr/stats" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/imodels" "github.com/google/osv-scanner/v2/internal/scalibrextract" @@ -171,6 +172,13 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*imodels.ScanRes testlogger.BeginDirScanMarker() osCapability := determineOS() + var statsCollector stats.Collector + if actions.StatsCollector != nil { + statsCollector = actions.StatsCollector + } else { + statsCollector = fileOpenedPrinter{} + } + // For each root, run scalibr's scan() once. for root, paths := range rootMap { capabilities := plugin.Capabilities{ @@ -194,14 +202,14 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*imodels.ScanRes SkipDirRegex: nil, SkipDirGlob: nil, UseGitignore: !actions.NoIgnore, - Stats: FileOpenedPrinter{}, + Stats: statsCollector, ReadSymlinks: false, MaxInodes: 0, StoreAbsolutePath: true, PrintDurationAnalysis: false, ErrorOnFSErrors: false, }) - if sr.Status.Status != plugin.ScanStatusSucceeded { + if sr.Status.Status == plugin.ScanStatusFailed { return nil, errors.New(sr.Status.FailureReason) } for _, status := range sr.PluginStatus { diff --git a/pkg/osvscanner/stats.go b/pkg/osvscanner/stats.go index 5f02020d3ab..0ec3a7755d5 100644 --- a/pkg/osvscanner/stats.go +++ b/pkg/osvscanner/stats.go @@ -8,13 +8,13 @@ import ( "github.com/google/osv-scanner/v2/internal/output" ) -type FileOpenedPrinter struct { +type fileOpenedPrinter struct { stats.NoopCollector } -var _ stats.Collector = &FileOpenedPrinter{} +var _ stats.Collector = &fileOpenedPrinter{} -func (c FileOpenedPrinter) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) { +func (c fileOpenedPrinter) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) { if extractorstats.Error != nil { // Don't log scanned if error occurred return } diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go index a29bcd1a616..25d06223b95 100644 --- a/pkg/osvscanner/vulnerability_result.go +++ b/pkg/osvscanner/vulnerability_result.go @@ -17,6 +17,7 @@ import ( "github.com/google/osv-scanner/v2/internal/sourceanalysis" "github.com/google/osv-scanner/v2/internal/spdx" "github.com/google/osv-scanner/v2/pkg/models" + "github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers" "github.com/ossf/osv-schema/bindings/go/osvschema" ) @@ -30,7 +31,7 @@ func buildVulnerabilityResults( ) models.VulnerabilityResults { vulnResults := models.VulnerabilityResults{ Results: []models.PackageSource{}, - ImageMetadata: scanResults.ImageMetadata, + ImageMetadata: imagehelpers.BuildImageMetadata(scanResults), ExperimentalGenericFindings: scanResults.GenericFindings, } @@ -60,9 +61,9 @@ func buildVulnerabilityResults( pkg.Package.OSPackageName = p.OSPackageName() } - if psr.LayerDetails != nil { + if psr.PackageInfo.LayerMetadata != nil { pkg.Package.ImageOrigin = &models.ImageOriginDetails{ - Index: psr.LayerDetails.Index, + Index: psr.PackageInfo.LayerMetadata.Index, } } pkg.DepGroups = p.DepGroups()