From 2839af16e8136c04ff12d633d38bb636feb94548 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 19 Feb 2026 08:14:07 +1300
Subject: [PATCH 01/43] feat: implement ability to ignore vulns in config

---
 internal/config/config.go | 38 +++++++++++++++++++++++++++++++++---
 pkg/osvscanner/osvscanner.go | 18 +++++++++++++++++
 2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index ce46e8b20ad..4608722802c 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,12 +2,15 @@ package config
 import (
+ "os"
 "slices"
 "time"
+ "github.com/BurntSushi/toml"
 "github.com/google/osv-scalibr/extractor"
 "github.com/google/osv-scanner/v2/internal/cmdlogger"
 "github.com/google/osv-scanner/v2/internal/imodels"
+ "github.com/ossf/osv-schema/bindings/go/osvschema"
 )
 var OSVScannerConfigName = "osv-scanner.toml"
@@ -15,7 +18,7 @@ var OSVScannerConfigName = "osv-scanner.toml"
 type Config struct {
 IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns"`
 PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides"`
- GoVersionOverride string `toml:"GoVersionOverride"`
+ GoVersionOverride string `toml:"GoVersionOverride,omitempty"`
 // The path to config file that this config was loaded from,
 // set by the scanner after having successfully parsed the file
 LoadPath string `toml:"-"`
@@ -23,8 +26,8 @@ type Config struct {
 type IgnoreEntry struct {
 ID string `toml:"id"`
- IgnoreUntil time.Time `toml:"ignoreUntil"`
- Reason string `toml:"reason"`
+ IgnoreUntil time.Time `toml:"ignoreUntil,omitempty"`
+ Reason string `toml:"reason,omitempty"`
 Used bool `toml:"-"`
 }
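Review bot: `omitempty` is added to `GoVersionOverride`, `ignoreUntil` and `reason`, but not to the `PackageOverrideEntry` fields, so a round-trip through `toml.Marshal` writes zero values into override tables the user never spelled out — the `existing_properties_are_preserved` snapshot in the next commit shows `effectiveUntil = 0001-01-01T00:00:00Z` and `reason = ""` appearing in a `[[PackageOverrides]]` table that had neither. Adding `,omitempty` to those tags (that struct sits outside this hunk) keeps a rewritten file close to what was originally written. The `IgnoreEntry` change looks right as is: the same snapshots show `ignoreUntil` being omitted for entries with a zero time.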
@@ -75,6 +78,35 @@ type License struct {
 Ignore bool `toml:"ignore"`
 }
+func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error {
+ existingIgnores := make(map[string]*IgnoreEntry, len(c.IgnoredVulns))
+ for _, ignoredVuln := range c.IgnoredVulns {
+ existingIgnores[ignoredVuln.ID] = ignoredVuln
+ }
+
+ c.IgnoredVulns = make([]*IgnoreEntry, 0, len(vulns))
+
+ for _, vuln := range vulns {
+ ignore, ok := existingIgnores[vuln.GetId()]
+
+ if !ok {
+ ignore = &IgnoreEntry{ID: vuln.GetId()}
+ }
+
+ c.IgnoredVulns = append(c.IgnoredVulns, ignore)
+ }
+
+ b, err := toml.Marshal(c)
+
+ if err != nil {
+ return err
+ }
+
+ os.WriteFile(c.LoadPath, b, 0600)
+
+ return nil
+}
+
 func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry {
 unused := make([]*IgnoreEntry, 0, len(c.IgnoredVulns))
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 430d40cfd84..2de2e63ac10 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -34,6 +34,7 @@ import (
 "github.com/google/osv-scanner/v2/pkg/models"
 "github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers"
 "github.com/ossf/osv-schema/bindings/go/osvconstants"
+ "github.com/ossf/osv-schema/bindings/go/osvschema"
 "osv.dev/bindings/go/osvdev"
 )
@@ -397,6 +398,8 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 )
 }
+ updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager)
+
 if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 {
 configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries))
 slices.Sort(configFiles)
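Review bot: The result of `os.WriteFile(c.LoadPath, b, 0600)` is dropped, so a failed rewrite — a read-only file, or an empty `LoadPath` on a config that was never loaded from disk (the field comment says the scanner only sets it after a successful parse) — is reported as success; the last two lines should be `return os.WriteFile(c.LoadPath, b, 0600)`. The rebuild loop also appends once per input vulnerability without tracking IDs it has already emitted, so a repeated ID, or two inputs mapping to the same existing entry, yields duplicate `[[IgnoredVulns]]` tables — which is what the `ids_are_deduplicated` snapshot in the next commit records, and what the loader later reports as "multiple ignores ... only the first will be used". The exported method has no doc comment; it should state that the ignore list is replaced wholesale (entries for vulnerabilities not in `vulns` are dropped and comments are not preserved) and that the file at `LoadPath` is rewritten. A seen-set in the loop plus error propagation covers both defects:

```go
func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error {
	// … unchanged: build existingIgnores from c.IgnoredVulns …

	c.IgnoredVulns = make([]*IgnoreEntry, 0, len(vulns))
	seen := make(map[string]struct{}, len(vulns))

	for _, vuln := range vulns {
		id := vuln.GetId()
		// One entry per ID: a repeated input must not produce a duplicate table.
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}

		ignore, ok := existingIgnores[id]
		if !ok {
			ignore = &IgnoreEntry{ID: id}
		}

		c.IgnoredVulns = append(c.IgnoredVulns, ignore)
	}

	b, err := toml.Marshal(c)
	if err != nil {
		return err
	}

	return os.WriteFile(c.LoadPath, b, 0600)
}
```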
@@ -413,6 +416,21 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
 }
+func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) {
+ for _, pkgSrc := range vulnResults.Results {
+ configToUse := configManager.Get(pkgSrc.Source.Path)
+
+ var vulns []*osvschema.Vulnerability //nolint:prealloc
+
+ for _, pkgVulns := range pkgSrc.Packages {
+ vulns = append(vulns, pkgVulns.Vulnerabilities...)
+ }
+
+ // todo: is it possible to have results using the same file?
+ configToUse.UpdateFile(vulns)
+ }
+}
+
 func buildLicenseSummary(scanResult *results.ScanResults) []models.LicenseCount {
 var licenseSummary []models.LicenseCount

From 5a3589777939d8050f6ec16d0365cd252732ed73 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 19 Feb 2026 08:44:49 +1300
Subject: [PATCH 02/43] test: write some tests

---
 .../__snapshots__/config_internal_test.snap | 103 +++++++++++++
 internal/config/config_internal_test.go | 145 ++++++++++++++++++
 internal/config/testmain_test.go | 13 ++
 3 files changed, 261 insertions(+)
 create mode 100755 internal/config/__snapshots__/config_internal_test.snap
 create mode 100644 internal/config/testmain_test.go

diff --git a/internal/config/__snapshots__/config_internal_test.snap b/internal/config/__snapshots__/config_internal_test.snap
new file mode 100755
index 00000000000..90791b12ad8
--- /dev/null
+++ b/internal/config/__snapshots__/config_internal_test.snap
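Review bot: `configToUse.UpdateFile(vulns)` discards its error, so a config file that could not be rewritten is invisible to the user while the scan still completes normally; it should at least be logged through the `cmdlogger` this file already uses. The `todo` above it is a real hazard rather than an open question: `UpdateFile` rebuilds the ignore list from scratch, so when two package sources resolve to the same config file — the later command test scans `composer.lock` and `package-lock.json` out of one directory — the second call overwrites whatever the first wrote, whether `Get` hands back a shared pointer or a fresh copy. Grouping vulnerabilities per config file and writing each file once removes that dependency; the sketch below assumes `Get` returns `*config.Config` (adjust the map value if it returns a value) and skips configs without a `LoadPath`, since there is no file to rewrite for a config that was never parsed from disk.

```go
func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) {
	// Group by config file first: several package sources can resolve to the same
	// config, and UpdateFile replaces the whole ignore list, so each file must be
	// written once with the union of their vulnerabilities.
	perPath := make(map[string][]*osvschema.Vulnerability)
	configs := make(map[string]*config.Config) // assumes Get returns *config.Config

	for _, pkgSrc := range vulnResults.Results {
		configToUse := configManager.Get(pkgSrc.Source.Path)
		path := configToUse.LoadPath
		if path == "" {
			continue // not loaded from a file, nothing to rewrite
		}

		configs[path] = configToUse
		for _, pkgVulns := range pkgSrc.Packages {
			perPath[path] = append(perPath[path], pkgVulns.Vulnerabilities...)
		}
	}

	for path, cfg := range configs {
		if err := cfg.UpdateFile(perPath[path]); err != nil {
			// use the error-level cmdlogger call if the package provides one
			cmdlogger.Infof("could not update ignores in %s: %v", path, err)
		}
	}
}
```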
@@ -0,0 +1,103 @@ + +[TestConfig_UpdateFile/aliases_are_deduplicated - 1] +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-456" + +[[IgnoredVulns]] + id = "GHSA-789" + +--- + +[TestConfig_UpdateFile/comments_are_not_preserved - 1] +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-456" + +--- + +[TestConfig_UpdateFile/empty_file_with_one_vuln - 1] +[[IgnoredVulns]] + id = "GHSA-123" + +--- + +[TestConfig_UpdateFile/empty_file_with_two_vulns - 1] +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-456" + +--- + +[TestConfig_UpdateFile/existing_properties_are_preserved - 1] +GoVersionOverride = "1.20.0" + +[[IgnoredVulns]] + id = "GHSA-123" + reason = "No ssh servers are connected to or hosted in Go lang" + +[[IgnoredVulns]] + id = "GHSA-456" + +[[PackageOverrides]] + name = "lib" + version = "1.0.0" + ecosystem = "Go" + group = "dev" + ignore = false + effectiveUntil = 0001-01-01T00:00:00Z + reason = "" + [PackageOverrides.vulnerability] + ignore = true + [PackageOverrides.license] + override = ["MIT", "0BSD"] + ignore = false + +--- + +[TestConfig_UpdateFile/ids_are_deduplicated - 1] +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-456" + +--- + +[TestConfig_UpdateFile/ids_are_deduplicated_including_already_existing - 1] +[[IgnoredVulns]] + id = "GHSA-456" + +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-456" + +[[IgnoredVulns]] + id = "GHSA-789" + +--- + +[TestConfig_UpdateFile/missing_vulns_are_removed - 1] +[[IgnoredVulns]] + id = "GHSA-123" + +[[IgnoredVulns]] + id = "GHSA-456" + +--- + +[TestConfig_UpdateFile/nothing_happens_when_everything_is_empty - 1] +IgnoredVulns = [] + +--- diff --git a/internal/config/config_internal_test.go b/internal/config/config_internal_test.go index 751d4aa3eb0..67088ada346 100644 --- a/internal/config/config_internal_test.go +++ b/internal/config/config_internal_test.go 
@@ -2,6 +2,8 @@ package config import ( "fmt" + "os" + "path/filepath" "reflect" "strings" "testing" @@ -12,6 +14,8 @@ import ( apkmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata" "github.com/google/osv-scalibr/extractor/filesystem/osv" "github.com/google/osv-scalibr/purl" + "github.com/google/osv-scanner/v2/internal/testutility" + "github.com/ossf/osv-schema/bindings/go/osvschema" ) // Attempts to normalize any file paths in the given `output` so that they can 
@@ -1147,3 +1151,144 @@ func TestConfig_ShouldOverridePackageLicense(t *testing.T) { }) } } + +func TestConfig_UpdateFile(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + args []*osvschema.Vulnerability + input string + wantErr bool + }{ + { + name: "nothing_happens_when_everything_is_empty", + args: []*osvschema.Vulnerability{}, + input: "", + }, + { + name: "empty_file_with_one_vuln", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + }, + }, + { + name: "empty_file_with_two_vulns", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + }, + { + name: "existing_properties_are_preserved", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + input: ` +GoVersionOverride = "1.20.0" + +[[PackageOverrides]] +name = "lib" +version = "1.0.0" +ecosystem = "Go" +group = "dev" + +vulnerability.ignore = true +license.override = ["MIT", "0BSD"] + +[[IgnoredVulns]] +id = "GHSA-123" +reason = "No ssh servers are connected to or hosted in Go lang" +`, + }, + { + name: "comments_are_not_preserved", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + input: ` +# TODO: we should patch this +[[IgnoredVulns]] +id = "GHSA-123" +`, + }, + { + name: "missing_vulns_are_removed", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + input: ` +[[IgnoredVulns]] +id = "GHSA-789" +`, + }, + { + name: "ids_are_deduplicated", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + }, + }, + { + name: "ids_are_deduplicated_including_already_existing", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-456"}, + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + {Id: "GHSA-789"}, + }, + input: ` +[[IgnoredVulns]] +id = "GHSA-456" + +[[IgnoredVulns]] +id = "GHSA-456" +`, + }, + { + name: "aliases_are_deduplicated", + args: []*osvschema.Vulnerability{ + {Id: "GHSA-123"}, + {Id: "GHSA-456"}, + {Id: "GHSA-789", Aliases: 
[]string{"GHSA-123"}}, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + dir := testutility.CreateTestDir(t) + + err := os.WriteFile(filepath.Join(dir, OSVScannerConfigName), []byte(tt.input), 0600) + + if err != nil { + t.Fatal(err) + } + + c, err := tryLoadConfig(filepath.Join(dir, OSVScannerConfigName)) + + if err != nil { + t.Fatalf("failed to load config: %v", err) + } + + err = c.UpdateFile(tt.args) + + if (err != nil) != tt.wantErr { + t.Errorf("UpdateFile() error = %v, wantErr %v", err, tt.wantErr) + } + + b, err := os.ReadFile(c.LoadPath) + + if err != nil { + t.Fatalf("failed to read file: %v", err) + } + + testutility.NewSnapshot().MatchText(t, string(b)) + }) + } +} diff --git a/internal/config/testmain_test.go b/internal/config/testmain_test.go new file mode 100644 index 00000000000..ae924fa602c --- /dev/null +++ b/internal/config/testmain_test.go @@ -0,0 +1,13 @@ +package config_test + +import ( + "testing" + + "github.com/google/osv-scanner/v2/internal/testutility" +) + +func TestMain(m *testing.M) { + m.Run() + + testutility.CleanSnapshots(m) +} From 74fc9f0a048b35aee6721f0938291f5ac7e94e4a Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 19 Feb 2026 13:01:08 +1300 Subject: [PATCH 03/43] feat: implement experimental flag --- cmd/osv-scanner/internal/helper/flags.go | 4 ++++ cmd/osv-scanner/internal/helper/getters.go | 11 ++++++----- pkg/osvscanner/osvscanner.go | 7 ++++++- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/cmd/osv-scanner/internal/helper/flags.go b/cmd/osv-scanner/internal/helper/flags.go index c7601c2906f..196873ddfb7 100644 --- a/cmd/osv-scanner/internal/helper/flags.go +++ b/cmd/osv-scanner/internal/helper/flags.go 
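Review bot: The `ids_are_deduplicated` and `ids_are_deduplicated_including_already_existing` cases name a behaviour the recorded snapshots contradict — both snapshots contain the same `id` twice — so the test pins the duplicate output instead of catching it; either the snapshot should be re-recorded once `UpdateFile` deduplicates, or the case names should describe what is actually asserted. `aliases_are_deduplicated` likewise records three separate entries for a vulnerability whose alias is already listed, so at present it documents that aliases are not collapsed. `wantErr` is never set to true in any case, and when it were the body would still go on to read and snapshot the file after `t.Errorf`, so the error branch is effectively dead; either drop the field or add `return` after the error report.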
@@ -207,5 +207,9 @@ func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {
 Name: "experimental-no-default-plugins",
 Usage: "disable default plugins, instead using only those enabled by --experimental-plugins",
 },
+ &cli.BoolFlag{
+ Name: "experimental-update-config-ignore-vulns",
+ Usage: "update config file(s) to ignore all found vulnerabilities",
+ },
 }
 }
diff --git a/cmd/osv-scanner/internal/helper/getters.go b/cmd/osv-scanner/internal/helper/getters.go
index c1fc053e94f..45e3f65f9f3 100644
--- a/cmd/osv-scanner/internal/helper/getters.go
+++ b/cmd/osv-scanner/internal/helper/getters.go
@@ -51,10 +51,11 @@ func GetCommonScannerActions(cmd *cli.Command, scanLicensesAllowlist []string) o
 func GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvscanner.ExperimentalScannerActions {
 return osvscanner.ExperimentalScannerActions{
- PluginsEnabled: cmd.StringSlice("experimental-plugins"),
- PluginsDisabled: cmd.StringSlice("experimental-disable-plugins"),
- PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"),
- HTTPClient: client,
- FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"),
+ PluginsEnabled: cmd.StringSlice("experimental-plugins"),
+ PluginsDisabled: cmd.StringSlice("experimental-disable-plugins"),
+ PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"),
+ HTTPClient: client,
+ FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"),
+ UpdateConfigIgnoreVulns: cmd.Bool("experimental-update-config-ignore-vulns"),
 }
 }
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 2de2e63ac10..768c98cc306 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
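Review bot: The `Usage` string for `experimental-update-config-ignore-vulns` understates what the flag does: per the config tests it rewrites every matched config file in place, removing comments and any `[[IgnoredVulns]]` entry for a vulnerability this scan did not find. A user reading `update config file(s) to ignore all found vulnerabilities` would not expect existing ignores to disappear, so something like `Usage: "rewrite config file(s) so every vulnerability found by this scan is ignored; existing ignore entries not matched by the scan, and comments, are removed"` is closer to the behaviour. The getters.go hunk only wires the flag through and needs nothing further.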
@@ -84,6 +84,9 @@ type ExperimentalScannerActions struct {
 // Report deprecated packages as findings
 FlagDeprecatedPackages bool
+ // Update config file(s) to ignore all found vulnerabilities
+ UpdateConfigIgnoreVulns bool
+
 // Allows specifying user agent
 RequestUserAgent string
 }
@@ -398,7 +401,9 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 )
 }
- updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager)
+ if actions.UpdateConfigIgnoreVulns {
+ updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager)
+ }
 if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 {
 configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries))

From c3d796fe7a1f3e081b8fb68567e5f5b7ff56ee29 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 19 Feb 2026 13:56:52 +1300 Subject: [PATCH 04/43] test: add some cmd cases --- .../source/__snapshots__/command_test.snap | 206 ++++++++++++++++++ cmd/osv-scanner/scan/source/command_test.go | 95 ++++++++ .../locks-with-many-configs/composer.lock | 1 + .../nested-1/osv-scanner-test.toml | 3 + .../nested-1/osv-scanner.toml | 2 + .../nested-1/package-lock.json | 17 ++ .../nested-2/osv-scanner-test.toml | 5 + .../nested-2/osv-scanner.toml | 2 + .../nested-2/package-lock.json | 17 ++ .../osv-scanner-test.toml | 0 .../locks-with-many-configs/osv-scanner.toml | 2 + .../locks-with-many-configs/package-lock.json | 9 + 12 files changed, 359 insertions(+) create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner-test.toml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 5d72adfe495..17d79c472f0 100755 
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -5873,6 +5873,212 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me --- +[TestCommand_UpdateConfigIgnores/config_gets_updated - 1] +Scanning dir +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml + +Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +1 vulnerability can be fixed. + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 2] + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 3] +[[IgnoredVulns]] + id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 4] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 5] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 6] +Scanning dir +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+Loaded filter from: /osv-scanner-test.toml +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 1 vulnerability from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 7] + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 1] +Scanning dir +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-1/osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /osv-scanner-test.toml +CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 3 vulnerabilities from output +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 + +Total 5 packages affected by 6 known vulnerabilities (0 Critical, 2 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +6 vulnerabilities can be fixed. 
+ +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 2] + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 3] +[[IgnoredVulns]] + id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 4] +[[IgnoredVulns]] + id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] + id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] + id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 5] +[[IgnoredVulns]] + id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] + id = "GHSA-whgm-jr23-g3j9" + +--- + 
+[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 6] +Scanning dir +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +warning: /nested-1/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-1/osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /osv-scanner-test.toml +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output +/nested-1/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 + +Total 3 packages affected by 3 known vulnerabilities (0 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +3 vulnerabilities can be fixed. 
+ +npm + +lockfile:/nested-1/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 7] + +--- + [TestCommand_WithDetector_OffLinux/ssh_version_errors - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 3febffb55d7..6e08018a76b 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1,6 +1,7 @@ package source_test import ( + "fmt" "net/http" "os" "path/filepath" 
@@ -1743,3 +1744,97 @@ func TestCommand_FlagDeprecatedPackages(t *testing.T) { }) } } + +func copyFile(from, to string) (string, error) { + b, err := os.ReadFile(from) + if err != nil { + return "", fmt.Errorf("could not read test file: %w", err) + } + + if err := os.WriteFile(to, b, 0600); err != nil { + return "", fmt.Errorf("could not copy test file: %w", err) + } + + return to, nil +} + +func TestCommand_UpdateConfigIgnores(t *testing.T) { + t.Parallel() + + tests := []testcmd.Case{ + { + Name: "config_gets_updated", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignore-vulns", + }, + Exit: 1, + }, + { + Name: "config_gets_updated_recursively", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignore-vulns", "-r", + }, + Exit: 1, + }, + } + for _, tt := range tests { + t.Run(tt.Name, func(t *testing.T) { + t.Parallel() + + // action overwrites files, copy them to a temporary directory. + testDir := testutility.CreateTestDir(t) + var err error + + for _, file := range []string{ + "composer.lock", + "osv-scanner-test.toml", + "package-lock.json", + "nested-1/package-lock.json", + "nested-1/osv-scanner-test.toml", + "nested-2/package-lock.json", + "nested-2/osv-scanner-test.toml", + } { + err = os.MkdirAll(testDir+"/"+filepath.Dir(file), 0750) + if err != nil { + t.Fatal(err) + } + + _, err = copyFile("testdata/locks-with-many-configs/"+file, testDir+"/"+file) + + if err != nil { + t.Fatal(err) + } + } + + tt.Args = append(tt.Args, testDir) + + testcmd.RunAndMatchSnapshots(t, tt) + + for _, file := range []string{ + "osv-scanner-test.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + } { + b, err := os.ReadFile(testDir + "/" + file) + + if err != nil { + t.Fatal(err) + } + + testutility.NewSnapshot().MatchText(t, string(b)) + } + + // re-running the cli now should have no vulnerabilities, + // as everything should be marked as ignored + for i, arg := range 
tt.Args { + if arg == "--experimental-update-config-ignore-vulns" { + tt.Args[i] = "--experimental-update-config-ignore-vulns=false" + } + } + + tt.Exit = 0 + + testcmd.RunAndMatchSnapshots(t, tt) + }) + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock new file mode 100644 index 00000000000..0967ef424bc --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/composer.lock @@ -0,0 +1 @@ +{} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml new file mode 100644 index 00000000000..6b6d8b344ee --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner-test.toml @@ -0,0 +1,3 @@ +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json new file mode 100644 index 00000000000..45a1996e344 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-1/package-lock.json @@ -0,0 +1,17 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1", + "dependencies": { + "ajv": { + "version": "6.0.0" + } + } + }, + "ajv": { + "version": "8.0.0" + } + } +} 
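Review bot: `copyFile` returns the destination path but its only caller discards it (`_, err = copyFile(...)`), so the string result is dead weight — `func copyFile(from, to string) error` is enough. The same loop builds paths with string concatenation (`testDir+"/"+file`) right next to a `filepath.Dir` call; `filepath.Join(testDir, file)` and `filepath.Join("testdata", "locks-with-many-configs", file)` keep the test portable and consistent with the rest of the file. The second run works by mutating `tt.Args` in place to flip the flag to `=false`; that is fine because each case owns its slice literal, but a short comment saying so would save the next reader from checking.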
diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml new file mode 100644 index 00000000000..177dc465564 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner-test.toml @@ -0,0 +1,5 @@ +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json new file mode 100644 index 00000000000..45a1996e344 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-2/package-lock.json @@ -0,0 +1,17 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1", + "dependencies": { + "ajv": { + "version": "6.0.0" + } + } + }, + "ajv": { + "version": "8.0.0" + } + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner-test.toml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null 
+++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json new file mode 100644 index 00000000000..e3a2d44973c --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/package-lock.json @@ -0,0 +1,9 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1" + } + } +} From fdfe272d7d68f509284cf33d84f8d46abddf2d9b Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 19 Feb 2026 14:37:25 +1300 Subject: [PATCH 05/43] fix: update ignores before doing filtering --- .../source/__snapshots__/command_test.snap | 43 ++++++++----------- pkg/osvscanner/osvscanner.go | 8 ++-- 2 files changed, 21 insertions(+), 30 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 17d79c472f0..0f0c9d72872 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -6016,12 +6016,21 @@ lockfile:/package-lock.json: found 1 package with issues [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" +[[IgnoredVulns]] + id = "GHSA-whgm-jr23-g3j9" + --- [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 5] +[[IgnoredVulns]] + id = "GHSA-2g4f-4pwh-qvx6" + [[IgnoredVulns]] id = "GHSA-v88g-cgmw-v5xw" +[[IgnoredVulns]] + id = "GHSA-2g4f-4pwh-qvx6" + [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" 
@@ -6036,42 +6045,24 @@ Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. warning: /nested-1/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-1/osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml Loaded filter from: /osv-scanner-test.toml GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 6 vulnerabilities from output +Filtered 9 vulnerabilities from output /nested-1/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 - -Total 3 packages affected by 3 known vulnerabilities (0 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -3 vulnerabilities can be fixed. 
- -npm - -lockfile:/nested-1/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 2 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - - 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json - +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 +No issues found --- diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 768c98cc306..4193d5f4691 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -392,6 +392,10 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult) } + if actions.UpdateConfigIgnoreVulns { + updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager) + } + filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) if filtered > 0 { cmdlogger.Infof( @@ -401,10 +405,6 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) ) } - if actions.UpdateConfigIgnoreVulns { - updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager) - } - if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries)) slices.Sort(configFiles) From febfce0a6a98226c4888d5d973552cb62ff4237e Mon Sep 17 00:00:00 2001 
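Review bot: With `updateConfigs` now running before `filterResults`, the run that writes the new ignores also filters them out of its own report — the recursive snapshot in this same commit ends with `Filtered 9 vulnerabilities from output` and `No issues found` on the very run that added them — so the user never sees which vulnerabilities were just suppressed, and each new entry is written with no `reason` and no `ignoreUntil`. Since the flag's whole effect is to silence findings, I'd make that visible in the log, e.g. one `cmdlogger.Infof("Added ignore for %s to %s", id, cfg.LoadPath)` per newly added ID (presumably inside `updateConfigs`, which is outside this hunk), or keep the found vulnerabilities in the output of the run that records them. `finalizeScanResult` starts and ends outside this hunk.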
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 19 Feb 2026 14:38:01 +1300 Subject: [PATCH 06/43] fix: deduplicate ignores --- .../scan/source/__snapshots__/command_test.snap | 12 ------------ .../config/__snapshots__/config_internal_test.snap | 6 ------ internal/config/config.go | 9 +++++++++ 3 files changed, 9 insertions(+), 18 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 0f0c9d72872..dda1dfc19ad 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -6013,9 +6013,6 @@ lockfile:/package-lock.json: found 1 package with issues [[IgnoredVulns]] id = "GHSA-v88g-cgmw-v5xw" -[[IgnoredVulns]] - id = "GHSA-2g4f-4pwh-qvx6" - [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" @@ -6028,9 +6025,6 @@ lockfile:/package-lock.json: found 1 package with issues [[IgnoredVulns]] id = "GHSA-v88g-cgmw-v5xw" -[[IgnoredVulns]] - id = "GHSA-2g4f-4pwh-qvx6" - [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" @@ -6043,9 +6037,7 @@ Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -warning: /nested-1/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-1/osv-scanner-test.toml -warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml Loaded filter from: /osv-scanner-test.toml GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) 
@@ -6058,10 +6050,6 @@ GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) Filtered 9 vulnerabilities from output -/nested-1/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 No issues found --- diff --git a/internal/config/__snapshots__/config_internal_test.snap b/internal/config/__snapshots__/config_internal_test.snap index 90791b12ad8..3d88031da7d 100755 --- a/internal/config/__snapshots__/config_internal_test.snap +++ b/internal/config/__snapshots__/config_internal_test.snap @@ -65,9 +65,6 @@ GoVersionOverride = "1.20.0" [[IgnoredVulns]] id = "GHSA-123" -[[IgnoredVulns]] - id = "GHSA-123" - [[IgnoredVulns]] id = "GHSA-456" @@ -80,9 +77,6 @@ GoVersionOverride = "1.20.0" [[IgnoredVulns]] id = "GHSA-123" -[[IgnoredVulns]] - id = "GHSA-456" - [[IgnoredVulns]] id = "GHSA-789" diff --git a/internal/config/config.go b/internal/config/config.go index 4608722802c..057f29a7acc 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -84,9 +84,17 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error { existingIgnores[ignoredVuln.ID] = ignoredVuln } + // use a fresh slice to ensure vulns that are no longer present are removed c.IgnoredVulns = make([]*IgnoreEntry, 0, len(vulns)) + seen := make(map[string]struct{}, len(vulns)) + for _, vuln := range vulns { + if _, ok := seen[vuln.GetId()]; ok { + continue + } + + // if the vuln was already ignored, we want to persist its other fields ignore, ok := existingIgnores[vuln.GetId()] if !ok { @@ -94,6 +102,7 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error { } c.IgnoredVulns = append(c.IgnoredVulns, ignore) + seen[vuln.GetId()] = struct{}{} } b, err := toml.Marshal(c) 
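Review bot: The entry picked up at `ignore, ok := existingIgnores[vuln.GetId()]` is carried over verbatim, so an existing ignore whose `IgnoreUntil` has already passed is written back with the stale date; if the filter honours `IgnoreUntil` (not visible in this hunk) that vulnerability keeps being reported after an "ignore all found" run, which defeats the flag's purpose. The fresh slice also silently drops any hand-written entry for a vulnerability absent from this scan, along with its `reason`, so I'd at least log those removals. For the stale-date case I'd reset it when reusing the entry: `if !ignore.IgnoreUntil.IsZero() && ignore.IgnoreUntil.Before(time.Now()) { ignore.IgnoreUntil = time.Time{} }`. `UpdateFile` starts and ends outside this hunk.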
From 1ddcd9ed2f95c898607ab014980fe7befa621071 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 19 Feb 2026 14:41:38 +1300
Subject: [PATCH 07/43] fix: return errors
---
 internal/config/config.go | 4 +---
 pkg/osvscanner/osvscanner.go | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/internal/config/config.go b/internal/config/config.go
index 057f29a7acc..aa69f21f960 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -111,9 +111,7 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error {
 return err
 }
- os.WriteFile(c.LoadPath, b, 0600)
-
- return nil
+ return os.WriteFile(c.LoadPath, b, 0600)
 }
 func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry {
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 4193d5f4691..340a673eedf 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -393,7 +393,11 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 }
 if actions.UpdateConfigIgnoreVulns {
- updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager)
+ err := updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager)
+
+ if err != nil {
+ return models.VulnerabilityResults{}, err
+ }
 }
 filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
@@ -421,7 +425,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
 }
-func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) {
+func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) error {
 for _, pkgSrc := range vulnResults.Results {
 configToUse := configManager.Get(pkgSrc.Source.Path)
@@ -432,8 +436,14 @@ func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *conf
 }
 // todo: is it possible to have results using the same file?
- configToUse.UpdateFile(vulns)
+ err := configToUse.UpdateFile(vulns)
+
+ if err != nil {
+ return err
+ }
 }
+
+ return nil
 }
 func buildLicenseSummary(scanResult *results.ScanResults) []models.LicenseCount {
From cce94d9846fe4b991b15c8b93e840729a288dc28 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 19 Feb 2026 14:48:39 +1300
Subject: [PATCH 08/43] fix: remove indenting
---
 .../source/__snapshots__/command_test.snap | 16 ++---
 .../__snapshots__/config_internal_test.snap | 60 +++++++++----------
 internal/config/config.go | 7 ++-
 3 files changed, 43 insertions(+), 40 deletions(-)
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index dda1dfc19ad..6ec44cc49b6 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -5902,7 +5902,7 @@ lockfile:/package-lock.json: found 1 package with issues
 [TestCommand_UpdateConfigIgnores/config_gets_updated - 3]
 [[IgnoredVulns]]
- id = "GHSA-whgm-jr23-g3j9"
+id = "GHSA-whgm-jr23-g3j9"
 ---
@@ -6002,31 +6002,31 @@ lockfile:/package-lock.json: found 1 package with issues [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 3] [[IgnoredVulns]] - id = "GHSA-whgm-jr23-g3j9" +id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 4] [[IgnoredVulns]] - id = "GHSA-2g4f-4pwh-qvx6" +id = "GHSA-2g4f-4pwh-qvx6" [[IgnoredVulns]] - id = "GHSA-v88g-cgmw-v5xw" +id = "GHSA-v88g-cgmw-v5xw" [[IgnoredVulns]] - id = "GHSA-whgm-jr23-g3j9" +id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 5] [[IgnoredVulns]] - id = "GHSA-2g4f-4pwh-qvx6" +id = "GHSA-2g4f-4pwh-qvx6" [[IgnoredVulns]] - id = "GHSA-v88g-cgmw-v5xw" +id = "GHSA-v88g-cgmw-v5xw" [[IgnoredVulns]] - id = "GHSA-whgm-jr23-g3j9" +id = "GHSA-whgm-jr23-g3j9" --- diff --git a/internal/config/__snapshots__/config_internal_test.snap b/internal/config/__snapshots__/config_internal_test.snap index 3d88031da7d..40926bdadc4 100755 --- a/internal/config/__snapshots__/config_internal_test.snap +++ b/internal/config/__snapshots__/config_internal_test.snap @@ -1,37 +1,37 @@ [TestConfig_UpdateFile/aliases_are_deduplicated - 1] [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" [[IgnoredVulns]] - id = "GHSA-789" +id = "GHSA-789" --- [TestConfig_UpdateFile/comments_are_not_preserved - 1] [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" --- [TestConfig_UpdateFile/empty_file_with_one_vuln - 1] [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" --- [TestConfig_UpdateFile/empty_file_with_two_vulns - 1] [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" --- 
@@ -39,55 +39,55 @@ GoVersionOverride = "1.20.0" [[IgnoredVulns]] - id = "GHSA-123" - reason = "No ssh servers are connected to or hosted in Go lang" +id = "GHSA-123" +reason = "No ssh servers are connected to or hosted in Go lang" [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" [[PackageOverrides]] - name = "lib" - version = "1.0.0" - ecosystem = "Go" - group = "dev" - ignore = false - effectiveUntil = 0001-01-01T00:00:00Z - reason = "" - [PackageOverrides.vulnerability] - ignore = true - [PackageOverrides.license] - override = ["MIT", "0BSD"] - ignore = false +name = "lib" +version = "1.0.0" +ecosystem = "Go" +group = "dev" +ignore = false +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = true +[PackageOverrides.license] +override = ["MIT", "0BSD"] +ignore = false --- [TestConfig_UpdateFile/ids_are_deduplicated - 1] [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" --- [TestConfig_UpdateFile/ids_are_deduplicated_including_already_existing - 1] [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" [[IgnoredVulns]] - id = "GHSA-789" +id = "GHSA-789" --- [TestConfig_UpdateFile/missing_vulns_are_removed - 1] [[IgnoredVulns]] - id = "GHSA-123" +id = "GHSA-123" [[IgnoredVulns]] - id = "GHSA-456" +id = "GHSA-456" --- diff --git a/internal/config/config.go b/internal/config/config.go index aa69f21f960..53fc0375ad3 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -105,13 +105,16 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error { seen[vuln.GetId()] = struct{}{} } - b, err := toml.Marshal(c) + f, err := os.OpenFile(c.LoadPath, os.O_TRUNC|os.O_WRONLY, os.ModePerm) if err != nil { return err } - return os.WriteFile(c.LoadPath, b, 0600) + encoder := toml.NewEncoder(f) + encoder.Indent = "" + + return encoder.Encode(c) } func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry { 
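Review bot: The handle from `os.OpenFile(c.LoadPath, os.O_TRUNC|os.O_WRONLY, os.ModePerm)` is never closed — there is no `defer f.Close()` and the close error, where some filesystems surface write failures, is dropped — and because the file is truncated before `Encode` runs, a failed or interrupted encode leaves the user's config empty or half-written. The `os.ModePerm` argument is ignored without `O_CREATE`, so it only reads as if the config were being created world-writable; the `0600` `os.WriteFile` form from the previous commit was clearer. I'd encode into a buffer and write in one step (or write to a temp file and rename), which keeps `Indent = ""` and restores a checked write error; `bytes` would need adding to the import block. `UpdateFile` starts outside this hunk.

```go
var buf bytes.Buffer

encoder := toml.NewEncoder(&buf)
encoder.Indent = ""

if err := encoder.Encode(c); err != nil {
	return err
}

// write in one step so a failed encode never truncates the existing config
return os.WriteFile(c.LoadPath, buf.Bytes(), 0600)
```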
From a5f9dd81c1984131f47ff4df663e85a8ae098b61 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 19 Feb 2026 15:18:09 +1300 Subject: [PATCH 09/43] refactor: rename flag --- cmd/osv-scanner/internal/helper/flags.go | 2 +- cmd/osv-scanner/internal/helper/getters.go | 12 ++++++------ .../scan/source/__snapshots__/command_test.snap | 1 + cmd/osv-scanner/scan/source/command_test.go | 8 ++++---- pkg/osvscanner/osvscanner.go | 4 ++-- 5 files changed, 14 insertions(+), 13 deletions(-) diff --git a/cmd/osv-scanner/internal/helper/flags.go b/cmd/osv-scanner/internal/helper/flags.go index 196873ddfb7..285a5e9331e 100644 --- a/cmd/osv-scanner/internal/helper/flags.go +++ b/cmd/osv-scanner/internal/helper/flags.go @@ -208,7 +208,7 @@ func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag { Usage: "disable default plugins, instead using only those enabled by --experimental-plugins", }, &cli.BoolFlag{ - Name: "experimental-update-config-ignore-vulns", + Name: "experimental-update-config-ignores", Usage: "update config file(s) to ignore all found vulnerabilities", }, } diff --git a/cmd/osv-scanner/internal/helper/getters.go b/cmd/osv-scanner/internal/helper/getters.go index 45e3f65f9f3..041ae35137b 100644 --- a/cmd/osv-scanner/internal/helper/getters.go +++ b/cmd/osv-scanner/internal/helper/getters.go 
@@ -51,11 +51,11 @@ func GetCommonScannerActions(cmd *cli.Command, scanLicensesAllowlist []string) o func GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvscanner.ExperimentalScannerActions { return osvscanner.ExperimentalScannerActions{ - PluginsEnabled: cmd.StringSlice("experimental-plugins"), - PluginsDisabled: cmd.StringSlice("experimental-disable-plugins"), - PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"), - HTTPClient: client, - FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"), - UpdateConfigIgnoreVulns: cmd.Bool("experimental-update-config-ignore-vulns"), + PluginsEnabled: cmd.StringSlice("experimental-plugins"), + PluginsDisabled: cmd.StringSlice("experimental-disable-plugins"), + PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"), + HTTPClient: client, + FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"), + UpdateConfigIgnores: cmd.Bool("experimental-update-config-ignores"), } } diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 6ec44cc49b6..458f635441a 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -1206,6 +1206,7 @@ OPTIONS: --experimental-plugins string [ --experimental-plugins string ] list of specific plugins and presets of plugins to use (default: "lockfile", "sbom", "directory") --experimental-disable-plugins string [ --experimental-disable-plugins string ] list of specific plugins and presets of plugins to not use --experimental-no-default-plugins disable default plugins, instead using only those enabled by --experimental-plugins + --experimental-update-config-ignores update config file(s) to ignore all found vulnerabilities --help, -h show help --- 
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 6e08018a76b..6fe31378464 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1765,14 +1765,14 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { { Name: "config_gets_updated", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignore-vulns", + "", "source", "--format=vertical", "--experimental-update-config-ignores", }, Exit: 1, }, { Name: "config_gets_updated_recursively", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignore-vulns", "-r", + "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", }, Exit: 1, }, @@ -1827,8 +1827,8 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { // re-running the cli now should have no vulnerabilities, // as everything should be marked as ignored for i, arg := range tt.Args { - if arg == "--experimental-update-config-ignore-vulns" { - tt.Args[i] = "--experimental-update-config-ignore-vulns=false" + if arg == "--experimental-update-config-ignores" { + tt.Args[i] = "--experimental-update-config-ignores=false" } } diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 340a673eedf..c48e3020b5c 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -85,7 +85,7 @@ type ExperimentalScannerActions struct { FlagDeprecatedPackages bool // Update config file(s) to ignore all found vulnerabilities - UpdateConfigIgnoreVulns bool + UpdateConfigIgnores bool // Allows specifying user agent RequestUserAgent string 
@@ -392,7 +392,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult)
 }
- if actions.UpdateConfigIgnoreVulns {
+ if actions.UpdateConfigIgnores {
 err := updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager)
 if err != nil {
From 0e46061d28b5e2260e5be43d76c504fbc0e39803 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 19 Feb 2026 15:32:44 +1300
Subject: [PATCH 10/43] fix: ensure vulns are sorted by ID
---
 internal/config/__snapshots__/config_internal_test.snap | 4 ++--
 internal/config/config.go | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/internal/config/__snapshots__/config_internal_test.snap b/internal/config/__snapshots__/config_internal_test.snap
index 40926bdadc4..0a1863fdf4e 100755
--- a/internal/config/__snapshots__/config_internal_test.snap
+++ b/internal/config/__snapshots__/config_internal_test.snap
@@ -72,10 +72,10 @@ id = "GHSA-456"
 [TestConfig_UpdateFile/ids_are_deduplicated_including_already_existing - 1]
 [[IgnoredVulns]]
-id = "GHSA-456"
+id = "GHSA-123"
 [[IgnoredVulns]]
-id = "GHSA-123"
+id = "GHSA-456"
 [[IgnoredVulns]]
 id = "GHSA-789"
diff --git a/internal/config/config.go b/internal/config/config.go
index 53fc0375ad3..5a6b5d7611c 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -9,6 +9,7 @@ import (
 "github.com/BurntSushi/toml"
 "github.com/google/osv-scalibr/extractor"
 "github.com/google/osv-scanner/v2/internal/cmdlogger"
+ "github.com/google/osv-scanner/v2/internal/identifiers"
 "github.com/google/osv-scanner/v2/internal/imodels"
 "github.com/ossf/osv-schema/bindings/go/osvschema"
 )
@@ -105,6 +106,10 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error {
 seen[vuln.GetId()] = struct{}{}
 }
+ slices.SortFunc(c.IgnoredVulns, func(a, b *IgnoreEntry) int {
+ return identifiers.IDSortFunc(a.ID, b.ID)
+ })
+
 f, err := os.OpenFile(c.LoadPath, os.O_TRUNC|os.O_WRONLY, os.ModePerm)
 if err != nil {
From 28eb674a4bf77c55890caef87535b22bccea5a12 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 19 Feb 2026 15:50:58 +1300
Subject: [PATCH 11/43] refactor: make `copyFile` public (internally)
---
 cmd/osv-scanner/internal/testcmd/copy.go | 4 ++--
 cmd/osv-scanner/internal/testcmd/git.go | 2 +-
 cmd/osv-scanner/scan/source/command_test.go | 16 +---------------
 3 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/cmd/osv-scanner/internal/testcmd/copy.go b/cmd/osv-scanner/internal/testcmd/copy.go
index 68f850e8888..15cf08aeb5b 100644
--- a/cmd/osv-scanner/internal/testcmd/copy.go
+++ b/cmd/osv-scanner/internal/testcmd/copy.go
@@ -8,7 +8,7 @@ import (
 "testing"
 )
-func copyFile(from, to string) (string, error) {
+func CopyFile(from, to string) (string, error) {
 b, err := os.ReadFile(from)
 if err != nil {
 return "", fmt.Errorf("could not read test file: %w", err)
@@ -37,7 +37,7 @@ func CopyFileFlagTo(t *testing.T, tc Case, flagName string, dir string) string {
 return ""
 }
- newPath, err := copyFile(flagValue, filepath.Join(dir, filepath.Base(flagValue)))
+ newPath, err := CopyFile(flagValue, filepath.Join(dir, filepath.Base(flagValue)))
 if err != nil {
 t.Fatalf("%v", err)
diff --git a/cmd/osv-scanner/internal/testcmd/git.go b/cmd/osv-scanner/internal/testcmd/git.go
index e8035415736..8a7c41946be 100644
--- a/cmd/osv-scanner/internal/testcmd/git.go
+++ b/cmd/osv-scanner/internal/testcmd/git.go
@@ -43,7 +43,7 @@ func SetupGitFixtures() (func(), error) { } for _, f := range gitIgnoreFiles { - gitignoreFile, err := copyFile(f, filepath.Join(filepath.Dir(f), ".gitignore")) + gitignoreFile, err := CopyFile(f, filepath.Join(filepath.Dir(f), ".gitignore")) if err != nil { return cleaner, err diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 6fe31378464..080283e68fa 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1,7 +1,6 @@ package source_test import ( - "fmt" "net/http" "os" "path/filepath" @@ -1745,19 +1744,6 @@ func TestCommand_FlagDeprecatedPackages(t *testing.T) { } } -func copyFile(from, to string) (string, error) { - b, err := os.ReadFile(from) - if err != nil { - return "", fmt.Errorf("could not read test file: %w", err) - } - - if err := os.WriteFile(to, b, 0600); err != nil { - return "", fmt.Errorf("could not copy test file: %w", err) - } - - return to, nil -} - func TestCommand_UpdateConfigIgnores(t *testing.T) { t.Parallel() @@ -1799,7 +1785,7 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { t.Fatal(err) } - _, err = copyFile("testdata/locks-with-many-configs/"+file, testDir+"/"+file) + _, err = testcmd.CopyFile("testdata/locks-with-many-configs/"+file, testDir+"/"+file) if err != nil { t.Fatal(err) From 79ba12b5604c90d1b929f2b1e10226c00eda5c5f Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 19 Feb 2026 15:57:02 +1300 Subject: [PATCH 12/43] test: add a case with a custom global config --- .../source/__snapshots__/command_test.snap | 91 +++++++++++++++++-- cmd/osv-scanner/scan/source/command_test.go | 11 +++ .../custom-config.toml | 1 + 3 files changed, 97 insertions(+), 6 deletions(-) create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml 
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 458f635441a..9d6aa0b6128 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -5908,13 +5908,18 @@ id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores/config_gets_updated - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 5] +[TestCommand_UpdateConfigIgnores/config_gets_updated - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -5923,7 +5928,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 6] +[TestCommand_UpdateConfigIgnores/config_gets_updated - 7] Scanning dir Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package @@ -5935,7 +5940,7 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 7] +[TestCommand_UpdateConfigIgnores/config_gets_updated - 8] --- @@ -6008,6 +6013,11 @@ id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 5] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6019,7 +6029,7 @@ id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 5] +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" 
@@ -6031,7 +6041,7 @@ id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 6] +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 7] Scanning dir Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages 
@@ -6055,7 +6065,76 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 7] +[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 8] + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 1] +Scanning dir +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +1 vulnerability can be fixed. + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 2] + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 3] + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 4] +GoVersionOverride = "1.20.0" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 7] +Scanning dir +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run 
on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 1 vulnerability from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 8] --- diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 080283e68fa..55ef74f76e1 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1762,6 +1762,13 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { }, Exit: 1, }, + { + Name: "config_gets_updated_with_explicit_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + Exit: 1, + }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { @@ -1773,6 +1780,7 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { for _, file := range []string{ "composer.lock", + "custom-config.toml", "osv-scanner-test.toml", "package-lock.json", "nested-1/package-lock.json", @@ -1794,10 +1802,13 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { tt.Args = append(tt.Args, testDir) + testcmd.CopyFileFlagTo(t, tt, "--config", testDir) + testcmd.RunAndMatchSnapshots(t, tt) for _, file := range []string{ "osv-scanner-test.toml", + "custom-config.toml", "nested-1/osv-scanner-test.toml", "nested-2/osv-scanner-test.toml", } { diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml new file mode 100644 index 00000000000..209c43005e8 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml @@ -0,0 +1 @@ +GoVersionOverride = "1.20.0" From c42e875c34e8574b21717dd299e75062797a4050 Mon Sep 17 00:00:00 2001 
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 20 Feb 2026 07:54:52 +1300 Subject: [PATCH 13/43] fix: account for multiple files using the same config --- .../source/__snapshots__/command_test.snap | 70 ++++++++++++++++--- cmd/osv-scanner/scan/source/command_test.go | 1 + .../locks-with-many-configs/Gemfile.lock | 16 +++++ pkg/osvscanner/osvscanner.go | 20 ++++-- 4 files changed, 92 insertions(+), 15 deletions(-) create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 9d6aa0b6128..de0444910dc 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -5876,13 +5876,24 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me [TestCommand_UpdateConfigIgnores/config_gets_updated - 1] Scanning dir +Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml -Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -1 vulnerability can be fixed. +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock npm 
@@ -5905,6 +5916,9 @@ lockfile:/package-lock.json: found 1 package with issues [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + --- [TestCommand_UpdateConfigIgnores/config_gets_updated - 4] @@ -5930,12 +5944,14 @@ id = "GHSA-2g4f-4pwh-qvx6" [TestCommand_UpdateConfigIgnores/config_gets_updated - 7] Scanning dir +Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 1 vulnerability from output +Filtered 2 vulnerabilities from output No issues found --- 
@@ -5946,15 +5962,16 @@ No issues found [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 1] Scanning dir +Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-1/osv-scanner-test.toml warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml -Loaded filter from: /osv-scanner-test.toml CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) @@ -5962,8 +5979,18 @@ Filtered 3 vulnerabilities from output /nested-2/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 -Total 5 packages affected by 6 known vulnerabilities (0 Critical, 2 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -6 vulnerabilities can be fixed. +Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +7 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock npm 
@@ -6010,6 +6037,9 @@ lockfile:/package-lock.json: found 1 package with issues [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + --- [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 4] @@ -6043,14 +6073,16 @@ id = "GHSA-whgm-jr23-g3j9" [TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 7] Scanning dir +Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-1/osv-scanner-test.toml Loaded filter from: /nested-2/osv-scanner-test.toml -Loaded filter from: /osv-scanner-test.toml +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) @@ -6060,7 +6092,7 @@ GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 9 vulnerabilities from output +Filtered 10 vulnerabilities from output No issues found --- 
@@ -6071,12 +6103,23 @@ No issues found [TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 1] Scanning dir +Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -1 vulnerability can be fixed. +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock npm @@ -6105,6 +6148,9 @@ GoVersionOverride = "1.20.0" [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + --- [TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 5] 
@@ -6125,11 +6171,13 @@ id = "GHSA-2g4f-4pwh-qvx6" [TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 7] Scanning dir +Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 1 vulnerability from output +Filtered 2 vulnerabilities from output No issues found --- diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 55ef74f76e1..d2a94ba2c99 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1782,6 +1782,7 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { "composer.lock", "custom-config.toml", "osv-scanner-test.toml", + "Gemfile.lock", "package-lock.json", "nested-1/package-lock.json", "nested-1/osv-scanner-test.toml", diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock new file mode 100644 index 00000000000..c398b9387cd --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/Gemfile.lock @@ -0,0 +1,16 @@ +GEM + remote: https://rubygems.org/ + specs: + nokogiri (1.18.9) + +PLATFORMS + x86_64-linux + +DEPENDENCIES + nokogiri (1.18.9) + +RUBY VERSION + ruby 3.0.2p107 + +BUNDLED WITH + 2.2.28 diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index c48e3020b5c..8b986b481c8 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
@@ -426,18 +426,30 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) } func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) error { + m := make(map[string][]*osvschema.Vulnerability) + + // todo: explore how we might be able to clean this whole thing up... for _, pkgSrc := range vulnResults.Results { - configToUse := configManager.Get(pkgSrc.Source.Path) + configToUsePath := configManager.Get(pkgSrc.Source.Path).LoadPath - var vulns []*osvschema.Vulnerability //nolint:prealloc + vulns, _ := m[configToUsePath] for _, pkgVulns := range pkgSrc.Packages { vulns = append(vulns, pkgVulns.Vulnerabilities...) } - // todo: is it possible to have results using the same file? - err := configToUse.UpdateFile(vulns) + m[configToUsePath] = vulns + } + + for p, vulns := range m { + c, ok := configManager.ConfigMap[p] + + // todo: this is probably not safe... + if !ok { + c = *configManager.OverrideConfig + } + err := c.UpdateFile(vulns) if err != nil { return err } From be1a88c1ef2a4a548bb79b9bdf6636fe3007da19 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 20 Feb 2026 07:05:05 +1300 Subject: [PATCH 14/43] test: use `os.CopyFS` --- cmd/osv-scanner/scan/source/command_test.go | 25 +++------------------ 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index d2a94ba2c99..d1a7e669ea1 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go 
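Review bot: The new fallback `c = *configManager.OverrideConfig` in the second loop dereferences OverrideConfig without a nil check, so any config path that is absent from ConfigMap while no `--config` override was given panics — the adjacent `// todo: this is probably not safe...` already admits this. If `LoadPath` can be empty for sources that have no config file, all of those sources also collapse onto the `""` key and end up in exactly this branch, so the panic is reachable from an ordinary scan with the flag set. I would guard with `if !ok && configManager.OverrideConfig == nil { continue }` ahead of the existing `if !ok {` (or return a descriptive error), rather than deferring it to a later patch. Separately, the added `vulns, _ := m[configToUsePath]` is just `vulns := m[configToUsePath]` (staticcheck S1005). updateConfigs continues past the end of the hunk.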
@@ -1776,29 +1776,10 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { // action overwrites files, copy them to a temporary directory. testDir := testutility.CreateTestDir(t) - var err error - for _, file := range []string{ - "composer.lock", - "custom-config.toml", - "osv-scanner-test.toml", - "Gemfile.lock", - "package-lock.json", - "nested-1/package-lock.json", - "nested-1/osv-scanner-test.toml", - "nested-2/package-lock.json", - "nested-2/osv-scanner-test.toml", - } { - err = os.MkdirAll(testDir+"/"+filepath.Dir(file), 0750) - if err != nil { - t.Fatal(err) - } - - _, err = testcmd.CopyFile("testdata/locks-with-many-configs/"+file, testDir+"/"+file) - - if err != nil { - t.Fatal(err) - } + err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) + if err != nil { + t.Fatal(err) } tt.Args = append(tt.Args, testDir) From da1e75b54c65c49e251842c31eb44169309788d1 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 20 Feb 2026 08:31:17 +1300 Subject: [PATCH 15/43] fix: skip the default config and add nil check --- .../source/__snapshots__/command_test.snap | 37 +++++++++++++++ cmd/osv-scanner/scan/source/command_test.go | 46 +++++++++++++++++++ pkg/osvscanner/osvscanner.go | 7 ++- 3 files changed, 88 insertions(+), 2 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index de0444910dc..5514eafe812 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
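Review bot: Replacing the explicit nine-file list with `os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs"))` copies every file in that fixture directory, so anything the old list deliberately left out now becomes scanner input and can shift the snapshots without any change to this test. A one-line comment stating that intent would stop a future reader from re-introducing a filter, e.g. `// copy the whole fixture tree; every file under it is deliberately part of the scan input`. Note also that `os.CopyFS` refuses to overwrite existing files and is Go 1.23+, so this silently depends on CreateTestDir returning an empty directory and on go.mod already being at that version — neither is visible from here. The enclosing test function starts before and continues after the hunk.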
@@ -6186,6 +6186,43 @@ No issues found --- +[TestCommand_UpdateConfigIgnores_WithNoConfig - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_WithNoConfig - 2] + +--- + [TestCommand_WithDetector_OffLinux/ssh_version_errors - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index d1a7e669ea1..0eb497e53e6 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1,6 +1,7 @@ package source_test import ( + "errors" "net/http" "os" "path/filepath" 
@@ -1817,3 +1818,48 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { }) } } + +func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { + t.Parallel() + + // action overwrites files, copy them to a temporary directory. + testDir := testutility.CreateTestDir(t) + var err error + + err = os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) + if err != nil { + t.Fatal(err) + } + + // the test suite sets "osv-scanner-test.toml" as the default config name, + // but we might as well remove the "ignore all" config we have in our testdata + // for tools like scorecard, to be extra sure it can't interfere with our tests + err = os.Remove(testDir + "/osv-scanner.toml") + if err != nil { + t.Fatal(err) + } + + // remove the expected config file + err = os.Remove(testDir + "/osv-scanner-test.toml") + if err != nil { + t.Fatal(err) + } + + // the "update config ignores" flag should not create a config file + testcmd.RunAndMatchSnapshots(t, testcmd.Case{ + Args: []string{"", "source", "--format=vertical", "--experimental-update-config-ignores", testDir}, + Exit: 1, + }) + + _, err = os.Stat(testDir + "/osv-scanner.toml") + + if !errors.Is(err, os.ErrNotExist) { + t.Errorf("expected osv-scanner.toml not to be created") + } + + _, err = os.Stat(testDir + "/osv-scanner-test.toml") + + if !errors.Is(err, os.ErrNotExist) { + t.Errorf("expected osv-scanner-test.toml not to be created") + } +} diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 8b986b481c8..0558537799d 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -432,6 +432,10 @@ func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *conf for _, pkgSrc := range vulnResults.Results { configToUsePath := configManager.Get(pkgSrc.Source.Path).LoadPath + // skip the default config + if configToUsePath == "" { + continue + } vulns, _ := m[configToUsePath] for _, pkgVulns := range pkgSrc.Packages { 
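Review bot: The new test builds every path as `testDir + "/osv-scanner.toml"` although `path/filepath` is already imported in this file; `filepath.Join(testDir, "osv-scanner.toml")` is the portable form and should be used for the two `os.Remove` calls and the two `os.Stat` checks. The assertions only prove that the two root-level names were not created, so a config file written anywhere else under testDir would pass unnoticed; a stronger check is to list the directory before the run and assert the listing is unchanged afterwards, or at minimum assert that `custom-config.toml` still exists with its original contents. The `var err error` followed by `err = os.CopyFS(...)` can be collapsed to `err := os.CopyFS(...)`, matching the sibling test above.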
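Review bot: The added `if configToUsePath == "" { continue }` silently drops every source that has no config file, so a user who runs with the update-ignores flag and no `osv-scanner.toml` gets no indication that nothing was written — the no-config snapshot in this same commit shows no message at all. Emitting one line through whatever logger this package already uses when a source is skipped for this reason would make the no-op visible, and the comment should say why the skip is correct, e.g. `// skip the default config: it was not loaded from a file, so there is nowhere to persist ignores`. The `for _, pkgSrc` loop and the function continue past the end of the hunk.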
@@ -444,8 +448,7 @@ func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *conf for p, vulns := range m { c, ok := configManager.ConfigMap[p] - // todo: this is probably not safe... - if !ok { + if !ok && configManager.OverrideConfig != nil { c = *configManager.OverrideConfig } From 89d55c3ade98e80c9f51104d2b1cdf629e5d495b Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 20 Feb 2026 08:37:21 +1300 Subject: [PATCH 16/43] refactor: simplify "update configs" implementation (somewhat) --- pkg/osvscanner/osvscanner.go | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 0558537799d..ad0b09cda0b 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
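Review bot: With the nil check folded into `if !ok && configManager.OverrideConfig != nil`, the case where the path is missing from ConfigMap and there is no override no longer panics but falls through with `c` still the zero `config.Config`, and the `c.UpdateFile(vulns)` call that follows the hunk then runs against an empty `LoadPath`. That case should be skipped or reported, not turned into an attempt to persist ignores for a config that does not exist: keep the original `if !ok {` and put `if configManager.OverrideConfig == nil { continue }` inside it before the assignment. The `for p, vulns := range m` loop continues past the end of the hunk.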
@@ -426,31 +426,28 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) } func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) error { - m := make(map[string][]*osvschema.Vulnerability) + configVulns := make(map[string][]*osvschema.Vulnerability) + configPaths := make(map[string]config.Config) - // todo: explore how we might be able to clean this whole thing up... for _, pkgSrc := range vulnResults.Results { - configToUsePath := configManager.Get(pkgSrc.Source.Path).LoadPath + c := configManager.Get(pkgSrc.Source.Path) // skip the default config - if configToUsePath == "" { + if c.LoadPath == "" { continue } - vulns, _ := m[configToUsePath] + + configPaths[c.LoadPath] = c for _, pkgVulns := range pkgSrc.Packages { - vulns = append(vulns, pkgVulns.Vulnerabilities...) + configVulns[c.LoadPath] = append(configVulns[c.LoadPath], pkgVulns.Vulnerabilities...) } - - m[configToUsePath] = vulns } - for p, vulns := range m { - c, ok := configManager.ConfigMap[p] - - if !ok && configManager.OverrideConfig != nil { - c = *configManager.OverrideConfig - } + // update each config to ignore all the vulnerabilities + // found across all packages that are using that config + for p, vulns := range configVulns { + c := configPaths[p] err := c.UpdateFile(vulns) if err != nil { From 8e1efd84267b1454db6786a549b656bcbf164035 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 20 Feb 2026 08:41:34 +1300 Subject: [PATCH 17/43] test: update names --- .../source/__snapshots__/command_test.snap | 202 +++++++++--------- cmd/osv-scanner/scan/source/command_test.go | 6 +- 2 files changed, 104 insertions(+), 104 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 5514eafe812..5ddbab1e404 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
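Review bot: `configPaths` stores `config.Config` by value, so `c := configPaths[p]` is a copy and `c.UpdateFile(vulns)` rewrites the ignore list of that copy only; the manager's own Config keeps its pre-update entries for the rest of the run, and anything that consults the manager afterwards describes the old file — the earlier recursive snapshot prints `/nested-2/osv-scanner-test.toml has unused ignores` in the same run that rewrote that file without the duplicate entry (whether that comes from this copy or from call order is not visible here). Either have the manager hand out pointers, or write the updated `c` back to it after UpdateFile returns, and state the choice on the function: `// updateConfigs rewrites each loaded config file's IgnoredVulns to the vulnerabilities found in the sources that use it; configManager's in-memory copies are not updated.` Note also that `configVulns` only gains a key inside the `pkgSrc.Packages` loop while `configPaths` is filled unconditionally, so a config whose sources have no packages is never rewritten — fine, but worth a comment. The loop's end and the function's return are outside the hunk.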
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -5874,16 +5874,27 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 1] +[TestCommand_UpdateConfigIgnores/deep - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 3 vulnerabilities from output +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -2 vulnerabilities can be fixed. +Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +7 vulnerabilities can be fixed. RubyGems 
@@ -5897,6 +5908,30 @@ lockfile:/Gemfile.lock: found 1 package with issues npm +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: @@ -5908,11 +5943,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 2] +[TestCommand_UpdateConfigIgnores/deep - 2] --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 3] +[TestCommand_UpdateConfigIgnores/deep - 3] [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" 
@@ -5921,66 +5956,74 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 4] +[TestCommand_UpdateConfigIgnores/deep - 4] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 5] +[TestCommand_UpdateConfigIgnores/deep - 5] [[IgnoredVulns]] -id = "CVE-2021-23424" -reason = "Test manifest file (package-lock.json)" +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 6] +[TestCommand_UpdateConfigIgnores/deep - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" [[IgnoredVulns]] -id = "GHSA-2g4f-4pwh-qvx6" +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 7] +[TestCommand_UpdateConfigIgnores/deep - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 2 vulnerabilities from output +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 10 vulnerabilities from output No issues found --- -[TestCommand_UpdateConfigIgnores/config_gets_updated - 8] +[TestCommand_UpdateConfigIgnores/deep - 8] --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 1] +[TestCommand_UpdateConfigIgnores/global_config_shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Loaded filter from: /osv-scanner-test.toml -Loaded filter from: /nested-1/osv-scanner-test.toml -warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! 
-Loaded filter from: /nested-2/osv-scanner-test.toml -CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 3 vulnerabilities from output -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -7 vulnerabilities can be fixed. +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. RubyGems 
@@ -5994,30 +6037,6 @@ lockfile:/Gemfile.lock: found 1 package with issues npm -lockfile:/nested-1/package-lock.json: found 2 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - - 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 2 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json - lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -6029,84 +6048,65 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 2] +[TestCommand_UpdateConfigIgnores/global_config_shallow - 2] --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 3] -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" - -[[IgnoredVulns]] -id = "GHSA-wx95-c6cv-8532" +[TestCommand_UpdateConfigIgnores/global_config_shallow - 3] --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 4] +[TestCommand_UpdateConfigIgnores/global_config_shallow - 4] GoVersionOverride = "1.20.0" ---- - -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 5] [[IgnoredVulns]] -id = "GHSA-2g4f-4pwh-qvx6" +id = "GHSA-whgm-jr23-g3j9" [[IgnoredVulns]] -id = "GHSA-v88g-cgmw-v5xw" +id = "GHSA-wx95-c6cv-8532" +--- + +[TestCommand_UpdateConfigIgnores/global_config_shallow - 5] [[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 6] +[TestCommand_UpdateConfigIgnores/global_config_shallow - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" [[IgnoredVulns]] -id = "GHSA-v88g-cgmw-v5xw" - -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" +id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 7] +[TestCommand_UpdateConfigIgnores/global_config_shallow - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
-Loaded filter from: /osv-scanner-test.toml -Loaded filter from: /nested-1/osv-scanner-test.toml -Loaded filter from: /nested-2/osv-scanner-test.toml GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 10 vulnerabilities from output +Filtered 2 vulnerabilities from output No issues found --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_recursively - 8] +[TestCommand_UpdateConfigIgnores/global_config_shallow - 8] --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 1] +[TestCommand_UpdateConfigIgnores/shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. 
@@ -6134,17 +6134,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 2] +[TestCommand_UpdateConfigIgnores/shallow - 2] --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 3] - ---- - -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 4] -GoVersionOverride = "1.20.0" - +[TestCommand_UpdateConfigIgnores/shallow - 3] [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" @@ -6153,14 +6147,19 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 5] +[TestCommand_UpdateConfigIgnores/shallow - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores/shallow - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 6] +[TestCommand_UpdateConfigIgnores/shallow - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6169,12 +6168,13 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 7] +[TestCommand_UpdateConfigIgnores/shallow - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output @@ -6182,7 +6182,7 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/config_gets_updated_with_explicit_config - 8] +[TestCommand_UpdateConfigIgnores/shallow - 8] --- 
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 0eb497e53e6..4639971d023 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1750,21 +1750,21 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { tests := []testcmd.Case{ { - Name: "config_gets_updated", + Name: "shallow", Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", }, Exit: 1, }, { - Name: "config_gets_updated_recursively", + Name: "deep", Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", }, Exit: 1, }, { - Name: "config_gets_updated_with_explicit_config", + Name: "global_config_shallow", Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", "--config", "./testdata/locks-with-many-configs/custom-config.toml", }, From 15a04117e71713c9769677a74f4650a1b265a1d7 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Fri, 20 Feb 2026 08:43:04 +1300 Subject: [PATCH 18/43] test: add case for global config + recursive --- .../source/__snapshots__/command_test.snap | 135 ++++++++++++++++++ cmd/osv-scanner/scan/source/command_test.go | 7 + 2 files changed, 142 insertions(+) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 5ddbab1e404..be4ccc41a40 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -6015,6 +6015,141 @@ No issues found --- +[TestCommand_UpdateConfigIgnores/global_config_deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: 
'5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 3] + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 4] +GoVersionOverride = "1.20.0" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin 
transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 10 vulnerabilities from output +No issues found + +--- + +[TestCommand_UpdateConfigIgnores/global_config_deep - 8] + +--- + [TestCommand_UpdateConfigIgnores/global_config_shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go
index 4639971d023..0b7247c8346 100644
--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -1770,6 +1770,13 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) {
 },
 Exit: 1,
 },
+ {
+ Name: "global_config_deep",
+ Args: []string{
+ "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml",
+ },
+ Exit: 1,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.Name, func(t *testing.T) {
From 513f9c41ca35e61befe282679dcf3da49e1352f2 Mon Sep 17 00:00:00 2001
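Review bot: The new `global_config_deep` case (like `global_config_shallow` in the earlier rename hunk) combines `--experimental-update-config-ignores` with `--config ./testdata/locks-with-many-configs/custom-config.toml`, a path into the checked-in testdata rather than into a per-test temporary directory; if the flag writes the updated ignore list back to the config it loaded, as its name suggests, the run would mutate the repository fixture and the snapshots would then depend on working-tree state. The `t.Run` body that consumes `tt.Args` lies outside this hunk, so it may already rewrite that argument into the temp dir; if so, a comment on the case such as `// --config is rebased onto the copied test dir by the loop body below` would make that visible to the next reader, and if not, the path should be resolved against the copied directory the way the trailing positional argument is. The four cases also repeat the same four leading arguments; a shared `baseArgs` slice appended per case would shorten the table.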
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Fri, 20 Feb 2026 09:02:03 +1300
Subject: [PATCH 19/43] test: add more cases for "with no config"
---
 .../source/__snapshots__/command_test.snap | 221 +++++++++++++++++-
 cmd/osv-scanner/scan/source/command_test.go | 104 ++++++---
 2 files changed, 294 insertions(+), 31 deletions(-)
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index be4ccc41a40..f46d53c116d 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -6321,7 +6321,224 @@ No issues found --- -[TestCommand_UpdateConfigIgnores_WithNoConfig - 1] +[TestCommand_UpdateConfigIgnores_WithNoConfig/all - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: 
ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_WithNoConfig/all - 2] + +--- + +[TestCommand_UpdateConfigIgnores_WithNoConfig/deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! 
+Loaded filter from: /nested-2/osv-scanner-test.toml +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 + +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known 
vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_WithNoConfig/deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_WithNoConfig/deep2 - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +Filtered 1 vulnerability from output + +Total 7 packages affected by 9 known vulnerabilities (0 Critical, 2 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +9 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + 
+[TestCommand_UpdateConfigIgnores_WithNoConfig/deep2 - 2] + +--- + +[TestCommand_UpdateConfigIgnores_WithNoConfig/shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6354,7 +6571,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_WithNoConfig - 2] +[TestCommand_UpdateConfigIgnores_WithNoConfig/shallow - 2] ---
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go
index 0b7247c8346..916b542ca1d 100644
--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -1829,44 +1829,90 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { t.Parallel() - // action overwrites files, copy them to a temporary directory. - testDir := testutility.CreateTestDir(t) - var err error + type withFilesToRemove struct { + Name string + Args []string + Exit int - err = os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) - if err != nil { - t.Fatal(err) + Remove []string } - // the test suite sets "osv-scanner-test.toml" as the default config name, - // but we might as well remove the "ignore all" config we have in our testdata - // for tools like scorecard, to be extra sure it can't interfere with our tests - err = os.Remove(testDir + "/osv-scanner.toml") - if err != nil { - t.Fatal(err) - } + tests := []withFilesToRemove{ + { + Name: "shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", + }, + Exit: 1, - // remove the expected config file - err = os.Remove(testDir + "/osv-scanner-test.toml") - if err != nil { - t.Fatal(err) + Remove: []string{"osv-scanner-test.toml"}, + }, + { + Name: "deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", + }, + Exit: 1, + Remove: []string{"nested-1/osv-scanner-test.toml"}, + }, + { + Name: "deep2", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", + }, + Exit: 1, + Remove: []string{"nested-2/osv-scanner-test.toml"}, + }, + { + Name: "all", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", + }, + Exit: 1, + Remove: []string{ + "osv-scanner-test.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + }, + }, } + for _, tt := range tests { + t.Run(tt.Name, func(t *testing.T) { + t.Parallel() - // the "update config ignores" flag should not create a config file - testcmd.RunAndMatchSnapshots(t, 
testcmd.Case{ - Args: []string{"", "source", "--format=vertical", "--experimental-update-config-ignores", testDir}, - Exit: 1, - }) + // action overwrites files, copy them to a temporary directory. + testDir := testutility.CreateTestDir(t) + + err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) + if err != nil { + t.Fatal(err) + } - _, err = os.Stat(testDir + "/osv-scanner.toml") + // remove our config files + for _, file := range tt.Remove { + err = os.Remove(testDir + "/" + file) + if err != nil { + t.Fatal(err) + } + } - if !errors.Is(err, os.ErrNotExist) { - t.Errorf("expected osv-scanner.toml not to be created") - } + tt.Args = append(tt.Args, testDir) - _, err = os.Stat(testDir + "/osv-scanner-test.toml") + // the "update config ignores" flag should not create a config file + testcmd.RunAndMatchSnapshots(t, testcmd.Case{ + Name: tt.Name, + Args: tt.Args, + Exit: 1, + }) - if !errors.Is(err, os.ErrNotExist) { - t.Errorf("expected osv-scanner-test.toml not to be created") + for _, file := range tt.Remove { + p := testDir + "/" + file + _, err = os.Stat(p) + + if !errors.Is(err, os.ErrNotExist) { + t.Errorf("expected %s not to exist", p) + } + } + }) } }
From c71171176a770c41e30521e555f3a41b371b8aa6 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Fri, 20 Feb 2026 09:05:37 +1300
Subject: [PATCH 20/43] test: merge groups
---
 .../source/__snapshots__/command_test.snap | 504 ++++++++++++------
 cmd/osv-scanner/scan/source/command_test.go | 161 ++----
 2 files changed, 388 insertions(+), 277 deletions(-)
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index f46d53c116d..58716381db5 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
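Review bot: The `Exit` field of `withFilesToRemove` is populated on every case but never read — the `testcmd.Case` built inside `t.Run` hard-codes `Exit: 1`; it should be `Exit: tt.Exit,` (or the field should be dropped so the table does not suggest it is honoured). The rewrite also drops the old deletion of `osv-scanner.toml` and its post-run `os.Stat` check, which the removed comment explained was a guard against the "ignore all" testdata config interfering with these tests; if that guard is still wanted, adding `"osv-scanner.toml"` to each case's `Remove` list restores it through the existing loops, which both delete the file and assert it is not recreated. `testDir + "/" + file` is built twice; `filepath.Join(testDir, file)` is the OS-correct form and removes the duplication. The `t.Run` closure with `t.Parallel()` captures `tt`, which is per-iteration only under a Go 1.22+ `go.mod` that is not visible here; otherwise a `tt := tt` shadow is needed.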
@@ -6015,6 +6015,315 @@ No issues found --- +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + 
Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 2] + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 6] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled 
Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 8] + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 + +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 2] + +--- + 
+[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 3] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[IgnoredVulns]] +id = "GHSA-wx95-c6cv-8532" + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-v88g-cgmw-v5xw" + +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output + +Total 3 packages affected by 4 known vulnerabilities (0 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +4 vulnerabilities can be fixed. 
+ +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 8] + +--- + [TestCommand_UpdateConfigIgnores/global_config_deep - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package @@ -6321,17 +6630,15 @@ No issues found --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/all - 1] +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. RubyGems 
@@ -6345,38 +6652,6 @@ lockfile:/Gemfile.lock: found 1 package with issues npm -lockfile:/nested-1/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json - lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -6388,157 +6663,36 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/all - 2] +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 2] --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/deep - 1] -Scanning dir -Scanned /Gemfile.lock file and found 1 package -Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages -Scanned /package-lock.json file and found 1 package -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Loaded filter from: /osv-scanner-test.toml -warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! -Loaded filter from: /nested-2/osv-scanner-test.toml -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 2 vulnerabilities from output -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 - -Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -8 vulnerabilities can be fixed. 
- -RubyGems - -lockfile:/Gemfile.lock: found 1 package with issues - - nokogiri@1.18.9 has the following known vulnerabilities: - GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute - Severity: '5.3'; Minimal Fix Version: '1.19.1'; - - 1 known vulnerability found in lockfile:/Gemfile.lock - -npm - -lockfile:/nested-1/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 2 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json - -lockfile:/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/package-lock.json - - +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 3] +(does not exist) --- 
-[TestCommand_UpdateConfigIgnores_WithNoConfig/deep - 2] +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 4] +GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/deep2 - 1] -Scanning dir -Scanned /Gemfile.lock file and found 1 package -Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages -Scanned /package-lock.json file and found 1 package -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Loaded filter from: /osv-scanner-test.toml -Loaded filter from: /nested-1/osv-scanner-test.toml -CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) -Filtered 1 vulnerability from output - -Total 7 packages affected by 9 known vulnerabilities (0 Critical, 2 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -9 vulnerabilities can be fixed. 
- -RubyGems - -lockfile:/Gemfile.lock: found 1 package with issues - - nokogiri@1.18.9 has the following known vulnerabilities: - GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute - Severity: '5.3'; Minimal Fix Version: '1.19.1'; - - 1 known vulnerability found in lockfile:/Gemfile.lock - -npm - -lockfile:/nested-1/package-lock.json: found 2 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - - 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json - -lockfile:/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/package-lock.json - 
+[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/deep2 - 2] +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/shallow - 1] +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6571,7 +6725,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_WithNoConfig/shallow - 2] +[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 8] --- diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 916b542ca1d..9747006f630 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go 
@@ -1748,91 +1748,9 @@ func TestCommand_FlagDeprecatedPackages(t *testing.T) { func TestCommand_UpdateConfigIgnores(t *testing.T) { t.Parallel() - tests := []testcmd.Case{ - { - Name: "shallow", - Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", - }, - Exit: 1, - }, - { - Name: "deep", - Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", - }, - Exit: 1, - }, - { - Name: "global_config_shallow", - Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "--config", "./testdata/locks-with-many-configs/custom-config.toml", - }, - Exit: 1, - }, - { - Name: "global_config_deep", - Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", - }, - Exit: 1, - }, - } - for _, tt := range tests { - t.Run(tt.Name, func(t *testing.T) { - t.Parallel() - - // action overwrites files, copy them to a temporary directory. 
- testDir := testutility.CreateTestDir(t) - - err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) - if err != nil { - t.Fatal(err) - } - - tt.Args = append(tt.Args, testDir) - - testcmd.CopyFileFlagTo(t, tt, "--config", testDir) - - testcmd.RunAndMatchSnapshots(t, tt) - - for _, file := range []string{ - "osv-scanner-test.toml", - "custom-config.toml", - "nested-1/osv-scanner-test.toml", - "nested-2/osv-scanner-test.toml", - } { - b, err := os.ReadFile(testDir + "/" + file) - - if err != nil { - t.Fatal(err) - } - - testutility.NewSnapshot().MatchText(t, string(b)) - } - - // re-running the cli now should have no vulnerabilities, - // as everything should be marked as ignored - for i, arg := range tt.Args { - if arg == "--experimental-update-config-ignores" { - tt.Args[i] = "--experimental-update-config-ignores=false" - } - } - - tt.Exit = 0 - - testcmd.RunAndMatchSnapshots(t, tt) - }) - } -} - -func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { - t.Parallel() - type withFilesToRemove struct { Name string Args []string - Exit int Remove []string } @@ -1843,8 +1761,12 @@ func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", }, - Exit: 1, - + }, + { + Name: "shallow_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", + }, Remove: []string{"osv-scanner-test.toml"}, }, { 
@@ -1852,29 +1774,37 @@ func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", }, - Exit: 1, - Remove: []string{"nested-1/osv-scanner-test.toml"}, }, { - Name: "deep2", + Name: "deep_with_removed_config", Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", }, - Exit: 1, - Remove: []string{"nested-2/osv-scanner-test.toml"}, + Remove: []string{"nested-1/osv-scanner-test.toml"}, }, { - Name: "all", + Name: "deep_with_no_configs", Args: []string{ "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", }, - Exit: 1, Remove: []string{ "osv-scanner-test.toml", "nested-1/osv-scanner-test.toml", "nested-2/osv-scanner-test.toml", }, }, + { + Name: "global_config_shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + { + Name: "global_config_deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { @@ -1888,7 +1818,7 @@ func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { t.Fatal(err) } - // remove our config files + // remove specified files for _, file := range tt.Remove { err = os.Remove(testDir + "/" + file) if err != nil { 
@@ -1896,23 +1826,50 @@ func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) { } } - tt.Args = append(tt.Args, testDir) - - // the "update config ignores" flag should not create a config file - testcmd.RunAndMatchSnapshots(t, testcmd.Case{ + tc := testcmd.Case{ Name: tt.Name, Args: tt.Args, Exit: 1, - }) + } - for _, file := range tt.Remove { - p := testDir + "/" + file - _, err = os.Stat(p) + tc.Args = append(tc.Args, testDir) + + testcmd.CopyFileFlagTo(t, tc, "--config", testDir) + + testcmd.RunAndMatchSnapshots(t, tc) + + for _, file := range []string{ + "osv-scanner-test.toml", + "custom-config.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + } { + b, err := os.ReadFile(testDir + "/" + file) - if !errors.Is(err, os.ErrNotExist) { - t.Errorf("expected %s not to exist", p) + if err != nil { + if !errors.Is(err, os.ErrNotExist) { + t.Fatal(err) + } + + b = []byte("(does not exist)") } + + testutility.NewSnapshot().MatchText(t, string(b)) } + + for i, arg := range tc.Args { + if arg == "--experimental-update-config-ignores" { + tc.Args[i] = "--experimental-update-config-ignores=false" + } + } + + // if there were no (config) files removed, then re-running the cli + // should have no vulnerabilities as everything should be ignored + if len(tt.Remove) == 0 { + tc.Exit = 0 + } + + testcmd.RunAndMatchSnapshots(t, tc) }) } } From 8eb82f00e4cf8387cd39cb17e2cf346c6e751a32 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Mon, 23 Feb 2026 13:48:43 +1300 Subject: [PATCH 21/43] test: use cassettes and update snapshots --- cmd/osv-scanner/scan/source/command_test.go | 4 + .../TestCommand_UpdateConfigIgnores.yaml | 857 ++++++++++++++++++ 2 files changed, 861 insertions(+) create mode 100644 cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml 
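Review bot: The explicit negative assertion that a removed config file is not recreated (`expected %s not to exist`) is dropped here in favour of snapshotting the string `(does not exist)`, which weakens the test: if the update path ever starts writing a config where none existed, the only signal is a changed snapshot, and snapshot updates tend to be accepted wholesale. Keep a direct check after the first run, for example `for _, file := range tt.Remove { if _, err := os.Stat(testDir + "/" + file); !errors.Is(err, os.ErrNotExist) { t.Errorf("expected %s not to exist", file) } }`, alongside the snapshot. As a minor point of style, `b, err := os.ReadFile(...)` inside the loop shadows the `err` declared earlier in the closure; harmless, but a `var b []byte` plus `=` avoids the shadow linter finding. The enclosing test body starts before this hunk.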
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 9747006f630..1f1108f879c 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1748,6 +1748,8 @@ func TestCommand_FlagDeprecatedPackages(t *testing.T) { func TestCommand_UpdateConfigIgnores(t *testing.T) { t.Parallel() + client := testcmd.InsertCassette(t) + type withFilesToRemove struct { Name string Args []string @@ -1830,6 +1832,8 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { Name: tt.Name, Args: tt.Args, Exit: 1, + + HTTPClient: testcmd.WithTestNameHeader(t, *client), } tc.Args = append(tc.Args, testDir) diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml new file mode 100644 index 00000000000..5d3d1e8f889 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml 
@@ -0,0 +1,857 @@ +--- +version: 2 +interactions: + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } 
+ ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": 
"2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - 
TestCommand_UpdateConfigIgnores/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + 
"results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": 
"GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s From c1145a68451cb636469badd37257c1e05f85d133 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 25 Feb 2026 08:49:03 +1300 Subject: [PATCH 22/43] feat: switch to using a string flag --- cmd/osv-scanner/internal/helper/flags.go | 14 ++- cmd/osv-scanner/internal/helper/getters.go | 2 +- .../source/__snapshots__/command_test.snap | 114 +++++++++--------- cmd/osv-scanner/scan/source/command_test.go | 20 +-- ... TestCommand_UpdateConfigIgnores_All.yaml} | 14 +-- pkg/osvscanner/osvscanner.go | 4 +- 6 files changed, 89 insertions(+), 79 deletions(-) rename cmd/osv-scanner/scan/source/testdata/cassettes/{TestCommand_UpdateConfigIgnores.yaml => TestCommand_UpdateConfigIgnores_All.yaml} (97%) diff --git a/cmd/osv-scanner/internal/helper/flags.go b/cmd/osv-scanner/internal/helper/flags.go index 285a5e9331e..ff0f362e32f 100644 --- a/cmd/osv-scanner/internal/helper/flags.go +++ b/cmd/osv-scanner/internal/helper/flags.go 
@@ -207,9 +207,19 @@ func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {
 Name: "experimental-no-default-plugins",
 Usage: "disable default plugins, instead using only those enabled by --experimental-plugins",
 },
- &cli.BoolFlag{
+ &cli.StringFlag{
 Name: "experimental-update-config-ignores",
- Usage: "update config file(s) to ignore all found vulnerabilities",
+ Usage: "update config file(s) to ignore vulnerabilities - must be one of: none, unused, or all",
+ Action: func(_ context.Context, _ *cli.Command, s string) error {
+ // todo: can we do something other than "none"?
+ // - feels like that might mean "remove all ignores"
+ // - ideally empty string would be nice, but might not work properly as a flag default?
+ if s == "none" || s == "unused" || s == "all" {
+ return nil
+ }
+
+ return fmt.Errorf("unsupported option \"%s\" - must be none, unused, or all", s)
+ },
 },
 }
 }
diff --git a/cmd/osv-scanner/internal/helper/getters.go b/cmd/osv-scanner/internal/helper/getters.go
index 041ae35137b..847252b8877 100644
--- a/cmd/osv-scanner/internal/helper/getters.go
+++ b/cmd/osv-scanner/internal/helper/getters.go
@@ -56,6 +56,6 @@ func GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvsca
 PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"),
 HTTPClient: client,
 FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"),
- UpdateConfigIgnores: cmd.Bool("experimental-update-config-ignores"),
+ UpdateConfigIgnores: cmd.String("experimental-update-config-ignores"),
 }
 }
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index 58716381db5..1b26dd7f975 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
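Review bot: The validator leaves the unset case undefined: with no `Value:` default the flag yields `""` when it is omitted, which is not one of the three accepted values, and the Action (assuming, as is usual for a flag Action, that it only runs when the flag is explicitly set) never sees it, so `cmd.String(...)` in the getters.go hunk below hands an empty string to the `UpdateConfigIgnores` field and the consumer has to silently treat it as `none`; the TODO comment acknowledges this gap. Either set `Value: "none"` so the contract is explicit, or say in Usage that omitting the flag means no update. As a point of style the comparison reads better as `switch s { case "none", "unused", "all": return nil }`, and the error should quote with `%q` rather than hand-escaped quotes — `return fmt.Errorf("unsupported option %q - must be none, unused, or all", s)` — which also escapes control characters in whatever value the user passed before it reaches the terminal. BuildCommonScanFlags starts outside the hunk.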
@@ -1206,7 +1206,7 @@ OPTIONS: --experimental-plugins string [ --experimental-plugins string ] list of specific plugins and presets of plugins to use (default: "lockfile", "sbom", "directory") --experimental-disable-plugins string [ --experimental-disable-plugins string ] list of specific plugins and presets of plugins to not use --experimental-no-default-plugins disable default plugins, instead using only those enabled by --experimental-plugins - --experimental-update-config-ignores update config file(s) to ignore all found vulnerabilities + --experimental-update-config-ignores string update config file(s) to ignore vulnerabilities - must be one of: none, unused, or all --help, -h show help --- @@ -5874,7 +5874,7 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me --- -[TestCommand_UpdateConfigIgnores/deep - 1] +[TestCommand_UpdateConfigIgnores_All/deep - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -5943,11 +5943,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/deep - 2] +[TestCommand_UpdateConfigIgnores_All/deep - 2] --- -[TestCommand_UpdateConfigIgnores/deep - 3] +[TestCommand_UpdateConfigIgnores_All/deep - 3] [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" @@ -5956,12 +5956,12 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/deep - 4] +[TestCommand_UpdateConfigIgnores_All/deep - 4] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores/deep - 5] +[TestCommand_UpdateConfigIgnores_All/deep - 5] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -5973,7 +5973,7 @@ id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/deep - 6] +[TestCommand_UpdateConfigIgnores_All/deep - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" 
@@ -5985,7 +5985,7 @@ id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/deep - 7] +[TestCommand_UpdateConfigIgnores_All/deep - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6011,11 +6011,11 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/deep - 8] +[TestCommand_UpdateConfigIgnores_All/deep - 8] --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 1] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6082,28 +6082,28 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 2] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 2] --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 3] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 3] (does not exist) --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 4] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 4] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 5] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 5] (does not exist) --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 6] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 6] (does not exist) --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 7] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -6170,11 +6170,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/deep_with_no_configs - 8] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 8] --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 1] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6244,11 +6244,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 2] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 2] --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 3] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 3] [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" @@ -6257,16 +6257,16 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 4] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 4] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 5] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 5] (does not exist) --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 6] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6278,7 +6278,7 @@ id = "GHSA-whgm-jr23-g3j9" --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 7] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -6320,11 +6320,11 @@ lockfile:/nested-1/package-lock.json: found 3 packages with issues --- -[TestCommand_UpdateConfigIgnores/deep_with_removed_config - 8] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 8] --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 1] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6391,15 +6391,15 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 2] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 2] --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 3] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 3] --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 4] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 4] GoVersionOverride = "1.20.0" [[IgnoredVulns]] @@ -6416,14 +6416,14 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 5] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 6] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6432,7 +6432,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 7] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -6455,11 +6455,11 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/global_config_deep - 8] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 8] --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 1] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6492,15 +6492,15 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 2] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 2] --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 3] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 3] --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 4] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 4] GoVersionOverride = "1.20.0" [[IgnoredVulns]] @@ -6511,14 +6511,14 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 5] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 6] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6527,7 +6527,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 7] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -6540,11 +6540,11 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/global_config_shallow - 8] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 8] --- -[TestCommand_UpdateConfigIgnores/shallow - 1] +[TestCommand_UpdateConfigIgnores_All/shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6578,11 +6578,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/shallow - 2] +[TestCommand_UpdateConfigIgnores_All/shallow - 2] --- -[TestCommand_UpdateConfigIgnores/shallow - 3] +[TestCommand_UpdateConfigIgnores_All/shallow - 3] [[IgnoredVulns]] id = "GHSA-whgm-jr23-g3j9" @@ -6591,19 +6591,19 @@ id = "GHSA-wx95-c6cv-8532" --- -[TestCommand_UpdateConfigIgnores/shallow - 4] +[TestCommand_UpdateConfigIgnores_All/shallow - 4] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores/shallow - 5] +[TestCommand_UpdateConfigIgnores_All/shallow - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/shallow - 6] +[TestCommand_UpdateConfigIgnores_All/shallow - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6612,7 +6612,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/shallow - 7] +[TestCommand_UpdateConfigIgnores_All/shallow - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6626,11 +6626,11 @@ No issues found --- -[TestCommand_UpdateConfigIgnores/shallow - 8] +[TestCommand_UpdateConfigIgnores_All/shallow - 8] --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 1] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -6663,27 +6663,27 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 2] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 2] --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 3] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 3] (does not exist) --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 4] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 4] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 5] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 6] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -6692,7 +6692,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 7] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6725,7 +6725,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores/shallow_with_removed_config - 8] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 8] --- diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 1f1108f879c..bfeea058f05 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1745,7 +1745,7 @@ func TestCommand_FlagDeprecatedPackages(t *testing.T) { } } -func TestCommand_UpdateConfigIgnores(t *testing.T) { +func TestCommand_UpdateConfigIgnores_All(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) 
@@ -1761,33 +1761,33 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { { Name: "shallow", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", }, }, { Name: "shallow_with_removed_config", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", }, Remove: []string{"osv-scanner-test.toml"}, }, { Name: "deep", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", }, }, { Name: "deep_with_removed_config", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", }, Remove: []string{"nested-1/osv-scanner-test.toml"}, }, { Name: "deep_with_no_configs", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", }, Remove: []string{ "osv-scanner-test.toml", 
@@ -1798,13 +1798,13 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { { Name: "global_config_shallow", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "--config", "./testdata/locks-with-many-configs/custom-config.toml", }, }, { Name: "global_config_deep", Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores", "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + "", "source", "--format=vertical", "--experimental-update-config-ignores=all", "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", }, }, } @@ -1862,8 +1862,8 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) { } for i, arg := range tc.Args { - if arg == "--experimental-update-config-ignores" { - tc.Args[i] = "--experimental-update-config-ignores=false" + if arg == "--experimental-update-config-ignores=all" { + tc.Args[i] = "--experimental-update-config-ignores=none" } } diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml similarity index 97% rename from cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml rename to cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml index 5d3d1e8f889..f91c4d90802 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml @@ -72,7 +72,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/deep + - TestCommand_UpdateConfigIgnores_All/deep url: https://api.osv.dev/v1/querybatch method: POST response: 
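Review bot: The re-run loop now swaps `=all` for `=none`, but nothing on this page exercises the flag validator's rejection path, so a typo such as `--experimental-update-config-ignores=al` being refused — rather than quietly behaving like no update — is untested. One extra case passing an unsupported value, e.g. `Args: []string{"", "source", "--format=vertical", "--experimental-update-config-ignores=bogus"}`, asserting the command fails with the `unsupported option` message, would pin that contract; the exit code to expect is not visible here and should be taken from how other flag errors are asserted in this file. The enclosing test function starts before this hunk.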
@@ -236,7 +236,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/deep_with_no_configs + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs url: https://api.osv.dev/v1/querybatch method: POST response: @@ -400,7 +400,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/deep_with_removed_config + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config url: https://api.osv.dev/v1/querybatch method: POST response: @@ -564,7 +564,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/global_config_deep + - TestCommand_UpdateConfigIgnores_All/global_config_deep url: https://api.osv.dev/v1/querybatch method: POST response: @@ -686,7 +686,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/global_config_shallow + - TestCommand_UpdateConfigIgnores_All/global_config_shallow url: https://api.osv.dev/v1/querybatch method: POST response: @@ -752,7 +752,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/shallow + - TestCommand_UpdateConfigIgnores_All/shallow url: https://api.osv.dev/v1/querybatch method: POST response: @@ -818,7 +818,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores/shallow_with_removed_config + - TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config url: https://api.osv.dev/v1/querybatch method: POST response: diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ad0b09cda0b..1d33052f335 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -85,7 +85,7 @@ type ExperimentalScannerActions struct { FlagDeprecatedPackages bool // Update config file(s) to ignore all found vulnerabilities - UpdateConfigIgnores bool + UpdateConfigIgnores string // Allows specifying user agent RequestUserAgent string 
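Review bot: The doc comment above `UpdateConfigIgnores` in the osvscanner.go hunk still reads `// Update config file(s) to ignore all found vulnerabilities`, which described the old bool; now that the field is a string mode, this library-facing comment is the only place a non-CLI caller learns the accepted values. Suggest `// UpdateConfigIgnores selects how config file(s) are rewritten after the scan: "" or "none" leaves them untouched, "unused" removes ignore entries the scan did not use (see the later patch on this page), and "all" adds an ignore entry for every reported vulnerability.` Note that the field itself accepts any string; the only validation visible is in the CLI flag Action, so library callers get no error for an unrecognised mode unless it is enforced where the value is consumed — worth stating in the comment either way. ExperimentalScannerActions starts before and continues after this hunk.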
@@ -392,7 +392,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult) } - if actions.UpdateConfigIgnores { + if actions.UpdateConfigIgnores == "all" { err := updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager) if err != nil { From 9395e541b527c20c00d697dfafc344a19f706690 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 25 Feb 2026 09:28:27 +1300 Subject: [PATCH 23/43] feat: implement support for removing unused ignores --- .../source/__snapshots__/command_test.snap | 1215 +++++++++++++++++ cmd/osv-scanner/scan/source/command_test.go | 147 ++ .../TestCommand_UpdateConfigIgnores_All.yaml | 856 +++++++++++- ...estCommand_UpdateConfigIgnores_Unused.yaml | 1087 +++++++++++++++ .../unused-config.toml | 9 + internal/config/config.go | 18 + pkg/osvscanner/osvscanner.go | 35 + 7 files changed, 3366 insertions(+), 1 deletion(-) create mode 100644 cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 1b26dd7f975..9d25dda3be1 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
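Review bot: `actions.UpdateConfigIgnores == "all"` compares against a bare literal, and at this point in the series `"unused"` — which the CLI validator accepts — falls through and silently does nothing; a `switch` whose `default` returns an error for any value other than `""`, `"none"`, `"unused"` or `"all"` would have surfaced that, and will keep surfacing it for whatever mode is added next. The later patch on this page ("implement support for removing unused ignores") presumably wires `unused` here, so the remaining point is the magic strings: define `const UpdateConfigIgnoresAll = "all"` (and siblings) in this package and have the flag validator reference them. finalizeScanResult starts before and continues after this hunk.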
@@ -6729,6 +6729,1221 @@ lockfile:/package-lock.json: found 1 package with issues --- +[TestCommand_UpdateConfigIgnores_Unused/deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 3 vulnerabilities from output +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 + +Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +7 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 3] +IgnoredVulns = [] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 5] +[[IgnoredVulns]] +id = 
"CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-1/osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 3 vulnerabilities from output + +Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +7 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + + 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages 
+Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; 
Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 6] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled 
Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! +Loaded filter from: /nested-2/osv-scanner-test.toml +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output +/nested-2/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 + +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 2] + +--- + 
+[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 3] +IgnoredVulns = [] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 5] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml +Loaded filter from: /nested-2/osv-scanner-test.toml +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 2 vulnerabilities from output + +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 8] + +--- + 
+[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; 
+ GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 4] +IgnoredVulns = [] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+ +Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +10 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 3 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + 
+lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 4] +IgnoredVulns = [] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file 
(package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 4 vulnerabilities from output + +Total 6 packages affected by 6 known vulnerabilities (0 Critical, 3 High, 3 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +6 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known 
vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /nested-1/package-lock.json file and found 3 packages +Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 4 vulnerabilities from output + +Total 6 packages affected by 6 known vulnerabilities (0 Critical, 3 High, 3 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +6 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/nested-1/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-1/package-lock.json + +lockfile:/nested-2/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on 
untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 3] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
+ +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. + +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 3] +IgnoredVulns = [] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /osv-scanner-test.toml + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 8] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 1] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 2] + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 3] +(does not exist) +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 4] +GoVersionOverride = "1.20.0" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 5] +[[IgnoredVulns]] +id = "CVE-2021-23424" +reason = "Test manifest file (package-lock.json)" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 6] +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 7] +Scanning dir +Scanned /Gemfile.lock file and found 1 package +Scanned /composer.lock file and found 0 packages +Scanned /package-lock.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + +Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +2 vulnerabilities can be fixed. 
+ +RubyGems + +lockfile:/Gemfile.lock: found 1 package with issues + + nokogiri@1.18.9 has the following known vulnerabilities: + GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute + Severity: '5.3'; Minimal Fix Version: '1.19.1'; + + 1 known vulnerability found in lockfile:/Gemfile.lock + +npm + +lockfile:/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/package-lock.json + + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 8] + +--- + [TestCommand_WithDetector_OffLinux/ssh_version_errors - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index bfeea058f05..0a65ea89c53 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go 
@@ -1877,3 +1877,150 @@ func TestCommand_UpdateConfigIgnores_All(t *testing.T) { }) } } + +func TestCommand_UpdateConfigIgnores_Unused(t *testing.T) { + t.Parallel() + + client := testcmd.InsertCassette(t) + + type withFilesToRemove struct { + Name string + Args []string + + Remove []string + } + + tests := []withFilesToRemove{ + { + Name: "shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + }, + }, + { + Name: "shallow_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + }, + Remove: []string{"osv-scanner-test.toml"}, + }, + { + Name: "deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", + }, + }, + { + Name: "deep_with_removed_config", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", + }, + Remove: []string{"nested-1/osv-scanner-test.toml"}, + }, + { + Name: "deep_with_no_configs", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", + }, + Remove: []string{ + "osv-scanner-test.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + }, + }, + { + Name: "global_config_shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + { + Name: "global_config_deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", + }, + }, + { + Name: "global_config_with_unused_shallow", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "--config", "./testdata/locks-with-many-configs/unused-config.toml", + }, + }, + { + Name: 
"global_config_with_unused_deep", + Args: []string{ + "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", + "-r", "--config", "./testdata/locks-with-many-configs/unused-config.toml", + }, + }, + } + for _, tt := range tests { + t.Run(tt.Name, func(t *testing.T) { + t.Parallel() + + // action overwrites files, copy them to a temporary directory. + testDir := testutility.CreateTestDir(t) + + err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-many-configs")) + if err != nil { + t.Fatal(err) + } + + // remove specified files + for _, file := range tt.Remove { + err = os.Remove(testDir + "/" + file) + if err != nil { + t.Fatal(err) + } + } + + tc := testcmd.Case{ + Name: tt.Name, + Args: tt.Args, + Exit: 1, + + HTTPClient: testcmd.WithTestNameHeader(t, *client), + } + + tc.Args = append(tc.Args, testDir) + + testcmd.CopyFileFlagTo(t, tc, "--config", testDir) + + testcmd.RunAndMatchSnapshots(t, tc) + + for _, file := range []string{ + "osv-scanner-test.toml", + "custom-config.toml", + "nested-1/osv-scanner-test.toml", + "nested-2/osv-scanner-test.toml", + } { + b, err := os.ReadFile(testDir + "/" + file) + + if err != nil { + if !errors.Is(err, os.ErrNotExist) { + t.Fatal(err) + } + + b = []byte("(does not exist)") + } + + testutility.NewSnapshot().MatchText(t, string(b)) + } + + for i, arg := range tc.Args { + if arg == "--experimental-update-config-ignores=unused" { + tc.Args[i] = "--experimental-update-config-ignores=none" + } + } + + // re-running the cli should have vulnerabilities as not everything was ignored + testcmd.RunAndMatchSnapshots(t, tc) + }) + } +} diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml index f91c4d90802..9748aa32b33 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml 
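Review bot: The `global_config_with_unused_*` cases never assert on the file they exercise: the post-run snapshot loop reads `osv-scanner-test.toml`, `custom-config.toml` and the two nested configs, but not `unused-config.toml`, so whether the unused entries were actually stripped from the copied global config (or a still-used entry was wrongly dropped) goes unverified. The `=none` re-run cannot catch that either, since a leftover unused ignore does not change scan output. Because the ignore list is a finding-suppression policy, the rewritten content should be pinned; adding `"unused-config.toml",` to that file list gives it a snapshot alongside `custom-config.toml` (presumably `CopyFileFlagTo` places it in `testDir`, so the read would succeed, and the `(does not exist)` fallback covers the other cases). Minor: `testDir + "/" + file` appears twice; `filepath.Join(testDir, file)` is the portable form.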
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml 
@@ -165,6 +165,170 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": 
"2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 
@@ -400,7 +564,499 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": 
"ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": 
[ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep url: https://api.osv.dev/v1/querybatch method: POST response: 
@@ -723,6 +1379,138 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 
+ duration: 0s - request: proto: HTTP/1.1 proto_major: 1 @@ -855,3 +1643,69 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml new file mode 100644 index 00000000000..cc9a769a0eb --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml 
@@ -0,0 +1,1087 @@ +--- +version: 2 +interactions: + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": 
"2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + 
] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - 
TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + 
{ + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": 
"ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml new file mode 100644 index 00000000000..fb0e028aa23 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml 
@@ -0,0 +1,9 @@ +GoVersionOverride = "1.20.0" + +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" diff --git a/internal/config/config.go b/internal/config/config.go index 5a6b5d7611c..3193ca6be86 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -110,6 +110,11 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error { return identifiers.IDSortFunc(a.ID, b.ID) }) + return c.Save() +} + +// Save writes the configuration file to disk, overriding the existing content +func (c *Config) Save() error { f, err := os.OpenFile(c.LoadPath, os.O_TRUNC|os.O_WRONLY, os.ModePerm) if err != nil { @@ -134,6 +139,19 @@ func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry { return unused } +func (c *Config) RemoveUnusedIgnores() { + // todo: see if this is a more optimized way to do this? + ignoredVulns := make([]*IgnoreEntry, 0, len(c.IgnoredVulns)) + + for _, iv := range c.IgnoredVulns { + if iv.Used { + ignoredVulns = append(ignoredVulns, iv) + } + } + + c.IgnoredVulns = ignoredVulns +} + func (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) { index := slices.IndexFunc(c.IgnoredVulns, func(e *IgnoreEntry) bool { return e.ID == vulnID }) if index == -1 { diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 1d33052f335..ff10b0c1404 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -409,6 +409,14 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) ) } + if actions.UpdateConfigIgnores == "unused" { + err := updateConfigsToRemoveUnusedIgnores(&scanResult.ConfigManager) + + if err != nil { + return models.VulnerabilityResults{}, err + } + } + if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries)) slices.Sort(configFiles) 
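Review bot: `Save` opens the config with `os.O_TRUNC|os.O_WRONLY` before the marshalled bytes exist, so a marshal or write failure in the part of the body that lies outside this hunk leaves an empty or partially written osv-scanner.toml and silently drops every `IgnoredVulns`, `PackageOverrides` and `GoVersionOverride` entry; the open line is pre-existing, but the commit promotes it into an exported method that the new `unused` mode now calls on every config file it found. Write into a temporary file in the same directory and `os.Rename` it over `c.LoadPath` so the replacement is atomic (needs `path/filepath` in the import block). `os.ModePerm` (0777) is ignored here because `O_CREATE` is not set, but it reads as an intent to create world-writable files — `os.CreateTemp` gives 0600, which is the right mode for a config the scanner rewrites. The doc comment should also say that the file is re-emitted from the struct, so (presumably — confirm against the marshal call below the hunk) hand-written TOML comments do not survive a save.

```go
// Save writes the configuration file to disk, replacing the existing content.
// The TOML is written to a sibling temp file and renamed over LoadPath so a
// failed marshal or write can never leave a truncated config behind. Comments
// in the original file are not preserved.
func (c *Config) Save() error {
	f, err := os.CreateTemp(filepath.Dir(c.LoadPath), ".osv-scanner-*.toml")
	if err != nil {
		return err
	}
	defer os.Remove(f.Name()) // no-op once the rename below has succeeded
	// … unchanged: marshal c and write it into f, then f.Close() …
	return os.Rename(f.Name(), c.LoadPath)
```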
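Review bot: The `// todo: see if this is a more optimized way to do this?` in `RemoveUnusedIgnores` is answered by the in-place filter the file already imports `slices` for: `c.IgnoredVulns = slices.DeleteFunc(c.IgnoredVulns, func(e *IgnoreEntry) bool { return !e.Used })`, which reuses the backing array instead of allocating a second slice. The method is exported and has no doc comment, and its contract is subtler than the name suggests: `Used` is (presumably, given the `ShouldIgnore` lookup in the context lines and the fixture's "unused unless --recursive is enabled" note) only set for entries matched during the current scan, so an entry for a lockfile outside the scanned paths is indistinguishable from a stale one. Suggested comment: `// RemoveUnusedIgnores drops every IgnoredVulns entry that ShouldIgnore did not match during the current scan; entries that cover files outside this scan's scope count as unused.` Returning the number of removed entries would also let callers skip rewriting files from which nothing was dropped.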
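Review bot: In `finalizeScanResult` the new `if actions.UpdateConfigIgnores == "unused"` block runs before the existing `GetUnusedIgnoreEntries()` warning, so in `unused` mode the entries are deleted from disk and the warning that would have listed them never fires — the user gets no record of which IDs (and which `reason`/`ignoreUntil` text) were dropped. Either move the removal below the warning block or log the removed IDs from inside it, e.g. `cmdlogger.Warnf("removed unused ignore %s from %s", e.ID, path)` before saving. Scope also matters: the fixture added in this same series documents an entry that is "unused unless --recursive is enabled", so a non-recursive or single-lockfile run with `--experimental-update-config-ignores=unused` strips ignores that a full scan still relies on, and the flag's help text should say removal is judged against this invocation's scope only. The bare `"unused"` string compared here should be a named constant shared with the flag parser so the two cannot drift. `finalizeScanResult`'s body continues outside the hunk.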
@@ -458,6 +466,33 @@ func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *conf return nil } +func updateConfigsToRemoveUnusedIgnores(configManager *config.Manager) error { + if configManager.OverrideConfig != nil { + configManager.OverrideConfig.RemoveUnusedIgnores() + + err := configManager.OverrideConfig.Save() + if err != nil { + return err + } + } + + for _, c := range configManager.ConfigMap { + // skip the default config + if c.LoadPath == "" { + continue + } + + c.RemoveUnusedIgnores() + + err := c.Save() + if err != nil { + return err + } + } + + return nil +} + func buildLicenseSummary(scanResult *results.ScanResults) []models.LicenseCount { var licenseSummary []models.LicenseCount From b1e0899d3d0008645f4de9cca61ed698af5c5905 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 26 Feb 2026 14:34:46 +1300 Subject: [PATCH 24/43] refactor: merge `unused-config.toml` and `custom-config.toml` --- .../source/__snapshots__/command_test.snap | 414 +++++------------- cmd/osv-scanner/scan/source/command_test.go | 14 - .../custom-config.toml | 8 + .../unused-config.toml | 9 - 4 files changed, 123 insertions(+), 322 deletions(-) delete mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 9d25dda3be1..4df112e1b76 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -5959,6 +5959,14 @@ id = "GHSA-wx95-c6cv-8532" [TestCommand_UpdateConfigIgnores_All/deep - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_All/deep - 5] 
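Review bot: `updateConfigsToRemoveUnusedIgnores` calls `Save()` on every config unconditionally, so files from which nothing was removed are still re-marshalled and rewritten, which (presumably, since Save re-emits the struct) strips hand-written TOML comments and dirties every discovered osv-scanner.toml on each `unused` run. Skip the write when the entry count is unchanged: `before := len(c.IgnoredVulns)`, `c.RemoveUnusedIgnores()`, `if len(c.IgnoredVulns) == before { continue }`, with the same guard around the OverrideConfig save. Worth confirming too: when `OverrideConfig` is set, are `ConfigMap` entries still loaded but bypassed by `ShouldIgnore`? If so none of their entries is ever marked `Used`, and this loop would wipe every ignore in every discovered config during an override run — in that case `return` after saving the override config. Ranging over the map also rewrites files in random order, so an error part-way leaves a nondeterministic subset modified; sort the paths first, as the caller already does with `slices.Sort(configFiles)`.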
@@ -6093,6 +6101,14 @@ lockfile:/package-lock.json: found 1 package with issues [TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 5] @@ -6260,6 +6276,14 @@ id = "GHSA-wx95-c6cv-8532" [TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 5] @@ -6332,9 +6356,16 @@ Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 4 vulnerabilities from output +/custom-config.toml has unused ignores: + - CVE-123-456-789 -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. +Total 6 packages affected by 6 known vulnerabilities (0 Critical, 3 High, 3 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +6 vulnerabilities can be fixed. RubyGems 
@@ -6348,37 +6379,27 @@ lockfile:/Gemfile.lock: found 1 package with issues npm -lockfile:/nested-1/package-lock.json: found 3 packages with issues +lockfile:/nested-1/package-lock.json: found 2 packages with issues ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json + 2 known vulnerabilities found in lockfile:/nested-1/package-lock.json -lockfile:/nested-2/package-lock.json: found 3 packages with issues +lockfile:/nested-2/package-lock.json: found 2 packages with issues ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json + 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json lockfile:/package-lock.json: found 1 package with issues 
@@ -6465,6 +6486,9 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +/custom-config.toml has unused ignores: + - CVE-123-456-789 + - GHSA-2g4f-4pwh-qvx6 Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. @@ -6594,6 +6618,14 @@ id = "GHSA-wx95-c6cv-8532" [TestCommand_UpdateConfigIgnores_All/shallow - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_All/shallow - 5] @@ -6674,6 +6706,14 @@ lockfile:/package-lock.json: found 1 package with issues [TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 5] @@ -6810,6 +6850,14 @@ IgnoredVulns = [] [TestCommand_UpdateConfigIgnores_Unused/deep - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_Unused/deep - 5] 
@@ -6973,6 +7021,14 @@ lockfile:/package-lock.json: found 1 package with issues [TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 5] @@ -7136,6 +7192,14 @@ IgnoredVulns = [] [TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 5] 
@@ -7227,274 +7291,6 @@ Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. - -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. - -RubyGems - -lockfile:/Gemfile.lock: found 1 package with issues - - nokogiri@1.18.9 has the following known vulnerabilities: - GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute - Severity: '5.3'; Minimal Fix Version: '1.19.1'; - - 1 known vulnerability found in lockfile:/Gemfile.lock - -npm - -lockfile:/nested-1/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - 
GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json - -lockfile:/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/package-lock.json - - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 2] - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 3] - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 4] -IgnoredVulns = [] -GoVersionOverride = "1.20.0" - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 5] -[[IgnoredVulns]] -id = "CVE-2021-23424" -reason = "Test manifest file (package-lock.json)" - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 6] -[[IgnoredVulns]] -id = "GHSA-2g4f-4pwh-qvx6" - -[[IgnoredVulns]] -id = "GHSA-2g4f-4pwh-qvx6" - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 7] -Scanning dir -Scanned /Gemfile.lock file and found 1 package -Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages -Scanned /package-lock.json file and found 1 package -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. - -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. 
- -RubyGems - -lockfile:/Gemfile.lock: found 1 package with issues - - nokogiri@1.18.9 has the following known vulnerabilities: - GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute - Severity: '5.3'; Minimal Fix Version: '1.19.1'; - - 1 known vulnerability found in lockfile:/Gemfile.lock - -npm - -lockfile:/nested-1/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json - -lockfile:/nested-2/package-lock.json: found 3 packages with issues - - ajv@6.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '6.14.0'; - GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv - Severity: '5.6'; Minimal Fix Version: '6.12.3'; - ajv@8.0.0 has the following known vulnerabilities: - GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option - Severity: '5.5'; Minimal Fix Version: '8.18.0'; - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json - -lockfile:/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled 
Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/package-lock.json - - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 8] - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 1] -Scanning dir -Scanned /Gemfile.lock file and found 1 package -Scanned /composer.lock file and found 0 packages -Scanned /package-lock.json file and found 1 package -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. - -Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -2 vulnerabilities can be fixed. - -RubyGems - -lockfile:/Gemfile.lock: found 1 package with issues - - nokogiri@1.18.9 has the following known vulnerabilities: - GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute - Severity: '5.3'; Minimal Fix Version: '1.19.1'; - - 1 known vulnerability found in lockfile:/Gemfile.lock - -npm - -lockfile:/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/package-lock.json - - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 2] - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 3] - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 4] -IgnoredVulns = [] -GoVersionOverride = "1.20.0" - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 5] -[[IgnoredVulns]] -id = "CVE-2021-23424" -reason = "Test manifest file (package-lock.json)" - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 6] -[[IgnoredVulns]] -id = "GHSA-2g4f-4pwh-qvx6" - 
-[[IgnoredVulns]] -id = "GHSA-2g4f-4pwh-qvx6" - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 7] -Scanning dir -Scanned /Gemfile.lock file and found 1 package -Scanned /composer.lock file and found 0 packages -Scanned /package-lock.json file and found 1 package -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. - -Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -2 vulnerabilities can be fixed. - -RubyGems - -lockfile:/Gemfile.lock: found 1 package with issues - - nokogiri@1.18.9 has the following known vulnerabilities: - GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute - Severity: '5.3'; Minimal Fix Version: '1.19.1'; - - 1 known vulnerability found in lockfile:/Gemfile.lock - -npm - -lockfile:/package-lock.json: found 1 package with issues - - ansi-html@0.0.1 has the following known vulnerabilities: - GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html - Severity: '7.5'; Minimal Fix Version: '0.0.8'; - - 1 known vulnerability found in lockfile:/package-lock.json - - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 8] - ---- - -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 1] -Scanning dir -Scanned /Gemfile.lock file and found 1 package -Scanned /composer.lock file and found 0 packages -Scanned /nested-1/package-lock.json file and found 3 packages -Scanned /nested-2/package-lock.json file and found 3 packages -Scanned /package-lock.json file and found 1 package -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) @@ -7549,27 +7345,30 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 2] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 2] --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 3] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 3] --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 4] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 4] GoVersionOverride = "1.20.0" +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 5] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 6] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -7578,7 +7377,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 7] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -7640,11 +7439,11 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep - 8] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 8] --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 1] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 1] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -7677,27 +7476,28 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 2] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 2] --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 3] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 3] --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 4] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 4] +IgnoredVulns = [] GoVersionOverride = "1.20.0" --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 5] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 5] [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 6] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 6] [[IgnoredVulns]] id = "GHSA-2g4f-4pwh-qvx6" @@ -7706,7 +7506,7 @@ id = "GHSA-2g4f-4pwh-qvx6" --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 7] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 7] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -7739,7 +7539,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow - 8] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 8] --- @@ -7789,6 +7589,14 @@ IgnoredVulns = [] [TestCommand_UpdateConfigIgnores_Unused/shallow - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_Unused/shallow - 5] @@ -7889,6 +7697,14 @@ lockfile:/package-lock.json: found 1 package with issues [TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 4] GoVersionOverride = "1.20.0" +# this is unused always +[[IgnoredVulns]] +id = "CVE-123-456-789" + +# this is unused unless --recursive is enabled +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + --- [TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 5] diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 0a65ea89c53..5114a6ecf3f 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1945,20 +1945,6 @@ func TestCommand_UpdateConfigIgnores_Unused(t *testing.T) { "-r", "--config", "./testdata/locks-with-many-configs/custom-config.toml", }, }, - { - Name: "global_config_with_unused_shallow", - Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", - "--config", "./testdata/locks-with-many-configs/unused-config.toml", - }, - }, - { - Name: "global_config_with_unused_deep", - Args: []string{ - "", "source", "--format=vertical", "--experimental-update-config-ignores=unused", - "-r", "--config", "./testdata/locks-with-many-configs/unused-config.toml", - }, - }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { 
diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml
index 209c43005e8..fb0e028aa23 100644
--- a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml
+++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/custom-config.toml
@@ -1 +1,9 @@
 GoVersionOverride = "1.20.0"
+
+# this is unused always
+[[IgnoredVulns]]
+id = "CVE-123-456-789"
+
+# this is unused unless --recursive is enabled
+[[IgnoredVulns]]
+id = "GHSA-2g4f-4pwh-qvx6"
diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml
deleted file mode 100644
index fb0e028aa23..00000000000
--- a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/unused-config.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-GoVersionOverride = "1.20.0"
-
-# this is unused always
-[[IgnoredVulns]]
-id = "CVE-123-456-789"
-
-# this is unused unless --recursive is enabled
-[[IgnoredVulns]]
-id = "GHSA-2g4f-4pwh-qvx6"
From cbab8c1378756e0c7f8840121c73ede54bfe40b0 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Thu, 26 Feb 2026 15:16:23 +1300
Subject: [PATCH 25/43] test: add a config case with a package override
---
 .../source/__snapshots__/command_test.snap | 474 ++-
 cmd/osv-scanner/scan/source/command_test.go | 2 +
 .../TestCommand_UpdateConfigIgnores_All.yaml | 2466 +++++++++++++-
 ...estCommand_UpdateConfigIgnores_Unused.yaml | 2864 ++++++++++++++++-
 .../nested-3/osv-scanner-test.toml | 6 +
 .../nested-3/osv-scanner.toml | 2 +
 .../nested-3/package-lock.json | 17 +
 7 files changed, 5591 insertions(+), 240 deletions(-)
 create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml
 create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml
 create mode 100644 cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index 4df112e1b76..e21d72e4fe8 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -5880,21 +5880,28 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-1/osv-scanner-test.toml warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output /nested-2/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -7 vulnerabilities can be fixed. +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. RubyGems 
@@ -5932,6 +5939,14 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -5994,16 +6009,40 @@ id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores_All/deep - 7] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[PackageOverrides]] +name = "ajv" +version = "" +ecosystem = "" +group = "" +ignore = true +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = false +[PackageOverrides.license] +ignore = false + +--- + +[TestCommand_UpdateConfigIgnores_All/deep - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-1/osv-scanner-test.toml Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) 
@@ -6014,12 +6053,13 @@ GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 10 vulnerabilities from output +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 11 vulnerabilities from output No issues found --- -[TestCommand_UpdateConfigIgnores_All/deep - 8] +[TestCommand_UpdateConfigIgnores_All/deep - 9] --- @@ -6029,11 +6069,18 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +/nested-3/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. RubyGems 
@@ -6079,6 +6126,14 @@ lockfile:/nested-2/package-lock.json: found 3 packages with issues 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -6120,13 +6175,39 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 7] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[PackageOverrides]] +name = "ajv" +version = "" +ecosystem = "" +group = "" +ignore = true +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = false +[PackageOverrides.license] +ignore = false + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 1 vulnerability from output Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 10 vulnerabilities can be fixed. @@ -6186,7 +6267,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 8] +[TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 9] --- 
@@ -6196,19 +6277,26 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output /nested-2/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -8 vulnerabilities can be fixed. +Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +9 vulnerabilities can be fixed. RubyGems 
@@ -6249,6 +6337,14 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -6303,22 +6399,47 @@ id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 7] +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + +[[PackageOverrides]] +name = "ajv" +version = "" +ecosystem = "" +group = "" +ignore = true +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = false +[PackageOverrides.license] +ignore = false + +--- + +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. 
GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 6 vulnerabilities from output +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +Filtered 7 vulnerabilities from output Total 3 packages affected by 4 known vulnerabilities (0 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 4 vulnerabilities can be fixed. @@ -6344,7 +6465,7 @@ lockfile:/nested-1/package-lock.json: found 3 packages with issues --- -[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 8] +[TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 9] --- 
@@ -6354,18 +6475,21 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 4 vulnerabilities from output +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output /custom-config.toml has unused ignores: - CVE-123-456-789 -Total 6 packages affected by 6 known vulnerabilities (0 Critical, 3 High, 3 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -6 vulnerabilities can be fixed. +Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. RubyGems 
@@ -6401,6 +6525,17 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: @@ -6454,11 +6589,22 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_All/global_config_deep - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. GHSA-wx95-c6cv-8532 has been filtered out because: (no reason given) 
@@ -6470,13 +6616,17 @@ GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-v88g-cgmw-v5xw and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) -Filtered 10 vulnerabilities from output +Filtered 14 vulnerabilities from output No issues found --- -[TestCommand_UpdateConfigIgnores_All/global_config_deep - 8] +[TestCommand_UpdateConfigIgnores_All/global_config_deep - 9] --- @@ -6552,6 +6702,16 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_All/global_config_shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6564,7 +6724,7 @@ No issues found --- -[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 8] +[TestCommand_UpdateConfigIgnores_All/global_config_shallow - 9] --- @@ -6645,6 +6805,16 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_All/shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -6658,7 +6828,7 @@ No issues found --- -[TestCommand_UpdateConfigIgnores_All/shallow - 8] +[TestCommand_UpdateConfigIgnores_All/shallow - 9] --- @@ -6733,6 +6903,16 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -6765,7 +6945,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 8] +[TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config - 9] --- 
@@ -6775,21 +6955,28 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-1/osv-scanner-test.toml warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output /nested-2/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -7 vulnerabilities can be fixed. +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. RubyGems 
@@ -6827,6 +7014,14 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -6874,23 +7069,46 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/deep - 7] +IgnoredVulns = [] + +[[PackageOverrides]] +name = "ajv" +version = "" +ecosystem = "" +group = "" +ignore = true +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = false +[PackageOverrides.license] +ignore = false + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-1/osv-scanner-test.toml Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output -Total 6 packages affected by 7 known vulnerabilities (0 Critical, 2 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -7 vulnerabilities can be fixed. +Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. RubyGems 
@@ -6928,6 +7146,14 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: @@ -6939,7 +7165,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/deep - 8] +[TestCommand_UpdateConfigIgnores_Unused/deep - 9] --- @@ -6949,11 +7175,18 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. +/nested-3/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. RubyGems 
@@ -6999,6 +7232,14 @@ lockfile:/nested-2/package-lock.json: found 3 packages with issues 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -7040,16 +7281,39 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 7] +IgnoredVulns = [] + +[[PackageOverrides]] +name = "ajv" +version = "" +ecosystem = "" +group = "" +ignore = true +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = false +[PackageOverrides.license] +ignore = false + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. -Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -10 vulnerabilities can be fixed. +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. RubyGems 
@@ -7095,6 +7359,14 @@ lockfile:/nested-2/package-lock.json: found 3 packages with issues 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: @@ -7106,7 +7378,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 8] +[TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 9] --- 
@@ -7116,19 +7388,26 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml warning: /nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used! Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output /nested-2/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml has unused ignores: + - GHSA-2g4f-4pwh-qvx6 -Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -8 vulnerabilities can be fixed. +Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +9 vulnerabilities can be fixed. RubyGems 
@@ -7169,6 +7448,14 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -7213,21 +7500,44 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 7] +IgnoredVulns = [] + +[[PackageOverrides]] +name = "ajv" +version = "" +ecosystem = "" +group = "" +ignore = true +effectiveUntil = 0001-01-01T00:00:00Z +reason = "" +[PackageOverrides.vulnerability] +ignore = false +[PackageOverrides.license] +ignore = false + +--- + +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml Loaded filter from: /nested-2/osv-scanner-test.toml +Loaded filter from: /nested-3/osv-scanner-test.toml +Package npm/ajv/6.0.0 has been filtered out because: (no reason given) +Package npm/ajv/8.0.0 has been filtered out because: (no reason given) +Filtered 2 ignored package/s from the scan. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output -Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -8 vulnerabilities can be fixed. +Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +9 vulnerabilities can be fixed. RubyGems 
@@ -7268,6 +7578,14 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 1 package with issues + + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 1 known vulnerability found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: @@ -7279,7 +7597,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 8] +[TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 9] --- 
@@ -7289,16 +7607,19 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 4 vulnerabilities from output +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output -Total 6 packages affected by 6 known vulnerabilities (0 Critical, 3 High, 3 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -6 vulnerabilities can be fixed. +Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. RubyGems 
@@ -7334,6 +7655,17 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: 
@@ -7378,21 +7710,34 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /nested-1/package-lock.json file and found 3 packages Scanned /nested-2/package-lock.json file and found 3 packages +Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 4 vulnerabilities from output +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) +Filtered 6 vulnerabilities from output -Total 6 packages affected by 6 known vulnerabilities (0 Critical, 3 High, 3 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -6 vulnerabilities can be fixed. +Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +8 vulnerabilities can be fixed. RubyGems 
@@ -7428,6 +7773,17 @@ lockfile:/nested-2/package-lock.json: found 2 packages with issues 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json +lockfile:/nested-3/package-lock.json: found 2 packages with issues + + ajv@6.0.0 has the following known vulnerabilities: + GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv + Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; + + 2 known vulnerabilities found in lockfile:/nested-3/package-lock.json + lockfile:/package-lock.json: found 1 package with issues ansi-html@0.0.1 has the following known vulnerabilities: @@ -7439,7 +7795,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 8] +[TestCommand_UpdateConfigIgnores_Unused/global_config_deep - 9] --- @@ -7507,6 +7863,16 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -7539,7 +7905,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 8] +[TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 9] --- @@ -7616,6 +7982,16 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/shallow - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages 
@@ -7649,7 +8025,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/shallow - 8] +[TestCommand_UpdateConfigIgnores_Unused/shallow - 9] --- @@ -7724,6 +8100,16 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 7] +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" + +--- + +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 8] Scanning dir Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages @@ -7756,7 +8142,7 @@ lockfile:/package-lock.json: found 1 package with issues --- -[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 8] +[TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config - 9] --- diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index 5114a6ecf3f..190e94d4558 100644 --- a/cmd/osv-scanner/scan/source/command_test.go +++ b/cmd/osv-scanner/scan/source/command_test.go @@ -1847,6 +1847,7 @@ func TestCommand_UpdateConfigIgnores_All(t *testing.T) { "custom-config.toml", "nested-1/osv-scanner-test.toml", "nested-2/osv-scanner-test.toml", + "nested-3/osv-scanner-test.toml", } { b, err := os.ReadFile(testDir + "/" + file) @@ -1985,6 +1986,7 @@ func TestCommand_UpdateConfigIgnores_Unused(t *testing.T) { "custom-config.toml", "nested-1/osv-scanner-test.toml", "nested-2/osv-scanner-test.toml", + "nested-3/osv-scanner-test.toml", } { b, err := os.ReadFile(testDir + "/" + file) diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml index 9748aa32b33..66305f2fa66 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml 
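Review bot: Adding `nested-3/osv-scanner-test.toml` to the read-back loop in TestCommand_UpdateConfigIgnores_All (and its twin in _Unused) pins, via snapshot index 7, a rewrite in which a two-line `[[PackageOverrides]] name = "ajv" / ignore = true` entry comes back as `version = ""`, `ecosystem = ""`, `effectiveUntil = 0001-01-01T00:00:00Z`, `reason = ""` plus empty `[PackageOverrides.vulnerability]` / `[PackageOverrides.license]` tables, and `IgnoredVulns = []` where the section was dropped. That suggests `UpdateFile` marshals zero-valued override fields that should presumably carry `omitempty` like the `IgnoreEntry` fields do, so the snapshot is currently locking in noisy output rather than guarding against it; an `effectiveUntil` of the zero time also reads as a real date to anyone editing the file by hand. Beyond the snapshot, consider asserting that the rewritten file still decodes to the same `PackageOverrides` as before the run, e.g. `var got config.Config; toml.Unmarshal(b, &got)` followed by a comparison against the pre-scan overrides, so a future change to the marshalling cannot silently widen or drop an ignore. Both enclosing test functions start and end outside the hunk.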
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_All.yaml @@ -5,7 +5,7 @@ interactions: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 - content_length: 979 + content_length: 1101 host: api.osv.dev body: | { @@ -59,6 +59,13 @@ interactions: }, "version": "0.0.1" }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, { "package": { "ecosystem": "npm", @@ -79,7 +86,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 795 + content_length: 877 body: | { "results": [ @@ -147,6 +154,14 @@ interactions: } ] }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, { "vulns": [ { @@ -159,7 +174,7 @@ interactions: } headers: Content-Length: - - "795" + - "877" Content-Type: - application/json status: 200 OK @@ -251,7 +266,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, @@ -259,7 +274,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -271,7 +286,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, @@ -287,7 +302,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -299,7 +314,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, 
@@ -400,7 +415,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + - TestCommand_UpdateConfigIgnores_All/deep url: https://api.osv.dev/v1/querybatch method: POST response: @@ -415,7 +430,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, @@ -423,7 +438,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -435,7 +450,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, @@ -451,7 +466,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -463,7 +478,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, @@ -497,7 +512,7 @@ interactions: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 - content_length: 979 + content_length: 1101 host: api.osv.dev body: | { @@ -551,6 +566,13 @@ interactions: }, "version": "0.0.1" }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, { "package": { "ecosystem": "npm", @@ -564,14 +586,14 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs + - TestCommand_UpdateConfigIgnores_All/deep url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 795 + content_length: 877 body: | { "results": [ 
@@ -587,7 +609,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -599,7 +621,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" } ] }, @@ -615,7 +637,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -627,7 +649,15 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" } ] }, @@ -651,7 +681,7 @@ interactions: } headers: Content-Length: - - "795" + - "877" Content-Type: - application/json status: 200 OK @@ -728,7 +758,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + - TestCommand_UpdateConfigIgnores_All/deep url: https://api.osv.dev/v1/querybatch method: POST response: @@ -892,7 +922,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs url: https://api.osv.dev/v1/querybatch method: POST response: @@ -907,7 +937,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, @@ -915,7 +945,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", 
@@ -927,7 +957,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, @@ -943,7 +973,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -955,7 +985,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, @@ -1056,7 +1086,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/global_config_deep + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs url: https://api.osv.dev/v1/querybatch method: POST response: @@ -1220,7 +1250,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/global_config_deep + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs url: https://api.osv.dev/v1/querybatch method: POST response: @@ -1235,7 +1265,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, @@ -1243,7 +1273,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -1255,7 +1285,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, @@ -1271,7 +1301,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -1283,7 +1313,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-20T21:26:03.466898Z" } ] }, 
@@ -1317,7 +1347,7 @@ interactions: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 - content_length: 271 + content_length: 1101 host: api.osv.dev body: | { @@ -1329,6 +1359,55 @@ interactions: }, "version": "1.18.9" }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, { "package": { "ecosystem": "npm", @@ -1342,14 +1421,14 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/global_config_shallow + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 177 + content_length: 877 body: | { "results": [ 
@@ -1361,6 +1440,70 @@ interactions: } ] }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, { "vulns": [ { @@ -1373,7 +1516,7 @@ interactions: } headers: Content-Length: - - "177" + - "877" Content-Type: - application/json status: 200 OK @@ -1383,7 +1526,7 @@ interactions: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 - content_length: 271 + content_length: 1101 host: api.osv.dev body: | { @@ -1395,6 +1538,55 @@ interactions: }, "version": "1.18.9" }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, { "package": { "ecosystem": "npm", 
@@ -1408,14 +1600,14 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_All/global_config_shallow + - TestCommand_UpdateConfigIgnores_All/deep_with_no_configs url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 177 + content_length: 877 body: | { "results": [ 
@@ -1430,19 +1622,2049 @@ interactions: { "vulns": [ { - "id": "GHSA-whgm-jr23-g3j9", - "modified": "2023-11-08T04:05:08.868477Z" + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" } ] - } - ] - } - headers: - Content-Length: - - "177" - Content-Type: - - application/json - status: 200 OK + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + 
"name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + 
"version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 
OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, 
+ { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + 
"modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + 
Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": 
"ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + 
"vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": 
"2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + 
X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": 
"nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-20T21:26:03.466898Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + 
} + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + 
{ + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + 
proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK code: 200 duration: 0s - request: 
@@ -1555,7 +3777,73 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" } ] }, 
@@ -1621,7 +3909,73 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_All/shallow_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml index cc9a769a0eb..364cfe00933 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_UpdateConfigIgnores_Unused.yaml 
@@ -232,6 +232,1042 @@ interactions: } ] } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + 
"package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 
0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + 
}, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch 
+ method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + 
"package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": 
"npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } headers: Content-Type: - application/json 
@@ -243,7 +1279,1577 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 795 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": 
"6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + 
"package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: 
+ - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": 
"GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1101 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 877 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": 
"2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "877" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + 
"ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-18T22:11:44.575445Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-02-23T23:27:04.622012Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": 
"ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, 
+ { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 979 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 795 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + 
] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "795" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1333 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "6.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "version": "8.0.0" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" 
+ } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 1104 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + }, + { + "id": "GHSA-v88g-cgmw-v5xw", + "modified": "2024-06-21T21:33:48Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2g4f-4pwh-qvx6", + "modified": "2026-03-04T15:06:32.662074Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-whgm-jr23-g3j9", + "modified": "2023-11-08T04:05:08.868477Z" + } + ] + } + ] + } + headers: + Content-Length: + - "1104" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + 
"queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" + }, + { + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 body: | { "results": [ @@ -251,27 +2857,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" - } - ] - }, - { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - }, - { - "id": "GHSA-v88g-cgmw-v5xw", - "modified": "2024-06-21T21:33:48Z" - } - ] - }, - { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, 
@@ -282,32 +2868,62 @@ interactions: "modified": "2023-11-08T04:05:08.868477Z" } ] - }, + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - }, - { - "id": "GHSA-v88g-cgmw-v5xw", - "modified": "2024-06-21T21:33:48Z" - } - ] + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" }, { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - } - ] - }, + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/global_config_shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ { "vulns": [ { - "id": "GHSA-whgm-jr23-g3j9", - "modified": "2023-11-08T04:05:08.868477Z" + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" } ] }, @@ -323,7 +2939,7 @@ interactions: } headers: Content-Length: - - "795" + - "177" Content-Type: - application/json status: 200 OK @@ -400,7 +3016,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep url: https://api.osv.dev/v1/querybatch method: POST response: @@ -423,7 +3039,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" }, { "id": "GHSA-v88g-cgmw-v5xw", 
@@ -435,7 +3051,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" } ] }, @@ -451,7 +3067,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" }, { "id": "GHSA-v88g-cgmw-v5xw", @@ -463,7 +3079,7 @@ interactions: "vulns": [ { "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" + "modified": "2026-02-23T23:27:04.622012Z" } ] }, @@ -564,7 +3180,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_Unused/global_config_deep + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep url: https://api.osv.dev/v1/querybatch method: POST response: @@ -686,7 +3302,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_Unused/global_config_shallow + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow url: https://api.osv.dev/v1/querybatch method: POST response: @@ -727,7 +3343,7 @@ interactions: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 - content_length: 979 + content_length: 271 host: api.osv.dev body: | { @@ -739,48 +3355,6 @@ interactions: }, "version": "1.18.9" }, - { - "package": { - "ecosystem": "npm", - "name": "ajv" - }, - "version": "6.0.0" - }, - { - "package": { - "ecosystem": "npm", - "name": "ajv" - }, - "version": "8.0.0" - }, - { - "package": { - "ecosystem": "npm", - "name": "ansi-html" - }, - "version": "0.0.1" - }, - { - "package": { - "ecosystem": "npm", - "name": "ajv" - }, - "version": "6.0.0" - }, - { - "package": { - "ecosystem": "npm", - "name": "ajv" - }, - "version": "8.0.0" - }, - { - "package": { - "ecosystem": "npm", - "name": "ansi-html" - }, - "version": "0.0.1" - }, { "package": { "ecosystem": "npm", 
@@ -794,14 +3368,14 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_deep + - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 795 + content_length: 177 body: | { "results": [ @@ -813,26 +3387,6 @@ interactions: } ] }, - { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - }, - { - "id": "GHSA-v88g-cgmw-v5xw", - "modified": "2024-06-21T21:33:48Z" - } - ] - }, - { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - } - ] - }, { "vulns": [ { 
@@ -840,32 +3394,62 @@ interactions: "modified": "2023-11-08T04:05:08.868477Z" } ] - }, + } + ] + } + headers: + Content-Length: + - "177" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 271 + host: api.osv.dev + body: | + { + "queries": [ { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - }, - { - "id": "GHSA-v88g-cgmw-v5xw", - "modified": "2024-06-21T21:33:48Z" - } - ] + "package": { + "ecosystem": "RubyGems", + "name": "nokogiri" + }, + "version": "1.18.9" }, { - "vulns": [ - { - "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-03-04T15:06:32.662074Z" - } - ] - }, + "package": { + "ecosystem": "npm", + "name": "ansi-html" + }, + "version": "0.0.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_UpdateConfigIgnores_Unused/shallow + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 177 + body: | + { + "results": [ { "vulns": [ { - "id": "GHSA-whgm-jr23-g3j9", - "modified": "2023-11-08T04:05:08.868477Z" + "id": "GHSA-wx95-c6cv-8532", + "modified": "2026-02-25T10:44:01.279701Z" } ] }, @@ -881,7 +3465,7 @@ interactions: } headers: Content-Length: - - "795" + - "177" Content-Type: - application/json status: 200 OK @@ -916,7 +3500,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_Unused/global_config_with_unused_shallow + - TestCommand_UpdateConfigIgnores_Unused/shallow url: https://api.osv.dev/v1/querybatch method: POST response: @@ -931,7 +3515,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, 
@@ -982,7 +3566,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_UpdateConfigIgnores_Unused/shallow + - TestCommand_UpdateConfigIgnores_Unused/shallow_with_removed_config url: https://api.osv.dev/v1/querybatch method: POST response: @@ -1063,7 +3647,7 @@ interactions: "vulns": [ { "id": "GHSA-wx95-c6cv-8532", - "modified": "2026-02-25T10:44:01.279701Z" + "modified": "2026-02-18T22:11:44.575445Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml new file mode 100644 index 00000000000..40a7b53a5b3 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner-test.toml @@ -0,0 +1,6 @@ +[[PackageOverrides]] +name = "ajv" +ignore = true + +[[IgnoredVulns]] +id = "GHSA-2g4f-4pwh-qvx6" diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml new file mode 100644 index 00000000000..dfafb8fb5fe --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/osv-scanner.toml @@ -0,0 +1,2 @@ +[[PackageOverrides]] +ignore = true diff --git a/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json new file mode 100644 index 00000000000..45a1996e344 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/locks-with-many-configs/nested-3/package-lock.json @@ -0,0 +1,17 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "ansi-html": { + "version": "0.0.1", + "dependencies": { + "ajv": { + "version": "6.0.0" + } + } + }, + "ajv": { + "version": "8.0.0" + } + } +} From f93dd0021ee19c24dc7c6e4bc05f54aa2622c7a2 Mon Sep 17 00:00:00 2001 
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Thu, 26 Feb 2026 15:28:33 +1300 Subject: [PATCH 26/43] chore: add todos --- pkg/osvscanner/osvscanner.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ff10b0c1404..05d07fc7348 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -392,7 +392,12 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult) } + // todo: consider moving this after filtering + // - p: should allow deduplicating some logic + // - p: might be a better UX to present the vulns we're ignoring + // - c: filtering removes vulns from results, so need to account for that if actions.UpdateConfigIgnores == "all" { + // todo: add output about having ignored vulns err := updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager) if err != nil { @@ -410,6 +415,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) } if actions.UpdateConfigIgnores == "unused" { + // todo: add output about having ignored vulns err := updateConfigsToRemoveUnusedIgnores(&scanResult.ConfigManager) if err != nil { From c6e840a595fd7f3b91cc9fc94dd8b633c401815d Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Mon, 2 Mar 2026 15:38:57 +1300 Subject: [PATCH 27/43] refactor(config): split ignoring and saving --- .../__snapshots__/config_internal_test.snap | 97 ------------- internal/config/config.go | 5 +- internal/config/config_internal_test.go | 135 ++++++++---------- internal/config/testmain_test.go | 13 -- pkg/osvscanner/osvscanner.go | 4 +- 5 files changed, 64 insertions(+), 190 deletions(-) delete mode 100755 internal/config/__snapshots__/config_internal_test.snap delete mode 100644 internal/config/testmain_test.go 
diff --git a/internal/config/__snapshots__/config_internal_test.snap b/internal/config/__snapshots__/config_internal_test.snap deleted file mode 100755 index 0a1863fdf4e..00000000000 --- a/internal/config/__snapshots__/config_internal_test.snap +++ /dev/null @@ -1,97 +0,0 @@ - -[TestConfig_UpdateFile/aliases_are_deduplicated - 1] -[[IgnoredVulns]] -id = "GHSA-123" - -[[IgnoredVulns]] -id = "GHSA-456" - -[[IgnoredVulns]] -id = "GHSA-789" - ---- - -[TestConfig_UpdateFile/comments_are_not_preserved - 1] -[[IgnoredVulns]] -id = "GHSA-123" - -[[IgnoredVulns]] -id = "GHSA-456" - ---- - -[TestConfig_UpdateFile/empty_file_with_one_vuln - 1] -[[IgnoredVulns]] -id = "GHSA-123" - ---- - -[TestConfig_UpdateFile/empty_file_with_two_vulns - 1] -[[IgnoredVulns]] -id = "GHSA-123" - -[[IgnoredVulns]] -id = "GHSA-456" - ---- - -[TestConfig_UpdateFile/existing_properties_are_preserved - 1] -GoVersionOverride = "1.20.0" - -[[IgnoredVulns]] -id = "GHSA-123" -reason = "No ssh servers are connected to or hosted in Go lang" - -[[IgnoredVulns]] -id = "GHSA-456" - -[[PackageOverrides]] -name = "lib" -version = "1.0.0" -ecosystem = "Go" -group = "dev" -ignore = false -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = true -[PackageOverrides.license] -override = ["MIT", "0BSD"] -ignore = false - ---- - -[TestConfig_UpdateFile/ids_are_deduplicated - 1] -[[IgnoredVulns]] -id = "GHSA-123" - -[[IgnoredVulns]] -id = "GHSA-456" - ---- - -[TestConfig_UpdateFile/ids_are_deduplicated_including_already_existing - 1] -[[IgnoredVulns]] -id = "GHSA-123" - -[[IgnoredVulns]] -id = "GHSA-456" - -[[IgnoredVulns]] -id = "GHSA-789" - ---- - -[TestConfig_UpdateFile/missing_vulns_are_removed - 1] -[[IgnoredVulns]] -id = "GHSA-123" - -[[IgnoredVulns]] -id = "GHSA-456" - ---- - -[TestConfig_UpdateFile/nothing_happens_when_everything_is_empty - 1] -IgnoredVulns = [] - ---- 
diff --git a/internal/config/config.go b/internal/config/config.go index 3193ca6be86..8d905bae102 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -79,7 +79,8 @@ type License struct { Ignore bool `toml:"ignore"` } -func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error { +// IgnoreVulns updates Config.IgnoredVulns to hold only the given vulnerabilities +func (c *Config) IgnoreVulns(vulns []*osvschema.Vulnerability) { existingIgnores := make(map[string]*IgnoreEntry, len(c.IgnoredVulns)) for _, ignoredVuln := range c.IgnoredVulns { existingIgnores[ignoredVuln.ID] = ignoredVuln @@ -109,8 +110,6 @@ func (c *Config) UpdateFile(vulns []*osvschema.Vulnerability) error { slices.SortFunc(c.IgnoredVulns, func(a, b *IgnoreEntry) int { return identifiers.IDSortFunc(a.ID, b.ID) }) - - return c.Save() } // Save writes the configuration file to disk, overriding the existing content diff --git a/internal/config/config_internal_test.go b/internal/config/config_internal_test.go index 67088ada346..586f076bff2 100644 --- a/internal/config/config_internal_test.go +++ b/internal/config/config_internal_test.go @@ -2,8 +2,6 @@ package config import ( "fmt" - "os" - "path/filepath" "reflect" "strings" "testing" @@ -14,7 +12,6 @@ import ( apkmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata" "github.com/google/osv-scalibr/extractor/filesystem/osv" "github.com/google/osv-scalibr/purl" - "github.com/google/osv-scanner/v2/internal/testutility" "github.com/ossf/osv-schema/bindings/go/osvschema" ) 
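Review bot: The new doc comment on IgnoreVulns says less than a caller needs to know: entries already in IgnoredVulns are looked up by ID in `existingIgnores` and so keep their `reason`/`ignoreUntil`, entries whose ID is not in `vulns` are dropped, and (per the test expectations in this series) newly created entries carry neither a reason nor an expiry, so an auto-generated ignore suppresses that advisory indefinitely until someone edits the file. Since `return c.Save()` is removed in the second hunk, the comment should also make clear the change is in-memory only. Suggested replacement: `// IgnoreVulns replaces Config.IgnoredVulns with one entry per ID in vulns, keeping the reason and` / `// ignoreUntil of entries that already exist and dropping the rest; new entries have no reason or expiry.` / `// The change is in memory only; call Save to persist it.` The body of IgnoreVulns continues outside the hunk, so the dedup and sort steps are inferred from context rather than shown here.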
@@ -1152,67 +1149,57 @@ func TestConfig_ShouldOverridePackageLicense(t *testing.T) { } } -func TestConfig_UpdateFile(t *testing.T) { +func TestConfig_IgnoreVulns(t *testing.T) { t.Parallel() tests := []struct { - name string - args []*osvschema.Vulnerability - input string - wantErr bool + name string + args []*osvschema.Vulnerability + existing []*IgnoreEntry + want []*IgnoreEntry }{ { - name: "nothing_happens_when_everything_is_empty", - args: []*osvschema.Vulnerability{}, - input: "", + name: "nothing_happens_when_everything_is_empty", + args: []*osvschema.Vulnerability{}, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{}, }, { - name: "empty_file_with_one_vuln", + name: "empty_config_with_one_vuln", args: []*osvschema.Vulnerability{ {Id: "GHSA-123"}, }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{{ID: "GHSA-123"}}, }, { - name: "empty_file_with_two_vulns", + name: "empty_config_with_two_vulns", args: []*osvschema.Vulnerability{ {Id: "GHSA-123"}, {Id: "GHSA-456"}, }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + }, }, { name: "existing_properties_are_preserved", args: []*osvschema.Vulnerability{ {Id: "GHSA-123"}, {Id: "GHSA-456"}, + {Id: "GHSA-789"}, }, - input: ` -GoVersionOverride = "1.20.0" - -[[PackageOverrides]] -name = "lib" -version = "1.0.0" -ecosystem = "Go" -group = "dev" - -vulnerability.ignore = true -license.override = ["MIT", "0BSD"] - -[[IgnoredVulns]] -id = "GHSA-123" -reason = "No ssh servers are connected to or hosted in Go lang" -`, - }, - { - name: "comments_are_not_preserved", - args: []*osvschema.Vulnerability{ - {Id: "GHSA-123"}, - {Id: "GHSA-456"}, + existing: []*IgnoreEntry{ + {ID: "GHSA-123", Reason: "No ssh servers are connected to or hosted in Go lang"}, + {ID: "GHSA-789", Used: true}, + }, + want: []*IgnoreEntry{ + {ID: "GHSA-123", Reason: "No ssh servers are connected to or hosted in Go lang"}, + {ID: "GHSA-456"}, + {ID: "GHSA-789", Used: true}, }, - input: ` -# TODO: 
we should patch this -[[IgnoredVulns]] -id = "GHSA-123" -`, }, { name: "missing_vulns_are_removed", @@ -1220,10 +1207,13 @@ id = "GHSA-123" {Id: "GHSA-123"}, {Id: "GHSA-456"}, }, - input: ` -[[IgnoredVulns]] -id = "GHSA-789" -`, + existing: []*IgnoreEntry{ + {ID: "GHSA-789"}, + }, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + }, }, { name: "ids_are_deduplicated", @@ -1232,6 +1222,11 @@ id = "GHSA-789" {Id: "GHSA-123"}, {Id: "GHSA-456"}, }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + }, }, { name: "ids_are_deduplicated_including_already_existing", @@ -1241,20 +1236,28 @@ id = "GHSA-789" {Id: "GHSA-456"}, {Id: "GHSA-789"}, }, - input: ` -[[IgnoredVulns]] -id = "GHSA-456" - -[[IgnoredVulns]] -id = "GHSA-456" -`, + existing: []*IgnoreEntry{ + {ID: "GHSA-456"}, + {ID: "GHSA-456"}, + }, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + {ID: "GHSA-789"}, + }, }, { name: "aliases_are_deduplicated", args: []*osvschema.Vulnerability{ {Id: "GHSA-123"}, {Id: "GHSA-456"}, - {Id: "GHSA-789", Aliases: []string{"GHSA-123"}}, + {Id: "GHSA-789", Aliases: []string{"GHSA-123", "CVE-123"}}, + }, + existing: []*IgnoreEntry{}, + want: []*IgnoreEntry{ + {ID: "GHSA-123"}, + {ID: "GHSA-456"}, + {ID: "GHSA-789"}, }, }, } 
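Review bot: The `aliases_are_deduplicated` case does not actually exercise alias handling: GHSA-789 lists GHSA-123 as an alias, yet `want` still contains all three IDs, which is exactly what an implementation that never reads `Aliases` would produce (the deleted snapshot shows the same three entries). If the intent is that an existing ignore for an alias covers the reported ID, add a case with `existing: []*IgnoreEntry{{ID: "CVE-123", Reason: "triaged"}}` and a reported `{Id: "GHSA-789", Aliases: []string{"CVE-123"}}`, and pin in `want` whether the entry is kept under the old ID or replaced. If aliases are deliberately not considered, rename the case so it does not suggest they are, since readers will otherwise assume alias-based suppression is covered.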
@@ -1262,33 +1265,13 @@ id = "GHSA-456" t.Run(tt.name, func(t *testing.T) { t.Parallel() - dir := testutility.CreateTestDir(t) + c := Config{IgnoredVulns: tt.existing} - err := os.WriteFile(filepath.Join(dir, OSVScannerConfigName), []byte(tt.input), 0600) + c.IgnoreVulns(tt.args) - if err != nil { - t.Fatal(err) + if diff := cmp.Diff(tt.want, c.IgnoredVulns); diff != "" { + t.Errorf("IgnoreVulns() (-want +got):\n%s", diff) } - - c, err := tryLoadConfig(filepath.Join(dir, OSVScannerConfigName)) - - if err != nil { - t.Fatalf("failed to load config: %v", err) - } - - err = c.UpdateFile(tt.args) - - if (err != nil) != tt.wantErr { - t.Errorf("UpdateFile() error = %v, wantErr %v", err, tt.wantErr) - } - - b, err := os.ReadFile(c.LoadPath) - - if err != nil { - t.Fatalf("failed to read file: %v", err) - } - - testutility.NewSnapshot().MatchText(t, string(b)) }) } } diff --git a/internal/config/testmain_test.go b/internal/config/testmain_test.go deleted file mode 100644 index ae924fa602c..00000000000 --- a/internal/config/testmain_test.go +++ /dev/null @@ -1,13 +0,0 @@ -package config_test - -import ( - "testing" - - "github.com/google/osv-scanner/v2/internal/testutility" -) - -func TestMain(m *testing.M) { - m.Run() - - testutility.CleanSnapshots(m) -} diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 05d07fc7348..8990093b1aa 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -463,7 +463,9 @@ func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *conf for p, vulns := range configVulns { c := configPaths[p] - err := c.UpdateFile(vulns) + c.IgnoreVulns(vulns) + + err := c.Save() if err != nil { return err } From 28ac7d4cecd97533bb732a22dad10923e4272dfb Mon Sep 17 00:00:00 2001 
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Mon, 2 Mar 2026 16:33:30 +1300 Subject: [PATCH 28/43] refactor: clean up functions a bit more --- pkg/osvscanner/configs.go | 73 +++++++++++++++++++++++++++++++++++ pkg/osvscanner/osvscanner.go | 75 +++--------------------------------- 2 files changed, 79 insertions(+), 69 deletions(-) create mode 100644 pkg/osvscanner/configs.go diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go new file mode 100644 index 00000000000..e5c57d23df0 --- /dev/null +++ b/pkg/osvscanner/configs.go 
@@ -0,0 +1,73 @@
+package osvscanner
+
+import (
+ "github.com/google/osv-scanner/v2/internal/config"
+ "github.com/google/osv-scanner/v2/pkg/models"
+ "github.com/ossf/osv-schema/bindings/go/osvschema"
+)
+
+func addVulnConfigIgnores(vulnResults *models.VulnerabilityResults, manager *config.Manager) {
+ configVulns := make(map[string][]*osvschema.Vulnerability)
+ configPaths := make(map[string]config.Config)
+
+ for _, pkgSrc := range vulnResults.Results {
+ c := manager.Get(pkgSrc.Source.Path)
+
+ // skip the default config
+ if c.LoadPath == "" {
+ continue
+ }
+
+ configPaths[c.LoadPath] = c
+
+ for _, pkgVulns := range pkgSrc.Packages {
+ configVulns[c.LoadPath] = append(configVulns[c.LoadPath], pkgVulns.Vulnerabilities...)
+ }
+ }
+
+ // update each config to ignore all the vulnerabilities
+ // found across all packages that are using that config
+ for p, vulns := range configVulns {
+ c := configPaths[p]
+
+ c.IgnoreVulns(vulns)
+ }
+}
+
+func removeAllUnusedConfigIgnores(manager *config.Manager) {
+ if manager.OverrideConfig != nil {
+ manager.OverrideConfig.RemoveUnusedIgnores()
+ }
+
+ for _, c := range manager.ConfigMap {
+ // skip the default config
+ if c.LoadPath == "" {
+ continue
+ }
+
+ c.RemoveUnusedIgnores()
+ }
+}
+
+func saveAllConfigs(manager *config.Manager) error {
+ if manager.OverrideConfig != nil {
+ err := manager.OverrideConfig.Save()
+ if err != nil {
+ return err
+ }
+ }
+
+ for _, c := range manager.ConfigMap {
+ // skip the default config
+ if c.LoadPath == "" {
+ continue
+ }
+
+ err := c.Save()
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 8990093b1aa..b8ee77f6284 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
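Review bot: In `addVulnConfigIgnores`, `c := configPaths[p]` copies a `config.Config` value and `c.IgnoreVulns(vulns)` mutates only that copy, which is then discarded; `configPaths` is declared as `map[string]config.Config` and `manager.Get` returns a value, so nothing held by the manager changes. `saveAllConfigs` then ranges over `manager.ConfigMap`, which at this point in the series also stores values (the switch to `map[string]*Config` only comes later), so the ignores added here never reach disk. `removeAllUnusedConfigIgnores` has the same shape: `for _, c := range manager.ConfigMap` yields a copy and `c.RemoveUnusedIgnores()` prunes that copy. Either the map must hold `*config.Config` and `Get` must hand out that pointer, or each function has to save the mutated local copy itself, as the `err := c.Save()` this commit removed from the loop used to.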
@@ -34,7 +34,6 @@ import ( "github.com/google/osv-scanner/v2/pkg/models" "github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers" "github.com/ossf/osv-schema/bindings/go/osvconstants" - "github.com/ossf/osv-schema/bindings/go/osvschema" "osv.dev/bindings/go/osvdev" ) @@ -398,11 +397,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) // - c: filtering removes vulns from results, so need to account for that if actions.UpdateConfigIgnores == "all" { // todo: add output about having ignored vulns - err := updateConfigs(&vulnerabilityResults, &scanResult.ConfigManager) - - if err != nil { - return models.VulnerabilityResults{}, err - } + addVulnConfigIgnores(&vulnerabilityResults, &scanResult.ConfigManager) } filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) @@ -416,7 +411,11 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) if actions.UpdateConfigIgnores == "unused" { // todo: add output about having ignored vulns - err := updateConfigsToRemoveUnusedIgnores(&scanResult.ConfigManager) + removeAllUnusedConfigIgnores(&scanResult.ConfigManager) + } + + if actions.UpdateConfigIgnores != "" && actions.UpdateConfigIgnores != "none" { + err := saveAllConfigs(&scanResult.ConfigManager) if err != nil { return models.VulnerabilityResults{}, err 
@@ -439,68 +438,6 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns) } -func updateConfigs(vulnResults *models.VulnerabilityResults, configManager *config.Manager) error { - configVulns := make(map[string][]*osvschema.Vulnerability) - configPaths := make(map[string]config.Config) - - for _, pkgSrc := range vulnResults.Results { - c := configManager.Get(pkgSrc.Source.Path) - - // skip the default config - if c.LoadPath == "" { - continue - } - - configPaths[c.LoadPath] = c - - for _, pkgVulns := range pkgSrc.Packages { - configVulns[c.LoadPath] = append(configVulns[c.LoadPath], pkgVulns.Vulnerabilities...) - } - } - - // update each config to ignore all the vulnerabilities - // found across all packages that are using that config - for p, vulns := range configVulns { - c := configPaths[p] - - c.IgnoreVulns(vulns) - - err := c.Save() - if err != nil { - return err - } - } - - return nil -} - -func updateConfigsToRemoveUnusedIgnores(configManager *config.Manager) error { - if configManager.OverrideConfig != nil { - configManager.OverrideConfig.RemoveUnusedIgnores() - - err := configManager.OverrideConfig.Save() - if err != nil { - return err - } - } - - for _, c := range configManager.ConfigMap { - // skip the default config - if c.LoadPath == "" { - continue - } - - c.RemoveUnusedIgnores() - - err := c.Save() - if err != nil { - return err - } - } - - return nil -} - func buildLicenseSummary(scanResult *results.ScanResults) []models.LicenseCount { var licenseSummary []models.LicenseCount From 2e2b2c1c48c8e9212b66246c23b344c175a7dbd5 Mon Sep 17 00:00:00 2001 
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 4 Mar 2026 10:20:08 +1300 Subject: [PATCH 29/43] refactor: stick with saving as config map is not holding pointers --- pkg/osvscanner/configs.go | 26 +++++++++++--------------- pkg/osvscanner/osvscanner.go | 12 ++++++------ 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index e5c57d23df0..962b485e905 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go @@ -6,7 +6,7 @@ import ( "github.com/ossf/osv-schema/bindings/go/osvschema" ) -func addVulnConfigIgnores(vulnResults *models.VulnerabilityResults, manager *config.Manager) { +func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manager *config.Manager) error { configVulns := make(map[string][]*osvschema.Vulnerability) configPaths := make(map[string]config.Config) @@ -31,26 +31,20 @@ func addVulnConfigIgnores(vulnResults *models.VulnerabilityResults, manager *con c := configPaths[p] c.IgnoreVulns(vulns) - } -} - -func removeAllUnusedConfigIgnores(manager *config.Manager) { - if manager.OverrideConfig != nil { - manager.OverrideConfig.RemoveUnusedIgnores() - } - for _, c := range manager.ConfigMap { - // skip the default config - if c.LoadPath == "" { - continue + err := c.Save() + if err != nil { + return err } - - c.RemoveUnusedIgnores() } + + return nil } -func saveAllConfigs(manager *config.Manager) error { +func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) error { if manager.OverrideConfig != nil { + manager.OverrideConfig.RemoveUnusedIgnores() + err := manager.OverrideConfig.Save() if err != nil { return err @@ -63,6 +57,8 @@ func saveAllConfigs(manager *config.Manager) error { continue } + c.RemoveUnusedIgnores() + err := c.Save() if err != nil { return err diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index b8ee77f6284..53d7ca32ba5 100644 --- a/pkg/osvscanner/osvscanner.go 
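Review bot: `removeAllUnusedConfigIgnoresAndSave` still iterates `manager.ConfigMap` by value, so `c.RemoveUnusedIgnores()` prunes a copy and `c.Save()` writes that copy: the file on disk loses the entries while the cached `Config` in the map keeps them (the `c := configPaths[p]` loop in the first hunk of this file has the same copy-then-save shape). Anything that reads the map afterwards will still see the removed entries as present and unused — the "has unused ignores" lines that vanish from the snapshots once the map holds pointers later in the series look like exactly that. The commit message acknowledges the map holds values; until it stores pointers, a comment at the loop such as `// ConfigMap holds values: the pruned copy is saved, the cached entry is left as-is` would make the divergence explicit to the next reader.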
+++ b/pkg/osvscanner/osvscanner.go @@ -397,7 +397,11 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) // - c: filtering removes vulns from results, so need to account for that if actions.UpdateConfigIgnores == "all" { // todo: add output about having ignored vulns - addVulnConfigIgnores(&vulnerabilityResults, &scanResult.ConfigManager) + err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) + + if err != nil { + return models.VulnerabilityResults{}, err + } } filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) @@ -411,11 +415,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) if actions.UpdateConfigIgnores == "unused" { // todo: add output about having ignored vulns - removeAllUnusedConfigIgnores(&scanResult.ConfigManager) - } - - if actions.UpdateConfigIgnores != "" && actions.UpdateConfigIgnores != "none" { - err := saveAllConfigs(&scanResult.ConfigManager) + err := removeAllUnusedConfigIgnoresAndSave(&scanResult.ConfigManager) if err != nil { return models.VulnerabilityResults{}, err From 92791ab8607ee8e9c730a6c26ae9adcea871ceda Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Sat, 7 Mar 2026 10:02:06 +1300 Subject: [PATCH 30/43] docs: add a page --- docs/configuration-updating.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs/configuration-updating.md diff --git a/docs/configuration-updating.md b/docs/configuration-updating.md new file mode 100644 index 00000000000..cf9fccb04cc --- /dev/null +++ b/docs/configuration-updating.md 
@@ -0,0 +1,27 @@ +--- +layout: page +permalink: /experimental/configuration-updating/ +parent: Experimental Features +nav_order: 6 +--- + +# Configuration updating + +Experimental +{: .label } + +{: .no_toc } + +OSV-Scanner can automatically update ignored vulnerabilities in `osv-scanner.toml` files, either to remove unused ignore entries, or to ignore all found vulnerabilities. + +This requires that a configuration file already exists, and currently makes no attempt to preserve comments or syntax. + +## Usage + +``` +# remove only ignore entires that are not being used +osv-scanner scan --experimental-update-config-ignores=unused . + +# add ignore entries for all found vulnerabilities +osv-scanner scan --experimental-update-config-ignores=all . +``` From eda992961f253e60b630f1f505f19f3aab848106 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 07:57:23 +1300 Subject: [PATCH 31/43] perf: optimize slice filtering --- internal/config/config.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/internal/config/config.go b/internal/config/config.go index 8d905bae102..5eccb5b3664 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -139,16 +139,15 @@ func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry { } func (c *Config) RemoveUnusedIgnores() { - // todo: see if this is a more optimized way to do this? - ignoredVulns := make([]*IgnoreEntry, 0, len(c.IgnoredVulns)) + filtered := c.IgnoredVulns[:0] for _, iv := range c.IgnoredVulns { if iv.Used { - ignoredVulns = append(ignoredVulns, iv) + filtered = append(filtered, iv) } } - c.IgnoredVulns = ignoredVulns + c.IgnoredVulns = filtered } func (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) { From 2ffb482c0f670a3f8a1db063b21178bdd42c5653 Mon Sep 17 00:00:00 2001 
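Review bot: `filtered := c.IgnoredVulns[:0]` in `RemoveUnusedIgnores` compacts in place, which rewrites a backing array the caller may still share: a slice passed in as `Config{IgnoredVulns: x}` (the unit test earlier in this series builds configs from table data that way) has its leading slots overwritten with the kept pointers, and the slots past the new length keep holding the dropped `*IgnoreEntry` values. Since `config.go` already imports `slices`, the same in-place filter with the freed tail cleared (Go 1.22+) is one line: `c.IgnoredVulns = slices.DeleteFunc(c.IgnoredVulns, func(iv *IgnoreEntry) bool { return !iv.Used })`. If isolation from the caller's slice matters more than the saved allocation, the previous `make`-based version was the safer choice and a comment should record why it was dropped.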
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:24:30 +1300 Subject: [PATCH 32/43] fix: store configs by reference --- .../scan/source/__snapshots__/command_test.snap | 13 ------------- internal/config/manager.go | 11 ++++++----- pkg/osvscanner/filter_internal_test.go | 2 +- pkg/osvscanner/osvscanner.go | 4 ++-- 4 files changed, 9 insertions(+), 21 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index e21d72e4fe8..fad53b1c7ed 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -6970,10 +6970,6 @@ CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (p GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -/nested-3/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. @@ -7038,7 +7034,6 @@ lockfile:/package-lock.json: found 1 package with issues --- [TestCommand_UpdateConfigIgnores_Unused/deep - 3] -IgnoredVulns = [] --- @@ -7182,8 +7177,6 @@ Loaded filter from: /nested-3/osv-scanner-test.toml Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. -/nested-3/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. 
@@ -7401,10 +7394,6 @@ Filtered 2 ignored package/s from the scan. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -/nested-3/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 9 vulnerabilities can be fixed. @@ -7472,7 +7461,6 @@ lockfile:/package-lock.json: found 1 package with issues --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 3] -IgnoredVulns = [] --- @@ -7948,7 +7936,6 @@ lockfile:/package-lock.json: found 1 package with issues --- [TestCommand_UpdateConfigIgnores_Unused/shallow - 3] -IgnoredVulns = [] --- diff --git a/internal/config/manager.go b/internal/config/manager.go index 6b5e0acfc5d..c63a46ef0d7 100644 --- a/internal/config/manager.go +++ b/internal/config/manager.go @@ -17,7 +17,7 @@ type Manager struct { // Config to use if no config file is found alongside manifests DefaultConfig Config // Cache to store loaded configs - ConfigMap map[string]Config + ConfigMap map[string]*Config } // UseOverride updates the Manager to use the config at the given path in place @@ -48,11 +48,12 @@ func (m *Manager) Get(targetPath string) Config { config, alreadyExists := m.ConfigMap[configPath] if alreadyExists { - return config + return *config } - config, configErr := tryLoadConfig(configPath) + loadedConfig, configErr := tryLoadConfig(configPath) if configErr == nil { + config = &loadedConfig cmdlogger.Infof("Loaded filter from: %s", config.LoadPath) } else { // anything other than the config file not existing is most likely due to an invalid config file 
@@ -60,11 +61,11 @@ func (m *Manager) Get(targetPath string) Config { cmdlogger.Errorf("Ignored invalid config file at %s because: %v", configPath, configErr) } // If config doesn't exist, use the default config - config = m.DefaultConfig + config = &m.DefaultConfig } m.ConfigMap[configPath] = config - return config + return *config } func (m *Manager) GetUnusedIgnoreEntries() map[string][]*IgnoreEntry { diff --git a/pkg/osvscanner/filter_internal_test.go b/pkg/osvscanner/filter_internal_test.go index 3f86739129b..e4227699131 100644 --- a/pkg/osvscanner/filter_internal_test.go +++ b/pkg/osvscanner/filter_internal_test.go @@ -40,7 +40,7 @@ func Test_filterResults(t *testing.T) { // Sources in the test input should point to files/folders in the testdata folder for this to work correctly. configManager := config.Manager{ DefaultConfig: config.Config{}, - ConfigMap: make(map[string]config.Config), + ConfigMap: make(map[string]*config.Config), } got := testutility.LoadJSONFixture[models.VulnerabilityResults](t, filepath.Join(tt.path, "input.json")) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 53d7ca32ba5..75a47cb5b24 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -181,7 +181,7 @@ func DoScan(actions ScannerActions) (models.VulnerabilityResults, error) { scanResult := results.ScanResults{ ConfigManager: config.Manager{ DefaultConfig: config.Config{}, - ConfigMap: make(map[string]config.Config), + ConfigMap: make(map[string]*config.Config), }, } @@ -243,7 +243,7 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error scanResult := results.ScanResults{ ConfigManager: config.Manager{ DefaultConfig: config.Config{}, - ConfigMap: make(map[string]config.Config), + ConfigMap: make(map[string]*config.Config), }, } From 2c62f2a1baef3a8f39da280a5e9bc9328f1b29c0 Mon Sep 17 00:00:00 2001 
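Review bot: `Get` still ends with `return *config`, both in this hunk and in the one above, so callers receive a copy even though the map now caches `*Config`; code that mutates what `Get` returns (the `configPaths[c.LoadPath] = c` loop in `addVulnConfigIgnoresAndSave`) keeps working on copies, and "store configs by reference" only holds for code that walks `ConfigMap` directly. Returning `*Config` would close that gap; if the value return is intentional, a doc comment on `Get` should say that the result is a snapshot and that mutations must go through `ConfigMap`. Separately, `config = &m.DefaultConfig` caches a pointer into the `Manager` itself, so a `Manager` copied after `Get` has run (it is held by value in the `results.ScanResults` literals in this commit) carries map entries pointing at the old copy's `DefaultConfig`; a comment on the field, `// ConfigMap may point at DefaultConfig; do not copy a Manager after use`, or a pointer-typed `DefaultConfig`, would make that safe.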
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:35:29 +1300 Subject: [PATCH 33/43] feat: print the number of removed unused ignore entries --- .../source/__snapshots__/command_test.snap | 7 ++++ pkg/osvscanner/configs.go | 35 ++++++++++++++++--- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index fad53b1c7ed..5efe942799c 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -6970,6 +6970,8 @@ CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (p GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output +Removed 1 unused ignore entry from /nested-2/osv-scanner-test.toml +Removed 1 unused ignore entry from /nested-3/osv-scanner-test.toml Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. @@ -7177,6 +7179,7 @@ Loaded filter from: /nested-3/osv-scanner-test.toml Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. +Removed 1 unused ignore entry from /nested-3/osv-scanner-test.toml Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. 
@@ -7394,6 +7397,8 @@ Filtered 2 ignored package/s from the scan. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output +Removed 1 unused ignore entry from /nested-2/osv-scanner-test.toml +Removed 1 unused ignore entry from /nested-3/osv-scanner-test.toml Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 9 vulnerabilities can be fixed. @@ -7605,6 +7610,7 @@ GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 6 vulnerabilities from output +Removed 1 unused ignore entry from /custom-config.toml Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. @@ -7793,6 +7799,7 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +Removed 2 unused ignore entries from /custom-config.toml Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index 962b485e905..fed86dac9cc 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go 
@@ -1,7 +1,9 @@ package osvscanner import ( + "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/config" + "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" ) @@ -41,11 +43,37 @@ func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manag return nil } +func removeUnusedConfigIgnoresAndSave(conf *config.Config) error { + ignoredVulnsCount := len(conf.IgnoredVulns) + conf.RemoveUnusedIgnores() + + // don't bother saving if nothing was removed + if ignoredVulnsCount == len(conf.IgnoredVulns) { + return nil + } + + err := conf.Save() + if err != nil { + return err + } + + removed := ignoredVulnsCount-len(conf.IgnoredVulns) + + // todo: might be nice to log what was removed? + cmdlogger.Infof( + "Removed %d unused ignore %s from %s", + removed, + output.Form(removed, "entry", "entries"), + conf.LoadPath, + ) + + return nil +} + func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) error { if manager.OverrideConfig != nil { - manager.OverrideConfig.RemoveUnusedIgnores() + err := removeUnusedConfigIgnoresAndSave(manager.OverrideConfig) - err := manager.OverrideConfig.Save() if err != nil { return err } @@ -57,9 +85,8 @@ func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) error { continue } - c.RemoveUnusedIgnores() + err := removeUnusedConfigIgnoresAndSave(c) - err := c.Save() if err != nil { return err } From c39c234acf5c63b8faaccc69b1440b2b61f0c1b3 Mon Sep 17 00:00:00 2001 
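Review bot: `removed := ignoredVulnsCount-len(conf.IgnoredVulns)` is not gofmt-clean; gofmt writes it as `removed := ignoredVulnsCount - len(conf.IgnoredVulns)`, and any formatting check in CI will flag this hunk. In the second hunk of this file the blank line inserted between `err := removeUnusedConfigIgnoresAndSave(...)` and `if err != nil` also departs from the file's own pattern of keeping an assignment and its error check adjacent, as `err := conf.Save()` a few lines up does. Both are cosmetic, but worth settling before the function grows further.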
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:37:51 +1300 Subject: [PATCH 34/43] feat: print the actual ignore entries that were removed --- .../source/__snapshots__/command_test.snap | 26 ++++++++---- internal/config/config.go | 7 +++- pkg/osvscanner/configs.go | 40 ++++++++----------- pkg/osvscanner/osvscanner.go | 21 +++++++++- 4 files changed, 61 insertions(+), 33 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 5efe942799c..d8d2c51237e 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -6970,8 +6970,12 @@ CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (p GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output -Removed 1 unused ignore entry from /nested-2/osv-scanner-test.toml -Removed 1 unused ignore entry from /nested-3/osv-scanner-test.toml +/nested-1/osv-scanner-test.toml had unused ignores that were removed: +/nested-2/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 +/osv-scanner-test.toml had unused ignores that were removed: Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. 
@@ -7179,7 +7183,8 @@ Loaded filter from: /nested-3/osv-scanner-test.toml Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. -Removed 1 unused ignore entry from /nested-3/osv-scanner-test.toml +/nested-3/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. @@ -7397,8 +7402,11 @@ Filtered 2 ignored package/s from the scan. GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output -Removed 1 unused ignore entry from /nested-2/osv-scanner-test.toml -Removed 1 unused ignore entry from /nested-3/osv-scanner-test.toml +/nested-2/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 +/nested-3/osv-scanner-test.toml had unused ignores that were removed: + - GHSA-2g4f-4pwh-qvx6 +/osv-scanner-test.toml had unused ignores that were removed: Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 9 vulnerabilities can be fixed. @@ -7610,7 +7618,8 @@ GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 6 vulnerabilities from output -Removed 1 unused ignore entry from /custom-config.toml +/custom-config.toml had unused ignores that were removed: + - CVE-123-456-789 Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. 
@@ -7799,7 +7808,9 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Removed 2 unused ignore entries from /custom-config.toml +/custom-config.toml had unused ignores that were removed: + - CVE-123-456-789 + - GHSA-2g4f-4pwh-qvx6 Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. @@ -7911,6 +7922,7 @@ Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml +/osv-scanner-test.toml had unused ignores that were removed: Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. diff --git a/internal/config/config.go b/internal/config/config.go index 5eccb5b3664..904bd99267b 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -138,16 +138,21 @@ func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry { return unused } -func (c *Config) RemoveUnusedIgnores() { +func (c *Config) RemoveUnusedIgnores() []*IgnoreEntry { + var removed []*IgnoreEntry filtered := c.IgnoredVulns[:0] for _, iv := range c.IgnoredVulns { if iv.Used { filtered = append(filtered, iv) + } else { + removed = append(removed, iv) } } c.IgnoredVulns = filtered + + return removed } func (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) { diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index fed86dac9cc..c2511886f4d 100644 --- a/pkg/osvscanner/configs.go 
+++ b/pkg/osvscanner/configs.go @@ -1,9 +1,7 @@ package osvscanner import ( - "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/config" - "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" ) @@ -43,40 +41,34 @@ func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manag return nil } -func removeUnusedConfigIgnoresAndSave(conf *config.Config) error { +func removeUnusedConfigIgnoresAndSave(conf *config.Config) ([]*config.IgnoreEntry, error) { ignoredVulnsCount := len(conf.IgnoredVulns) - conf.RemoveUnusedIgnores() + removed := conf.RemoveUnusedIgnores() // don't bother saving if nothing was removed if ignoredVulnsCount == len(conf.IgnoredVulns) { - return nil + return nil, nil } err := conf.Save() if err != nil { - return err + return nil, err } - removed := ignoredVulnsCount-len(conf.IgnoredVulns) - - // todo: might be nice to log what was removed? - cmdlogger.Infof( - "Removed %d unused ignore %s from %s", - removed, - output.Form(removed, "entry", "entries"), - conf.LoadPath, - ) - - return nil + return removed, nil } -func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) error { +func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) (map[string][]*config.IgnoreEntry, error) { + entries := make(map[string][]*config.IgnoreEntry) + if manager.OverrideConfig != nil { - err := removeUnusedConfigIgnoresAndSave(manager.OverrideConfig) + removed, err := removeUnusedConfigIgnoresAndSave(manager.OverrideConfig) if err != nil { - return err + return entries, err } + + entries[manager.OverrideConfig.LoadPath] = removed } for _, c := range manager.ConfigMap { 
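Review bot: `ignoredVulnsCount` is now redundant in `removeUnusedConfigIgnoresAndSave`: `RemoveUnusedIgnores` returns the removed entries, so the early exit can be `if len(removed) == 0 { return nil, nil }` and the length snapshot dropped. Relatedly, `removeAllUnusedConfigIgnoresAndSave` records `entries[manager.OverrideConfig.LoadPath] = removed` here (and `entries[c.LoadPath] = removed` in the next hunk) even when `removed` is nil, which is what produces the empty "had unused ignores that were removed:" headings in this commit's snapshot hunks; guarding each assignment with `if len(removed) > 0` keeps the report to files that actually changed.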
@@ -85,12 +77,14 @@ func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) error { continue } - err := removeUnusedConfigIgnoresAndSave(c) + removed, err := removeUnusedConfigIgnoresAndSave(c) if err != nil { - return err + return entries, err } + + entries[c.LoadPath] = removed } - return nil + return entries, nil } diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 75a47cb5b24..bcdd2633cdd 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -413,9 +413,26 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) ) } + // todo: this + reporting unused ignores can probably be encapsulated, + // since it should be impossible to have unused ignores if we are updating... if actions.UpdateConfigIgnores == "unused" { - // todo: add output about having ignored vulns - err := removeAllUnusedConfigIgnoresAndSave(&scanResult.ConfigManager) + removedIgnoreEntries, err := removeAllUnusedConfigIgnoresAndSave(&scanResult.ConfigManager) + + // for once, we do this before checking the error as we might have successfully + // updated some configs before hitting an error saving, if running recursively + if len(removedIgnoreEntries) != 0 { + // todo: look at deduplicating this with "warn unused ignores" + configFiles := slices.Collect(maps.Keys(removedIgnoreEntries)) + slices.Sort(configFiles) + + for _, configFile := range configFiles { + cmdlogger.Warnf("%s had unused ignores that were removed:", configFile) + + for _, iv := range removedIgnoreEntries[configFile] { + cmdlogger.Warnf(" - %s", iv.ID) + } + } + } if err != nil { return models.VulnerabilityResults{}, err From 1baeada307ef337466005b8e9591f55f9599371d Mon Sep 17 00:00:00 2001 
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:44:36 +1300 Subject: [PATCH 35/43] fix: don't record configs that had no ignores removed --- .../scan/source/__snapshots__/command_test.snap | 4 ---- pkg/osvscanner/configs.go | 8 ++++++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index d8d2c51237e..560b756986c 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -6970,12 +6970,10 @@ CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (p GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 3 vulnerabilities from output -/nested-1/osv-scanner-test.toml had unused ignores that were removed: /nested-2/osv-scanner-test.toml had unused ignores that were removed: - GHSA-2g4f-4pwh-qvx6 /nested-3/osv-scanner-test.toml had unused ignores that were removed: - GHSA-2g4f-4pwh-qvx6 -/osv-scanner-test.toml had unused ignores that were removed: Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 8 vulnerabilities can be fixed. @@ -7406,7 +7404,6 @@ Filtered 2 vulnerabilities from output - GHSA-2g4f-4pwh-qvx6 /nested-3/osv-scanner-test.toml had unused ignores that were removed: - GHSA-2g4f-4pwh-qvx6 -/osv-scanner-test.toml had unused ignores that were removed: Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 9 vulnerabilities can be fixed. 
@@ -7922,7 +7919,6 @@ Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml -/osv-scanner-test.toml had unused ignores that were removed: Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index c2511886f4d..6ff6a87f715 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go @@ -68,7 +68,9 @@ func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) (map[string][] return entries, err } - entries[manager.OverrideConfig.LoadPath] = removed + if len(removed) > 0 { + entries[manager.OverrideConfig.LoadPath] = removed + } } for _, c := range manager.ConfigMap { @@ -83,7 +85,9 @@ func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) (map[string][] return entries, err } - entries[c.LoadPath] = removed + if len(removed) > 0 { + entries[c.LoadPath] = removed + } } return entries, nil From 57749cbfa01374683b58517f2fb02d212a6bddf5 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 08:53:54 +1300 Subject: [PATCH 36/43] feat: print when config ignores have been updated --- .../source/__snapshots__/command_test.snap | 11 +++++++++++ pkg/osvscanner/configs.go | 10 +++++++--- pkg/osvscanner/osvscanner.go | 19 +++++++++++++++++-- 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 560b756986c..ded9d705294 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
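Review bot: The `len(removed) > 0` guards in both configs.go hunks only decide whether a config is reported; `removeUnusedConfigIgnoresAndSave` is still called above each guard for every config, so if it writes the file whenever it is called (its body is not in this patch), configs with nothing to remove are still rewritten and re-serialised through the TOML encoder, which would drop any comments the user keeps in the file. If that is the case, the better fix is to skip the save inside the callee when nothing was removed and leave these guards as they are. The two guarded blocks, one for `manager.OverrideConfig` and one per `manager.ConfigMap` entry, are otherwise identical and could share a small helper. Both hunks lie inside removeAllUnusedConfigIgnoresAndSave, whose start is outside them.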
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -5891,6 +5891,10 @@ Loaded filter from: /nested-3/osv-scanner-test.toml Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. +/nested-1/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities +/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities +/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability +/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) @@ -6076,6 +6080,7 @@ Loaded filter from: /nested-3/osv-scanner-test.toml Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. +/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability /nested-3/osv-scanner-test.toml has unused ignores: - GHSA-2g4f-4pwh-qvx6 @@ -6287,6 +6292,9 @@ Loaded filter from: /nested-3/osv-scanner-test.toml Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. +/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities +/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability +/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output 
@@ -6478,6 +6486,7 @@ Scanned /nested-2/package-lock.json file and found 3 packages Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +/custom-config.toml has been updated to ignore 4 vulnerabilities GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) @@ -6636,6 +6645,7 @@ Scanned /Gemfile.lock file and found 1 package Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. +/custom-config.toml has been updated to ignore 2 vulnerabilities /custom-config.toml has unused ignores: - CVE-123-456-789 - GHSA-2g4f-4pwh-qvx6 @@ -6735,6 +6745,7 @@ Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml +/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index 6ff6a87f715..389695e3e16 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go 
@@ -6,10 +6,12 @@ import ( "github.com/ossf/osv-schema/bindings/go/osvschema" ) -func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manager *config.Manager) error { +func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manager *config.Manager) (map[string]int, error) { configVulns := make(map[string][]*osvschema.Vulnerability) configPaths := make(map[string]config.Config) + counts := make(map[string]int) + for _, pkgSrc := range vulnResults.Results { c := manager.Get(pkgSrc.Source.Path) @@ -34,11 +36,13 @@ func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manag err := c.Save() if err != nil { - return err + return counts, err } + + counts[c.LoadPath] = len(c.IgnoredVulns) } - return nil + return counts, nil } func removeUnusedConfigIgnoresAndSave(conf *config.Config) ([]*config.IgnoreEntry, error) { diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index bcdd2633cdd..12b4c08a2ea 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
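Review bot: `counts[c.LoadPath] = len(c.IgnoredVulns)` records the total number of ignore entries in the config after it is saved, not the number this run added, so the "has been updated to ignore N vulnerabilities" message built from it reports the new total rather than the delta; if that is intended, the doc comment should say so. The function also returns a partially filled `counts` together with a non-nil error, which is unusual enough to document: `// addVulnConfigIgnoresAndSave adds every vuln in vulnResults to the ignore list of the config governing its source and saves those configs; it returns, keyed by config path, the number of ignore entries in each config that was saved successfully, and the map is populated even when err is non-nil.` The body of addVulnConfigIgnoresAndSave continues between and after the two hunks.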
@@ -396,8 +396,23 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) // - p: might be a better UX to present the vulns we're ignoring // - c: filtering removes vulns from results, so need to account for that if actions.UpdateConfigIgnores == "all" { - // todo: add output about having ignored vulns - err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) + ignoreCounts, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) + + // for once, we do this before checking the error as we might have successfully + // updated some configs before hitting an error saving, if running recursively + if len(ignoreCounts) != 0 { + configFiles := slices.Collect(maps.Keys(ignoreCounts)) + slices.Sort(configFiles) + + for _, configFile := range configFiles { + cmdlogger.Warnf( + "%s has been updated to ignore %d %s", + configFile, + ignoreCounts[configFile], + output.Form(ignoreCounts[configFile], "vulnerability", "vulnerabilities"), + ) + } + } if err != nil { return models.VulnerabilityResults{}, err From 2583e91a38954bc907496b2a7fafe45889d911d1 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 09:12:51 +1300 Subject: [PATCH 37/43] refactor: deduplicate "reporting on unused ignore action" --- pkg/osvscanner/configs.go | 17 +++++++++++++++++ pkg/osvscanner/osvscanner.go | 23 ++--------------------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index 389695e3e16..7e2091de71c 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go @@ -1,6 +1,10 @@ package osvscanner import ( + "maps" + "slices" + + "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" 
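Review bot: The "has been updated to ignore" message is emitted through `cmdlogger.Warnf` although it reports a successful, user-requested action rather than a problem, so every `UpdateConfigIgnores == "all"` run logs its summary at warning level; if cmdlogger offers an info-level counterpart, that would be the better fit here. `ignoreCounts[configFile]` is also looked up three times in the one call; binding it once, `count := ignoreCounts[configFile]`, reads more cleanly. The body of finalizeScanResult continues outside the hunk.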
@@ -96,3 +100,16 @@ func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) (map[string][] return entries, nil } + +func reportOnUnusedIgnoreActions(unusedIgnoreEntries map[string][]*config.IgnoreEntry, action string) { + configFiles := slices.Collect(maps.Keys(unusedIgnoreEntries)) + slices.Sort(configFiles) + + for _, configFile := range configFiles { + cmdlogger.Warnf("%s %s:", configFile, action) + + for _, iv := range unusedIgnoreEntries[configFile] { + cmdlogger.Warnf(" - %s", iv.ID) + } + } +} diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 12b4c08a2ea..f3df513b552 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -436,17 +436,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) // for once, we do this before checking the error as we might have successfully // updated some configs before hitting an error saving, if running recursively if len(removedIgnoreEntries) != 0 { - // todo: look at deduplicating this with "warn unused ignores" - configFiles := slices.Collect(maps.Keys(removedIgnoreEntries)) - slices.Sort(configFiles) - - for _, configFile := range configFiles { - cmdlogger.Warnf("%s had unused ignores that were removed:", configFile) - - for _, iv := range removedIgnoreEntries[configFile] { - cmdlogger.Warnf(" - %s", iv.ID) - } - } + reportOnUnusedIgnoreActions(removedIgnoreEntries, "had unused ignores that were removed") } if err != nil { 
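Review bot: The new `reportOnUnusedIgnoreActions` helper has no doc comment, and because `action` is spliced verbatim into the log line via `"%s %s:"`, the contract that it must be a verb phrase completing "<config file> …" is only discoverable from the call sites. Add e.g. `// reportOnUnusedIgnoreActions logs, for each config file in sorted path order, "<path> <action>:" followed by one line per ID of the given ignore entries.` Sorting the keys first is the right call, since map iteration order would otherwise make the output non-deterministic between runs.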
@@ -455,16 +445,7 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) } if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { - configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries)) - slices.Sort(configFiles) - - for _, configFile := range configFiles { - cmdlogger.Warnf("%s has unused ignores:", configFile) - - for _, iv := range unusedIgnoredEntries[configFile] { - cmdlogger.Warnf(" - %s", iv.ID) - } - } + reportOnUnusedIgnoreActions(unusedIgnoredEntries, "has unused ignores") } return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns) From c23b5be0a762eb01ee05f1091b5815e1f758c365 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 09:22:54 +1300 Subject: [PATCH 38/43] refactor: deduplicate the whole "unused ignore entries" section --- pkg/osvscanner/configs.go | 24 ++++++++++++++++++++++++ pkg/osvscanner/osvscanner.go | 20 +++----------------- 2 files changed, 27 insertions(+), 17 deletions(-) diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index 7e2091de71c..ce1c24f6af9 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go 
@@ -113,3 +113,27 @@ func reportOnUnusedIgnoreActions(unusedIgnoreEntries map[string][]*config.Ignore } } } + +func handleUnusedIgnoreEntries(manager *config.Manager, remove bool) error { + if remove { + removedIgnoreEntries, err := removeAllUnusedConfigIgnoresAndSave(manager) + + // for once, we do this before checking the error as we might have successfully + // updated some configs before hitting an error saving, if running recursively + if len(removedIgnoreEntries) != 0 { + reportOnUnusedIgnoreActions(removedIgnoreEntries, "had unused ignores that were removed") + } + + if err != nil { + return err + } + + return nil + } + + if unusedIgnoredEntries := manager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { + reportOnUnusedIgnoreActions(unusedIgnoredEntries, "has unused ignores") + } + + return nil +} diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index f3df513b552..fc1fdbfbfaa 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
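Review bot: In `handleUnusedIgnoreEntries`, the `if err != nil { return err }` followed by `return nil` inside the `remove` branch collapses to `return err`, since both paths return exactly that value. The function is new and undocumented; a doc comment should state its two modes, e.g. `// handleUnusedIgnoreEntries reports the ignore entries in manager's configs that were not used; when remove is true they are first removed and the configs saved, and removals are reported even if a later save fails.` A bare boolean mode argument also reads poorly at the call site (`handleUnusedIgnoreEntries(m, true)`); passing the `UpdateConfigIgnores` value itself or a named constant would make the intent visible.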
@@ -428,24 +428,10 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) ) } - // todo: this + reporting unused ignores can probably be encapsulated, - // since it should be impossible to have unused ignores if we are updating... - if actions.UpdateConfigIgnores == "unused" { - removedIgnoreEntries, err := removeAllUnusedConfigIgnoresAndSave(&scanResult.ConfigManager) + err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused") - // for once, we do this before checking the error as we might have successfully - // updated some configs before hitting an error saving, if running recursively - if len(removedIgnoreEntries) != 0 { - reportOnUnusedIgnoreActions(removedIgnoreEntries, "had unused ignores that were removed") - } - - if err != nil { - return models.VulnerabilityResults{}, err - } - } - - if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { - reportOnUnusedIgnoreActions(unusedIgnoredEntries, "has unused ignores") + if err != nil { + return models.VulnerabilityResults{}, err } return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns) From c04b54d7c23ab54969abc36de8d392e36b49abb1 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 09:27:14 +1300 Subject: [PATCH 39/43] refactor: deduplicate for when we're ignoring all entries too --- pkg/osvscanner/configs.go | 32 ++++++++++++++++++++++++-------- pkg/osvscanner/osvscanner.go | 16 +++------------- 2 files changed, 27 insertions(+), 21 deletions(-) diff --git a/pkg/osvscanner/configs.go b/pkg/osvscanner/configs.go index ce1c24f6af9..ffc47bbfe1f 100644 --- a/pkg/osvscanner/configs.go +++ b/pkg/osvscanner/configs.go 
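Review bot: `err := handleUnusedIgnoreEntries(...)` declares `err` at function scope only to test it on the next statement; the idiomatic form keeps it scoped to the check, `if err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused"); err != nil {`. That also avoids a clash with any `err` already declared earlier in finalizeScanResult, whose body lies outside the hunk.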
@@ -6,15 +6,19 @@ import ( "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/config" + "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" ) -func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manager *config.Manager) (map[string]int, error) { +func addVulnConfigIgnoresAndSave( + vulnResults *models.VulnerabilityResults, + manager *config.Manager, +) (map[string][]*config.IgnoreEntry, error) { configVulns := make(map[string][]*osvschema.Vulnerability) configPaths := make(map[string]config.Config) - counts := make(map[string]int) + entries := make(map[string][]*config.IgnoreEntry) for _, pkgSrc := range vulnResults.Results { c := manager.Get(pkgSrc.Source.Path) @@ -40,13 +44,13 @@ func addVulnConfigIgnoresAndSave(vulnResults *models.VulnerabilityResults, manag err := c.Save() if err != nil { - return counts, err + return entries, err } - counts[c.LoadPath] = len(c.IgnoredVulns) + entries[c.LoadPath] = c.IgnoredVulns } - return counts, nil + return entries, nil } func removeUnusedConfigIgnoresAndSave(conf *config.Config) ([]*config.IgnoreEntry, error) { 
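Review bot: `entries[c.LoadPath] = c.IgnoredVulns` stores the config's own slice in the returned map, so the report shares backing storage with the `config.Config` it came from; that is harmless while `reportOnConfigIgnoreEntriesAction` only reads it, but `slices.Clone(c.IgnoredVulns)` (this file already imports slices) or a short comment would make the intent explicit. Separately, from a triage point of view, the entries written on the `UpdateConfigIgnores == "all"` path presumably carry no `Reason` or `IgnoreUntil` (their construction is outside this patch, and the snapshot output in this series reports ignored vulns with "(no reason given)"), which means every finding of the scan is suppressed indefinitely with no marker that it was generated rather than reviewed; stamping a fixed `Reason` (for example "added by update-config-ignores") or an `IgnoreUntil` would keep those ignores visible for later review. The body of addVulnConfigIgnoresAndSave continues between and after the two hunks.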
@@ -101,11 +105,23 @@ func removeAllUnusedConfigIgnoresAndSave(manager *config.Manager) (map[string][] return entries, nil } -func reportOnUnusedIgnoreActions(unusedIgnoreEntries map[string][]*config.IgnoreEntry, action string) { +func reportOnConfigIgnoreEntriesAction(unusedIgnoreEntries map[string][]*config.IgnoreEntry, action string) { configFiles := slices.Collect(maps.Keys(unusedIgnoreEntries)) slices.Sort(configFiles) for _, configFile := range configFiles { + // don't list the entries if we've ignored all of them, as there might be a lot + if action == "has been updated to ignore" { + cmdlogger.Warnf( + "%s has been updated to ignore %d %s", + configFile, + len(unusedIgnoreEntries[configFile]), + output.Form(len(unusedIgnoreEntries[configFile]), "vulnerability", "vulnerabilities"), + ) + + continue + } + cmdlogger.Warnf("%s %s:", configFile, action) for _, iv := range unusedIgnoreEntries[configFile] { @@ -121,7 +137,7 @@ func handleUnusedIgnoreEntries(manager *config.Manager, remove bool) error { // for once, we do this before checking the error as we might have successfully // updated some configs before hitting an error saving, if running recursively if len(removedIgnoreEntries) != 0 { - reportOnUnusedIgnoreActions(removedIgnoreEntries, "had unused ignores that were removed") + reportOnConfigIgnoreEntriesAction(removedIgnoreEntries, "had unused ignores that were removed") } if err != nil { @@ -132,7 +148,7 @@ func handleUnusedIgnoreEntries(manager *config.Manager, remove bool) error { } if unusedIgnoredEntries := manager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 { - reportOnUnusedIgnoreActions(unusedIgnoredEntries, "has unused ignores") + reportOnConfigIgnoreEntriesAction(unusedIgnoredEntries, "has unused ignores") } return nil diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index fc1fdbfbfaa..244ac32f49a 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
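Review bot: `reportOnConfigIgnoreEntriesAction` now dispatches on the message text itself, `if action == "has been updated to ignore"`, so the natural-language `action` argument doubles as a mode switch and any rewording at the call site in osvscanner.go silently selects the wrong output format. A named constant shared by both sites, `const actionUpdatedToIgnore = "has been updated to ignore"`, or better a separate `listEntries bool` parameter, keeps the two concerns apart. With the helper now used for added ignores as well, the `unusedIgnoreEntries` parameter name is misleading; `entries` fits all three callers. The other two hunks in this file are the corresponding call-site renames.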
@@ -396,22 +396,12 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) // - p: might be a better UX to present the vulns we're ignoring // - c: filtering removes vulns from results, so need to account for that if actions.UpdateConfigIgnores == "all" { - ignoreCounts, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) + ignoreEntries, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) // for once, we do this before checking the error as we might have successfully // updated some configs before hitting an error saving, if running recursively - if len(ignoreCounts) != 0 { - configFiles := slices.Collect(maps.Keys(ignoreCounts)) - slices.Sort(configFiles) - - for _, configFile := range configFiles { - cmdlogger.Warnf( - "%s has been updated to ignore %d %s", - configFile, - ignoreCounts[configFile], - output.Form(ignoreCounts[configFile], "vulnerability", "vulnerabilities"), - ) - } + if len(ignoreEntries) != 0 { + reportOnConfigIgnoreEntriesAction(ignoreEntries, "has been updated to ignore") } if err != nil { From 47496f113cb87045fc34bb26499c205e19eb8cbc Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 09:54:38 +1300 Subject: [PATCH 40/43] fix: omit empty fields from package overrides --- .../source/__snapshots__/command_test.snap | 54 ------------------- internal/config/config.go | 18 +++---- 2 files changed, 9 insertions(+), 63 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index ded9d705294..d369277c7db 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -6018,16 +6018,7 @@ id = "GHSA-whgm-jr23-g3j9" [[PackageOverrides]] name = "ajv" -version = "" -ecosystem = "" -group = "" ignore = true -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = false -[PackageOverrides.license] -ignore = false --- @@ -6185,16 +6176,7 @@ id = "GHSA-whgm-jr23-g3j9" [[PackageOverrides]] name = "ajv" -version = "" -ecosystem = "" -group = "" ignore = true -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = false -[PackageOverrides.license] -ignore = false --- @@ -6412,16 +6394,7 @@ id = "GHSA-whgm-jr23-g3j9" [[PackageOverrides]] name = "ajv" -version = "" -ecosystem = "" -group = "" ignore = true -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = false -[PackageOverrides.license] -ignore = false --- @@ -7083,16 +7056,7 @@ IgnoredVulns = [] [[PackageOverrides]] name = "ajv" -version = "" -ecosystem = "" -group = "" ignore = true -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = false -[PackageOverrides.license] -ignore = false --- @@ -7295,16 +7259,7 @@ IgnoredVulns = [] [[PackageOverrides]] name = "ajv" -version = "" -ecosystem = "" -group = "" ignore = true -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = false -[PackageOverrides.license] -ignore = false --- @@ -7513,16 +7468,7 @@ IgnoredVulns = [] [[PackageOverrides]] name = "ajv" -version = "" -ecosystem = "" -group = "" ignore = true -effectiveUntil = 0001-01-01T00:00:00Z -reason = "" -[PackageOverrides.vulnerability] -ignore = false -[PackageOverrides.license] -ignore = false --- diff --git a/internal/config/config.go b/internal/config/config.go index 904bd99267b..0e90d2e34d7 100644 --- a/internal/config/config.go +++ b/internal/config/config.go 
@@ -38,16 +38,16 @@ func (ie *IgnoreEntry) MarkAsUsed() { } type PackageOverrideEntry struct { - Name string `toml:"name"` + Name string `toml:"name,omitempty"` // If the version is empty, the entry applies to all versions. - Version string `toml:"version"` - Ecosystem string `toml:"ecosystem"` - Group string `toml:"group"` - Ignore bool `toml:"ignore"` - Vulnerability Vulnerability `toml:"vulnerability"` - License License `toml:"license"` - EffectiveUntil time.Time `toml:"effectiveUntil"` - Reason string `toml:"reason"` + Version string `toml:"version,omitempty"` + Ecosystem string `toml:"ecosystem,omitempty"` + Group string `toml:"group,omitempty"` + Ignore bool `toml:"ignore,omitempty"` + Vulnerability Vulnerability `toml:"vulnerability,omitempty"` + License License `toml:"license,omitempty"` + EffectiveUntil time.Time `toml:"effectiveUntil,omitempty"` + Reason string `toml:"reason,omitempty"` } func (e PackageOverrideEntry) matches(pkg *extractor.Package) bool { From 7641656c1571938a13e7850ca5c3af802230232d Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 09:56:48 +1300 Subject: [PATCH 41/43] fix: omit ignored vulns and package overrides entirely if empty --- .../scan/source/__snapshots__/command_test.snap | 7 ------- internal/config/config.go | 4 ++-- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index d369277c7db..65a3d204574 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -7052,8 +7052,6 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/deep - 7] -IgnoredVulns = [] - [[PackageOverrides]] name = "ajv" ignore = true 
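Review bot: Adding `omitempty` to every `PackageOverrideEntry` field is round-trip safe only because each omitted field decodes back to the zero value the scanner already treats as "not set" (`Ignore bool` to false, `EffectiveUntil` to the zero time, the nested `Vulnerability` and `License` tables to their zero structs, as the removed `ignore = false` lines in the snapshot hunks show); that invariant is what makes it safe for the scanner to write a config back, and it is nowhere stated. A comment on the struct would protect it, e.g. `// Zero-valued fields are omitted when the config is written back, so the zero value of every field must mean "not set" on load.` The existing `// If the version is empty, the entry applies to all versions.` line already documents one instance of that rule.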
@@ -7255,8 +7253,6 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_no_configs - 7] -IgnoredVulns = [] - [[PackageOverrides]] name = "ajv" ignore = true @@ -7464,8 +7460,6 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_Unused/deep_with_removed_config - 7] -IgnoredVulns = [] - [[PackageOverrides]] name = "ajv" ignore = true @@ -7801,7 +7795,6 @@ lockfile:/package-lock.json: found 1 package with issues --- [TestCommand_UpdateConfigIgnores_Unused/global_config_shallow - 4] -IgnoredVulns = [] GoVersionOverride = "1.20.0" --- diff --git a/internal/config/config.go b/internal/config/config.go index 0e90d2e34d7..e5680ec1cdb 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -17,8 +17,8 @@ import ( var OSVScannerConfigName = "osv-scanner.toml" type Config struct { - IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns"` - PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides"` + IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns,omitempty"` + PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides,omitempty"` GoVersionOverride string `toml:"GoVersionOverride,omitempty"` // The path to config file that this config was loaded from, // set by the scanner after having successfully parsed the file From 7e4942aeb535200ba28872b4209b258751321496 Mon Sep 17 00:00:00 2001 From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 09:57:41 +1300 Subject: [PATCH 42/43] fix: reorder top level `Config` fields --- .../source/__snapshots__/command_test.snap | 18 +++++++++--------- internal/config/config.go | 4 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 65a3d204574..6cabd9e46c9 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -6013,13 +6013,13 @@ id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores_All/deep - 7] -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" - [[PackageOverrides]] name = "ajv" ignore = true +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + --- [TestCommand_UpdateConfigIgnores_All/deep - 8] @@ -6171,13 +6171,13 @@ id = "GHSA-2g4f-4pwh-qvx6" --- [TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 7] -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" - [[PackageOverrides]] name = "ajv" ignore = true +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + --- [TestCommand_UpdateConfigIgnores_All/deep_with_no_configs - 8] @@ -6389,13 +6389,13 @@ id = "GHSA-whgm-jr23-g3j9" --- [TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 7] -[[IgnoredVulns]] -id = "GHSA-whgm-jr23-g3j9" - [[PackageOverrides]] name = "ajv" ignore = true +[[IgnoredVulns]] +id = "GHSA-whgm-jr23-g3j9" + --- [TestCommand_UpdateConfigIgnores_All/deep_with_removed_config - 8] diff --git a/internal/config/config.go b/internal/config/config.go index e5680ec1cdb..c905070ec9b 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -17,9 +17,9 @@ import ( var OSVScannerConfigName = "osv-scanner.toml" type Config struct { - IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns,omitempty"` - PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides,omitempty"` GoVersionOverride string `toml:"GoVersionOverride,omitempty"` + PackageOverrides []PackageOverrideEntry `toml:"PackageOverrides,omitempty"` + IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns,omitempty"` // The path to config file that this config was loaded from, // set by the scanner after having successfully parsed the file LoadPath string `toml:"-"` From 0ba5d861619388d2a096b304248fd645f729a72c Mon Sep 17 00:00:00 2001 
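Review bot: After this reorder the struct field order is what fixes the layout of every config the scanner writes back (the snapshot hunks show `[[PackageOverrides]]` now preceding `[[IgnoredVulns]]`), so the order has become part of the file format rather than a cosmetic choice. A one-line comment on `Config`, `// Field order determines the order of tables in the written config file.`, would stop a later tidy-up from reshuffling it.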
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com> Date: Wed, 11 Mar 2026 10:17:57 +1300 Subject: [PATCH 43/43] feat: don't filter when ignoring all vulns --- .../source/__snapshots__/command_test.snap | 93 +++++++++---------- pkg/osvscanner/osvscanner.go | 32 +++---- 2 files changed, 61 insertions(+), 64 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 6cabd9e46c9..16795ce4f44 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -5895,17 +5895,9 @@ Filtered 2 ignored package/s from the scan. /nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities /nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability /osv-scanner-test.toml has been updated to ignore 2 vulnerabilities -CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 3 vulnerabilities from output -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -/nested-3/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -8 vulnerabilities can be fixed. +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. RubyGems 
@@ -5919,7 +5911,7 @@ lockfile:/Gemfile.lock: found 1 package with issues npm -lockfile:/nested-1/package-lock.json: found 2 packages with issues +lockfile:/nested-1/package-lock.json: found 3 packages with issues ajv@6.0.0 has the following known vulnerabilities: GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option @@ -5929,19 +5921,27 @@ lockfile:/nested-1/package-lock.json: found 2 packages with issues ajv@8.0.0 has the following known vulnerabilities: GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option Severity: '5.5'; Minimal Fix Version: '8.18.0'; + ansi-html@0.0.1 has the following known vulnerabilities: + GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html + Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 3 known vulnerabilities found in lockfile:/nested-1/package-lock.json + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json -lockfile:/nested-2/package-lock.json: found 2 packages with issues +lockfile:/nested-2/package-lock.json: found 3 packages with issues ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json lockfile:/nested-3/package-lock.json: found 1 package with issues 
@@ -6072,8 +6072,6 @@ Package npm/ajv/6.0.0 has been filtered out because: (no reason given) Package npm/ajv/8.0.0 has been filtered out because: (no reason given) Filtered 2 ignored package/s from the scan. /nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability -/nested-3/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. @@ -6277,16 +6275,9 @@ Filtered 2 ignored package/s from the scan. /nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities /nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability /osv-scanner-test.toml has been updated to ignore 2 vulnerabilities -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 2 vulnerabilities from output -/nested-2/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -/nested-3/osv-scanner-test.toml has unused ignores: - - GHSA-2g4f-4pwh-qvx6 -Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -9 vulnerabilities can be fixed. +Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +11 vulnerabilities can be fixed. RubyGems 
@@ -6316,16 +6307,21 @@ lockfile:/nested-1/package-lock.json: found 3 packages with issues 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json -lockfile:/nested-2/package-lock.json: found 2 packages with issues +lockfile:/nested-2/package-lock.json: found 3 packages with issues ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json lockfile:/nested-3/package-lock.json: found 1 package with issues 
@@ -6460,18 +6456,9 @@ Scanned /nested-3/package-lock.json file and found 3 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. /custom-config.toml has been updated to ignore 4 vulnerabilities -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given) -Filtered 6 vulnerabilities from output -/custom-config.toml has unused ignores: - - CVE-123-456-789 -Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. -8 vulnerabilities can be fixed. +Total 11 packages affected by 14 known vulnerabilities (0 Critical, 4 High, 10 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +14 vulnerabilities can be fixed. RubyGems 
@@ -6485,38 +6472,53 @@ lockfile:/Gemfile.lock: found 1 package with issues npm -lockfile:/nested-1/package-lock.json: found 2 packages with issues +lockfile:/nested-1/package-lock.json: found 3 packages with issues ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 2 known vulnerabilities found in lockfile:/nested-1/package-lock.json + 4 known vulnerabilities found in lockfile:/nested-1/package-lock.json -lockfile:/nested-2/package-lock.json: found 2 packages with issues +lockfile:/nested-2/package-lock.json: found 3 packages with issues ajv@6.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 2 known vulnerabilities found in lockfile:/nested-2/package-lock.json + 4 known vulnerabilities found in lockfile:/nested-2/package-lock.json -lockfile:/nested-3/package-lock.json: found 2 packages with issues +lockfile:/nested-3/package-lock.json: found 3 packages with issues ajv@6.0.0 has the following 
known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '6.14.0'; GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv Severity: '5.6'; Minimal Fix Version: '6.12.3'; + ajv@8.0.0 has the following known vulnerabilities: + GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option + Severity: '5.5'; Minimal Fix Version: '8.18.0'; ansi-html@0.0.1 has the following known vulnerabilities: GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html Severity: '7.5'; Minimal Fix Version: '0.0.8'; - 2 known vulnerabilities found in lockfile:/nested-3/package-lock.json + 4 known vulnerabilities found in lockfile:/nested-3/package-lock.json lockfile:/package-lock.json: found 1 package with issues @@ -6619,9 +6621,6 @@ Scanned /composer.lock file and found 0 packages Scanned /package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. /custom-config.toml has been updated to ignore 2 vulnerabilities -/custom-config.toml has unused ignores: - - CVE-123-456-789 - - GHSA-2g4f-4pwh-qvx6 Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 244ac32f49a..d3c8a24fddb 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
@@ -391,10 +391,8 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult) } - // todo: consider moving this after filtering - // - p: should allow deduplicating some logic - // - p: might be a better UX to present the vulns we're ignoring - // - c: filtering removes vulns from results, so need to account for that + // we skip filtering vulns if we're going to ignore everything, + // as the output will serve as a list of what actually got ignored if actions.UpdateConfigIgnores == "all" { ignoreEntries, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager) @@ -407,21 +405,21 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) if err != nil { return models.VulnerabilityResults{}, err } - } - - filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) - if filtered > 0 { - cmdlogger.Infof( - "Filtered %d %s from output", - filtered, - output.Form(filtered, "vulnerability", "vulnerabilities"), - ) - } + } else { + filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages) + if filtered > 0 { + cmdlogger.Infof( + "Filtered %d %s from output", + filtered, + output.Form(filtered, "vulnerability", "vulnerabilities"), + ) + } - err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused") + err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused") - if err != nil { - return models.VulnerabilityResults{}, err + if err != nil { + return models.VulnerabilityResults{}, err + } } return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
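Review bot: Moving `handleUnusedIgnoreEntries` into the new `else` branch means the unused-ignore report is no longer produced at all when `actions.UpdateConfigIgnores == "all"` (the snapshot hunks above show the `has unused ignores` lines disappearing), but the added comment only explains why filtering is skipped, not why that check is too. Presumably entries are marked used only inside `filterResults`, so running the check without filtering would flag every entry as unused, but a reader has to infer that; extend the comment to `// the unused-ignore check is skipped too: entries are only marked used by filterResults, so stale entries are not reported in this mode`. Because the results stay unfiltered on that path, `determineReturnErr` sees every finding that was just written into the config; if it fails on any listed vulnerability the run exits non-zero immediately after suppressing everything, which is arguably the right outcome for a run that writes blanket suppressions but should be confirmed and stated in the comment. finalizeScanResult begins before the first hunk and the lines between the two hunks are not shown.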