From 597994cc923f674a4ded01e45fc67004135af1ae Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 9 Jan 2026 11:35:51 +1300 Subject: [PATCH 1/2] feat: remove deprecated `sbom` flag --- .../source/__snapshots__/command_test.snap | 77 +------------------ cmd/osv-scanner/scan/source/command.go | 13 ---- cmd/osv-scanner/scan/source/command_test.go | 25 +----- pkg/osvscanner/osvscanner.go | 3 - pkg/osvscanner/scan.go | 29 +------ 5 files changed, 7 insertions(+), 140 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index c66bc6017f9..f261ccea41c 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -1133,7 +1133,6 @@ DESCRIPTION: OPTIONS: --lockfile string, -L string [ --lockfile string, -L string ] scan package lockfile on this path - --sbom string, -S string [ --sbom string, -S string ] [DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec --recursive, -r check subdirectories --no-ignore also scan files that would be ignored by .gitignore --include-git-root include scanning git root (non-submoduled) repositories 
@@ -1299,22 +1298,10 @@ No package sources found, --help for usage information. --- [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 1] -Warning: --sbom has been deprecated in favor of -L --- [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 2] -Failed to parse SBOM "./testdata/locks-many/composer.lock": Invalid SBOM filename. -If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification. -invalid SBOM filename: ./testdata/locks-many/composer.lock - ---- - -[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 1] - ---- - -[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 2] could not determine extractor, requested spdx --- @@ -1357,8 +1344,7 @@ No issues found --- -[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 1] -Warning: --sbom has been deprecated in favor of -L +[TestCommand/one_specific_supported_sbom_with_duplicate_purls - 1] Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Filtered 1 local/unscannable package/s from the scan. 
@@ -1375,73 +1361,18 @@ Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medi --- -[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 2] +[TestCommand/one_specific_supported_sbom_with_duplicate_purls - 2] --- -[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 1] -Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages -Filtered 1 local/unscannable package/s from the scan. - -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -0 vulnerabilities can be fixed. - -+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | -| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | -| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | -+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ - ---- - -[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 2] - ---- - -[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 1] -Warning: --sbom has been deprecated in favor of -L +[TestCommand/one_specific_supported_sbom_with_invalid_purls - 1] Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages Filtered 7 local/unscannable package/s from the scan. 
No issues found --- -[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 2] - ---- - -[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 1] -Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages -Filtered 7 local/unscannable package/s from the scan. -No issues found - ---- - -[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 2] - ---- - -[TestCommand/one_specific_supported_sbom_with_vulns - 1] -Warning: --sbom has been deprecated in favor of -L -Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages -Filtered 1 local/unscannable package/s from the scan. - -Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -0 vulnerabilities can be fixed. - -+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ -| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | -| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | -| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | -+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ - ---- - -[TestCommand/one_specific_supported_sbom_with_vulns - 2] +[TestCommand/one_specific_supported_sbom_with_invalid_purls - 2] --- diff --git a/cmd/osv-scanner/scan/source/command.go b/cmd/osv-scanner/scan/source/command.go index 06301571ae3..c5ae792a75f 100644 --- a/cmd/osv-scanner/scan/source/command.go 
+++ b/cmd/osv-scanner/scan/source/command.go @@ -30,17 +30,6 @@ func Command(stdout, stderr io.Writer, client *http.Client) *cli.Command { Usage: "scan package lockfile on this path", TakesFile: true, }, - &cli.StringSliceFlag{ - Name: "sbom", - Aliases: []string{"S"}, - Usage: "[DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec", - Action: func(_ context.Context, _ *cli.Command, _ []string) error { - cmdlogger.Warnf("Warning: --sbom has been deprecated in favor of -L") - - return nil - }, - TakesFile: true, - }, &cli.BoolFlag{ Name: "recursive", Aliases: []string{"r"}, @@ -128,8 +117,6 @@ func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, clien scannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist) scannerAction.LockfilePaths = cmd.StringSlice("lockfile") - //nolint:staticcheck // ignore our own deprecated field - scannerAction.SBOMPaths = cmd.StringSlice("sbom") scannerAction.Recursive = cmd.Bool("recursive") scannerAction.NoIgnore = cmd.Bool("no-ignore") scannerAction.DirectoryPaths = cmd.Args().Slice() diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 662b5a6236f..2ea8cf21e38 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -47,12 +47,6 @@ func TestCommand(t *testing.T) { Args: []string{"", "source", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, Exit: 1, }, - // one specific supported sbom with vulns - { - Name: "one_specific_supported_sbom_with_vulns", - Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"}, - Exit: 1, - }, { Name: "one_specific_supported_sbom_with_vulns_using_-L_flag", Args: []string{"", "source", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"}, 
@@ -60,34 +54,19 @@ func TestCommand(t *testing.T) { }, // one specific supported sbom with vulns and invalid PURLs { - Name: "one_specific_supported_sbom_with_invalid_PURLs", - Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, - Exit: 0, - }, - { - Name: "one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag", + Name: "one_specific_supported_sbom_with_invalid_purls", Args: []string{"", "source", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, Exit: 0, }, // one specific supported sbom with duplicate PURLs { - Name: "one_specific_supported_sbom_with_duplicate_PURLs", - Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, - Exit: 1, - }, - { - Name: "one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag", + Name: "one_specific_supported_sbom_with_duplicate_purls", Args: []string{"", "source", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, Exit: 1, }, // one file that does not match the supported sbom file names { Name: "one_file_that_does_not_match_the_supported_sbom_file_names", - Args: []string{"", "source", "--sbom", "./testdata/locks-many/composer.lock"}, - Exit: 127, - }, - { - Name: "one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag", Args: []string{"", "source", "-L", "spdx:./testdata/locks-many/composer.lock"}, Exit: 127, }, diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 95c53fabdf4..5f4d73abf85 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -63,9 +63,6 @@ type ScannerActions struct { // license scanning ScanLicensesSummary bool ScanLicensesAllowlist []string - - // Deprecated: in favor of LockfilePaths - SBOMPaths []string } type ExperimentalScannerActions struct { diff --git a/pkg/osvscanner/scan.go b/pkg/osvscanner/scan.go index 5c53d8917bb..c4283bf732b 100644 --- a/pkg/osvscanner/scan.go +++ b/pkg/osvscanner/scan.go 
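Review bot: With every `--sbom` case removed or rewritten in the visible hunks of this file, nothing pins what the CLI does when a caller still passes the removed flag; `one_file_that_does_not_match_the_supported_sbom_file_names` in this hunk now only exercises `-L spdx:...`. For a vulnerability scanner run from CI, the case worth guarding is a stale `--sbom path` invocation that ends in a way a pipeline could read as a clean scan. I would add one case such as `{Name: "removed_sbom_flag_is_rejected", Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 127},` and adjust the exit code to whatever the CLI really returns for an unknown flag (127 is assumed from the neighbouring error case). Separately, the renames here drop the `_using_-L_flag` suffix, but the previous hunk keeps `one_specific_supported_sbom_with_vulns_using_-L_flag`, which is now inconsistent with its siblings. The test table starts and ends outside the hunk.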
@@ -17,7 +17,6 @@ import ( "github.com/google/osv-scalibr/enricher/reachability/java" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/extractor/filesystem" - "github.com/google/osv-scalibr/extractor/filesystem/simplefileapi" "github.com/google/osv-scalibr/fs" "github.com/google/osv-scalibr/inventory" "github.com/google/osv-scalibr/log" @@ -142,7 +141,7 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*inventory.Inven // map[path]parseAs overrideMap := map[string]filesystem.Extractor{} // List of specific paths the user passes in so that we can check that they all get processed. - specificPaths := make([]string, 0, len(actions.LockfilePaths)+len(actions.SBOMPaths)) + specificPaths := make([]string, 0, len(actions.LockfilePaths)) statsCollector := fileOpenedPrinter{ filesExtracted: make(map[string]struct{}), 
@@ -175,32 +174,6 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*inventory.Inven } } - // --- SBOMs (Deprecated) --- - // none of the SBOM extractors need configuring - sbomExtractors := scalibrplugin.Resolve([]string{"sbom"}, []string{}, &cpb.PluginConfig{}) - -SBOMLoop: - for _, sbomPath := range actions.SBOMPaths { - absPath, err := pathToRootMap(rootMap, sbomPath, actions.Recursive) - if err != nil { - return nil, err - } - specificPaths = append(specificPaths, absPath) - - for _, se := range sbomExtractors { - // All sbom extractors are filesystem extractors - sbomExtractor := se.(filesystem.Extractor) - if sbomExtractor.FileRequired(simplefileapi.New(absPath, nil)) { - overrideMap[absPath] = sbomExtractor - continue SBOMLoop - } - } - cmdlogger.Errorf("Failed to parse SBOM %q: Invalid SBOM filename.", sbomPath) - cmdlogger.Errorf("If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.") - - return nil, fmt.Errorf("invalid SBOM filename: %s", sbomPath) - } - // --- Add git commits directly --- gitDirectPlugin := gitcommitdirect.New(actions.GitCommits) From e2630a05975a10c15407dd6378f6c03641f404b3 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 9 Jan 2026 14:34:30 +1300 Subject: [PATCH 2/2] test: update cassette --- .../TestCommand_OCIImage_JSONFormat.yaml | 513 ++++++++++++++++++ .../testdata/cassettes/TestCommand.yaml | 266 +++++++++ 2 files changed, 779 insertions(+) diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml index 48db4a2822b..fe27e55e897 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml 
@@ -1922,6 +1922,519 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 6214 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "alpine-baselayout" + }, + "version": "3.6.5-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "alpine-baselayout" + }, + "version": "3.6.5-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "alpine-keys" + }, + "version": "2.4-r1" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "apk-tools" + }, + "version": "2.14.4-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "busybox" + }, + "version": "1.36.1-r29" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "busybox" + }, + "version": "1.36.1-r29" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "ca-certificates" + }, + "version": "20240705-r0" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "displaydoc" + }, + "version": "0.2.5" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "form_urlencoded" + }, + "version": "1.2.2" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_collections" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_locale_core" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_normalizer" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_normalizer_data" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_properties" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_properties_data" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "icu_provider" + }, + "version": "2.1.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "idna" + 
}, + "version": "1.1.0" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "idna_adapter" + }, + "version": "1.2.1" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "openssl" + }, + "version": "3.3.2-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "openssl" + }, + "version": "3.3.2-r0" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "litemap" + }, + "version": "0.8.1" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "musl" + }, + "version": "1.2.5-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "musl" + }, + "version": "1.2.5-r0" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "percent-encoding" + }, + "version": "2.3.2" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "potential_utf" + }, + "version": "0.1.4" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "proc-macro2" + }, + "version": "1.0.103" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "quote" + }, + "version": "1.0.42" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "rust_novuln_deprecated" + }, + "version": "0.1.0" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "pax-utils" + }, + "version": "1.3.7-r2" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "smallvec" + }, + "version": "1.15.1" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "busybox" + }, + "version": "1.36.1-r29" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "stable_deref_trait" + }, + "version": "1.2.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "syn" + }, + "version": "2.0.111" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "synstructure" + }, + "version": "0.13.2" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "tinystr" + }, + "version": "0.8.2" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "unicode-ident" + }, + "version": "1.0.22" + }, + { + 
"package": { + "ecosystem": "crates.io", + "name": "url" + }, + "version": "2.5.3" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "utf8_iter" + }, + "version": "1.0.4" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "writeable" + }, + "version": "0.6.2" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "yoke" + }, + "version": "0.8.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "yoke-derive" + }, + "version": "0.8.1" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "zerofrom" + }, + "version": "0.1.6" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "zerofrom-derive" + }, + "version": "0.1.6" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "zerotrie" + }, + "version": "0.2.3" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "zerovec" + }, + "version": "0.11.5" + }, + { + "package": { + "ecosystem": "crates.io", + "name": "zerovec-derive" + }, + "version": "0.11.2" + }, + { + "package": { + "ecosystem": "Alpine:v3.20", + "name": "zlib" + }, + "version": "1.3.1-r1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1649 + body: | + { + "results": [ + {}, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2024-58251", + "modified": "2025-12-03T22:57:45.619122Z" + }, + { + "id": "ALPINE-CVE-2025-46394", + "modified": "2025-12-03T22:59:20.065296Z" + } + ] + }, + { + "vulns": [ + { + "id": "ALPINE-CVE-2024-58251", + "modified": "2025-12-03T22:57:45.619122Z" + }, + { + "id": "ALPINE-CVE-2025-46394", + "modified": "2025-12-03T22:59:20.065296Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2024-12797", + "modified": 
"2025-12-03T22:55:03.634026Z" + }, + { + "id": "ALPINE-CVE-2024-13176", + "modified": "2025-12-03T22:55:07.817006Z" + }, + { + "id": "ALPINE-CVE-2024-9143", + "modified": "2025-12-03T22:57:50.413061Z" + }, + { + "id": "ALPINE-CVE-2025-9230", + "modified": "2025-12-03T23:00:22.789476Z" + }, + { + "id": "ALPINE-CVE-2025-9231", + "modified": "2025-12-03T23:00:26.184987Z" + }, + { + "id": "ALPINE-CVE-2025-9232", + "modified": "2025-12-03T23:00:27.900024Z" + } + ] + }, + { + "vulns": [ + { + "id": "ALPINE-CVE-2024-12797", + "modified": "2025-12-03T22:55:03.634026Z" + }, + { + "id": "ALPINE-CVE-2024-13176", + "modified": "2025-12-03T22:55:07.817006Z" + }, + { + "id": "ALPINE-CVE-2024-9143", + "modified": "2025-12-03T22:57:50.413061Z" + }, + { + "id": "ALPINE-CVE-2025-9230", + "modified": "2025-12-03T23:00:22.789476Z" + }, + { + "id": "ALPINE-CVE-2025-9231", + "modified": "2025-12-03T23:00:26.184987Z" + }, + { + "id": "ALPINE-CVE-2025-9232", + "modified": "2025-12-03T23:00:27.900024Z" + } + ] + }, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2025-26519", + "modified": "2025-12-11T11:16:21.978419Z" + } + ] + }, + { + "vulns": [ + { + "id": "ALPINE-CVE-2025-26519", + "modified": "2025-12-11T11:16:21.978419Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2024-58251", + "modified": "2025-12-03T22:57:45.619122Z" + }, + { + "id": "ALPINE-CVE-2025-46394", + "modified": "2025-12-03T22:59:20.065296Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "1649" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index a762d7b8294..21b14f2f2dc 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml 
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml 
@@ -6016,6 +6016,172 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1852 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Alpine", + "name": "alpine-baselayout" + }, + "version": "3.4.0-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "alpine-baselayout-data" + }, + "version": "3.4.0-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "alpine-keys" + }, + "version": "2.4-r1" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "apk-tools" + }, + "version": "2.12.10-r1" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "busybox-binsh" + }, + "version": "1.36.1-r27" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "ca-certificates-bundle" + }, + "version": "20220614-r4" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "libc-utils" + }, + "version": "0.7.2-r3" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "libcrypto3" + }, + "version": "3.0.8-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "libssl3" + }, + "version": "3.0.8-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "musl" + }, + "version": "1.2.3-r4" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "musl-utils" + }, + "version": "1.2.3-r4" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "scanelf" + }, + "version": "1.3.5-r1" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "ssl_client" + }, + "version": "1.36.1-r27" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "zlib" + }, + "version": "1.2.10-r0" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand/one_specific_supported_sbom_with_duplicate_purls + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 289 + body: | + { + "results": [ + {}, + {}, + {}, + {}, + {}, + {}, + {}, 
+ {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2025-26519", + "modified": "2025-12-11T11:16:21.978419Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2018-25032", + "modified": "2025-12-03T22:47:03.844688Z" + }, + { + "id": "ALPINE-CVE-2022-37434", + "modified": "2025-12-03T22:50:43.469206Z" + } + ] + } + ] + } + headers: + Content-Length: + - "289" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 
@@ -6216,6 +6382,106 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1073 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Alpine", + "name": "alpine-baselayout" + }, + "version": "3.4.0-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "alpine-baselayout-data" + }, + "version": "3.4.0-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "apk-tools" + }, + "version": "2.12.10-r1" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "busybox-binsh" + }, + "version": "1.36.1-r27" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "libcrypto3" + }, + "version": "3.0.8-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "libssl3" + }, + "version": "3.0.8-r0" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "musl-utils" + }, + "version": "1.2.3-r4" + }, + { + "package": { + "ecosystem": "Alpine", + "name": "scanelf" + }, + "version": "1.3.5-r1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand/one_specific_supported_sbom_with_invalid_purls + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 37 + body: | + { + "results": [ + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "37" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1