diff --git a/cmd/osv-scanner/internal/helper/flags.go b/cmd/osv-scanner/internal/helper/flags.go
index c7601c2906f..ff0f362e32f 100644
--- a/cmd/osv-scanner/internal/helper/flags.go
+++ b/cmd/osv-scanner/internal/helper/flags.go
@@ -207,5 +207,19 @@ func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {
 Name: "experimental-no-default-plugins",
 Usage: "disable default plugins, instead using only those enabled by --experimental-plugins",
 },
+ &cli.StringFlag{
+ Name: "experimental-update-config-ignores",
+ Usage: "update config file(s) to ignore vulnerabilities - must be one of: none, unused, or all",
+ Action: func(_ context.Context, _ *cli.Command, s string) error {
+ // todo: can we do something other than "none"?
+ // - feels like that might mean "remove all ignores"
+ // - ideally empty string would be nice, but might not work properly as a flag default?
+ if s == "none" || s == "unused" || s == "all" {
+ return nil
+ }
+
+ return fmt.Errorf("unsupported option \"%s\" - must be none, unused, or all", s)
+ },
+ },
 }
 }
diff --git a/cmd/osv-scanner/internal/helper/getters.go b/cmd/osv-scanner/internal/helper/getters.go
index c1fc053e94f..847252b8877 100644
--- a/cmd/osv-scanner/internal/helper/getters.go
+++ b/cmd/osv-scanner/internal/helper/getters.go
@@ -56,5 +56,6 @@ func GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvsca
 PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"),
 HTTPClient: client,
 FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"),
+ UpdateConfigIgnores: cmd.String("experimental-update-config-ignores"),
 }
 }
diff --git a/cmd/osv-scanner/internal/testcmd/copy.go b/cmd/osv-scanner/internal/testcmd/copy.go
index 68f850e8888..15cf08aeb5b 100644
--- a/cmd/osv-scanner/internal/testcmd/copy.go
+++ b/cmd/osv-scanner/internal/testcmd/copy.go
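Review bot: The `Action` validator in the flags.go hunk presumably runs only when the flag is actually passed, so with `--experimental-update-config-ignores` omitted the value handed on by `cmd.String("experimental-update-config-ignores")` in the getters.go hunk would be `""`, a fourth value the check never covers and the TODO already worries about. Because `all` makes the scanner write ignore entries that turn the follow-up scan in the snapshot into "No issues found", the consumer (not visible here) should treat anything other than `unused` or `all` as "write nothing"; setting `Value: "none",` on the flag would make that default explicit. The usage string should also say that the flag rewrites config files on disk and what each of the three modes does, since the current text only lists the accepted words. Minor style point: `return fmt.Errorf("unsupported option %q - must be none, unused, or all", s)` is cleaner than the escaped `\"%s\"`.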
@@ -8,7 +8,7 @@ import ( "testing" ) -func copyFile(from, to string) (string, error) { +func CopyFile(from, to string) (string, error) { b, err := os.ReadFile(from) if err != nil { return "", fmt.Errorf("could not read test file: %w", err) @@ -37,7 +37,7 @@ func CopyFileFlagTo(t *testing.T, tc Case, flagName string, dir string) string { return "" } - newPath, err := copyFile(flagValue, filepath.Join(dir, filepath.Base(flagValue))) + newPath, err := CopyFile(flagValue, filepath.Join(dir, filepath.Base(flagValue))) if err != nil { t.Fatalf("%v", err) diff --git a/cmd/osv-scanner/internal/testcmd/git.go b/cmd/osv-scanner/internal/testcmd/git.go index e8035415736..8a7c41946be 100644 --- a/cmd/osv-scanner/internal/testcmd/git.go +++ b/cmd/osv-scanner/internal/testcmd/git.go @@ -43,7 +43,7 @@ func SetupGitFixtures() (func(), error) { } for _, f := range gitIgnoreFiles { - gitignoreFile, err := copyFile(f, filepath.Join(filepath.Dir(f), ".gitignore")) + gitignoreFile, err := CopyFile(f, filepath.Join(filepath.Dir(f), ".gitignore")) if err != nil { return cleaner, err diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 5d72adfe495..16795ce4f44 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -1206,6 +1206,7 @@ OPTIONS: --experimental-plugins string [ --experimental-plugins string ] list of specific plugins and presets of plugins to use (default: "lockfile", "sbom", "directory") --experimental-disable-plugins string [ --experimental-disable-plugins string ] list of specific plugins and presets of plugins to not use --experimental-no-default-plugins disable default plugins, instead using only those enabled by --experimental-plugins + --experimental-update-config-ignores string update config file(s) to ignore vulnerabilities - must be one of: none, unused, or all --help, -h show help --- 
@@ -5873,6 +5874,2229 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me --- +[TestCommand_UpdateConfigIgnores_All/deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +/nested-1/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities +/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities +/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability +/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities + +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: 
Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 3] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 5] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 11 vulnerabilities from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 9] + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability + +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the 
following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 6] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned 
/nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 1 vulnerability from output + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in 
lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 9] + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! 
+Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities +/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability +/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities + +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + 
GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 3] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + 
+[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 7 vulnerabilities from output + +Total 3 packages affected by 4 known vulnerabilities (0 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +4 vulnerabilities can be fixed. 
+ +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 9] + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +/custom-config.toml has been updated to ignore 4 vulnerabilities + +Total 11 packages affected by 14 known vulnerabilities (0 Critical, 4 High, 10 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +14 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has 
ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 3] + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 4] +GoVersionOverride = "1.20.0" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file 
and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 14 vulnerabilities from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 9] + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be 
risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +/custom-config.toml has been updated to ignore 2 vulnerabilities + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 3] + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 4] +GoVersionOverride = "1.20.0" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 
packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 9] + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 3] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+Loaded filter from: /osv-scanner-test.toml +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 9] + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 2] + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + 
+[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. 
+CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 3 vulnerabilities from output +/nested-2/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 + +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in 
lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 3 vulnerabilities from output + +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + 
ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +/nested-3/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 + +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 
+11 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known 
vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 6] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. + +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + 
ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! 
+Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +/nested-2/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 + +Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +9 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with 
issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file 
and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output + +Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +9 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known 
vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output +/custom-config.toml had unused ignores that were removed: + - CVE-123-456-789 + +Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/nested-3/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + 
+ 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 4] +GoVersionOverride = "1.20.0" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output + +Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + 
+lockfile:/nested-3/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-3/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +/custom-config.toml had unused ignores that were removed: + - CVE-123-456-789 + - GHSA-2g4f-4pwh-qvx6 + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+Loaded filter from: /osv-scanner-test.toml + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 9] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 8] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 9] + +--- + [TestCommand_WithDetector_OffLinux/ssh_version_errors - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 3febffb55d7..190e94d4558 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1,6 +1,7 @@ package source_test import ( + "errors" "net/http" "os" "path/filepath" 
@@ -1743,3 +1744,271 @@ func TestCommand_FlagDeprecatedPackages(t *testing.T) { }) } } + +func TestCommand_UpdateConfigIgnores_All(t *testing.T) { + t.Parallel() + + client := testcmd.InsertCassette(t) + + type withFilesToRemove struct { + Name string + Args []string + + Remove []string + } + + tests := []withFilesToRemove{ + { + Name: "shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", + }, + }, + { + Name: "shallow_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", + }, + Remove: []string{"osv-scanner-test.toml"}, + }, + { + Name: "deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", + }, + }, + { + Name: "deep_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", + }, + Remove: []string{"nested-1/osv-scanner-test.toml"}, + }, + { + Name: "deep_with_no_configs", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", + }, + Remove: []string{ + "osv-scanner-test.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + }, + }, + { + Name: "global_config_shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + { + Name: "global_config_deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + } + for _, tt := range tests { + t.Run(tt.Name, func(t *testing.T) { + t.Parallel() + + // action overwrites files, copy them to a temporary directory. 
+ testDir := testutility.CreateTestDir(t) + + err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) + if err != nil { + t.Fatal(err) + } + + // remove specified files + for _, file := range tt.Remove { + err = os.Remove(testDir + "/" + file) + if err != nil { + t.Fatal(err) + } + } + + tc := testcmd.Case{ + Name: tt.Name, + Args: tt.Args, + Exit: 1, + + HTTPClient: testcmd.WithTestNameHeader(t, *client), + } + + tc.Args = append(tc.Args, testDir) + + testcmd.CopyFileFlagTo(t, tc, "--config", testDir) + + testcmd.RunAndMatchSnapshots(t, tc) + + for _, file := range []string{ + "osv-scanner-test.toml", + "custom-config.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + "nested-3/osv-scanner-test.toml", + } { + b, err := os.ReadFile(testDir + "/" + file) + + if err != nil { + if !errors.Is(err, os.ErrNotExist) { + t.Fatal(err) + } + + b = []byte("(does not exist)") + } + + testutility.NewSnapshot().MatchText(t, string(b)) + } + + for i, arg := range tc.Args { + if arg == "--experimental-update-config-ignores=all" { + tc.Args[i] = "--experimental-update-config-ignores=none" + } + } + + // if there were no (config) files removed, then re-running the cli + // should have no vulnerabilities as everything should be ignored + if len(tt.Remove) == 0 { + tc.Exit = 0 + } + + testcmd.RunAndMatchSnapshots(t, tc) + }) + } +} + +func TestCommand_UpdateConfigIgnores_Unused(t *testing.T) { + t.Parallel() + + client := testcmd.InsertCassette(t) + + type withFilesToRemove struct { + Name string + Args []string + + Remove []string + } + + tests := []withFilesToRemove{ + { + Name: "shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + }, + }, + { + Name: "shallow_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + }, + Remove: []string{"osv-scanner-test.toml"}, + }, + { + Name: "deep", + Args: []string{ + 
"", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", + }, + }, + { + Name: "deep_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", + }, + Remove: []string{"nested-1/osv-scanner-test.toml"}, + }, + { + Name: "deep_with_no_configs", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", + }, + Remove: []string{ + "osv-scanner-test.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + }, + }, + { + Name: "global_config_shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + { + Name: "global_config_deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + } + for _, tt := range tests { + t.Run(tt.Name, func(t *testing.T) { + t.Parallel() + + // action overwrites files, copy them to a temporary directory. 
+ testDir := testutility.CreateTestDir(t) + + err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) + if err != nil { + t.Fatal(err) + } + + // remove specified files + for _, file := range tt.Remove { + err = os.Remove(testDir + "/" + file) + if err != nil { + t.Fatal(err) + } + } + + tc := testcmd.Case{ + Name: tt.Name, + Args: tt.Args, + Exit: 1, + + HTTPClient: testcmd.WithTestNameHeader(t, *client), + } + + tc.Args = append(tc.Args, testDir) + + testcmd.CopyFileFlagTo(t, tc, "--config", testDir) + + testcmd.RunAndMatchSnapshots(t, tc) + + for _, file := range []string{ + "osv-scanner-test.toml", + "custom-config.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + "nested-3/osv-scanner-test.toml", + } { + b, err := os.ReadFile(testDir + "/" + file) + + if err != nil { + if !errors.Is(err, os.ErrNotExist) { + t.Fatal(err) + } + + b = []byte("(does not exist)") + } + + testutility.NewSnapshot().MatchText(t, string(b)) + } + + for i, arg := range tc.Args { + if arg == "--experimental-update-config-ignores=unused" { + tc.Args[i] = "--experimental-update-config-ignores=none" + } + } + + // re-running the cli should have vulnerabilities as not everything was ignored + testcmd.RunAndMatchSnapshots(t, tc) + }) + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml new file mode 100644 index 00000000000..66305f2fa66 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml 
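Review bot: The `deep_with_no_configs` case in both `TestCommand_UpdateConfigIgnores_All` and `TestCommand_UpdateConfigIgnores_Unused` removes only the root, `nested-1` and `nested-2` configs, while the loop further down still reads `nested-3/osv-scanner-test.toml`, so a recursive run with no config left to update appears not to be exercised. For a flag that rewrites which vulnerabilities are suppressed, that path is worth pinning: add `"nested-3/osv-scanner-test.toml",` to that case's `Remove` list, or rename the case if leaving one config in place is intended. The per-file snapshots are also matched by position only, so a reader of the `.snap` file cannot tell which config gained or lost an ignore; prefixing the text, e.g. `MatchText(t, file+"\n"+string(b))`, would make each one attributable. The paths built with `testDir + "/" + file` would read better as `filepath.Join(testDir, file)`, since the file already imports `path/filepath`.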
@@ -0,0 +1,4065 @@ +--- +version: 2 +interactions: + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, 
+ { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" 
+ } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + 
body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + 
"name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + 
"version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + 
duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + 
"vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": 
"2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + 
Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + 
"name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + 
Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] 
+ }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + 
body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + 
"ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": 
"RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": 
"2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": 
"2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + 
"ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": 
"ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { 
+ "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, 
+ { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + 
body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": 
"2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] 
+ } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - 
application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + 
duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s 
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml
new file mode 100644
index 00000000000..364cfe00933
--- /dev/null
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml
@@ -0,0 +1,3671 @@ +--- +version: 2 +interactions: + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": 
"2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + 
"id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + 
"version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + 
{ + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: 
+ - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": 
"GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": 
"2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + 
X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + 
"version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + 
"package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + 
"vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + 
{ + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": 
"npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + 
"version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + 
"id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, 
+ { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + 
"package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + 
proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + 
host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" 
+ } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + 
"modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - 
TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - 
TestCommand_UpdateConfigIgnores_Unused/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - 
TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock new file mode 100644 index 00000000000..c398b9387cd --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock @@ -0,0 +1,16 @@ +GEM + remote: https://rubygems.org/ + specs: + nokogiri (1.18.9) + +PLATFORMS + x86_64-linux + +DEPENDENCIES + nokogiri (1.18.9) + +RUBY VERSION + ruby 3.0.2p107 + +BUNDLED WITH + 2.2.28 diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock new file mode 100644 index 00000000000..0967ef424bc --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock @@ -0,0 +1 @@ +{} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml new file mode 100644 index 00000000000..fb0e028aa23 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml @@ -0,0 +1,9 @@ +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" 
diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml new file mode 100644 index 00000000000..6b6d8b344ee --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml @@ -0,0 +1,3 @@ +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json new file mode 100644 index 00000000000..45a1996e344 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json @@ -0,0 +1,17 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1", + "dependencies": { + "ajv": { + "version": "6.0.0" + } + } + }, + "ajv": { + "version": "8.0.0" + } + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml new file mode 100644 index 00000000000..177dc465564 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml @@ -0,0 +1,5 @@ +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" 
diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json new file mode 100644 index 00000000000..45a1996e344 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json @@ -0,0 +1,17 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1", + "dependencies": { + "ajv": { + "version": "6.0.0" + } + } + }, + "ajv": { + "version": "8.0.0" + } + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml new file mode 100644 index 00000000000..40a7b53a5b3 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml @@ -0,0 +1,6 @@ +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true 
diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json new file mode 100644 index 00000000000..45a1996e344 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json @@ -0,0 +1,17 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1", + "dependencies": { + "ajv": { + "version": "6.0.0" + } + } + }, + "ajv": { + "version": "8.0.0" + } + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner-test.toml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json new file mode 100644 index 00000000000..e3a2d44973c --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json @@ -0,0 +1,9 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1" + } + } +} diff --git a/docs/configuration-updating.md b/docs/configuration-updating.md new file mode 100644 index 00000000000..cf9fccb04cc --- /dev/null +++ b/docs/configuration-updating.md 
@@ -0,0 +1,27 @@ +--- +layout: page +permalink: /experimental/configuration-updating/ +parent: Experimental Features +nav_order: 6 +--- + +# Configuration updating + +Experimental +{: .label } + +{: .no_toc } + +OSV-Scanner can automatically update ignored vulnerabilities in `osv-scanner.toml` files, either to remove unused ignore entries, or to ignore all found vulnerabilities. + +This requires that a configuration file already exists, and currently makes no attempt to preserve comments or syntax. + +## Usage + +``` +# remove only ignore entires that are not being used +osv-scanner scan --experimental-update-config-ignores=unused . + +# add ignore entries for all found vulnerabilities +osv-scanner scan --experimental-update-config-ignores=all . +``` diff --git a/internal/config/config.go b/internal/config/config.go index ce46e8b20ad..c905070ec9b 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -2,20 +2,24 @@ package config import ( + "os" "slices" "time" + "github.com/BurntSushi/toml" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scanner/v2/internal/cmdlogger" + "github.com/google/osv-scanner/v2/internal/identifiers" "github.com/google/osv-scanner/v2/internal/imodels" + "github.com/ossf/osv-schema/bindings/go/osvschema" ) var OSVScannerConfigName = "osv-scanner.toml" type Config struct { - IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns"` - PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides"` - GoVersionOverride string `toml:"GoVersionOverride"` + GoVersionOverride string `toml:"GoVersionOverride,omitempty"` + PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides,omitempty"` + IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns,omitempty"` // The path to config file that this config was loaded from, // set by the scanner after having successfully parsed the file LoadPath string `toml:"-"` 
@@ -23,8 +27,8 @@ type Config struct { type IgnoreEntry struct { ID string `toml:"id"` - IgnoreUntil time.Time `toml:"ignoreUntil"` - Reason string `toml:"reason"` + IgnoreUntil time.Time `toml:"ignoreUntil,omitempty"` + Reason string `toml:"reason,omitempty"` Used bool `toml:"-"` } @@ -34,16 +38,16 @@ func (ie *IgnoreEntry) MarkAsUsed() { } type PackageOverrideEntry struct { - Name string `toml:"name"` + Name string `toml:"name,omitempty"` // If the version is empty, the entry applies to all versions. - Version string `toml:"version"` - Ecosystem string `toml:"ecosystem"` - Group string `toml:"group"` - Ignore bool `toml:"ignore"` - Vulnerability Vulnerability `toml:"vulnerability"` - License License `toml:"license"` - EffectiveUntil time.Time `toml:"effectiveUntil"` - Reason string `toml:"reason"` + Version string `toml:"version,omitempty"` + Ecosystem string `toml:"ecosystem,omitempty"` + Group string `toml:"group,omitempty"` + Ignore bool `toml:"ignore,omitempty"` + Vulnerability Vulnerability `toml:"vulnerability,omitempty"` + License License `toml:"license,omitempty"` + EffectiveUntil time.Time `toml:"effectiveUntil,omitempty"` + Reason string `toml:"reason,omitempty"` } func (e PackageOverrideEntry) matches(pkg *extractor.Package) bool { 
@@ -75,6 +79,53 @@ type License struct { Ignore bool `toml:"ignore"` } +// IgnoreVulns updates Config.IgnoredVulns to hold only the given vulnerabilities +func (c *Config) IgnoreVulns(vulns []*osvschema.Vulnerability) { + existingIgnores := make(map[string]*IgnoreEntry, len(c.IgnoredVulns)) + for _, ignoredVuln := range c.IgnoredVulns { + existingIgnores[ignoredVuln.ID] = ignoredVuln + } + + // use a fresh slice to ensure vulns that are no longer present are removed + c.IgnoredVulns = make([]*IgnoreEntry, 0, len(vulns)) + + seen := make(map[string]struct{}, len(vulns)) + + for _, vuln := range vulns { + if _, ok := seen[vuln.GetId()]; ok { + continue + } + + // if the vuln was already ignored, we want to persist its other fields + ignore, ok := existingIgnores[vuln.GetId()] + + if !ok { + ignore = &IgnoreEntry{ID: vuln.GetId()} + } + + c.IgnoredVulns = append(c.IgnoredVulns, ignore) + seen[vuln.GetId()] = struct{}{} + } + + slices.SortFunc(c.IgnoredVulns, func(a, b *IgnoreEntry) int { + return identifiers.IDSortFunc(a.ID, b.ID) + }) +} + +// Save writes the configuration file to disk, overriding the existing content +func (c *Config) Save() error { + f, err := os.OpenFile(c.LoadPath, os.O_TRUNC|os.O_WRONLY, os.ModePerm) + + if err != nil { + return err + } + + encoder := toml.NewEncoder(f) + encoder.Indent = "" + + return encoder.Encode(c) +} + func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry { unused := make([]*IgnoreEntry, 0, len(c.IgnoredVulns)) 
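Review bot: `Save` never closes the file it opens, so the descriptor leaks and any error reported on close is lost; the handle should be closed and its error returned. Because the file is opened with `os.O_TRUNC` before encoding starts, a failed `Encode` would leave the config truncated, losing the ignore entries and package overrides it held. Writing to a temporary file in the same directory and renaming it over `c.LoadPath` would avoid that, but it is a larger change than the one below. `os.ModePerm` has no effect here since `os.O_CREATE` is not set, so `0` states the intent more clearly.

```go
func (c *Config) Save() (err error) {
	f, err := os.OpenFile(c.LoadPath, os.O_TRUNC|os.O_WRONLY, 0)
	if err != nil {
		return err
	}

	// report a failed close as well, as some write errors only surface there
	defer func() {
		if closeErr := f.Close(); err == nil {
			err = closeErr
		}
	}()

	// … unchanged: encoder setup and Encode call …
}
```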
@@ -87,6 +138,23 @@ func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry { return unused } +func (c *Config) RemoveUnusedIgnores() []*IgnoreEntry { + var removed []*IgnoreEntry + filtered := c.IgnoredVulns[:0] + + for _, iv := range c.IgnoredVulns { + if iv.Used { + filtered = append(filtered, iv) + } else { + removed = append(removed, iv) + } + } + + c.IgnoredVulns = filtered + + return removed +} + func (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) { index := slices.IndexFunc(c.IgnoredVulns, func(e *IgnoreEntry) bool { return e.ID == vulnID }) if index == -1 { diff --git a/internal/config/config_internal_test.go b/internal/config/config_internal_test.go index 751d4aa3eb0..586f076bff2 100644 --- a/internal/config/config_internal_test.go +++ b/internal/config/config_internal_test.go @@ -12,6 +12,7 @@ import ( apkmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata" "github.com/google/osv-scalibr/extractor/filesystem/osv" "github.com/google/osv-scalibr/purl" + "github.com/ossf/osv-schema/bindings/go/osvschema" ) // Attempts to normalize any file paths in the given `output` so that they can 
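Review bot: `RemoveUnusedIgnores` filters in place via `c.IgnoredVulns[:0]`, which rewrites the backing array shared with any other slice header over the same entries. `Manager.Get` returns `Config` by value, so a copy handed out earlier would keep its old length while its elements are shifted underneath it; whether such a copy is still read afterwards is not visible here. Allocating the result with `filtered := make([]*IgnoreEntry, 0, len(c.IgnoredVulns))` removes the aliasing. The exported method also lacks a doc comment, for example `// RemoveUnusedIgnores drops every ignore entry not marked as used and returns the removed entries`.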
@@ -1147,3 +1148,130 @@ func TestConfig_ShouldOverridePackageLicense(t *testing.T) { }) } } + +func TestConfig_IgnoreVulns(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + args []*osvschema.Vulnerability + existing []*IgnoreEntry + want []*IgnoreEntry + }{ + { + name: "nothing_happens_when_everything_is_empty", + args: []*osvschema.Vulnerability{}, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{}, + }, + { + name: "empty_config_with_one_vuln", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{{ID: "GHSA-123"}}, + }, + { + name: "empty_config_with_two_vulns", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + }, + }, + { + name: "existing_properties_are_preserved", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + {Id: "GHSA-789"}, + }, + existing: []*IgnoreEntry{ + {ID: "GHSA-123", Reason: "No ssh servers are connected to or hosted in Go lang"}, + {ID: "GHSA-789", Used: true}, + }, + want: []*IgnoreEntry{ + {ID: "GHSA-123", Reason: "No ssh servers are connected to or hosted in Go lang"}, + {ID: "GHSA-456"}, + {ID: "GHSA-789", Used: true}, + }, + }, + { + name: "missing_vulns_are_removed", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + existing: []*IgnoreEntry{ + {ID: "GHSA-789"}, + }, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + }, + }, + { + name: "ids_are_deduplicated", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + }, + }, + { + name: "ids_are_deduplicated_including_already_existing", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-456"}, + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + {Id: "GHSA-789"}, + }, + existing: 
[]*IgnoreEntry{ + {ID: "GHSA-456"}, + {ID: "GHSA-456"}, + }, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + {ID: "GHSA-789"}, + }, + }, + { + name: "aliases_are_deduplicated", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + {Id: "GHSA-789", Aliases: []string{"GHSA-123", "CVE-123"}}, + }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + {ID: "GHSA-789"}, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + c := Config{IgnoredVulns: tt.existing} + + c.IgnoreVulns(tt.args) + + if diff := cmp.Diff(tt.want, c.IgnoredVulns); diff != "" { + t.Errorf("IgnoreVulns() (-want +got):\n%s", diff) + } + }) + } +} diff --git a/internal/config/manager.go b/internal/config/manager.go index 6b5e0acfc5d..c63a46ef0d7 100644 --- a/internal/config/manager.go +++ b/internal/config/manager.go @@ -17,7 +17,7 @@ type Manager struct { // Config to use if no config file is found alongside manifests DefaultConfig Config // Cache to store loaded configs - ConfigMap map[string]Config + ConfigMap map[string]*Config } // UseOverride updates the Manager to use the config at the given path in place @@ -48,11 +48,12 @@ func (m *Manager) Get(targetPath string) Config { config, alreadyExists := m.ConfigMap[configPath] if alreadyExists { - return config + return *config } - config, configErr := tryLoadConfig(configPath) + loadedConfig, configErr := tryLoadConfig(configPath) if configErr == nil { + config = &loadedConfig cmdlogger.Infof("Loaded filter from: %s", config.LoadPath) } else { // anything other than the config file not existing is most likely due to an invalid config file 
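Review bot: The `aliases_are_deduplicated` case in `TestConfig_IgnoreVulns` expects `GHSA-789` to be kept even though it lists `GHSA-123` as an alias, so it actually pins that aliases are not collapsed and only IDs are compared. The name says the opposite; `aliases_are_not_deduplicated` would match the expectation. If alias-aware deduplication is the intent, the `want` list should change instead. A short comment on the case stating which behaviour is intended would keep the resulting ignore list from being misread.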
@@ -60,11 +61,11 @@ func (m *Manager) Get(targetPath string) Config { cmdlogger.Errorf("Ignored invalid config file at %s because: %v", configPath, configErr) } // If config doesn't exist, use the default config - config = m.DefaultConfig + config = &m.DefaultConfig } m.ConfigMap[configPath] = config - return config + return *config } func (m *Manager) GetUnusedIgnoreEntries() map[string][]*IgnoreEntry { diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go new file mode 100644 index 00000000000..ffc47bbfe1f --- /dev/null +++ b/pkg/osvscanner/configs.go 
@@ -0,0 +1,155 @@ +package osvscanner + +import ( + "maps" + "slices" + + "github.com/google/osv-scanner/v2/internal/cmdlogger" + "github.com/google/osv-scanner/v2/internal/config" + "github.com/google/osv-scanner/v2/internal/output" + "github.com/google/osv-scanner/v2/pkg/models" + "github.com/ossf/osv-schema/bindings/go/osvschema" +) + +func addVulnConfigIgnoresAndSave( + vulnResults *models.VulnerabilityResults, + manager *config.Manager, +) (map[string][]*config.IgnoreEntry, error) { + configVulns := make(map[string][]*osvschema.Vulnerability) + configPaths := make(map[string]config.Config) + + entries := make(map[string][]*config.IgnoreEntry) + + for _, pkgSrc := range vulnResults.Results { + c := manager.Get(pkgSrc.Source.Path) + + // skip the default config + if c.LoadPath == "" { + continue + } + + configPaths[c.LoadPath] = c + + for _, pkgVulns := range pkgSrc.Packages { + configVulns[c.LoadPath] = append(configVulns[c.LoadPath], pkgVulns.Vulnerabilities...) + } + } + + // update each config to ignore all the vulnerabilities + // found across all packages that are using that config + for p, vulns := range configVulns { + c := configPaths[p] + + c.IgnoreVulns(vulns) + + err := c.Save() + if err != nil { + return entries, err + } + + entries[c.LoadPath] = c.IgnoredVulns + } + + return entries, nil +} + +func removeUnusedConfigIgnoresAndSave(conf *config.Config) ([]*config.IgnoreEntry, error) { + ignoredVulnsCount := len(conf.IgnoredVulns) + removed := conf.RemoveUnusedIgnores() + + // don't bother saving if nothing was removed + if ignoredVulnsCount == len(conf.IgnoredVulns) { + return nil, nil + } + + err := conf.Save() + if err != nil { + return nil, err + } + + return removed, nil +} + +func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) (map[string][]*config.IgnoreEntry, error) { + entries := make(map[string][]*config.IgnoreEntry) + + if manager.OverrideConfig != nil { + removed, err := 
removeUnusedConfigIgnoresAndSave(manager.OverrideConfig) + + if err != nil { + return entries, err + } + + if len(removed) > 0 { + entries[manager.OverrideConfig.LoadPath] = removed + } + } + + for _, c := range manager.ConfigMap { + // skip the default config + if c.LoadPath == "" { + continue + } + + removed, err := removeUnusedConfigIgnoresAndSave(c) + + if err != nil { + return entries, err + } + + if len(removed) > 0 { + entries[c.LoadPath] = removed + } + } + + return entries, nil +} + +func reportOnConfigIgnoreEntriesAction(unusedIgnoreEntries map[string][]*config.IgnoreEntry, action string) { + configFiles := slices.Collect(maps.Keys(unusedIgnoreEntries)) + slices.Sort(configFiles) + + for _, configFile := range configFiles { + // don't list the entries if we've ignored all of them, as there might be a lot + if action == "has been updated to ignore" { + cmdlogger.Warnf( + "%s has been updated to ignore %d %s", + configFile, + len(unusedIgnoreEntries[configFile]), + output.Form(len(unusedIgnoreEntries[configFile]), "vulnerability", "vulnerabilities"), + ) + + continue + } + + cmdlogger.Warnf("%s %s:", configFile, action) + + for _, iv := range unusedIgnoreEntries[configFile] { + cmdlogger.Warnf(" - %s", iv.ID) + } + } +} + +func handleUnusedIgnoreEntries(manager *config.Manager, remove bool) error { + if remove { + removedIgnoreEntries, err := removeAllUnusedConfigIgnoresAndSave(manager) + + // for once, we do this before checking the error as we might have successfully + // updated some configs before hitting an error saving, if running recursively + if len(removedIgnoreEntries) != 0 { + reportOnConfigIgnoreEntriesAction(removedIgnoreEntries, "had unused ignores that were removed") + } + + if err != nil { + return err + } + + return nil + } + + if unusedIgnoredEntries := manager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { + reportOnConfigIgnoreEntriesAction(unusedIgnoredEntries, "has unused ignores") + } + + return nil +} 
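Review bot: `reportOnConfigIgnoreEntriesAction` chooses its output format with `action == "has been updated to ignore"`, so behaviour depends on a message literal that is repeated at the call site in `finalizeScanResult`; rewording either string silently changes which branch runs. A shared constant such as `const actionIgnoredAll = "has been updated to ignore"`, or a separate boolean parameter, would make the coupling explicit. The parameter name `unusedIgnoreEntries` is also misleading in that mode, since the entries are the ones just added. None of the helpers in this file has a doc comment; one line each stating what is saved, and what is returned when a save fails part-way through, would help.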
diff --git a/pkg/osvscanner/filter_internal_test.go b/pkg/osvscanner/filter_internal_test.go index 3f86739129b..e4227699131 100644 --- a/pkg/osvscanner/filter_internal_test.go +++ b/pkg/osvscanner/filter_internal_test.go @@ -40,7 +40,7 @@ func Test_filterResults(t *testing.T) { // Sources in the test input should point to files/folders in the testdata folder for this to work correctly. configManager := config.Manager{ DefaultConfig: config.Config{}, - ConfigMap: make(map[string]config.Config), + ConfigMap: make(map[string]*config.Config), } got := testutility.LoadJSONFixture[models.VulnerabilityResults](t, filepath.Join(tt.path, "input.json")) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 430d40cfd84..d3c8a24fddb 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -83,6 +83,9 @@ type ExperimentalScannerActions struct { // Report deprecated packages as findings FlagDeprecatedPackages bool + // Update config file(s) to ignore all found vulnerabilities + UpdateConfigIgnores string + // Allows specifying user agent RequestUserAgent string } @@ -178,7 +181,7 @@ func DoScan(actions ScannerActions) (models.VulnerabilityResults, error) { scanResult := results.ScanResults{ ConfigManager: config.Manager{ DefaultConfig: config.Config{}, - ConfigMap: make(map[string]config.Config), + ConfigMap: make(map[string]*config.Config), }, } @@ -240,7 +243,7 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error scanResult := results.ScanResults{ ConfigManager: config.Manager{ DefaultConfig: config.Config{}, - ConfigMap: make(map[string]config.Config), + ConfigMap: make(map[string]*config.Config), }, } 
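Review bot: The comment on the new `UpdateConfigIgnores` field in `ExperimentalScannerActions` describes only one of its modes, while the field is a free-form string. In the osvscanner.go hunks shown, `finalizeScanResult` only compares it against `"all"` and `"unused"`, so a library caller passing any other value appears to get no update and no error. I would document that on the field, e.g. `// UpdateConfigIgnores selects how config files are rewritten after a scan: "all", "unused", or any other value for no update`. Rejecting unknown values inside the package would be better still.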
@@ -388,25 +391,34 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult) } - filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) - if filtered > 0 { - cmdlogger.Infof( - "Filtered %d %s from output", - filtered, - output.Form(filtered, "vulnerability", "vulnerabilities"), - ) - } + // we skip filtering vulns if we're going to ignore everything, + // as the output will serve as a list of what actually got ignored + if actions.UpdateConfigIgnores == "all" { + ignoreEntries, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) + + // for once, we do this before checking the error as we might have successfully + // updated some configs before hitting an error saving, if running recursively + if len(ignoreEntries) != 0 { + reportOnConfigIgnoreEntriesAction(ignoreEntries, "has been updated to ignore") + } - if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { - configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries)) - slices.Sort(configFiles) + if err != nil { + return models.VulnerabilityResults{}, err + } + } else { + filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) + if filtered > 0 { + cmdlogger.Infof( + "Filtered %d %s from output", + filtered, + output.Form(filtered, "vulnerability", "vulnerabilities"), + ) + } - for _, configFile := range configFiles { - cmdlogger.Warnf("%s has unused ignores:", configFile) + err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused") - for _, iv := range unusedIgnoredEntries[configFile] { - cmdlogger.Warnf(" - %s", iv.ID) - } + if err != nil { + return models.VulnerabilityResults{}, err } }