From 0c8192c3e72292daec76c424093966c149548f81 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 23:29:19 +0000 Subject: [PATCH 01/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, scripts, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .github/workflows/checks.yml | 90 ----------------------- .github/workflows/tests.yml | 138 +++++++++++++++++++++++++++++++++++ 2 files changed, 138 insertions(+), 90 deletions(-) create mode 100644 .github/workflows/tests.yml diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 20074881d35..da04536f9ad 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
@@ -97,93 +97,3 @@ jobs: check-latest: true - name: Run lint action uses: ./.github/workflows/lint-action - prepare_test_image_testdata: - permissions: - contents: read # to fetch code (actions/checkout) - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - run: scripts/build_test_images.sh - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} - path: cmd/osv-scanner/scan/image/testdata/*.tar - retention-days: 1 - tests: - permissions: - contents: read # to fetch code (actions/checkout) - needs: - - prepare_test_image_testdata - name: Run unit tests - strategy: - fail-fast: false - matrix: - os: [ubuntu-latest, macos-latest, windows-latest] - runs-on: ${{ matrix.os }} - steps: - - name: Check out code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - pattern: image-testdata-${{ github.run_number }}-* - path: cmd/osv-scanner/scan/image/testdata/ - - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 - with: - go-version-file: "go.mod" - check-latest: true - - name: Run test action - uses: ./.github/workflows/test-action - with: - codecov_token: ${{ secrets.CODECOV_TOKEN }} - docker: - permissions: - contents: read # to fetch code (actions/checkout) - runs-on: ubuntu-latest - env: - # Required for buildx on docker 19.x - DOCKER_CLI_EXPERIMENTAL: "enabled" - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 - with: - go-version-file: "go.mod" - check-latest: true - - uses: 
docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Run GoReleaser - id: run-goreleaser - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 - with: - distribution: goreleaser - version: "~> v2" - args: release --clean --snapshot - - env: - ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }} - run: | - echo "$ARTIFACTS" > output.json - jq -r '.[] | select( - .type == "Docker Image" and - .goarch == "amd64" and - .goos == "linux" and - .extra.DockerConfig.dockerfile == "goreleaser.dockerfile" - ) | .name' output.json | while read -r image; do - echo "Testing image $image" - - exit_code=0 - docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$? - - # fail if we get a non-zero exit code other than "vulnerabilities were found" - if [[ $exit_code -ne 0 && $exit_code -ne 1 ]]; then - exit $exit_code - fi - done diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 00000000000..3631377e871 --- /dev/null +++ b/.github/workflows/tests.yml 
@@ -0,0 +1,138 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Tests + +on: + push: + branches: ["main", "v1", "mcp"] + paths-ignore: + - '**/*.md' + - 'docs/**' + - '.github/workflows/*' + - '!.github/workflows/tests.yml' + - '!.github/workflows/test-action/**' + - 'scripts/**' + pull_request: + # The branches below must be a subset of the branches above + branches: ["main", "v1", "mcp"] + paths-ignore: + - '**/*.md' + - 'docs/**' + - '.github/workflows/*' + - '!.github/workflows/tests.yml' + - '!.github/workflows/test-action/**' + - 'scripts/**' + workflow_dispatch: + +concurrency: + # Pushing new changes to a branch will cancel any in-progress CI runs + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +# Restrict jobs in this workflow to have no permissions by default; permissions +# should be granted per job as needed using a dedicated `permissions` block +permissions: {} + +jobs: + prepare_test_image_testdata: + permissions: + contents: read # to fetch code (actions/checkout) + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - run: scripts/build_test_images.sh + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} + path: cmd/osv-scanner/scan/image/testdata/*.tar + 
retention-days: 1 + tests: + permissions: + contents: read # to fetch code (actions/checkout) + needs: + - prepare_test_image_testdata + name: Run unit tests + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + runs-on: ${{ matrix.os }} + steps: + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + pattern: image-testdata-${{ github.run_number }}-* + path: cmd/osv-scanner/scan/image/testdata/ + - name: Set up Go + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + with: + go-version-file: "go.mod" + check-latest: true + - name: Run test action + uses: ./.github/workflows/test-action + with: + codecov_token: ${{ secrets.CODECOV_TOKEN }} + docker: + permissions: + contents: read # to fetch code (actions/checkout) + runs-on: ubuntu-latest + env: + # Required for buildx on docker 19.x + DOCKER_CLI_EXPERIMENTAL: "enabled" + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - name: Set up Go + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + with: + go-version-file: "go.mod" + check-latest: true + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + - name: Run GoReleaser + id: run-goreleaser + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 + with: + distribution: goreleaser + version: "~> v2" + args: release --clean --snapshot + - env: + ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }} + run: | + echo "$ARTIFACTS" > output.json + jq -r '.[] | select( + .type == "Docker Image" and + .goarch == "amd64" and + .goos == "linux" and + .extra.DockerConfig.dockerfile == 
"goreleaser.dockerfile" + ) | .name' output.json | while read -r image; do + echo "Testing image $image" + + exit_code=0 + docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$? + + # fail if we get a non-zero exit code other than "vulnerabilities were found" + if [[ $exit_code -ne 0 && $exit_code -ne 1 ]]; then + exit $exit_code + fi + done From c6866cd215d513a3066459207549c9f3aa87ecdc Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 23:38:33 +0000 Subject: [PATCH 02/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, scripts, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .github/workflows/tests.yml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 3631377e871..794cf4be541 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -18,22 +18,22 @@ on: push: branches: ["main", "v1", "mcp"] paths-ignore: - - '**/*.md' - - 'docs/**' - - '.github/workflows/*' - - '!.github/workflows/tests.yml' - - '!.github/workflows/test-action/**' - - 'scripts/**' + - "**/*.md" + - "docs/**" + - ".github/workflows/*" + - "!.github/workflows/tests.yml" + - "!.github/workflows/test-action/**" + - "scripts/**" pull_request: # The branches below must be a subset of the branches above branches: ["main", "v1", "mcp"] paths-ignore: - - '**/*.md' - - 'docs/**' - - '.github/workflows/*' - - '!.github/workflows/tests.yml' - - '!.github/workflows/test-action/**' - - 'scripts/**' + - "**/*.md" + - "docs/**" + - ".github/workflows/*" + - "!.github/workflows/tests.yml" + - "!.github/workflows/test-action/**" + - "scripts/**" workflow_dispatch: concurrency: @@ -102,11 +102,13 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true + cache: false - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Run GoReleaser From 59dce7cdc9aad2059bcf045c0c10843597de1f7d Mon Sep 17 00:00:00 2001 
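Review bot: `persist-credentials: false` and `cache: false` are added to the `docker` job with no comment explaining why, so the only record of the reasoning is the commit message, and the next person who notices the slower Go build on this job has nothing in the file telling them not to re-enable the cache. Attach a why-comment to each line, e.g. `persist-credentials: false # the --snapshot release never pushes; do not leave the token in .git/config` and `cache: false # this job builds release-style artifacts; a restored cache must not feed them (zizmor cache-poisoning finding)`. The enclosing `docker` job begins and ends outside the hunk.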
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 02:37:14 +0000 Subject: [PATCH 03/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .github/workflows/tests.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 794cf4be541..774fb1f3426 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -23,7 +23,6 @@ on: - ".github/workflows/*" - "!.github/workflows/tests.yml" - "!.github/workflows/test-action/**" - - "scripts/**" pull_request: # The branches below must be a subset of the branches above branches: ["main", "v1", "mcp"] @@ -33,7 +32,6 @@ on: - ".github/workflows/*" - "!.github/workflows/tests.yml" - "!.github/workflows/test-action/**" - - "scripts/**" workflow_dispatch: concurrency: From 1c461349e4db534e0092719a8603bb0c36776ea9 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 03:03:59 +0000 Subject: [PATCH 04/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Fixed out-of-date test snapshots that were causing CI failures. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .../scan/source/__snapshots__/command_test.snap | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 753171a74f8..959ee2f946e 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -897,7 +897,7 @@ Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 10 local/unscannable package/s from the scan. -Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 56 Medium, 3 Low, 24 Unknown) from 4 ecosystems. +Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 56 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ 
@@ -1109,7 +1109,7 @@ Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2156,7 +2156,7 @@ Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 55 Medium, 3 Low, 24 Unknown) from 4 ecosystems. +Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 55 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ 
@@ -2360,7 +2360,7 @@ Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2387,7 +2387,7 @@ Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 3 Low, 24 Unknown) from 3 ecosystems. +Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 4 Low, 23 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ 
@@ -2585,7 +2585,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -3356,7 +3356,7 @@ Warning: plugin transitivedependency/pomxml can be risky when run on untrusted a Scanned /testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +Total 1 package affected by 40 known vulnerabilities (4 Critical, 16 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ 
@@ -3393,7 +3393,7 @@ Total 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Me | https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-68160 | 4.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | From cb13cbdcae0fc6fa4cb14693a64db0db542932f5 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 03:25:23 +0000 Subject: [PATCH 05/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Fixed out-of-date test snapshots and updated VCR cassettes that were causing CI failures. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .../source/__snapshots__/command_test.snap | 56 ++++- .../testdata/cassettes/TestCommand.yaml | 120 ++++++----- .../cassettes/TestCommand_CallAnalysis.yaml | 12 +- .../TestCommand_Config_UnusedIgnores.yaml | 52 +++-- .../cassettes/TestCommand_GithubActions.yaml | 194 +++++++++++++++--- 5 files changed, 331 insertions(+), 103 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 959ee2f946e..2c7ca134391 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -897,7 +897,7 @@ Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 10 local/unscannable package/s from the scan. -Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 56 Medium, 4 Low, 23 Unknown) from 4 ecosystems. +Total 26 packages affected by 184 known vulnerabilities (20 Critical, 78 High, 57 Medium, 5 Low, 24 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -1094,6 +1094,7 @@ Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -1109,10 +1110,12 @@ Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- 
@@ -1616,8 +1619,8 @@ Scanned /testdata/locks-requirements/requirements.txt file and found 3 Scanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package Scanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages -Total 12 packages affected by 50 known vulnerabilities (5 Critical, 20 High, 20 Medium, 4 Low, 1 Unknown) from 1 ecosystem. -50 vulnerabilities can be fixed. +Total 12 packages affected by 52 known vulnerabilities (5 Critical, 20 High, 22 Medium, 4 Low, 1 Unknown) from 1 ecosystem. +52 vulnerabilities can be fixed. +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -1641,6 +1644,7 @@ Total 12 packages affected by 50 known vulnerabilities (5 Critical, 20 High, 20 | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements-transitive.txt | +| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 | 2.2.25 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | | | https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt | 
@@ -1678,6 +1682,7 @@ Total 12 packages affected by 50 known vulnerabilities (5 Critical, 20 High, 20 | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/unresolvable-requirements.txt | @@ -2156,7 +2161,7 @@ Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 55 Medium, 4 Low, 23 Unknown) from 4 ecosystems. +Total 24 packages affected by 178 known vulnerabilities (20 Critical, 73 High, 56 Medium, 5 Low, 24 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ 
@@ -2345,6 +2350,7 @@ Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2360,10 +2366,12 @@ Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- 
@@ -2387,7 +2395,7 @@ Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 4 Low, 23 Unknown) from 3 ecosystems. +Total 22 packages affected by 172 known vulnerabilities (18 Critical, 71 High, 54 Medium, 5 Low, 24 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -2570,6 +2578,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2585,10 +2594,12 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- 
@@ -3356,14 +3367,41 @@ Warning: plugin transitivedependency/pomxml can be risky when run on untrusted a Scanned /testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 1 package affected by 40 known vulnerabilities (4 Critical, 16 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +Total 1 package affected by 73 known vulnerabilities (8 Critical, 31 High, 32 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ +| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| 
https://osv.dev/CVE-2016-2106 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2016-2177 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2016-2182 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | 
testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-2274 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-3358 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-3996 | 7.5 | GIT | github.com/openssl/openssl | 
openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | 
@@ -3387,21 +3425,27 @@ Total 1 package affected by 40 known vulnerabilities (4 Critical, 16 High, 20 Me | https://osv.dev/CVE-2023-5678 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-6129 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-6237 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-13176 | 4.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-2511 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-4603 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-15467 | 8.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2025-4575 | 6.5 | 
GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-68160 | 4.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69420 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-9230 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ --- 
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index 8a33739c19a..eae04b0d8b0 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -366,7 +366,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-02-04T04:23:04.020664Z" + "modified": "2026-03-24T23:48:06.694170Z" }, { "id": "GO-2025-3563", @@ -382,7 +382,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-02-04T02:26:50.866679Z" + "modified": "2026-03-24T23:55:13.286144Z" }, { "id": "GO-2025-3956", @@ -422,7 +422,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-03-23T10:29:12.189807Z" + "modified": "2026-04-04T10:29:23.225210Z" }, { "id": "GO-2025-4015", @@ -430,7 +430,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-03-23T10:29:12.451671Z" + "modified": "2026-04-04T10:29:23.487831Z" }, { "id": "GO-2025-4175", @@ -438,7 +438,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-03-20T10:43:57.595965Z" + "modified": "2026-04-04T10:29:23.753183Z" }, { "id": "GO-2026-4340", @@ -446,11 +446,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-03-23T10:29:12.350209Z" + "modified": "2026-04-04T10:29:23.387166Z" }, { "id": "GO-2026-4342", - "modified": "2026-03-17T10:28:56.226379Z" + "modified": "2026-04-04T10:29:23.020657Z" }, { "id": "GO-2026-4403", @@ -458,7 +458,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-03-10T10:43:54.660319Z" + "modified": "2026-04-02T13:44:28.715638Z" }, { "id": "GO-2026-4602", @@ -580,7 +580,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-02-04T04:23:04.020664Z" + "modified": "2026-03-24T23:48:06.694170Z" }, { "id": "GO-2025-3563", 
@@ -596,7 +596,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-02-04T02:26:50.866679Z" + "modified": "2026-03-24T23:55:13.286144Z" }, { "id": "GO-2025-3956", @@ -636,7 +636,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-03-23T10:29:12.189807Z" + "modified": "2026-04-04T10:29:23.225210Z" }, { "id": "GO-2025-4015", @@ -644,7 +644,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-03-23T10:29:12.451671Z" + "modified": "2026-04-04T10:29:23.487831Z" }, { "id": "GO-2025-4175", @@ -652,7 +652,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-03-20T10:43:57.595965Z" + "modified": "2026-04-04T10:29:23.753183Z" }, { "id": "GO-2026-4340", @@ -660,11 +660,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-03-23T10:29:12.350209Z" + "modified": "2026-04-04T10:29:23.387166Z" }, { "id": "GO-2026-4342", - "modified": "2026-03-17T10:28:56.226379Z" + "modified": "2026-04-04T10:29:23.020657Z" }, { "id": "GO-2026-4403", @@ -672,7 +672,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-03-10T10:43:54.660319Z" + "modified": "2026-04-02T13:44:28.715638Z" }, { "id": "GO-2026-4602", @@ -744,7 +744,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-02-04T04:23:04.020664Z" + "modified": "2026-03-24T23:48:06.694170Z" }, { "id": "GO-2025-3563", @@ -760,7 +760,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-02-04T02:26:50.866679Z" + "modified": "2026-03-24T23:55:13.286144Z" }, { "id": "GO-2025-3956", @@ -800,7 +800,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-03-23T10:29:12.189807Z" + "modified": "2026-04-04T10:29:23.225210Z" }, { "id": "GO-2025-4015", @@ -808,7 +808,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-03-23T10:29:12.451671Z" + "modified": "2026-04-04T10:29:23.487831Z" }, { "id": "GO-2025-4175", 
@@ -816,7 +816,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-03-20T10:43:57.595965Z" + "modified": "2026-04-04T10:29:23.753183Z" }, { "id": "GO-2026-4340", @@ -824,11 +824,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-03-23T10:29:12.350209Z" + "modified": "2026-04-04T10:29:23.387166Z" }, { "id": "GO-2026-4342", - "modified": "2026-03-17T10:28:56.226379Z" + "modified": "2026-04-04T10:29:23.020657Z" }, { "id": "GO-2026-4403", @@ -836,7 +836,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-03-10T10:43:54.660319Z" + "modified": "2026-04-02T13:44:28.715638Z" }, { "id": "GO-2026-4602", @@ -951,7 +951,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-02-04T04:23:04.020664Z" + "modified": "2026-03-24T23:48:06.694170Z" }, { "id": "GO-2025-3563", @@ -967,7 +967,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-02-04T02:26:50.866679Z" + "modified": "2026-03-24T23:55:13.286144Z" }, { "id": "GO-2025-3956", @@ -1007,7 +1007,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-03-23T10:29:12.189807Z" + "modified": "2026-04-04T10:29:23.225210Z" }, { "id": "GO-2025-4015", @@ -1015,7 +1015,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-03-23T10:29:12.451671Z" + "modified": "2026-04-04T10:29:23.487831Z" }, { "id": "GO-2025-4175", @@ -1023,7 +1023,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-03-20T10:43:57.595965Z" + "modified": "2026-04-04T10:29:23.753183Z" }, { "id": "GO-2026-4340", @@ -1031,11 +1031,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-03-23T10:29:12.350209Z" + "modified": "2026-04-04T10:29:23.387166Z" }, { "id": "GO-2026-4342", - "modified": "2026-03-17T10:28:56.226379Z" + "modified": "2026-04-04T10:29:23.020657Z" }, { "id": "GO-2026-4403", 
@@ -1043,7 +1043,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-03-10T10:43:54.660319Z" + "modified": "2026-04-02T13:44:28.715638Z" }, { "id": "GO-2026-4602", @@ -3600,7 +3600,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 22298 + content_length: 22513 body: | { "results": [ @@ -4273,19 +4273,19 @@ interactions: }, { "id": "DEBIAN-CVE-2026-0989", - "modified": "2026-01-16T11:05:07.928323Z" + "modified": "2026-03-27T10:02:52.786818Z" }, { "id": "DEBIAN-CVE-2026-0990", - "modified": "2026-01-16T11:05:23.527352Z" + "modified": "2026-03-27T10:02:55.759355Z" }, { "id": "DEBIAN-CVE-2026-0992", - "modified": "2026-01-16T11:05:10.515041Z" + "modified": "2026-03-27T10:02:35.574410Z" }, { "id": "DEBIAN-CVE-2026-1757", - "modified": "2026-02-03T11:16:44.779248Z" + "modified": "2026-03-27T10:02:04.914884Z" }, { "id": "DLA-3012-1", @@ -4934,6 +4934,10 @@ interactions: "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, + { + "id": "DEBIAN-CVE-2026-5704", + "modified": "2026-04-06T22:00:20.522062Z" + }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" @@ -5030,9 +5034,13 @@ interactions: "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, + { + "id": "DEBIAN-CVE-2026-27456", + "modified": "2026-04-04T10:03:13.427021Z" + }, { "id": "DEBIAN-CVE-2026-3184", - "modified": "2026-02-26T09:30:44.219098Z" + "modified": "2026-04-04T10:03:07.405618Z" }, { "id": "DLA-3782-1", @@ -5062,6 +5070,10 @@ interactions: "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, + { + "id": "DEBIAN-CVE-2026-34743", + "modified": "2026-04-03T10:03:21.198279Z" + }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" @@ -5118,7 +5130,7 @@ interactions: } headers: Content-Length: - - "22298" + - "22513" Content-Type: - application/json status: 200 OK 
@@ -5219,7 +5231,7 @@ interactions: "vulns": [ { "id": "GO-2025-3849", - "modified": "2026-02-04T02:26:50.866679Z" + "modified": "2026-03-24T23:55:13.286144Z" }, { "id": "GO-2025-3956", @@ -5259,7 +5271,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-03-23T10:29:12.189807Z" + "modified": "2026-04-04T10:29:23.225210Z" }, { "id": "GO-2025-4015", @@ -5267,7 +5279,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-03-23T10:29:12.451671Z" + "modified": "2026-04-04T10:29:23.487831Z" }, { "id": "GO-2025-4175", @@ -5275,7 +5287,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-03-20T10:43:57.595965Z" + "modified": "2026-04-04T10:29:23.753183Z" }, { "id": "GO-2026-4340", @@ -5283,15 +5295,15 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-03-23T10:29:12.350209Z" + "modified": "2026-04-04T10:29:23.387166Z" }, { "id": "GO-2026-4342", - "modified": "2026-03-17T10:28:56.226379Z" + "modified": "2026-04-04T10:29:23.020657Z" }, { "id": "GO-2026-4601", - "modified": "2026-03-10T10:43:54.660319Z" + "modified": "2026-04-02T13:44:28.715638Z" }, { "id": "GO-2026-4602", @@ -5311,11 +5323,11 @@ interactions: }, { "id": "GO-2026-4339", - "modified": "2026-02-04T04:20:19.626029Z" + "modified": "2026-03-27T10:40:21.183038Z" }, { "id": "GO-2026-4433", - "modified": "2026-03-02T10:44:08.411132Z" + "modified": "2026-04-04T10:29:23.122159Z" } ] } @@ -6914,7 +6926,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 4809 + content_length: 4949 body: | { "results": [ @@ -7005,6 +7017,10 @@ interactions: "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, + { + "id": "GHSA-gc5v-m9x4-r6x2", + "modified": "2026-03-27T22:17:33.595885Z" + }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" 
@@ -7169,6 +7185,10 @@ interactions: "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, + { + "id": "GHSA-gc5v-m9x4-r6x2", + "modified": "2026-03-27T22:17:33.595885Z" + }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" @@ -7244,7 +7264,7 @@ interactions: } headers: Content-Length: - - "4809" + - "4949" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml index 163c05b99db..42854269ca2 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml @@ -44,7 +44,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 798 + content_length: 931 body: | { "results": [ @@ -74,6 +74,10 @@ interactions: }, { "vulns": [ + { + "id": "GHSA-44p7-9xx4-hf2g", + "modified": "2026-03-30T22:29:16.268586Z" + }, { "id": "GHSA-9phm-fm57-rhg8", "modified": "2026-02-04T03:56:37.185672Z" @@ -105,6 +109,10 @@ interactions: { "id": "GO-2024-2937", "modified": "2026-02-04T03:54:25.251608Z" + }, + { + "id": "GO-2026-4815", + "modified": "2026-04-06T21:15:14.818900Z" } ] } @@ -112,7 +120,7 @@ interactions: } headers: Content-Length: - - "798" + - "931" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml index 487902f1177..2d839e5c008 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml @@ -1408,7 +1408,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 22298 + content_length: 22513 body: | { "results": [ 
@@ -2081,19 +2081,19 @@ interactions: }, { "id": "DEBIAN-CVE-2026-0989", - "modified": "2026-01-16T11:05:07.928323Z" + "modified": "2026-03-27T10:02:52.786818Z" }, { "id": "DEBIAN-CVE-2026-0990", - "modified": "2026-01-16T11:05:23.527352Z" + "modified": "2026-03-27T10:02:55.759355Z" }, { "id": "DEBIAN-CVE-2026-0992", - "modified": "2026-01-16T11:05:10.515041Z" + "modified": "2026-03-27T10:02:35.574410Z" }, { "id": "DEBIAN-CVE-2026-1757", - "modified": "2026-02-03T11:16:44.779248Z" + "modified": "2026-03-27T10:02:04.914884Z" }, { "id": "DLA-3012-1", @@ -2742,6 +2742,10 @@ interactions: "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, + { + "id": "DEBIAN-CVE-2026-5704", + "modified": "2026-04-06T22:00:20.522062Z" + }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" @@ -2838,9 +2842,13 @@ interactions: "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, + { + "id": "DEBIAN-CVE-2026-27456", + "modified": "2026-04-04T10:03:13.427021Z" + }, { "id": "DEBIAN-CVE-2026-3184", - "modified": "2026-02-26T09:30:44.219098Z" + "modified": "2026-04-04T10:03:07.405618Z" }, { "id": "DLA-3782-1", @@ -2870,6 +2878,10 @@ interactions: "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, + { + "id": "DEBIAN-CVE-2026-34743", + "modified": "2026-04-03T10:03:21.198279Z" + }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" @@ -2926,7 +2938,7 @@ interactions: } headers: Content-Length: - - "22298" + - "22513" Content-Type: - application/json status: 200 OK @@ -3997,7 +4009,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 21542 + content_length: 21757 body: | { "results": [ 
@@ -4638,19 +4650,19 @@ interactions: }, { "id": "DEBIAN-CVE-2026-0989", - "modified": "2026-01-16T11:05:07.928323Z" + "modified": "2026-03-27T10:02:52.786818Z" }, { "id": "DEBIAN-CVE-2026-0990", - "modified": "2026-01-16T11:05:23.527352Z" + "modified": "2026-03-27T10:02:55.759355Z" }, { "id": "DEBIAN-CVE-2026-0992", - "modified": "2026-01-16T11:05:10.515041Z" + "modified": "2026-03-27T10:02:35.574410Z" }, { "id": "DEBIAN-CVE-2026-1757", - "modified": "2026-02-03T11:16:44.779248Z" + "modified": "2026-03-27T10:02:04.914884Z" }, { "id": "DLA-3012-1", @@ -5299,6 +5311,10 @@ interactions: "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, + { + "id": "DEBIAN-CVE-2026-5704", + "modified": "2026-04-06T22:00:20.522062Z" + }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" @@ -5395,9 +5411,13 @@ interactions: "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, + { + "id": "DEBIAN-CVE-2026-27456", + "modified": "2026-04-04T10:03:13.427021Z" + }, { "id": "DEBIAN-CVE-2026-3184", - "modified": "2026-02-26T09:30:44.219098Z" + "modified": "2026-04-04T10:03:07.405618Z" }, { "id": "DLA-3782-1", @@ -5427,6 +5447,10 @@ interactions: "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, + { + "id": "DEBIAN-CVE-2026-34743", + "modified": "2026-04-03T10:03:21.198279Z" + }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" @@ -5443,7 +5467,7 @@ interactions: } headers: Content-Length: - - "21542" + - "21757" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml index 78f71c69858..1a7550391b1 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml 
@@ -148,19 +148,127 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2593 + content_length: 4706 body: | { "results": [ { "vulns": [ + { + "id": "CVE-2016-0701", + "modified": "2026-04-01T23:26:39.451139Z" + }, + { + "id": "CVE-2016-0703", + "modified": "2026-04-01T23:26:24.342221Z" + }, + { + "id": "CVE-2016-0704", + "modified": "2026-04-01T23:26:24.349093Z" + }, + { + "id": "CVE-2016-0798", + "modified": "2026-04-01T23:30:03.342358Z" + }, + { + "id": "CVE-2016-0799", + "modified": "2026-04-01T23:29:08.132236Z" + }, + { + "id": "CVE-2016-0800", + "modified": "2026-04-01T23:29:55.194175Z" + }, + { + "id": "CVE-2016-2106", + "modified": "2026-04-01T23:36:11.824548Z" + }, + { + "id": "CVE-2016-2108", + "modified": "2026-04-01T23:36:14.552979Z" + }, + { + "id": "CVE-2016-2109", + "modified": "2026-04-01T23:36:09.516812Z" + }, + { + "id": "CVE-2016-2176", + "modified": "2026-04-01T23:36:25.131388Z" + }, { "id": "CVE-2016-2177", - "modified": "2026-03-15T22:22:35.782155Z" + "modified": "2026-04-01T23:36:20.413546Z" + }, + { + "id": "CVE-2016-2179", + "modified": "2026-04-01T23:36:17.896736Z" + }, + { + "id": "CVE-2016-2181", + "modified": "2026-04-01T23:36:29.127761Z" }, { "id": "CVE-2016-2182", - "modified": "2026-03-15T22:06:16.823524Z" + "modified": "2026-04-01T23:36:30.932915Z" + }, + { + "id": "CVE-2016-2842", + "modified": "2026-04-01T23:38:31.723546Z" + }, + { + "id": "CVE-2016-6302", + "modified": "2026-04-01T23:53:30.080722Z" + }, + { + "id": "CVE-2016-6305", + "modified": "2026-04-01T23:53:43.877761Z" + }, + { + "id": "CVE-2016-6307", + "modified": "2026-04-01T23:53:42.461031Z" + }, + { + "id": "CVE-2016-6308", + "modified": "2026-04-01T23:53:26.454277Z" + }, + { + "id": "CVE-2016-6309", + "modified": "2026-04-01T23:53:43.736712Z" + }, + { + "id": "CVE-2016-7053", + "modified": "2026-04-01T23:54:07.855301Z" + }, + { + "id": "CVE-2016-7056", + "modified": "2026-04-01T23:54:13.235667Z" + }, + { + "id": "CVE-2016-8610", + 
"modified": "2026-04-01T23:54:51.824504Z" + }, + { + "id": "CVE-2017-3730", + "modified": "2026-04-02T00:11:21.102504Z" + }, + { + "id": "CVE-2017-3733", + "modified": "2026-04-02T00:11:29.586943Z" + }, + { + "id": "CVE-2017-3735", + "modified": "2026-04-02T00:11:22.330095Z" + }, + { + "id": "CVE-2017-3737", + "modified": "2026-04-02T00:08:44.798469Z" + }, + { + "id": "CVE-2020-1968", + "modified": "2026-04-02T04:29:27.597946Z" + }, + { + "id": "CVE-2022-2097", + "modified": "2026-04-02T07:42:20.259535Z" }, { "id": "CVE-2022-2274", @@ -172,7 +280,7 @@ interactions: }, { "id": "CVE-2022-3996", - "modified": "2026-03-15T22:44:21.336918Z" + "modified": "2026-04-02T08:13:39.523587Z" }, { "id": "CVE-2022-4203", @@ -188,7 +296,7 @@ interactions: }, { "id": "CVE-2023-0215", - "modified": "2026-03-15T22:46:35.699581Z" + "modified": "2026-04-02T08:32:42.981492Z" }, { "id": "CVE-2023-0216", @@ -196,27 +304,27 @@ interactions: }, { "id": "CVE-2023-0217", - "modified": "2026-03-15T22:46:23.122521Z" + "modified": "2026-04-02T08:32:14.606159Z" }, { "id": "CVE-2023-0286", - "modified": "2026-03-23T05:08:02.726984Z" + "modified": "2026-04-02T08:32:43.026586Z" }, { "id": "CVE-2023-0401", - "modified": "2026-03-14T12:00:52.936954Z" + "modified": "2026-04-02T08:32:29.442023Z" }, { "id": "CVE-2023-0464", - "modified": "2026-03-23T05:01:38.442879Z" + "modified": "2026-04-02T08:33:05.745831Z" }, { "id": "CVE-2023-0465", - "modified": "2026-03-15T22:45:58.975327Z" + "modified": "2026-04-02T08:33:05.758811Z" }, { "id": "CVE-2023-0466", - "modified": "2026-03-15T22:46:04.107702Z" + "modified": "2026-04-02T08:33:05.761800Z" }, { "id": "CVE-2023-1255", 
@@ -224,15 +332,15 @@ interactions: }, { "id": "CVE-2023-2650", - "modified": "2026-03-23T05:00:34.487377Z" + "modified": "2026-04-02T08:51:31.735985Z" }, { "id": "CVE-2023-2975", - "modified": "2026-03-15T14:49:55.221034Z" + "modified": "2026-04-02T08:54:18.679841Z" }, { "id": "CVE-2023-3817", - "modified": "2026-03-15T22:45:38.616987Z" + "modified": "2026-04-02T09:08:17.588425Z" }, { "id": "CVE-2023-4807", @@ -240,47 +348,59 @@ interactions: }, { "id": "CVE-2023-5363", - "modified": "2026-03-15T22:49:01.513389Z" + "modified": "2026-04-02T09:46:04.662763Z" }, { "id": "CVE-2023-5678", - "modified": "2026-03-15T22:49:18.011924Z" + "modified": "2026-04-02T09:47:56.258535Z" }, { "id": "CVE-2023-6129", - "modified": "2026-03-15T21:45:17.017844Z" + "modified": "2026-04-02T09:47:11.223590Z" }, { "id": "CVE-2023-6237", - "modified": "2026-03-15T22:49:35.974149Z" + "modified": "2026-04-02T09:48:01.881441Z" + }, + { + "id": "CVE-2024-0727", + "modified": "2026-04-02T09:49:17.983670Z" }, { "id": "CVE-2024-13176", - "modified": "2026-03-23T05:00:52.882982Z" + "modified": "2026-04-02T09:59:53.877093Z" }, { "id": "CVE-2024-2511", - "modified": "2026-03-23T05:00:41.236875Z" + "modified": "2026-04-02T10:08:02.801311Z" }, { "id": "CVE-2024-4603", - "modified": "2026-03-23T05:09:27.414549Z" + "modified": "2026-04-02T12:21:16.410893Z" }, { "id": "CVE-2024-4741", - "modified": "2026-03-23T05:03:57.853457Z" + "modified": "2026-04-02T12:21:07.617700Z" }, { "id": "CVE-2024-5535", - "modified": "2026-03-23T05:10:32.616432Z" + "modified": "2026-04-02T12:28:22.047392Z" + }, + { + "id": "CVE-2024-6119", + "modified": "2026-04-02T12:26:17.322430Z" }, { "id": "CVE-2024-9143", - "modified": "2026-03-15T22:52:44.104304Z" + "modified": "2026-04-02T12:30:23.094298Z" }, { "id": "CVE-2025-15467", - "modified": "2026-03-23T05:02:57.782932Z" + "modified": "2026-04-02T12:34:51.332716Z" + }, + { + "id": "CVE-2025-4575", + "modified": "2026-04-02T12:48:51.065458Z" }, { "id": "CVE-2025-68160", 
@@ -288,23 +408,31 @@ interactions: }, { "id": "CVE-2025-69418", - "modified": "2026-03-23T05:03:12.246510Z" + "modified": "2026-04-02T13:05:42.562613Z" }, { "id": "CVE-2025-69419", - "modified": "2026-03-23T05:03:26.083494Z" + "modified": "2026-04-02T13:05:53.476082Z" }, { "id": "CVE-2025-69420", "modified": "2026-03-23T05:13:16.365472Z" }, + { + "id": "CVE-2025-69421", + "modified": "2026-04-02T13:05:42.582269Z" + }, { "id": "CVE-2025-9230", - "modified": "2026-03-23T05:00:34.923543Z" + "modified": "2026-04-02T13:07:48.305234Z" + }, + { + "id": "CVE-2025-9231", + "modified": "2026-04-02T13:07:41.821305Z" }, { "id": "CVE-2025-9232", - "modified": "2026-03-23T05:05:02.628675Z" + "modified": "2026-04-02T13:07:48.699162Z" }, { "id": "CVE-2026-22795", @@ -312,7 +440,11 @@ interactions: }, { "id": "CVE-2026-22796", - "modified": "2026-03-23T05:11:54.223561Z" + "modified": "2026-04-02T13:13:17.422878Z" + }, + { + "id": "CVE-2026-2673", + "modified": "2026-04-02T13:20:25.921852Z" } ] } @@ -320,7 +452,7 @@ interactions: } headers: Content-Length: - - "2593" + - "4706" Content-Type: - application/json status: 200 OK From 730e1936e96cc55a003e7051a4edb3a821f24810 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 03:48:03 +0000 Subject: [PATCH 06/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Fixed out-of-date test snapshots and updated VCR cassettes for all tests (including long-running ones) that were causing CI failures. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .../source/__snapshots__/command_test.snap | 106 ++- .../cassettes/TestCommand_Transitive.yaml | 723 +++++++++++++++++- 2 files changed, 805 insertions(+), 24 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 2c7ca134391..461fa62d12e 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -1994,7 +1994,7 @@ Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages Loaded GIT local db from /osv-scanner/GIT/all.zip Skipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0 -Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Medium, 0 Low, 7 Unknown) from 1 ecosystem. +Total 8 packages affected by 96 known vulnerabilities (14 Critical, 34 High, 39 Medium, 3 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ 
@@ -2009,8 +2009,75 @@ Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Me | https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-34226 | 7.5 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0702 | 5.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0705 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0797 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2105 | 7.5 | GIT | 
https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2107 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2178 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2183 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6303 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| 
https://osv.dev/CVE-2016-6304 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6306 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7052 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3731 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3732 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | 
testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3738 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-0734 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-0735 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-5407 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-23839 | 3.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-23841 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3711 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3712 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | 
https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| 
https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | 
@@ -2019,12 +2086,13 @@ Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Me | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | 
testdata/locks-git/osv-scanner.json | @@ -2040,7 +2108,7 @@ Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Me Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 11 packages affected by 56 known vulnerabilities (7 Critical, 12 High, 23 Medium, 7 Low, 7 Unknown) from 1 ecosystem. +Total 11 packages affected by 56 known vulnerabilities (6 Critical, 14 High, 23 Medium, 7 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ 
@@ -2080,7 +2148,7 @@ Total 11 packages affected by 56 known vulnerabilities (7 Critical, 12 High, 23 | https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | 
@@ -2093,7 +2161,7 @@ Total 11 packages affected by 56 known vulnerabilities (7 Critical, 12 High, 23 | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-24898 | 6.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | @@ -4655,7 +4723,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems. +Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 54 Medium, 5 Low, 24 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ 
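Review bot: The re-recorded summary line drops the affected-package count from 22 to 21 while the vulnerability count rises from 169 to 171, and the only finding removed anywhere in this file is the `mawk` row for `DEBIAN-CVE-2017-20229` (9.8, Critical) in the `@@ -4749` and `@@ -4968` hunks; the commit description only says the snapshots were out of date and gives no reason for that row vanishing. For a vulnerability scanner's fixtures, a Critical finding disappearing on re-record should be explained rather than accepted as noise, since the same diff would look identical if the Debian database import or the local-db matcher had regressed. Presumably the advisory was withdrawn or re-scoped upstream in OSV, but that is not visible here; please confirm and add one sentence to the commit description, e.g. `The mawk/DEBIAN-CVE-2017-20229 row is gone because the upstream advisory was withdrawn.` The same count change appears in the duplicate table at `@@ -4874`, so whichever explanation applies covers both.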
@@ -4749,7 +4817,6 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20229 | 9.8 | Debian | mawk | 1.3.3-17+b3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4840,6 +4907,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -4855,10 +4923,12 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- 
@@ -4874,7 +4944,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems. +Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 54 Medium, 5 Low, 24 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -4968,7 +5038,6 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2017-20229 | 9.8 | Debian | mawk | 1.3.3-17+b3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -5059,6 +5128,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | +| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -5074,10 +5144,12 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- 
@@ -5887,8 +5959,8 @@ Total 3 packages affected by 9 known vulnerabilities (0 Critical, 3 High, 4 Medi Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem. -22 vulnerabilities can be fixed. +Total 5 packages affected by 23 known vulnerabilities (1 Critical, 9 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem. +23 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -5908,6 +5980,7 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7.0 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | 
@@ -5934,8 +6007,8 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem. -22 vulnerabilities can be fixed. +Total 5 packages affected by 23 known vulnerabilities (1 Critical, 9 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem. +23 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -5955,6 +6028,7 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | +| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml index feb703f160c..1dd867a211f 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml 
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml 
@@ -1632,6 +1632,163 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 997 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "PyPI", + "name": "click" + }, + "version": "8.3.2" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask" + }, + "version": "1.0.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask-cors" + }, + "version": "1.0.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "itsdangerous" + }, + "version": "2.2.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2" + }, + "version": "3.1.6" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "markupsafe" + }, + "version": "3.0.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "pandas" + }, + "version": "0.23.4" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug" + }, + "version": "3.1.8" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/requirements.txt_resolution_fallback + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 880 + body: | + { + "results": [ + {}, + { + "vulns": [ + { + "id": "GHSA-68rp-wp8r-4726", + "modified": "2026-02-23T23:43:45.778179Z" + }, + { + "id": "GHSA-m2qf-hxjv-5gpq", + "modified": "2025-02-21T05:42:17.337040Z" + }, + { + "id": "PYSEC-2023-62", + "modified": "2023-11-08T04:12:28.231927Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-43qf-4rqw-9q2g", + "modified": "2026-02-04T02:30:19.251090Z" + }, + { + "id": "GHSA-7rxf-gvfg-47g4", + "modified": "2026-02-04T04:27:15.173118Z" + }, + { + "id": "GHSA-84pr-m4jr-85g5", + "modified": "2026-02-04T02:57:32.875272Z" + }, + { + "id": "GHSA-8vgw-p6qm-5gr7", + "modified": "2026-02-04T02:42:09.564281Z" + }, + { + "id": "GHSA-hxwh-jpp2-84pm", + "modified": "2026-02-04T02:15:39.891834Z" + }, + { + "id": 
"GHSA-xc3p-ff3m-f46v", + "modified": "2024-09-20T20:01:25.449661Z" + }, + { + "id": "PYSEC-2020-43", + "modified": "2025-10-09T07:22:50.566622Z" + }, + { + "id": "PYSEC-2024-71", + "modified": "2025-10-09T08:27:44.186589Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "PYSEC-2020-73", + "modified": "2023-11-08T04:02:12.263851Z" + } + ] + }, + {} + ] + } + headers: + Content-Length: + - "880" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 
@@ -1674,14 +1831,560 @@ interactions: "ecosystem": "PyPI", "name": "flask" }, - "version": "1.0.0" + "version": "1.0.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "idna" + }, + "version": "2.7.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "itsdangerous" + }, + "version": "2.2.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2" + }, + "version": "3.1.6" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "markupsafe" + }, + "version": "3.0.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "pytz" + }, + "version": "2026.1.0.post1" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "requests" + }, + "version": "2.20.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3" + }, + "version": "1.24.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug" + }, + "version": "3.1.7" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/requirements.txt_transitive_default + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 2083 + body: | + { + "results": [ + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-68w8-qjq3-2gfm", + "modified": "2024-09-20T15:46:52.557962Z" + }, + { + "id": "GHSA-6w2r-r2m5-xq5w", + "modified": "2026-02-04T04:00:06.061990Z" + }, + { + "id": "GHSA-7xr5-9hcq-chf9", + "modified": "2026-02-04T03:48:05.224740Z" + }, + { + "id": "GHSA-8x94-hmjh-97hq", + "modified": "2026-02-04T02:45:55.690257Z" + }, + { + "id": "GHSA-frmv-pr5f-9mcr", + "modified": "2025-11-27T09:10:30.649595Z" + }, + { + "id": "GHSA-qw25-v68c-qjf3", + "modified": "2026-02-04T04:08:30.303132Z" + }, + { + "id": "GHSA-rrqc-c2jx-6jgv", + "modified": "2024-10-30T19:23:59.139649Z" + }, + { + "id": "PYSEC-2021-98", + "modified": "2023-12-06T01:01:16.755410Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-68rp-wp8r-4726", + "modified": "2026-02-23T23:43:45.778179Z" + }, 
+ { + "id": "GHSA-m2qf-hxjv-5gpq", + "modified": "2025-02-21T05:42:17.337040Z" + }, + { + "id": "PYSEC-2023-62", + "modified": "2023-11-08T04:12:28.231927Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-jjg7-2v4v-x38h", + "modified": "2026-02-04T03:49:45.087439Z" + }, + { + "id": "PYSEC-2024-60", + "modified": "2024-07-11T17:42:33.704488Z" + } + ] + }, + {}, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-9hjg-9r4m-mvj7", + "modified": "2026-02-04T03:44:00.676479Z" + }, + { + "id": "GHSA-9wx4-h78v-vm56", + "modified": "2026-02-04T02:43:42.271895Z" + }, + { + "id": "GHSA-j8r2-6x86-q33q", + "modified": "2026-02-04T03:34:13.807518Z" + }, + { + "id": "PYSEC-2023-74", + "modified": "2023-11-08T04:12:35.436175Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2xpw-w6gg-jr37", + "modified": "2026-02-04T02:36:12.983430Z" + }, + { + "id": "GHSA-34jh-p97f-mpxf", + "modified": "2026-02-04T03:37:44.850742Z" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "2026-02-04T03:51:36.162029Z" + }, + { + "id": "GHSA-g4mx-q9vg-27p4", + "modified": "2026-02-04T03:30:16.767903Z" + }, + { + "id": "GHSA-gm62-xv2j-4w53", + "modified": "2026-02-04T03:37:15.919661Z" + }, + { + "id": "GHSA-pq67-6m6q-mj2v", + "modified": "2026-02-04T04:38:01.163387Z" + }, + { + "id": "GHSA-v845-jxx5-vc9f", + "modified": "2026-02-04T02:58:30.152562Z" + }, + { + "id": "GHSA-wqvq-5m8c-6g24", + "modified": "2024-11-18T22:47:07.792720Z" + }, + { + "id": "PYSEC-2020-148", + "modified": "2023-11-08T04:03:14.251187Z" + }, + { + "id": "PYSEC-2021-108", + "modified": "2023-11-08T04:06:04.829992Z" + }, + { + "id": "PYSEC-2023-192", + "modified": "2023-11-08T04:13:33.452167Z" + }, + { + "id": "PYSEC-2023-212", + "modified": "2023-11-08T04:13:39.165450Z" + } + ] + }, + {} + ] + } + headers: + Content-Length: + - "2083" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1610 + host: api.osv.dev + body: 
| + { + "queries": [ + { + "package": { + "ecosystem": "PyPI", + "name": "certifi" + }, + "version": "2026.2.25" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "chardet" + }, + "version": "3.0.4" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "click" + }, + "version": "8.3.2" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django" + }, + "version": "1.11.29" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask" + }, + "version": "1.0.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "idna" + }, + "version": "2.7.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "itsdangerous" + }, + "version": "2.2.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2" + }, + "version": "3.1.6" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "markupsafe" + }, + "version": "3.0.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "pytz" + }, + "version": "2026.1.0.post1" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "requests" + }, + "version": "2.20.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3" + }, + "version": "1.24.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug" + }, + "version": "3.1.8" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/requirements.txt_transitive_default + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 2153 + body: | + { + "results": [ + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-68w8-qjq3-2gfm", + "modified": "2024-09-20T15:46:52.557962Z" + }, + { + "id": "GHSA-6w2r-r2m5-xq5w", + "modified": "2026-02-04T04:00:06.061990Z" + }, + { + "id": "GHSA-7xr5-9hcq-chf9", + "modified": "2026-02-04T03:48:05.224740Z" + }, + { + "id": "GHSA-8x94-hmjh-97hq", + "modified": "2026-02-04T02:45:55.690257Z" + }, + { + "id": "GHSA-frmv-pr5f-9mcr", + "modified": "2025-11-27T09:10:30.649595Z" 
+ }, + { + "id": "GHSA-qw25-v68c-qjf3", + "modified": "2026-02-04T04:08:30.303132Z" + }, + { + "id": "GHSA-rrqc-c2jx-6jgv", + "modified": "2024-10-30T19:23:59.139649Z" + }, + { + "id": "PYSEC-2021-98", + "modified": "2023-12-06T01:01:16.755410Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-68rp-wp8r-4726", + "modified": "2026-02-23T23:43:45.778179Z" + }, + { + "id": "GHSA-m2qf-hxjv-5gpq", + "modified": "2025-02-21T05:42:17.337040Z" + }, + { + "id": "PYSEC-2023-62", + "modified": "2023-11-08T04:12:28.231927Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-jjg7-2v4v-x38h", + "modified": "2026-02-04T03:49:45.087439Z" + }, + { + "id": "PYSEC-2024-60", + "modified": "2024-07-11T17:42:33.704488Z" + } + ] + }, + {}, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-9hjg-9r4m-mvj7", + "modified": "2026-02-04T03:44:00.676479Z" + }, + { + "id": "GHSA-9wx4-h78v-vm56", + "modified": "2026-02-04T02:43:42.271895Z" + }, + { + "id": "GHSA-gc5v-m9x4-r6x2", + "modified": "2026-03-27T22:17:33.595885Z" + }, + { + "id": "GHSA-j8r2-6x86-q33q", + "modified": "2026-02-04T03:34:13.807518Z" + }, + { + "id": "PYSEC-2023-74", + "modified": "2023-11-08T04:12:35.436175Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2xpw-w6gg-jr37", + "modified": "2026-02-04T02:36:12.983430Z" + }, + { + "id": "GHSA-34jh-p97f-mpxf", + "modified": "2026-02-04T03:37:44.850742Z" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "2026-02-04T03:51:36.162029Z" + }, + { + "id": "GHSA-g4mx-q9vg-27p4", + "modified": "2026-02-04T03:30:16.767903Z" + }, + { + "id": "GHSA-gm62-xv2j-4w53", + "modified": "2026-02-04T03:37:15.919661Z" + }, + { + "id": "GHSA-pq67-6m6q-mj2v", + "modified": "2026-02-04T04:38:01.163387Z" + }, + { + "id": "GHSA-v845-jxx5-vc9f", + "modified": "2026-02-04T02:58:30.152562Z" + }, + { + "id": "GHSA-wqvq-5m8c-6g24", + "modified": "2024-11-18T22:47:07.792720Z" + }, + { + "id": "PYSEC-2020-148", + "modified": "2023-11-08T04:03:14.251187Z" + }, + { + "id": "PYSEC-2021-108", + "modified": 
"2023-11-08T04:06:04.829992Z" + }, + { + "id": "PYSEC-2023-192", + "modified": "2023-11-08T04:13:33.452167Z" + }, + { + "id": "PYSEC-2023-212", + "modified": "2023-11-08T04:13:39.165450Z" + } + ] + }, + {} + ] + } + headers: + Content-Length: + - "2153" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1604 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "PyPI", + "name": "certifi" + }, + "version": "2026.2.25" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "chardet" + }, + "version": "3.0.4" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "click" + }, + "version": "8.3.1" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django" + }, + "version": "1.11.29" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask" + }, + "version": "1.0" }, { "package": { "ecosystem": "PyPI", "name": "idna" }, - "version": "2.7.0" + "version": "2.7" }, { "package": { @@ -1709,7 +2412,7 @@ interactions: "ecosystem": "PyPI", "name": "pytz" }, - "version": "2026.1.0.post1" + "version": "2026.1.post1" }, { "package": { @@ -1738,7 +2441,7 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_Transitive/requirements.txt_transitive_default + - TestCommand_Transitive/requirements.txt_transitive_native_source url: https://api.osv.dev/v1/querybatch method: POST response: @@ -1931,7 +2634,7 @@ interactions: "ecosystem": "PyPI", "name": "click" }, - "version": "8.3.1" + "version": "8.3.2" }, { "package": { @@ -2001,7 +2704,7 @@ interactions: "ecosystem": "PyPI", "name": "werkzeug" }, - "version": "3.1.7" + "version": "3.1.8" } ] } @@ -2016,7 +2719,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2083 + content_length: 2153 body: | { "results": [ 
@@ -2101,6 +2804,10 @@ interactions: "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, + { + "id": "GHSA-gc5v-m9x4-r6x2", + "modified": "2026-03-27T22:17:33.595885Z" + }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z"
@@ -2168,7 +2875,7 @@ interactions: } headers: Content-Length: - - "2083" + - "2153" Content-Type: - application/json status: 200 OK
From c02fe521827155bd4413a47353b0f0051fe2113d Mon Sep 17 00:00:00 2001
From: Rex P <106129829+another-rex@users.noreply.github.com>
Date: Thu, 9 Apr 2026 15:08:35 +1000
Subject: [PATCH 07/10] Apply suggestion from @another-rex
---
 .github/workflows/tests.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 774fb1f3426..f06acb9c8ae 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -78,6 +78,7 @@ jobs:
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 pattern: image-testdata-${{ github.run_number }}-*
+ merge-multiple: true
 path: cmd/osv-scanner/scan/image/testdata/
 - name: Set up Go
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
From e401e69a30514003f3a7f48728a4252d05ff37bb Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 9 Apr 2026 05:46:07 +0000 Subject: [PATCH 08/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> --- .github/workflows/tests.yml | 1 - .../fix/__snapshots__/command_test.snap | 12 +- .../mcp/__snapshots__/integration_test.snap | 3 +- .../image/__snapshots__/command_test.snap | 28 + cmd/osv-scanner/scan/image/command_test.go | 11 + .../cassettes/TestCommand_OCIImage.yaml | 59 ++ .../testdata/test-ubuntu-homebrew.Dockerfile | 13 + .../source/__snapshots__/command_test.snap | 566 ++++++++------ cmd/osv-scanner/scan/source/command_test.go | 32 + .../testdata/cassettes/TestCommand.yaml | 120 ++- .../cassettes/TestCommand_CallAnalysis.yaml | 12 +- .../cassettes/TestCommand_CommitSupport.yaml | 707 ++++++++++++++++++ .../TestCommand_Config_UnusedIgnores.yaml | 52 +- .../cassettes/TestCommand_GithubActions.yaml | 194 +---- .../TestCommand_HomebrewWithAnnotators.yaml | 137 ++++ .../Cellar/libssh2/1.11.1/.brew/libssh2.rb | 55 ++ .../libssh2/1.11.1/INSTALL_RECEIPT.json | 57 ++ docs/Gemfile.lock | 4 +- .../clientimpl/osvmatcher/osvmatcher.go | 7 + internal/imodels/imodels.go | 6 + .../output/__snapshots__/vertical_test.snap | 51 -- internal/output/githubannotation.go | 10 + 
internal/output/githubannotation_test.go | 56 ++ internal/output/vertical.go | 2 +- .../__snapshots__/resolve_test.snap | 8 + internal/scalibrplugin/presets.go | 9 +- internal/scalibrplugin/resolve_test.go | 10 + internal/utility/vulns/vulnerability.go | 3 +- .../__snapshots__/osvscanner_test.snap | 2 +- renovate.json | 1 + 30 files changed, 1654 insertions(+), 574 deletions(-) create mode 100644 cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile create mode 100644 cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml create mode 100644 cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb create mode 100644 cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f06acb9c8ae..774fb1f3426 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -78,7 +78,6 @@ jobs: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: image-testdata-${{ github.run_number }}-* - merge-multiple: true path: cmd/osv-scanner/scan/image/testdata/ - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 diff --git a/cmd/osv-scanner/fix/__snapshots__/command_test.snap b/cmd/osv-scanner/fix/__snapshots__/command_test.snap index 3dfc6598565..4b2ba0ce765 100755 --- a/cmd/osv-scanner/fix/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/fix/__snapshots__/command_test.snap @@ -9204,7 +9204,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects { "name": "org.codehaus.plexus:plexus-utils", "versionFrom": "3.0", - "versionTo": "4.0.3", + "versionTo": "3.6.1", "transitive": false } ], @@ -9358,7 +9358,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects org.codehaus.plexus plexus-utils - 4.0.3 + 3.6.1 
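Review bot: Dropping `merge-multiple: true` from the `tests` job's download-artifact step (the `@@ -78,7 +78,6 @@` hunk of tests.yml) reverts exactly what PATCH 07 added at the same spot, and with a `pattern:` and no `merge-multiple`, download-artifact's v4-style layout (which v8.0.1 presumably keeps) unpacks each matching artifact into its own `image-testdata-<run>-<attempt>/` subdirectory under `path`, so the `*.tar` fixtures would not land directly in `cmd/osv-scanner/scan/image/testdata/` where the image tests read them. If the removal is a rebase artifact, restore `merge-multiple: true`; if it is intentional, download by exact `name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}` instead of a pattern so the files are placed at `path` itself. The commit message also says zizmor cache-poisoning and credential-persistence findings in the docker job were fixed, but the diffstat lists tests.yml with only this one deletion, so those fixes are not in this patch as shown.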
@@ -9512,7 +9512,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects Found 13 vulnerabilities matching the filter Can fix 13/13 matching vulnerabilities by overriding 4 dependencies OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13 -OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3 +OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c @@ -9566,7 +9566,7 @@ UNFIXABLE-VULNS: 0 org.codehaus.plexus plexus-utils - 4.0.3 + 3.6.1 @@ -11354,7 +11354,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects Found 13 vulnerabilities matching the filter Can fix 13/13 matching vulnerabilities by overriding 4 dependencies OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13 -OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3 +OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c @@ -11408,7 +11408,7 @@ UNFIXABLE-VULNS: 0 org.codehaus.plexus plexus-utils - 4.0.3 + 3.6.1 diff --git a/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap b/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap index 2c95059cdf7..a86e636eb93 100755 --- a/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap +++ b/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap 
@@ -24,7 +24,6 @@ lockfile:/testdata/go-project/go.mod: found 1 package with issues Severity: '5.9'; Minimal Fix Version: '1.1.0'; 1 known vulnerability found in lockfile:/testdata/go-project/go.mod -Hiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them. - +Hiding 15 number of vulnerabilities deemed unimportant, use --all-vulns to show them. --- diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap index a034f8b16e6..22ceb3c9308 100755 --- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap 
@@ -1202,6 +1202,34 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne --- +[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 1] +Scanning local image tarball "./testdata/test-ubuntu-homebrew.tar" +skipping file "home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/.git/objects/pack/pack-0113dab039640255baab5438994e90f67a4c482c.pack" because its size (1155620741 bytes) is larger than the max size (1073741824 bytes) + + +Container Scanning Result (Ubuntu 22.04.5 LTS): +Total 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +0 vulnerabilities can be fixed. + + +GIT ++------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Source:os:/home/linuxbrew/.linuxbrew/Cellar/cjson/1.7.17/INSTALL_RECEIPT.json | ++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+ +| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | ++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+ +| https://github.com/DaveGamble/cJSON | 1.7.17 | No fix available | 3 | | # 19 Layer | -- | ++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
+ +--- + +[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 2] + +--- + [TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 1] { "results": [ diff --git a/cmd/osv-scanner/scan/image/command_test.go b/cmd/osv-scanner/scan/image/command_test.go index 63ce381cd89..1a75a044c0c 100644 --- a/cmd/osv-scanner/scan/image/command_test.go +++ b/cmd/osv-scanner/scan/image/command_test.go @@ -352,6 +352,17 @@ func TestCommand_OCIImage(t *testing.T) { }, Exit: 1, }, + { + Name: "scanning_ubuntu_image_with_homebrew_extractor", + Args: []string{ + "", "image", + "--experimental-plugins", "os/homebrew", + "--experimental-plugins", "misc/brew-source", + "--experimental-no-default-plugins", + "--archive", "./testdata/test-ubuntu-homebrew.tar", + }, + Exit: 1, + }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index 393ec521747..c5a3284dc9a 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml 
@@ -15602,3 +15602,62 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 171 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/davegamble/cjson" + }, + "version": "1.7.17" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 220 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "CVE-2023-53154", + "modified": "2026-03-14T12:23:16.581554Z" + }, + { + "id": "CVE-2024-31755", + "modified": "2026-03-14T12:30:30.932017Z" + }, + { + "id": "CVE-2025-57052", + "modified": "2026-03-23T05:11:28.908372Z" + } + ] + } + ] + } + headers: + Content-Length: + - "220" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s diff --git a/cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile b/cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile new file mode 100644 index 00000000000..baa8fdda033 --- /dev/null +++ b/cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile @@ -0,0 +1,13 @@ +FROM ghcr.io/homebrew/ubuntu22.04:5.1.4@sha256:6b3c4bc0a7128cf5a78d2e641da6e88ac4195714e1315c4d2b522532d7fb1e7a + +USER linuxbrew +WORKDIR /home/linuxbrew + +ENV HOMEBREW_NO_AUTO_UPDATE=1 \ + NONINTERACTIVE=1 + +# Install vulnerable package +RUN brew install cjson + +# Make it vulnerable :) +RUN mv .linuxbrew/Cellar/cjson/* .linuxbrew/Cellar/cjson/1.7.17 diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 461fa62d12e..c773f57de7a 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
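Review bot: `RUN mv .linuxbrew/Cellar/cjson/* .linuxbrew/Cellar/cjson/1.7.17` in the new Dockerfile only works while brew has installed exactly one cjson version whose directory is not already `1.7.17`: with two entries the glob makes `mv` fail because the target is not a directory, and with `1.7.17` itself it errors out, so the assumption should be stated, e.g. replace `# Make it vulnerable :)` with `# Rename the single installed Cellar dir to 1.7.17 so the receipt is reported as that known-vulnerable version; assumes brew installed exactly one other version`. The scan snapshot recorded for this fixture (`TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor`) shows the image carrying the homebrew-core tap's `.git` with a 1155620741-byte pack file that the scanner skips, which both bloats the tarball and bakes a pack filename into the snapshot that would change whenever the fixture is rebuilt. Unless the `misc/brew-source` plugin needs the tap checkout, consider removing `.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/.git` after the install step; whether either plugin reads the tap checkout is not visible in this diff.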
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -516,9 +516,9 @@ Total 6 packages affected by 10 known vulnerabilities (2 Critical, 2 High, 2 Med | 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock | | UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | | UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | -| UNKNOWN | | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json | -| UNKNOWN | | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | -| UNKNOWN | | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | +| UNKNOWN | GIT | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json | +| UNKNOWN | GIT | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | +| UNKNOWN | GIT | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | | 0BSD | Packagist | drupal/core | 10.4.5 | testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | drupal/simple_sitemap | 4.2.1 | testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | drupal/tfa | 2.0.0-alpha4 | testdata/locks-many-with-insecure/composer.lock | 
@@ -897,7 +897,7 @@ Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 10 local/unscannable package/s from the scan. -Total 26 packages affected by 184 known vulnerabilities (20 Critical, 78 High, 57 Medium, 5 Low, 24 Unknown) from 4 ecosystems. +Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 56 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -1094,7 +1094,6 @@ Total 26 packages affected by 184 known vulnerabilities (20 Critical, 78 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -1110,12 +1109,10 @@ Total 26 packages affected by 184 known vulnerabilities (20 Critical, 78 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- 
@@ -1619,8 +1616,8 @@ Scanned /testdata/locks-requirements/requirements.txt file and found 3 Scanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package Scanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages -Total 12 packages affected by 52 known vulnerabilities (5 Critical, 20 High, 22 Medium, 4 Low, 1 Unknown) from 1 ecosystem. -52 vulnerabilities can be fixed. +Total 12 packages affected by 50 known vulnerabilities (5 Critical, 20 High, 20 Medium, 4 Low, 1 Unknown) from 1 ecosystem. +50 vulnerabilities can be fixed. +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -1644,7 +1641,6 @@ Total 12 packages affected by 52 known vulnerabilities (5 Critical, 20 High, 22 | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements-transitive.txt | -| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 | 2.2.25 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | | | https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt | 
@@ -1682,7 +1678,6 @@ Total 12 packages affected by 52 known vulnerabilities (5 Critical, 20 High, 22 | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | -| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/unresolvable-requirements.txt | 
@@ -1992,111 +1987,110 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi [TestCommand_CommitSupport/offline_uses_git_tags - 1] Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages Loaded GIT local db from /osv-scanner/GIT/all.zip -Skipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0 Total 8 packages affected by 96 known vulnerabilities (14 Critical, 34 High, 39 Medium, 3 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. -+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ -| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| 
https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-34226 | 7.5 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0702 | 5.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0705 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0797 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2105 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2107 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | 
https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2178 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2183 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6303 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6304 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6306 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| 
https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-7052 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3731 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3732 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2017-3738 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2018-0734 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | 
testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2018-0735 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2018-5407 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2021-23839 | 3.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2021-23841 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2021-3711 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2021-3712 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | 
https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | 
-| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | 
https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -+--------------------------------+------+-----------+---------------------------------------------------------+---------------+-------------------------------------+ ++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+ +| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-34226 | 7.5 | GIT | 
https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0702 | 5.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0705 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0797 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2105 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2107 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2109 | 7.5 | 
GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2178 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2183 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6303 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6304 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6306 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6307 | 5.9 
| GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7052 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3731 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3732 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3738 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-0734 | 
5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-0735 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-5407 | 4.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-23839 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-23841 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3711 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3712 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| 
https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | 
testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl | 
openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json | ++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+ --- 
@@ -2108,70 +2102,153 @@ Total 8 packages affected by 96 known vulnerabilities (14 Critical, 34 High, 39 Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 11 packages affected by 56 known vulnerabilities (6 Critical, 14 High, 23 Medium, 7 Low, 6 Unknown) from 1 ecosystem. +Total 9 packages affected by 140 known vulnerabilities (20 Critical, 51 High, 58 Medium, 5 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. -+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ -| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-44398 | 8.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/PYSEC-2023-233 | | | | | | -| https://osv.dev/CVE-2024-24826 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-25112 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-39695 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| 
https://osv.dev/CVE-2025-26623 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-54080 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-55304 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-25884 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-27596 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-27631 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2021-22569 | 5.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2022-1941 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2022-3171 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2022-3509 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2022-3510 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-2410 | 9.8 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-7254 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/OSV-2018-389 
| | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | 
-- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-24898 | 6.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | 
-| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | -+--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------+ ++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+ +| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/OSV-2018-389 | | GIT | 
https://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-34226 | 7.5 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0702 | 5.1 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0705 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0797 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2105 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| 
https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2107 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2178 | 5.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6303 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6304 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6306 | 5.9 | GIT | 
https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7052 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3731 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3732 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3738 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-0734 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | 
testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-0735 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-5407 | 4.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-23839 | 3.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-23841 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| 
https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json 
| +| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | 
testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- 
| testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl | 
openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | 
https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json | +| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json | ++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+ --- @@ -2229,7 +2306,7 @@ Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 24 packages affected by 178 known vulnerabilities (20 Critical, 73 High, 56 Medium, 5 Low, 24 Unknown) from 4 ecosystems. +Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 55 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ 
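Review bot: The rebuilt table in this hunk drops every row for `https://github.com/apache/orc@17b30e96` (seven advisories, including a 9.8) and `https://github.com/sfackler-fork/rust-openssl@3b064fdb`, so the summary falls from 11 to 9 affected packages while the unchanged context line still says the scan "found 11 packages"; that is a loss of findings the snapshot now locks in, and the commit does not say whether it is intended. In the same table the `https://github.com/openssl/openssl` package now appears twice, once with an empty VERSION column carrying 2016-era CVEs and once as `openssl-3.5.0`, which presumably means one checkout could not be resolved to a tag and was matched against every historical advisory; the old rows identified each checkout by commit (`@45fda76b`, `@aea7aaf2`), so two distinct checkouts are now indistinguishable in the report. The last hunk of this file shows the same empty-version pattern for `brendan-duncan/archive.git`. If the empty-version reporting is the new expected behaviour, the test that owns this snapshot should carry a one-line comment explaining that an unresolved git package is reported with an empty version and why the orc and sfackler-fork findings are expected to disappear.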
@@ -2418,7 +2495,6 @@ Total 24 packages affected by 178 known vulnerabilities (20 Critical, 73 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2434,12 +2510,10 @@ Total 24 packages affected by 178 known vulnerabilities (20 Critical, 73 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- 
@@ -2463,7 +2537,7 @@ Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 22 packages affected by 172 known vulnerabilities (18 Critical, 71 High, 54 Medium, 5 Low, 24 Unknown) from 3 ecosystems. +Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 4 Low, 23 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -2646,7 +2720,6 @@ Total 22 packages affected by 172 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | -| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2662,12 +2735,10 @@ Total 22 packages affected by 172 known vulnerabilities (18 Critical, 71 High, 5 | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- 
@@ -3228,12 +3299,12 @@ Warning: plugin transitivedependency/pomxml can be risky when run on untrusted a Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. -+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | -+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+ -| https://osv.dev/CVE-2023-39137 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json | -| https://osv.dev/CVE-2023-39139 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json | -+--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------------------------+ ++--------------------------------+------+-----------+-----------------------------------------------+---------+---------------+-------------------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | ++--------------------------------+------+-----------+-----------------------------------------------+---------+---------------+-------------------------------------------------------+ +| https://osv.dev/CVE-2023-39137 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git | | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json | +| https://osv.dev/CVE-2023-39139 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git | | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json | 
++--------------------------------+------+-----------+-----------------------------------------------+---------+---------------+-------------------------------------------------------+ --- 
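Review bot: The regenerated rows for `https://github.com/brendan-duncan/archive.git` leave the VERSION cell empty, whereas the removed rows carried the pinned revision `9de7a054` fused into the PACKAGE cell, so on the new side nothing records which revision of the package was matched against CVE-2023-39137 and CVE-2023-39139. If the intent was to move the revision into the now-separate VERSION column, this snapshot indicates it is being dropped instead; if the scanner genuinely has no version for a git-URL package, that is worth asserting deliberately, for example with a comment on the owning test case saying that the revision is not expected in table output, rather than being accepted through a snapshot refresh. The old table was also misaligned (six cells under a seven-cell header), so the new header row is an improvement regardless of how the version question is resolved.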
@@ -3435,41 +3506,14 @@ Warning: plugin transitivedependency/pomxml can be risky when run on untrusted a Scanned /testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. -Total 1 package affected by 73 known vulnerabilities (8 Critical, 31 High, 32 Medium, 2 Low, 0 Unknown) from 1 ecosystem. +Total 1 package affected by 40 known vulnerabilities (4 Critical, 16 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ -| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| 
https://osv.dev/CVE-2016-2106 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2016-2177 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2016-2182 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | 
testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-2274 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-3358 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-3996 | 7.5 | GIT | github.com/openssl/openssl | 
openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | 
@@ -3493,27 +3537,21 @@ Total 1 package affected by 73 known vulnerabilities (8 Critical, 31 High, 32 Me | https://osv.dev/CVE-2023-5678 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-6129 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-6237 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-13176 | 4.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-2511 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-4603 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-15467 | 8.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2025-4575 | 6.5 | 
GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-68160 | 4.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69420 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-9230 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | -| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ --- 
@@ -3522,6 +3560,68 @@ Total 1 package affected by 73 known vulnerabilities (8 Critical, 31 High, 32 Me --- +[TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator - 1] +Scanning dir ./testdata/homebrew/Cellar/ +Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + + +Scanning Result (package view): +Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 1 ecosystem. +0 vulnerabilities can be fixed. + + +GIT ++------------------------------------------------------------------------------------------------------------------+ +| Source:os:/testdata/homebrew/Cellar/libssh | +| 2/1.11.1/INSTALL_RECEIPT.json | ++------------------------------------+-------------------+------------------+------------+-------------------------+ +| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | ++------------------------------------+-------------------+------------------+------------+-------------------------+ +| https://github.com/libssh2/libssh2 | 1.11.1 | No fix available | 5 | | ++------------------------------------+-------------------+------------------+------------+-------------------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
+ +--- + +[TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator - 2] + +--- + +[TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin - 1] +Scanning dir ./testdata/homebrew/Cellar/ +Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages +Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages +Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json file and found 1 package +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. + + +Scanning Result (package view): +Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 1 ecosystem. +0 vulnerabilities can be fixed. + + +GIT ++------------------------------------------------------------------------------------------------------------------+ +| Source:os:/testdata/homebrew/Cellar/libssh | +| 2/1.11.1/INSTALL_RECEIPT.json | ++------------------------------------+-------------------+------------------+------------+-------------------------+ +| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | ++------------------------------------+-------------------+------------------+------------+-------------------------+ +| https://github.com/libssh2/libssh2 | 1.11.1 | No fix available | 5 | | ++------------------------------------+-------------------+------------------+------------+-------------------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin - 2] + +--- + [TestCommand_HtmlFile - 1] --- 
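Review bot: In the `homebrew_extractor_via_artifact_plugin` snapshot the line `Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages` appears twice, which suggests the formula file is being handed to two extractors, or walked twice, under `--experimental-plugins=artifact`; the `explicitly_enabled_with_annotator` case does not show it at all. If the double visit is not intended it is a cheap thing to fix before the snapshot cements it, and if it is expected, a one-line comment on that test case in command_test.go saying so would save the next reader from chasing it. Separately, the `Source:os:` cell wraps the path mid-token (`libssh` / `2/1.11.1/INSTALL_RECEIPT.json`), so the package-view table cannot be read back as a path; that is presumably existing table-renderer behaviour rather than something this commit introduces, but it is visible here for the first time.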
@@ -4723,7 +4823,7 @@ Filtered 1 local/unscannable package/s from the scan.
 Loaded Debian local db from /osv-scanner/Debian/all.zip
 Loaded Go local db from /osv-scanner/Go/all.zip
-Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 54 Medium, 5 Low, 24 Unknown) from 2 ecosystems.
+Total 21 packages affected by 178 known vulnerabilities (17 Critical, 71 High, 55 Medium, 5 Low, 30 Unknown) from 2 ecosystems.
 11 vulnerabilities can be fixed.
 +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
@@ -4875,6 +4975,13 @@ Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 5
 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28386 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28388 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28389 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28390 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31790 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -4907,7 +5014,7 @@ Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 5
 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3755-1 | | | | | | |
-| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -4944,7 +5051,7 @@ Filtered 1 local/unscannable package/s from the scan.
 Loaded Debian local db from /osv-scanner/Debian/all.zip
 Loaded Go local db from /osv-scanner/Go/all.zip
-Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 54 Medium, 5 Low, 24 Unknown) from 2 ecosystems.
+Total 21 packages affected by 178 known vulnerabilities (17 Critical, 71 High, 55 Medium, 5 Low, 30 Unknown) from 2 ecosystems.
 11 vulnerabilities can be fixed.
 +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
@@ -5096,6 +5203,13 @@ Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 5
 | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28386 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28388 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28389 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28390 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31790 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -5128,7 +5242,7 @@ Total 21 packages affected by 171 known vulnerabilities (17 Critical, 71 High, 5
 | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3755-1 | | | | | | |
-| https://osv.dev/DEBIAN-CVE-2026-5704 | | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go
index 3febffb55d7..f5fae2b96cc 100644
--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -450,6 +450,38 @@ func TestCommand_JavareachArchive(t *testing.T) {
 }
 }
 
+func TestCommand_HomebrewWithAnnotators(t *testing.T) {
+ t.Parallel()
+
+ if runtime.GOOS != "darwin" {
+ testutility.Skip(t, "The detector in this test only works on Darwin")
+ }
+
+ client := testcmd.InsertCassette(t)
+
+ tests := []testcmd.Case{
+ {
+ Name: "homebrew_extractor_via_artifact_plugin",
+ Args: []string{"", "source", "-r", "--no-ignore", "--experimental-plugins=artifact", "./testdata/homebrew/Cellar/"},
+ Exit: 1,
+ },
+ {
+ Name: "homebrew_extractor_explicitly_enabled_with_annotator",
+ Args: []string{"", "source", "-r", "--no-ignore", "--experimental-plugins=os/homebrew", "--experimental-plugins=misc/brew-source", "./testdata/homebrew/Cellar/"},
+ Exit: 1,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.Name, func(t *testing.T) {
+ t.Parallel()
+
+ tt.HTTPClient = testcmd.WithTestNameHeader(t, *client)
+
+ testcmd.RunAndMatchSnapshots(t, tt)
+ })
+ }
+}
+
 func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
 t.Parallel()
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
index eae04b0d8b0..8a33739c19a 100644
--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
@@ -366,7 +366,7 @@ interactions:
 },
 {
 "id": "GO-2025-3447",
- "modified": "2026-03-24T23:48:06.694170Z"
+ "modified": "2026-02-04T04:23:04.020664Z"
 },
 {
 "id": "GO-2025-3563",
@@ -382,7 +382,7 @@ interactions:
 },
 {
 "id": "GO-2025-3849",
- "modified": "2026-03-24T23:55:13.286144Z"
+ "modified": "2026-02-04T02:26:50.866679Z"
 },
 {
 "id": "GO-2025-3956",
@@ -422,7 +422,7 @@ interactions:
 },
 {
 "id": "GO-2025-4014",
- "modified": "2026-04-04T10:29:23.225210Z"
+ "modified": "2026-03-23T10:29:12.189807Z"
 },
 {
 "id": "GO-2025-4015",
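Review bot: The skip message in the new TestCommand_HomebrewWithAnnotators reads `"The detector in this test only works on Darwin"`, but both cases exercise the homebrew extractor and the brew-source annotator, not a detector, so the reason for the Darwin-only gate is unclear to a reader; I would reword it to `testutility.Skip(t, "the os/homebrew extractor and misc/brew-source annotator in this test only run on Darwin")` and put a comment above the `runtime.GOOS` check stating why those plugins are Darwin-only, if that is in fact the reason. That comment should also say that, because of the gate, the snapshot and cassette recorded for this test are only validated on macOS runners and the other matrix entries never exercise them. The second case passes `--experimental-plugins` twice; if the flag accumulates that is fine, but a short comment confirming it would spare the next reader a trip to the flag definition.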
@@ -430,7 +430,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-04-04T10:29:23.487831Z" + "modified": "2026-03-23T10:29:12.451671Z" }, { "id": "GO-2025-4175", @@ -438,7 +438,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-04-04T10:29:23.753183Z" + "modified": "2026-03-20T10:43:57.595965Z" }, { "id": "GO-2026-4340", @@ -446,11 +446,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-04-04T10:29:23.387166Z" + "modified": "2026-03-23T10:29:12.350209Z" }, { "id": "GO-2026-4342", - "modified": "2026-04-04T10:29:23.020657Z" + "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", @@ -458,7 +458,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-02T13:44:28.715638Z" + "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", @@ -580,7 +580,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-03-24T23:48:06.694170Z" + "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", @@ -596,7 +596,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-03-24T23:55:13.286144Z" + "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", @@ -636,7 +636,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-04-04T10:29:23.225210Z" + "modified": "2026-03-23T10:29:12.189807Z" }, { "id": "GO-2025-4015", @@ -644,7 +644,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-04-04T10:29:23.487831Z" + "modified": "2026-03-23T10:29:12.451671Z" }, { "id": "GO-2025-4175", @@ -652,7 +652,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-04-04T10:29:23.753183Z" + "modified": "2026-03-20T10:43:57.595965Z" }, { "id": "GO-2026-4340", @@ -660,11 +660,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-04-04T10:29:23.387166Z" + "modified": "2026-03-23T10:29:12.350209Z" }, { "id": "GO-2026-4342", - "modified": "2026-04-04T10:29:23.020657Z" + "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", 
@@ -672,7 +672,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-02T13:44:28.715638Z" + "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", @@ -744,7 +744,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-03-24T23:48:06.694170Z" + "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", @@ -760,7 +760,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-03-24T23:55:13.286144Z" + "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", @@ -800,7 +800,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-04-04T10:29:23.225210Z" + "modified": "2026-03-23T10:29:12.189807Z" }, { "id": "GO-2025-4015", @@ -808,7 +808,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-04-04T10:29:23.487831Z" + "modified": "2026-03-23T10:29:12.451671Z" }, { "id": "GO-2025-4175", @@ -816,7 +816,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-04-04T10:29:23.753183Z" + "modified": "2026-03-20T10:43:57.595965Z" }, { "id": "GO-2026-4340", @@ -824,11 +824,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-04-04T10:29:23.387166Z" + "modified": "2026-03-23T10:29:12.350209Z" }, { "id": "GO-2026-4342", - "modified": "2026-04-04T10:29:23.020657Z" + "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", @@ -836,7 +836,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-02T13:44:28.715638Z" + "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", @@ -951,7 +951,7 @@ interactions: }, { "id": "GO-2025-3447", - "modified": "2026-03-24T23:48:06.694170Z" + "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", @@ -967,7 +967,7 @@ interactions: }, { "id": "GO-2025-3849", - "modified": "2026-03-24T23:55:13.286144Z" + "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", 
@@ -1007,7 +1007,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-04-04T10:29:23.225210Z" + "modified": "2026-03-23T10:29:12.189807Z" }, { "id": "GO-2025-4015", @@ -1015,7 +1015,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-04-04T10:29:23.487831Z" + "modified": "2026-03-23T10:29:12.451671Z" }, { "id": "GO-2025-4175", @@ -1023,7 +1023,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-04-04T10:29:23.753183Z" + "modified": "2026-03-20T10:43:57.595965Z" }, { "id": "GO-2026-4340", @@ -1031,11 +1031,11 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-04-04T10:29:23.387166Z" + "modified": "2026-03-23T10:29:12.350209Z" }, { "id": "GO-2026-4342", - "modified": "2026-04-04T10:29:23.020657Z" + "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", @@ -1043,7 +1043,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-04-02T13:44:28.715638Z" + "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", @@ -3600,7 +3600,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 22513 + content_length: 22298 body: | { "results": [ @@ -4273,19 +4273,19 @@ interactions: }, { "id": "DEBIAN-CVE-2026-0989", - "modified": "2026-03-27T10:02:52.786818Z" + "modified": "2026-01-16T11:05:07.928323Z" }, { "id": "DEBIAN-CVE-2026-0990", - "modified": "2026-03-27T10:02:55.759355Z" + "modified": "2026-01-16T11:05:23.527352Z" }, { "id": "DEBIAN-CVE-2026-0992", - "modified": "2026-03-27T10:02:35.574410Z" + "modified": "2026-01-16T11:05:10.515041Z" }, { "id": "DEBIAN-CVE-2026-1757", - "modified": "2026-03-27T10:02:04.914884Z" + "modified": "2026-02-03T11:16:44.779248Z" }, { "id": "DLA-3012-1", @@ -4934,10 +4934,6 @@ interactions: "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, - { - "id": "DEBIAN-CVE-2026-5704", - "modified": "2026-04-06T22:00:20.522062Z" - }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" 
@@ -5034,13 +5030,9 @@ interactions: "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, - { - "id": "DEBIAN-CVE-2026-27456", - "modified": "2026-04-04T10:03:13.427021Z" - }, { "id": "DEBIAN-CVE-2026-3184", - "modified": "2026-04-04T10:03:07.405618Z" + "modified": "2026-02-26T09:30:44.219098Z" }, { "id": "DLA-3782-1", @@ -5070,10 +5062,6 @@ interactions: "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, - { - "id": "DEBIAN-CVE-2026-34743", - "modified": "2026-04-03T10:03:21.198279Z" - }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" @@ -5130,7 +5118,7 @@ interactions: } headers: Content-Length: - - "22513" + - "22298" Content-Type: - application/json status: 200 OK @@ -5231,7 +5219,7 @@ interactions: "vulns": [ { "id": "GO-2025-3849", - "modified": "2026-03-24T23:55:13.286144Z" + "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", @@ -5271,7 +5259,7 @@ interactions: }, { "id": "GO-2025-4014", - "modified": "2026-04-04T10:29:23.225210Z" + "modified": "2026-03-23T10:29:12.189807Z" }, { "id": "GO-2025-4015", @@ -5279,7 +5267,7 @@ interactions: }, { "id": "GO-2025-4155", - "modified": "2026-04-04T10:29:23.487831Z" + "modified": "2026-03-23T10:29:12.451671Z" }, { "id": "GO-2025-4175", @@ -5287,7 +5275,7 @@ interactions: }, { "id": "GO-2026-4337", - "modified": "2026-04-04T10:29:23.753183Z" + "modified": "2026-03-20T10:43:57.595965Z" }, { "id": "GO-2026-4340", @@ -5295,15 +5283,15 @@ interactions: }, { "id": "GO-2026-4341", - "modified": "2026-04-04T10:29:23.387166Z" + "modified": "2026-03-23T10:29:12.350209Z" }, { "id": "GO-2026-4342", - "modified": "2026-04-04T10:29:23.020657Z" + "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4601", - "modified": "2026-04-02T13:44:28.715638Z" + "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", 
@@ -5323,11 +5311,11 @@ interactions: }, { "id": "GO-2026-4339", - "modified": "2026-03-27T10:40:21.183038Z" + "modified": "2026-02-04T04:20:19.626029Z" }, { "id": "GO-2026-4433", - "modified": "2026-04-04T10:29:23.122159Z" + "modified": "2026-03-02T10:44:08.411132Z" } ] } @@ -6926,7 +6914,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 4949 + content_length: 4809 body: | { "results": [ @@ -7017,10 +7005,6 @@ interactions: "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, - { - "id": "GHSA-gc5v-m9x4-r6x2", - "modified": "2026-03-27T22:17:33.595885Z" - }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" @@ -7185,10 +7169,6 @@ interactions: "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, - { - "id": "GHSA-gc5v-m9x4-r6x2", - "modified": "2026-03-27T22:17:33.595885Z" - }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" @@ -7264,7 +7244,7 @@ interactions: } headers: Content-Length: - - "4949" + - "4809" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml index 42854269ca2..163c05b99db 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml @@ -44,7 +44,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 931 + content_length: 798 body: | { "results": [ @@ -74,10 +74,6 @@ interactions: }, { "vulns": [ - { - "id": "GHSA-44p7-9xx4-hf2g", - "modified": "2026-03-30T22:29:16.268586Z" - }, { "id": "GHSA-9phm-fm57-rhg8", "modified": "2026-02-04T03:56:37.185672Z" 
@@ -109,10 +105,6 @@ interactions: { "id": "GO-2024-2937", "modified": "2026-02-04T03:54:25.251608Z" - }, - { - "id": "GO-2026-4815", - "modified": "2026-04-06T21:15:14.818900Z" } ] } @@ -120,7 +112,7 @@ interactions: } headers: Content-Length: - - "931" + - "798" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml index a418d5e6e02..ce82ef86319 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml 
@@ -342,3 +342,710 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1629 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "GIT", + "name": "git://github.com/boostorg/boost" + }, + "version": "boost-1.67.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "github.com/boostorg/boost" + }, + "version": "boost-1.67.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "http://github.com/boostorg/boost" + }, + "version": "boost-1.67.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/Exiv2/exiv2" + }, + "version": "v0.28.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/apache/orc" + }, + "version": "v3.19.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/boostorg/boost" + }, + "version": "boost-1.67.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/capricorn86/happy-dom.git" + }, + "version": "v11.1.0" + }, + { + "commit": "45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/openssl/openssl" + }, + "version": "openssl-3.5.0" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/sfackler-fork/rust-openssl" + }, + "version": "openssl-v0.10.23" + }, + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/sfackler/rust-openssl" + }, + "version": "openssl-v0.8.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_CommitSupport/online_uses_git_commits + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 9106 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "OSV-2018-389", + "modified": "2022-04-13T03:04:40.912286Z" + } + ] + }, + { + "vulns": [ + { + "id": "OSV-2018-389", + "modified": 
"2022-04-13T03:04:40.912286Z" + } + ] + }, + { + "vulns": [ + { + "id": "OSV-2018-389", + "modified": "2022-04-13T03:04:40.912286Z" + } + ] + }, + { + "vulns": [ + { + "id": "OSV-2023-1161", + "modified": "2025-03-18T00:34:06.623648Z" + }, + { + "id": "OSV-2024-340", + "modified": "2026-04-07T14:25:48.469483Z" + } + ] + }, + {}, + { + "vulns": [ + { + "id": "OSV-2018-389", + "modified": "2022-04-13T03:04:40.912286Z" + } + ] + }, + { + "vulns": [ + { + "id": "CVE-2024-51757", + "modified": "2026-04-02T12:23:17.126382Z" + }, + { + "id": "CVE-2025-61927", + "modified": "2026-04-02T12:57:34.520726Z" + }, + { + "id": "CVE-2025-62410", + "modified": "2026-04-02T12:57:47.039051Z" + }, + { + "id": "CVE-2026-34226", + "modified": "2026-04-02T13:29:31.439923Z" + } + ] + }, + { + "vulns": [ + { + "id": "CVE-2016-0701", + "modified": "2026-04-01T23:26:39.451139Z" + }, + { + "id": "CVE-2016-0702", + "modified": "2026-04-01T23:28:43.662146Z" + }, + { + "id": "CVE-2016-0703", + "modified": "2026-04-01T23:26:24.342221Z" + }, + { + "id": "CVE-2016-0704", + "modified": "2026-04-01T23:26:24.349093Z" + }, + { + "id": "CVE-2016-0705", + "modified": "2026-04-01T23:31:34.961680Z" + }, + { + "id": "CVE-2016-0797", + "modified": "2026-04-01T23:30:52.947050Z" + }, + { + "id": "CVE-2016-0798", + "modified": "2026-04-01T23:30:03.342358Z" + }, + { + "id": "CVE-2016-0799", + "modified": "2026-04-01T23:29:08.132236Z" + }, + { + "id": "CVE-2016-0800", + "modified": "2026-04-01T23:29:55.194175Z" + }, + { + "id": "CVE-2016-2105", + "modified": "2026-04-01T23:36:25.755643Z" + }, + { + "id": "CVE-2016-2106", + "modified": "2026-04-01T23:36:11.824548Z" + }, + { + "id": "CVE-2016-2107", + "modified": "2026-04-01T23:36:25.220756Z" + }, + { + "id": "CVE-2016-2108", + "modified": "2026-04-01T23:36:14.552979Z" + }, + { + "id": "CVE-2016-2109", + "modified": "2026-04-01T23:36:09.516812Z" + }, + { + "id": "CVE-2016-2176", + "modified": "2026-04-01T23:36:25.131388Z" + }, + { + "id": "CVE-2016-2177", + 
"modified": "2026-04-01T23:36:20.413546Z" + }, + { + "id": "CVE-2016-2178", + "modified": "2026-04-01T23:36:42.101511Z" + }, + { + "id": "CVE-2016-2179", + "modified": "2026-04-01T23:36:17.896736Z" + }, + { + "id": "CVE-2016-2181", + "modified": "2026-04-01T23:36:29.127761Z" + }, + { + "id": "CVE-2016-2182", + "modified": "2026-04-01T23:36:30.932915Z" + }, + { + "id": "CVE-2016-2842", + "modified": "2026-04-01T23:38:31.723546Z" + }, + { + "id": "CVE-2016-6302", + "modified": "2026-04-01T23:53:30.080722Z" + }, + { + "id": "CVE-2016-6303", + "modified": "2026-04-01T23:53:51.997796Z" + }, + { + "id": "CVE-2016-6304", + "modified": "2026-04-01T23:53:59.783019Z" + }, + { + "id": "CVE-2016-6305", + "modified": "2026-04-01T23:53:43.877761Z" + }, + { + "id": "CVE-2016-6306", + "modified": "2026-04-01T23:53:59.210272Z" + }, + { + "id": "CVE-2016-6307", + "modified": "2026-04-01T23:53:42.461031Z" + }, + { + "id": "CVE-2016-6308", + "modified": "2026-04-01T23:53:26.454277Z" + }, + { + "id": "CVE-2016-6309", + "modified": "2026-04-01T23:53:43.736712Z" + }, + { + "id": "CVE-2016-7052", + "modified": "2026-04-01T23:54:15.873031Z" + }, + { + "id": "CVE-2016-7053", + "modified": "2026-04-01T23:54:07.855301Z" + }, + { + "id": "CVE-2016-7056", + "modified": "2026-04-01T23:54:13.235667Z" + }, + { + "id": "CVE-2016-8610", + "modified": "2026-04-01T23:54:51.824504Z" + }, + { + "id": "CVE-2017-3730", + "modified": "2026-04-02T00:11:21.102504Z" + }, + { + "id": "CVE-2017-3731", + "modified": "2026-04-02T00:12:14.412340Z" + }, + { + "id": "CVE-2017-3732", + "modified": "2026-04-02T00:12:12.038689Z" + }, + { + "id": "CVE-2017-3733", + "modified": "2026-04-02T00:11:29.586943Z" + }, + { + "id": "CVE-2017-3735", + "modified": "2026-04-02T00:11:22.330095Z" + }, + { + "id": "CVE-2017-3737", + "modified": "2026-04-02T00:08:44.798469Z" + }, + { + "id": "CVE-2017-3738", + "modified": "2026-04-02T00:12:13.942591Z" + }, + { + "id": "CVE-2018-0734", + "modified": "2026-04-02T00:33:08.965494Z" + }, + 
{ + "id": "CVE-2018-0735", + "modified": "2026-04-02T00:38:08.341105Z" + }, + { + "id": "CVE-2018-5407", + "modified": "2026-04-02T01:24:46.070208Z" + }, + { + "id": "CVE-2020-1968", + "modified": "2026-04-02T04:29:27.597946Z" + }, + { + "id": "CVE-2021-23839", + "modified": "2026-04-02T06:47:56.072444Z" + }, + { + "id": "CVE-2021-23841", + "modified": "2026-04-02T06:48:54.684635Z" + }, + { + "id": "CVE-2021-3449", + "modified": "2026-04-02T07:15:38.084873Z" + }, + { + "id": "CVE-2022-2068", + "modified": "2026-04-02T07:42:19.517492Z" + }, + { + "id": "CVE-2022-2097", + "modified": "2026-04-02T07:42:20.259535Z" + }, + { + "id": "CVE-2023-0215", + "modified": "2026-04-02T08:32:42.981492Z" + }, + { + "id": "CVE-2023-0286", + "modified": "2026-04-02T08:32:43.026586Z" + }, + { + "id": "CVE-2023-0401", + "modified": "2026-04-02T08:32:29.442023Z" + }, + { + "id": "CVE-2023-3446", + "modified": "2026-04-02T09:03:26.432117Z" + }, + { + "id": "CVE-2023-6237", + "modified": "2026-04-02T09:48:01.881441Z" + }, + { + "id": "CVE-2024-12797", + "modified": "2026-03-23T05:06:57.351567Z" + }, + { + "id": "CVE-2024-13176", + "modified": "2026-04-02T09:59:53.877093Z" + }, + { + "id": "CVE-2024-2511", + "modified": "2026-04-02T10:08:02.801311Z" + }, + { + "id": "CVE-2024-4603", + "modified": "2026-04-02T12:21:16.410893Z" + }, + { + "id": "CVE-2024-4741", + "modified": "2026-04-02T12:21:07.617700Z" + }, + { + "id": "CVE-2024-5535", + "modified": "2026-04-02T12:28:22.047392Z" + }, + { + "id": "CVE-2024-9143", + "modified": "2026-04-02T12:30:23.094298Z" + }, + { + "id": "CVE-2025-4575", + "modified": "2026-04-02T12:48:51.065458Z" + }, + { + "id": "CVE-2025-9230", + "modified": "2026-04-02T13:07:48.305234Z" + }, + { + "id": "CVE-2025-9231", + "modified": "2026-04-02T13:07:41.821305Z" + }, + { + "id": "CVE-2025-9232", + "modified": "2026-04-02T13:07:48.699162Z" + }, + { + "id": "CVE-2026-2673", + "modified": "2026-04-02T13:20:25.921852Z" + } + ] + }, + { + "vulns": [ + { + "id": 
"CVE-2016-0701", + "modified": "2026-04-01T23:26:39.451139Z" + }, + { + "id": "CVE-2016-0703", + "modified": "2026-04-01T23:26:24.342221Z" + }, + { + "id": "CVE-2016-0704", + "modified": "2026-04-01T23:26:24.349093Z" + }, + { + "id": "CVE-2016-0798", + "modified": "2026-04-01T23:30:03.342358Z" + }, + { + "id": "CVE-2016-0799", + "modified": "2026-04-01T23:29:08.132236Z" + }, + { + "id": "CVE-2016-0800", + "modified": "2026-04-01T23:29:55.194175Z" + }, + { + "id": "CVE-2016-2106", + "modified": "2026-04-01T23:36:11.824548Z" + }, + { + "id": "CVE-2016-2108", + "modified": "2026-04-01T23:36:14.552979Z" + }, + { + "id": "CVE-2016-2109", + "modified": "2026-04-01T23:36:09.516812Z" + }, + { + "id": "CVE-2016-2176", + "modified": "2026-04-01T23:36:25.131388Z" + }, + { + "id": "CVE-2016-2177", + "modified": "2026-04-01T23:36:20.413546Z" + }, + { + "id": "CVE-2016-2179", + "modified": "2026-04-01T23:36:17.896736Z" + }, + { + "id": "CVE-2016-2181", + "modified": "2026-04-01T23:36:29.127761Z" + }, + { + "id": "CVE-2016-2182", + "modified": "2026-04-01T23:36:30.932915Z" + }, + { + "id": "CVE-2016-2842", + "modified": "2026-04-01T23:38:31.723546Z" + }, + { + "id": "CVE-2016-6302", + "modified": "2026-04-01T23:53:30.080722Z" + }, + { + "id": "CVE-2016-6305", + "modified": "2026-04-01T23:53:43.877761Z" + }, + { + "id": "CVE-2016-6307", + "modified": "2026-04-01T23:53:42.461031Z" + }, + { + "id": "CVE-2016-6308", + "modified": "2026-04-01T23:53:26.454277Z" + }, + { + "id": "CVE-2016-6309", + "modified": "2026-04-01T23:53:43.736712Z" + }, + { + "id": "CVE-2016-7053", + "modified": "2026-04-01T23:54:07.855301Z" + }, + { + "id": "CVE-2016-7056", + "modified": "2026-04-01T23:54:13.235667Z" + }, + { + "id": "CVE-2016-8610", + "modified": "2026-04-01T23:54:51.824504Z" + }, + { + "id": "CVE-2017-3730", + "modified": "2026-04-02T00:11:21.102504Z" + }, + { + "id": "CVE-2017-3733", + "modified": "2026-04-02T00:11:29.586943Z" + }, + { + "id": "CVE-2017-3735", + "modified": 
"2026-04-02T00:11:22.330095Z" + }, + { + "id": "CVE-2017-3737", + "modified": "2026-04-02T00:08:44.798469Z" + }, + { + "id": "CVE-2020-1968", + "modified": "2026-04-02T04:29:27.597946Z" + }, + { + "id": "CVE-2022-2068", + "modified": "2026-04-02T07:42:19.517492Z" + }, + { + "id": "CVE-2022-2097", + "modified": "2026-04-02T07:42:20.259535Z" + }, + { + "id": "CVE-2023-0215", + "modified": "2026-04-02T08:32:42.981492Z" + }, + { + "id": "CVE-2023-0286", + "modified": "2026-04-02T08:32:43.026586Z" + }, + { + "id": "CVE-2023-0401", + "modified": "2026-04-02T08:32:29.442023Z" + }, + { + "id": "CVE-2023-3446", + "modified": "2026-04-02T09:03:26.432117Z" + }, + { + "id": "CVE-2023-6129", + "modified": "2026-04-02T09:47:11.223590Z" + }, + { + "id": "CVE-2023-6237", + "modified": "2026-04-02T09:48:01.881441Z" + }, + { + "id": "CVE-2024-0727", + "modified": "2026-04-02T09:49:17.983670Z" + }, + { + "id": "CVE-2024-13176", + "modified": "2026-04-02T09:59:53.877093Z" + }, + { + "id": "CVE-2024-2511", + "modified": "2026-04-02T10:08:02.801311Z" + }, + { + "id": "CVE-2024-4603", + "modified": "2026-04-02T12:21:16.410893Z" + }, + { + "id": "CVE-2024-4741", + "modified": "2026-04-02T12:21:07.617700Z" + }, + { + "id": "CVE-2024-5535", + "modified": "2026-04-02T12:28:22.047392Z" + }, + { + "id": "CVE-2024-6119", + "modified": "2026-04-02T12:26:17.322430Z" + }, + { + "id": "CVE-2024-9143", + "modified": "2026-04-02T12:30:23.094298Z" + }, + { + "id": "CVE-2025-11187", + "modified": "2026-04-02T12:31:09.087200Z" + }, + { + "id": "CVE-2025-15467", + "modified": "2026-04-02T12:34:51.332716Z" + }, + { + "id": "CVE-2025-15468", + "modified": "2026-04-02T12:35:06.860135Z" + }, + { + "id": "CVE-2025-15469", + "modified": "2026-03-23T05:05:23.819469Z" + }, + { + "id": "CVE-2025-4575", + "modified": "2026-04-02T12:48:51.065458Z" + }, + { + "id": "CVE-2025-66199", + "modified": "2026-03-23T05:00:24.564614Z" + }, + { + "id": "CVE-2025-68160", + "modified": "2026-03-23T05:12:37.160955Z" + }, + { + 
"id": "CVE-2025-69418", + "modified": "2026-04-02T13:05:42.562613Z" + }, + { + "id": "CVE-2025-69419", + "modified": "2026-04-02T13:05:53.476082Z" + }, + { + "id": "CVE-2025-69420", + "modified": "2026-03-23T05:13:16.365472Z" + }, + { + "id": "CVE-2025-69421", + "modified": "2026-04-02T13:05:42.582269Z" + }, + { + "id": "CVE-2025-9230", + "modified": "2026-04-02T13:07:48.305234Z" + }, + { + "id": "CVE-2025-9231", + "modified": "2026-04-02T13:07:41.821305Z" + }, + { + "id": "CVE-2025-9232", + "modified": "2026-04-02T13:07:48.699162Z" + }, + { + "id": "CVE-2026-22795", + "modified": "2026-03-23T05:12:31.733749Z" + }, + { + "id": "CVE-2026-22796", + "modified": "2026-04-02T13:13:17.422878Z" + }, + { + "id": "CVE-2026-2673", + "modified": "2026-04-02T13:20:25.921852Z" + } + ] + }, + {}, + { + "vulns": [ + { + "id": "CVE-2016-10931", + "modified": "2026-03-14T09:18:29.278606Z" + }, + { + "id": "CVE-2018-20997", + "modified": "2026-03-14T09:29:08.646634Z" + }, + { + "id": "CVE-2023-53159", + "modified": "2026-03-11T18:20:56.090230Z" + } + ] + } + ] + } + headers: + Content-Length: + - "9106" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml index 2d839e5c008..487902f1177 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml @@ -1408,7 +1408,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 22513 + content_length: 22298 body: | { "results": [ 
@@ -2081,19 +2081,19 @@ interactions: }, { "id": "DEBIAN-CVE-2026-0989", - "modified": "2026-03-27T10:02:52.786818Z" + "modified": "2026-01-16T11:05:07.928323Z" }, { "id": "DEBIAN-CVE-2026-0990", - "modified": "2026-03-27T10:02:55.759355Z" + "modified": "2026-01-16T11:05:23.527352Z" }, { "id": "DEBIAN-CVE-2026-0992", - "modified": "2026-03-27T10:02:35.574410Z" + "modified": "2026-01-16T11:05:10.515041Z" }, { "id": "DEBIAN-CVE-2026-1757", - "modified": "2026-03-27T10:02:04.914884Z" + "modified": "2026-02-03T11:16:44.779248Z" }, { "id": "DLA-3012-1", @@ -2742,10 +2742,6 @@ interactions: "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, - { - "id": "DEBIAN-CVE-2026-5704", - "modified": "2026-04-06T22:00:20.522062Z" - }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" @@ -2842,13 +2838,9 @@ interactions: "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, - { - "id": "DEBIAN-CVE-2026-27456", - "modified": "2026-04-04T10:03:13.427021Z" - }, { "id": "DEBIAN-CVE-2026-3184", - "modified": "2026-04-04T10:03:07.405618Z" + "modified": "2026-02-26T09:30:44.219098Z" }, { "id": "DLA-3782-1", @@ -2878,10 +2870,6 @@ interactions: "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, - { - "id": "DEBIAN-CVE-2026-34743", - "modified": "2026-04-03T10:03:21.198279Z" - }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" @@ -2938,7 +2926,7 @@ interactions: } headers: Content-Length: - - "22513" + - "22298" Content-Type: - application/json status: 200 OK @@ -4009,7 +3997,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 21757 + content_length: 21542 body: | { "results": [ 
@@ -4650,19 +4638,19 @@ interactions: }, { "id": "DEBIAN-CVE-2026-0989", - "modified": "2026-03-27T10:02:52.786818Z" + "modified": "2026-01-16T11:05:07.928323Z" }, { "id": "DEBIAN-CVE-2026-0990", - "modified": "2026-03-27T10:02:55.759355Z" + "modified": "2026-01-16T11:05:23.527352Z" }, { "id": "DEBIAN-CVE-2026-0992", - "modified": "2026-03-27T10:02:35.574410Z" + "modified": "2026-01-16T11:05:10.515041Z" }, { "id": "DEBIAN-CVE-2026-1757", - "modified": "2026-03-27T10:02:04.914884Z" + "modified": "2026-02-03T11:16:44.779248Z" }, { "id": "DLA-3012-1", @@ -5311,10 +5299,6 @@ interactions: "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, - { - "id": "DEBIAN-CVE-2026-5704", - "modified": "2026-04-06T22:00:20.522062Z" - }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" @@ -5411,13 +5395,9 @@ interactions: "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, - { - "id": "DEBIAN-CVE-2026-27456", - "modified": "2026-04-04T10:03:13.427021Z" - }, { "id": "DEBIAN-CVE-2026-3184", - "modified": "2026-04-04T10:03:07.405618Z" + "modified": "2026-02-26T09:30:44.219098Z" }, { "id": "DLA-3782-1", @@ -5447,10 +5427,6 @@ interactions: "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, - { - "id": "DEBIAN-CVE-2026-34743", - "modified": "2026-04-03T10:03:21.198279Z" - }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" @@ -5467,7 +5443,7 @@ interactions: } headers: Content-Length: - - "21757" + - "21542" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml index 1a7550391b1..78f71c69858 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml 
@@ -148,127 +148,19 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 4706 + content_length: 2593 body: | { "results": [ { "vulns": [ - { - "id": "CVE-2016-0701", - "modified": "2026-04-01T23:26:39.451139Z" - }, - { - "id": "CVE-2016-0703", - "modified": "2026-04-01T23:26:24.342221Z" - }, - { - "id": "CVE-2016-0704", - "modified": "2026-04-01T23:26:24.349093Z" - }, - { - "id": "CVE-2016-0798", - "modified": "2026-04-01T23:30:03.342358Z" - }, - { - "id": "CVE-2016-0799", - "modified": "2026-04-01T23:29:08.132236Z" - }, - { - "id": "CVE-2016-0800", - "modified": "2026-04-01T23:29:55.194175Z" - }, - { - "id": "CVE-2016-2106", - "modified": "2026-04-01T23:36:11.824548Z" - }, - { - "id": "CVE-2016-2108", - "modified": "2026-04-01T23:36:14.552979Z" - }, - { - "id": "CVE-2016-2109", - "modified": "2026-04-01T23:36:09.516812Z" - }, - { - "id": "CVE-2016-2176", - "modified": "2026-04-01T23:36:25.131388Z" - }, { "id": "CVE-2016-2177", - "modified": "2026-04-01T23:36:20.413546Z" - }, - { - "id": "CVE-2016-2179", - "modified": "2026-04-01T23:36:17.896736Z" - }, - { - "id": "CVE-2016-2181", - "modified": "2026-04-01T23:36:29.127761Z" + "modified": "2026-03-15T22:22:35.782155Z" }, { "id": "CVE-2016-2182", - "modified": "2026-04-01T23:36:30.932915Z" - }, - { - "id": "CVE-2016-2842", - "modified": "2026-04-01T23:38:31.723546Z" - }, - { - "id": "CVE-2016-6302", - "modified": "2026-04-01T23:53:30.080722Z" - }, - { - "id": "CVE-2016-6305", - "modified": "2026-04-01T23:53:43.877761Z" - }, - { - "id": "CVE-2016-6307", - "modified": "2026-04-01T23:53:42.461031Z" - }, - { - "id": "CVE-2016-6308", - "modified": "2026-04-01T23:53:26.454277Z" - }, - { - "id": "CVE-2016-6309", - "modified": "2026-04-01T23:53:43.736712Z" - }, - { - "id": "CVE-2016-7053", - "modified": "2026-04-01T23:54:07.855301Z" - }, - { - "id": "CVE-2016-7056", - "modified": "2026-04-01T23:54:13.235667Z" - }, - { - "id": "CVE-2016-8610", - "modified": "2026-04-01T23:54:51.824504Z" - }, - { - 
"id": "CVE-2017-3730", - "modified": "2026-04-02T00:11:21.102504Z" - }, - { - "id": "CVE-2017-3733", - "modified": "2026-04-02T00:11:29.586943Z" - }, - { - "id": "CVE-2017-3735", - "modified": "2026-04-02T00:11:22.330095Z" - }, - { - "id": "CVE-2017-3737", - "modified": "2026-04-02T00:08:44.798469Z" - }, - { - "id": "CVE-2020-1968", - "modified": "2026-04-02T04:29:27.597946Z" - }, - { - "id": "CVE-2022-2097", - "modified": "2026-04-02T07:42:20.259535Z" + "modified": "2026-03-15T22:06:16.823524Z" }, { "id": "CVE-2022-2274", @@ -280,7 +172,7 @@ interactions: }, { "id": "CVE-2022-3996", - "modified": "2026-04-02T08:13:39.523587Z" + "modified": "2026-03-15T22:44:21.336918Z" }, { "id": "CVE-2022-4203", @@ -296,7 +188,7 @@ interactions: }, { "id": "CVE-2023-0215", - "modified": "2026-04-02T08:32:42.981492Z" + "modified": "2026-03-15T22:46:35.699581Z" }, { "id": "CVE-2023-0216", @@ -304,27 +196,27 @@ interactions: }, { "id": "CVE-2023-0217", - "modified": "2026-04-02T08:32:14.606159Z" + "modified": "2026-03-15T22:46:23.122521Z" }, { "id": "CVE-2023-0286", - "modified": "2026-04-02T08:32:43.026586Z" + "modified": "2026-03-23T05:08:02.726984Z" }, { "id": "CVE-2023-0401", - "modified": "2026-04-02T08:32:29.442023Z" + "modified": "2026-03-14T12:00:52.936954Z" }, { "id": "CVE-2023-0464", - "modified": "2026-04-02T08:33:05.745831Z" + "modified": "2026-03-23T05:01:38.442879Z" }, { "id": "CVE-2023-0465", - "modified": "2026-04-02T08:33:05.758811Z" + "modified": "2026-03-15T22:45:58.975327Z" }, { "id": "CVE-2023-0466", - "modified": "2026-04-02T08:33:05.761800Z" + "modified": "2026-03-15T22:46:04.107702Z" }, { "id": "CVE-2023-1255", 
@@ -332,15 +224,15 @@ interactions: }, { "id": "CVE-2023-2650", - "modified": "2026-04-02T08:51:31.735985Z" + "modified": "2026-03-23T05:00:34.487377Z" }, { "id": "CVE-2023-2975", - "modified": "2026-04-02T08:54:18.679841Z" + "modified": "2026-03-15T14:49:55.221034Z" }, { "id": "CVE-2023-3817", - "modified": "2026-04-02T09:08:17.588425Z" + "modified": "2026-03-15T22:45:38.616987Z" }, { "id": "CVE-2023-4807", @@ -348,59 +240,47 @@ interactions: }, { "id": "CVE-2023-5363", - "modified": "2026-04-02T09:46:04.662763Z" + "modified": "2026-03-15T22:49:01.513389Z" }, { "id": "CVE-2023-5678", - "modified": "2026-04-02T09:47:56.258535Z" + "modified": "2026-03-15T22:49:18.011924Z" }, { "id": "CVE-2023-6129", - "modified": "2026-04-02T09:47:11.223590Z" + "modified": "2026-03-15T21:45:17.017844Z" }, { "id": "CVE-2023-6237", - "modified": "2026-04-02T09:48:01.881441Z" - }, - { - "id": "CVE-2024-0727", - "modified": "2026-04-02T09:49:17.983670Z" + "modified": "2026-03-15T22:49:35.974149Z" }, { "id": "CVE-2024-13176", - "modified": "2026-04-02T09:59:53.877093Z" + "modified": "2026-03-23T05:00:52.882982Z" }, { "id": "CVE-2024-2511", - "modified": "2026-04-02T10:08:02.801311Z" + "modified": "2026-03-23T05:00:41.236875Z" }, { "id": "CVE-2024-4603", - "modified": "2026-04-02T12:21:16.410893Z" + "modified": "2026-03-23T05:09:27.414549Z" }, { "id": "CVE-2024-4741", - "modified": "2026-04-02T12:21:07.617700Z" + "modified": "2026-03-23T05:03:57.853457Z" }, { "id": "CVE-2024-5535", - "modified": "2026-04-02T12:28:22.047392Z" - }, - { - "id": "CVE-2024-6119", - "modified": "2026-04-02T12:26:17.322430Z" + "modified": "2026-03-23T05:10:32.616432Z" }, { "id": "CVE-2024-9143", - "modified": "2026-04-02T12:30:23.094298Z" + "modified": "2026-03-15T22:52:44.104304Z" }, { "id": "CVE-2025-15467", - "modified": "2026-04-02T12:34:51.332716Z" - }, - { - "id": "CVE-2025-4575", - "modified": "2026-04-02T12:48:51.065458Z" + "modified": "2026-03-23T05:02:57.782932Z" }, { "id": "CVE-2025-68160", 
@@ -408,31 +288,23 @@ interactions: }, { "id": "CVE-2025-69418", - "modified": "2026-04-02T13:05:42.562613Z" + "modified": "2026-03-23T05:03:12.246510Z" }, { "id": "CVE-2025-69419", - "modified": "2026-04-02T13:05:53.476082Z" + "modified": "2026-03-23T05:03:26.083494Z" }, { "id": "CVE-2025-69420", "modified": "2026-03-23T05:13:16.365472Z" }, - { - "id": "CVE-2025-69421", - "modified": "2026-04-02T13:05:42.582269Z" - }, { "id": "CVE-2025-9230", - "modified": "2026-04-02T13:07:48.305234Z" - }, - { - "id": "CVE-2025-9231", - "modified": "2026-04-02T13:07:41.821305Z" + "modified": "2026-03-23T05:00:34.923543Z" }, { "id": "CVE-2025-9232", - "modified": "2026-04-02T13:07:48.699162Z" + "modified": "2026-03-23T05:05:02.628675Z" }, { "id": "CVE-2026-22795", @@ -440,11 +312,7 @@ interactions: }, { "id": "CVE-2026-22796", - "modified": "2026-04-02T13:13:17.422878Z" - }, - { - "id": "CVE-2026-2673", - "modified": "2026-04-02T13:20:25.921852Z" + "modified": "2026-03-23T05:11:54.223561Z" } ] } @@ -452,7 +320,7 @@ interactions: } headers: Content-Length: - - "4706" + - "2593" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml new file mode 100644 index 00000000000..65aefb7a1d3 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml 
@@ -0,0 +1,137 @@ +--- +version: 2 +interactions: + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 170 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/libssh2/libssh2" + }, + "version": "1.11.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 337 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "OSV-2022-24", + "modified": "2025-02-01T14:16:58.476563Z" + }, + { + "id": "OSV-2024-847", + "modified": "2025-02-01T14:27:03.602163Z" + }, + { + "id": "OSV-2025-433", + "modified": "2025-06-05T00:02:57.200566Z" + }, + { + "id": "OSV-2025-90", + "modified": "2025-12-20T14:15:39.033263Z" + }, + { + "id": "OSV-2025-92", + "modified": "2025-12-20T14:25:09.128654Z" + } + ] + } + ] + } + headers: + Content-Length: + - "337" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 170 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "GIT", + "name": "https://github.com/libssh2/libssh2" + }, + "version": "1.11.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 337 + body: | + { + "results": [ + { + "vulns": [ + { + "id": "OSV-2022-24", + "modified": "2025-02-01T14:16:58.476563Z" + }, + { + "id": "OSV-2024-847", + "modified": "2025-02-01T14:27:03.602163Z" + }, + { + "id": "OSV-2025-433", + "modified": "2025-06-05T00:02:57.200566Z" + }, + { 
+ "id": "OSV-2025-90", + "modified": "2025-12-20T14:15:39.033263Z" + }, + { + "id": "OSV-2025-92", + "modified": "2025-12-20T14:25:09.128654Z" + } + ] + } + ] + } + headers: + Content-Length: + - "337" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s diff --git a/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb new file mode 100644 index 00000000000..dfed079483c --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb @@ -0,0 +1,55 @@ +class Libssh2 < Formula + desc "C library implementing the SSH2 protocol" + homepage "https://libssh2.org/" + url "https://libssh2.org/download/libssh2-1.11.1.tar.gz" + mirror "https://github.com/libssh2/libssh2/releases/download/libssh2-1.11.1/libssh2-1.11.1.tar.gz" + mirror "http://download.openpkg.org/components/cache/libssh2/libssh2-1.11.1.tar.gz" + sha256 "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7" + license "BSD-3-Clause" + + livecheck do + url "https://libssh2.org/download/" + regex(/href=.*?libssh2[._-]v?(\d+(?:\.\d+)+)\./i) + end + + head do + url "https://github.com/libssh2/libssh2.git", branch: "master" + + depends_on "autoconf" => :build + depends_on "automake" => :build + depends_on "libtool" => :build + end + + depends_on "openssl@3" + + uses_from_macos "zlib" + + def install + args = %W[ + --disable-silent-rules + --disable-examples-build + --with-openssl + --with-libz + --with-libssl-prefix=#{Formula["openssl@3"].opt_prefix} + ] + + system "./buildconf" if build.head? + system "./configure", *std_configure_args, *args + system "make", "install" + end + + test do + (testpath/"test.c").write <<~EOS + #include + + int main(void) + { + libssh2_exit(); + return 0; + } + EOS + + system ENV.cc, "test.c", "-L#{lib}", "-lssh2", "-o", "test" + system "./test" + end +end 
diff --git a/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json new file mode 100644 index 00000000000..0e39c151ef6 --- /dev/null +++ b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json @@ -0,0 +1,57 @@ +{ + "homebrew_version": "4.4.1-34-gaf958b2", + "used_options": [], + "unused_options": [], + "built_as_bottle": true, + "poured_from_bottle": true, + "loaded_from_api": true, + "installed_as_dependency": true, + "installed_on_request": false, + "changed_files": [ + "NEWS", + "lib/pkgconfig/libssh2.pc" + ], + "time": 1765466145, + "source_modified_time": 1729065801, + "compiler": "clang", + "aliases": [], + "runtime_dependencies": [ + { + "full_name": "ca-certificates", + "version": "2025-12-02", + "revision": 0, + "bottle_rebuild": 0, + "pkg_version": "2025-12-02", + "declared_directly": false + }, + { + "full_name": "openssl@3", + "version": "3.6.0", + "revision": 0, + "bottle_rebuild": 0, + "pkg_version": "3.6.0", + "declared_directly": true + } + ], + "source": { + "spec": "stable", + "versions": { + "stable": "1.11.1", + "head": null, + "version_scheme": 0, + "compatibility_version": null + }, + "path": "/Users/user/Library/Caches/Homebrew/api/formula.jws.json", + "tap_git_head": null, + "tap": "homebrew/core" + }, + "arch": "arm64", + "built_on": { + "os": "Macintosh", + "os_version": "macOS 15", + "cpu_family": "dunno", + "xcode": "16.0", + "clt": "16.0.0.0.1.1724870825", + "preferred_perl": "5.34" + } +} \ No newline at end of file diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 12bdac86e67..1afc1029749 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock @@ -1,7 +1,7 @@ GEM remote: https://rubygems.org/ specs: - addressable (2.8.9) + addressable (2.9.0) public_suffix (>= 2.0.2, < 8.0) base64 (0.3.0) bigdecimal (4.0.1) 
@@ -89,7 +89,7 @@ GEM
 sawyer (~> 0.9)
 pathutil (0.16.2)
 forwardable-extended (~> 2.6)
- public_suffix (7.0.2)
+ public_suffix (7.0.5)
 rake (13.3.1)
 rb-fsevent (0.11.2)
 rb-inotify (0.11.1)
diff --git a/internal/clients/clientimpl/osvmatcher/osvmatcher.go b/internal/clients/clientimpl/osvmatcher/osvmatcher.go
index 0bdb82ce3bc..6ec87147c2d 100644
--- a/internal/clients/clientimpl/osvmatcher/osvmatcher.go
+++ b/internal/clients/clientimpl/osvmatcher/osvmatcher.go
@@ -4,9 +4,11 @@ import (
 "context"
 "errors"
 "net/http"
+ "strings"
 "time"
 
 "github.com/google/osv-scalibr/extractor"
+ "github.com/google/osv-scalibr/purl"
 "github.com/google/osv-scanner/v2/internal/cachedregexp"
 "github.com/google/osv-scanner/v2/internal/cmdlogger"
 "github.com/google/osv-scanner/v2/internal/imodels"
@@ -149,6 +151,11 @@ func pkgToQuery(pkg *extractor.Package) *api.Query {
 }
 }
 
+ // Special case for Homebrew packages with a source code repo
+ if pkg.PURL().Type == purl.TypeBrew && pkg.SourceCode != nil {
+ name = strings.ToLower(pkg.SourceCode.Repo)
+ }
+
 return &api.Query{
 Package: &osvschema.Package{
 Name: name,
diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go
index dea4a6f2183..d4076c83060 100644
--- a/internal/imodels/imodels.go
+++ b/internal/imodels/imodels.go
@@ -121,6 +121,12 @@ func Ecosystem(pkg *extractor.Package) osvecosystem.Parsed {
 eco = newEco
 }
 
+ // If ecosystem is empty and the source code repo is set we set the ecosystem to GIT
+ // since it's likely that the vulnerabilities will be associated with the source code repo
+ if eco.Ecosystem == "" && pkg.SourceCode != nil {
+ eco = osvecosystem.MustParse("GIT")
+ }
+
 // TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete
 if purlCache := toCachedPackageInfo(pkg); purlCache != nil {
 newEco, err := osvecosystem.Parse(purlCache.Ecosystem)
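Review bot: The new Homebrew special case overwrites `name` with `strings.ToLower(pkg.SourceCode.Repo)` without checking that the repo string is non-empty, so a package that carries a SourceCode annotation with an empty `Repo` silently replaces the name derived earlier in pkgToQuery with `""` and the query goes out with no package name at all. The same line dereferences `pkg.PURL()` unconditionally; if that accessor can return nil for packages without a PURL type (not visible here, worth confirming against the scalibr version in go.mod), this is a panic on an otherwise valid package. Guarding both in one condition keeps the fallthrough to the existing name intact: `if p := pkg.PURL(); p != nil && p.Type == purl.TypeBrew && pkg.SourceCode != nil && pkg.SourceCode.Repo != "" {`. The earlier derivation of `name` sits above the hunk and is not visible in this view.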
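Review bot: The `GIT` fallback triggers on `pkg.SourceCode != nil` alone, which reaches beyond Homebrew: the osvscanner_test.snap hunk later in this patch shows a commit-only package whose reported `ecosystem` flips from `""` to `"GIT"`, so every output format now emits a different value for existing git-sourced packages and nothing in the code comment says so. Consider also requiring `pkg.SourceCode.Repo != ""`, since a non-nil SourceCode with an empty repo gives a GIT query nothing to match against, and extend the comment to state the visible effect: `// NOTE: this changes the ecosystem reported for git-sourced packages from "" to "GIT" in all output formats.` Ecosystem's body starts above the hunk, so whether an earlier branch can already have set `eco` for such packages is not visible here.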
diff --git a/internal/output/__snapshots__/vertical_test.snap b/internal/output/__snapshots__/vertical_test.snap index 16927b5dbc8..073e29a636b 100755 --- a/internal/output/__snapshots__/vertical_test.snap +++ b/internal/output/__snapshots__/vertical_test.snap @@ -18,7 +18,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] @@ -52,7 +51,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues 1 license violation found in unknown:/path/to/my/third/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] @@ -71,7 +69,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found - --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] @@ -113,7 +110,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues 1 license violation found in sbom:/path/to/my/second/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] @@ -147,7 +143,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues 1 license violation found in unknown:/path/to/my/third/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_no_packages - 1] @@ -169,7 +164,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithLicenseViolations/no_sources - 1] 
@@ -178,7 +172,6 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi 0 vulnerabilities can be fixed. - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_no_packages - 1] @@ -192,7 +185,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] @@ -206,7 +198,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] @@ -220,7 +211,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] @@ -234,7 +224,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] @@ -252,7 +241,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 2 license violations found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] @@ -270,7 +258,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] 
@@ -288,7 +275,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] @@ -306,7 +292,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] @@ -324,7 +309,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] @@ -346,7 +330,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found - --- [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] @@ -382,7 +365,6 @@ Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show t 2 license violations found in unknown:/path/to/my/third/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] @@ -428,7 +410,6 @@ unknown:/path/to/my/third/lockfile: found 1 package with issues 2 license violations found in unknown:/path/to/my/third/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] 
@@ -474,7 +455,6 @@ unknown:/path/to/my/third/lockfile: found 1 package with issues 2 license violations found in unknown:/path/to/my/third/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] @@ -497,7 +477,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_deprecated_package - 1] @@ -515,7 +494,6 @@ lockfile:/path/to/lockfile: found 0 packages with issues 1 deprecated packages found: deprecated-pkg@1.0.0 - --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] @@ -538,7 +516,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] @@ -556,7 +533,6 @@ Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show t 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] @@ -579,7 +555,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 license violation found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] @@ -606,7 +581,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues 1 license violation found in sbom:/path/to/my/second/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] 
@@ -642,7 +616,6 @@ sbom:/path/to/my/second/lockfile: found 2 packages with issues 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] @@ -678,7 +651,6 @@ sbom:/path/to/my/second/lockfile: found 2 packages with issues 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] @@ -697,7 +669,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] @@ -731,7 +702,6 @@ unknown:/path/to/my/third/lockfile: found 1 package with issues 1 known vulnerability found in unknown:/path/to/my/third/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] @@ -781,7 +751,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] @@ -835,7 +804,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] 
@@ -885,7 +853,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] @@ -904,7 +871,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found - --- [TestPrintVerticalResults_WithVulnerabilities/no_sources - 1] @@ -913,7 +879,6 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi 0 vulnerabilities can be fixed. - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_no_packages - 1] @@ -926,7 +891,6 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] @@ -939,7 +903,6 @@ npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] @@ -963,7 +926,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] @@ -981,7 +943,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] 
@@ -999,7 +960,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] @@ -1017,7 +977,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] @@ -1035,7 +994,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] @@ -1053,7 +1011,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] @@ -1071,7 +1028,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] @@ -1089,7 +1045,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] 
@@ -1107,7 +1062,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] @@ -1125,7 +1079,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] @@ -1143,7 +1096,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues 1 known vulnerability found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] @@ -1164,7 +1116,6 @@ lockfile:/path/to/my/first/lockfile: found 2 packages with issues 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile - --- [TestPrintVerticalResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] @@ -1185,7 +1136,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found - --- [TestPrintVerticalResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] @@ -1211,5 +1161,4 @@ sbom:/path/to/my/second/lockfile: found 1 package with issues 1 known vulnerability found in sbom:/path/to/my/second/lockfile - --- diff --git a/internal/output/githubannotation.go b/internal/output/githubannotation.go index 44e6fe099f3..317a4d2d6f1 100644 --- a/internal/output/githubannotation.go +++ b/internal/output/githubannotation.go 
@@ -79,12 +79,20 @@ func PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWrit
 artifactPath = filepath.ToSlash(artifactPath)
+ // Sanitize artifactPath to prevent GitHub Actions workflow command injection.
+ // \r and \n in the file= parameter can terminate the annotation early and inject
+ // arbitrary workflow commands (e.g. ::warning::, ::add-mask::) into the runner output.
+ artifactPath = strings.ReplaceAll(artifactPath, "\r", "%0D")
+ artifactPath = strings.ReplaceAll(artifactPath, "\n", "%0A")
+
 remediationTable, hasVulnTable := createSourceRemediationTable(source, groupedFixedVersions)
 if hasVulnTable {
 renderedTable := remediationTable.Render()
 // This is required as github action annotations must be on the same terminal line
 // so we URL encode the new line character
 renderedTable = strings.ReplaceAll(renderedTable, "\n", "%0A")
+ // Sanitize \r to prevent workflow command injection via carriage return in package names
+ renderedTable = strings.ReplaceAll(renderedTable, "\r", "%0D")
 // Prepend the table with a new line to look nicer in the output
 fmt.Fprintf(outputWriter, "::error file=%s::%s%s", artifactPath, artifactPath, "%0A"+renderedTable)
@@ -95,6 +103,8 @@ func PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWrit
 if hasDeprecationTable {
 renderedDeprecationTable := deprecationTable.Render()
 renderedDeprecationTable = strings.ReplaceAll(renderedDeprecationTable, "\n", "%0A")
+ // Sanitize \r to prevent workflow command injection via carriage return in package names
+ renderedDeprecationTable = strings.ReplaceAll(renderedDeprecationTable, "\r", "%0D")
 fmt.Fprintf(outputWriter, "::error file=%s::%s%s", artifactPath, artifactPath, "%0A"+renderedDeprecationTable)
 }
 }
diff --git a/internal/output/githubannotation_test.go b/internal/output/githubannotation_test.go
index a8c6c1773b8..d436c22c419 100644
--- a/internal/output/githubannotation_test.go
+++ b/internal/output/githubannotation_test.go
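Review bot: The `file=` value is only escaped for CR and LF, but it lives in the property section of the workflow command, where the first `::` ends the property list and `,` separates properties; the very path used in the new test (`…%0D::warning::INJECTED/…` after encoding) therefore still truncates `file=` at `::` and pushes the rest into the message, and a path containing a literal `%0D` is indistinguishable from an encoded CR because `%` is never escaped. GitHub's own toolkit escapes `%`, `\r`, `\n`, `:` and `,` in properties and `%`, `\r`, `\n` in message data, with `%` handled in the same pass so the encoding cannot be spoofed. Two package-level `strings.Replacer`s cover both call sites and both tables without repeating the ad-hoc `ReplaceAll` chains; `artifactPath` is escaped once as a property and once as data, and the deliberate `"%0A"` prefix stays outside the escaper. Note this also starts encoding `%` inside the rendered tables, which any snapshot containing a literal `%` would need to absorb. PrintGHAnnotationReport starts above the hunk.
```go
// Escapers for GitHub Actions workflow commands ("::error file=...::message").
// Property values must also encode ':' and ',' because they delimit the property
// list; '%' is encoded in the same pass so a raw "%0D"/"%0A" in input cannot
// masquerade as our own encoding. Mirrors actions/toolkit escapeProperty/escapeData.
var (
	ghPropertyEscaper = strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A", ":", "%3A", ",", "%2C")
	ghDataEscaper     = strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A")
)

// … unchanged: PrintGHAnnotationReport up to filepath.ToSlash(artifactPath) …
	if hasVulnTable {
		// … unchanged: Render() …
		fmt.Fprintf(outputWriter, "::error file=%s::%s%s",
			ghPropertyEscaper.Replace(artifactPath), ghDataEscaper.Replace(artifactPath),
			"%0A"+ghDataEscaper.Replace(renderedTable))
	}
	// … unchanged: deprecation table, same three-argument form with renderedDeprecationTable …
```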
@@ -2,10 +2,12 @@ package output_test
 
 import (
 "bytes"
+ "strings"
 "testing"
 
 "github.com/google/osv-scanner/v2/internal/output"
 "github.com/google/osv-scanner/v2/internal/testutility"
+ "github.com/google/osv-scanner/v2/pkg/models"
 )
 
 func TestPrintGHAnnotationReport_WithVulnerabilities(t *testing.T) {
@@ -58,3 +60,57 @@ func TestPrintGHAnnotationReport_WithMixedIssues(t *testing.T) {
 testutility.NewSnapshot().MatchText(t, outputWriter.String())
 })
 }
+
+// TestPrintGHAnnotationReport_CRSanitization verifies that carriage return characters
+// in package paths and names are URL-encoded as %0D rather than emitted raw.
+// Raw \r in GitHub Actions annotation output is treated as a line boundary by the
+// runner, enabling workflow command injection (e.g. ::warning::, ::add-mask::).
+func TestPrintGHAnnotationReport_CRSanitization(t *testing.T) {
+ t.Parallel()
+
+ // Construct a VulnerabilityResults with \r embedded in the source path,
+ // simulating a crafted file path that could be used for command injection.
+ vulnResult := &models.VulnerabilityResults{
+ Results: []models.PackageSource{
+ {
+ Source: models.SourceInfo{
+ Path: "legitimate-scan\r::warning::INJECTED/package-lock.json",
+ Type: "lockfile",
+ },
+ Packages: []models.PackageVulns{
+ {
+ Package: models.PackageInfo{
+ Name: "lodash",
+ Version: "4.17.20",
+ Ecosystem: "npm",
+ },
+ Groups: []models.GroupInfo{
+ {
+ IDs: []string{"GHSA-35jh-r3h4-6jhm"},
+ MaxSeverity: "7.2",
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+
+ outputWriter := &bytes.Buffer{}
+ err := output.PrintGHAnnotationReport(vulnResult, outputWriter)
+ if err != nil {
+ t.Errorf("Error writing GH annotation output: %s", err)
+ }
+
+ result := outputWriter.String()
+
+ // The output must not contain a raw carriage return — it must be encoded as %0D.
+ if strings.Contains(result, "\r") {
+ t.Errorf("GH annotation output contains raw \\r character, which enables workflow command injection.\nOutput: %q", result)
+ }
+
+ // The encoded form must be present instead.
+ if !strings.Contains(result, "%0D") {
+ t.Errorf("GH annotation output does not contain %%0D encoding for \\r character.\nOutput: %q", result)
+ }
+}
diff --git a/internal/output/vertical.go b/internal/output/vertical.go
index 7bb232c5e3a..4286a493cee 100644
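Review bot: The test only exercises `\r` in `Source.Path`, while the production change in githubannotation.go encodes `\n` as well and a raw newline is the canonical way to start a fresh `::command` line for the runner, so the more direct injection path is left unasserted. A second input with `Path: "legitimate-scan\n::warning::INJECTED/package-lock.json"` and an assertion that the encoded form survives, `if !strings.Contains(result, "legitimate-scan%0A::warning::") { t.Errorf(...) }`, pins that case without needing a snapshot. A failed `PrintGHAnnotationReport` currently falls through to the content checks on a partial buffer; `t.Fatalf` at that point stops the test where the real failure is.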
--- a/internal/output/vertical.go
+++ b/internal/output/vertical.go
@@ -51,7 +51,7 @@ func PrintVerticalResults(vulnResult *models.VulnerabilityResults, outputWriter
 }
 }
 
- fmt.Fprintln(outputWriter)
+ fmt.Fprint(outputWriter)
 }
 
 func printVerticalLicenseSummary(licenseSummary LicenseSummary, out io.Writer) {
diff --git a/internal/scalibrplugin/__snapshots__/resolve_test.snap b/internal/scalibrplugin/__snapshots__/resolve_test.snap
index 52d89aa2114..78775b5c3d1 100755
--- a/internal/scalibrplugin/__snapshots__/resolve_test.snap
+++ b/internal/scalibrplugin/__snapshots__/resolve_test.snap
@@ -30,8 +30,10 @@ javascript/packagelockjson
 javascript/pnpmlock
 javascript/yarnlock
 license/depsdev
+misc/brew-source
 os/apk
 os/dpkg
+os/homebrew
 osv/osvscannerjson
 php/composerlock
 python/pdmlock
@@ -65,8 +67,10 @@ baseimage
 go/binary
 java/archive
 javascript/nodemodules
+misc/brew-source
 os/apk
 os/dpkg
+os/homebrew
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk
@@ -102,8 +106,10 @@ baseimage
 go/binary
 java/archive
 javascript/nodemodules
+misc/brew-source
 os/apk
 os/dpkg
+os/homebrew
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk
@@ -128,8 +134,10 @@ baseimage
 go/binary
 java/archive
 javascript/nodemodules
+misc/brew-source
 os/apk
 os/dpkg
+os/homebrew
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk
diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
index fa757147eab..c4194ed96da 100644
--- a/internal/scalibrplugin/presets.go
+++ b/internal/scalibrplugin/presets.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 
 annotatorlist "github.com/google/osv-scalibr/annotator/list"
+ "github.com/google/osv-scalibr/annotator/misc/brewsource"
 apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
 dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
 cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
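Review bot: `fmt.Fprint(outputWriter)` with no operands writes nothing, so the replacement line is dead code that reads as though it still prints something; the intent here (dropping the trailing blank line that the vertical_test.snap hunks also remove) is served by deleting the call outright, and a no-argument `Fprint` is the kind of thing a linter will eventually flag. If a placeholder for future trailing output is wanted, a comment such as `// Intentionally no trailing newline after the last source block.` says that more clearly than an empty print. PrintVerticalResults starts above the hunk.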
@@ -46,6 +47,7 @@ import (
 extractors "github.com/google/osv-scalibr/extractor/filesystem/list"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
 "github.com/google/osv-scanner/v2/internal/datasource"
@@ -153,6 +155,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
 apk.Name: {apk.New},
 // Debian
 dpkg.Name: {dpkg.New},
+ // Homebrew
+ homebrew.Name: {homebrew.New},
 },
 }
 
@@ -170,8 +174,9 @@ var enricherPresets = map[string]enricherlist.InitMap{
 
 var annotatorPresets = map[string]annotatorlist.InitMap{
 "artifact": {
- apkanno.Name: {apkanno.New},
- dpkganno.Name: {dpkganno.New},
+ apkanno.Name: {apkanno.New},
+ dpkganno.Name: {dpkganno.New},
+ brewsource.Name: {brewsource.New},
 },
 }
 
diff --git a/internal/scalibrplugin/resolve_test.go b/internal/scalibrplugin/resolve_test.go
index 55abea2507b..169b9b83150 100644
--- a/internal/scalibrplugin/resolve_test.go
+++ b/internal/scalibrplugin/resolve_test.go
@@ -6,6 +6,7 @@ import (
 "testing"
 
 "github.com/google/go-cmp/cmp"
+ "github.com/google/osv-scalibr/annotator/misc/brewsource"
 apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
 dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
 cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
@@ -29,6 +30,7 @@ import (
 chromeextensions "github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
 "github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -516,11 +518,13 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ homebrew.Name,
 gobinary.Name,
 nodemodules.Name,
 wheelegg.Name,
 apkanno.Name,
 dpkganno.Name,
+ brewsource.Name,
 },
 },
 {
@@ -535,11 +539,13 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ homebrew.Name,
 gobinary.Name,
 nodemodules.Name,
 wheelegg.Name,
 apkanno.Name,
 dpkganno.Name,
+ brewsource.Name,
 },
 },
 {
@@ -561,9 +567,11 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 dpkg.Name,
 gobinary.Name,
+ homebrew.Name,
 nodemodules.Name,
 apkanno.Name,
 dpkganno.Name,
+ brewsource.Name,
 },
 },
 //
@@ -579,6 +587,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ homebrew.Name,
 gitrepo.Name,
 gobinary.Name,
 nodemodules.Name,
@@ -586,6 +595,7 @@ func TestResolve_Extractors(t *testing.T) {
 wheelegg.Name,
 apkanno.Name,
 dpkganno.Name,
+ brewsource.Name,
 },
 },
 //
diff --git a/internal/utility/vulns/vulnerability.go b/internal/utility/vulns/vulnerability.go
index 58c3d320a42..590c0a19f40 100644
--- a/internal/utility/vulns/vulnerability.go
+++ b/internal/utility/vulns/vulnerability.go
@@ -132,9 +132,10 @@ func hasGitRangeForRepo(affected *osvschema.Affected, repo string) bool {
 
 func IsAffected(v *osvschema.Vulnerability, pkg *extractor.Package) bool {
 for _, affected := range v.GetAffected() {
+ pkgEcosystem := imodels.Ecosystem(pkg)
 // assume we're dealing with a git-source package whose name is the git repository, and that the version is the tag
 // the underlying commit has been resolved to (somehow), meaning we can check if it's in the versions listed by the advisory
- if imodels.Ecosystem(pkg).IsEmpty() && imodels.Commit(pkg) != "" && imodels.Version(pkg) != "" {
+ if (pkgEcosystem.IsEmpty() || pkgEcosystem.Ecosystem == "GIT") && imodels.Commit(pkg) != "" && imodels.Version(pkg) != "" {
 if hasGitRangeForRepo(affected, imodels.Name(pkg)) && slices.Contains(affected.GetVersions(), imodels.Version(pkg)) {
 return true
 }
diff --git a/pkg/osvscanner/__snapshots__/osvscanner_test.snap b/pkg/osvscanner/__snapshots__/osvscanner_test.snap
index 8e3a00fd192..0d955fb3748 100755
--- a/pkg/osvscanner/__snapshots__/osvscanner_test.snap
+++ b/pkg/osvscanner/__snapshots__/osvscanner_test.snap
@@ -12,7 +12,7 @@
 "package": {
 "name": "",
 "version": "",
- "ecosystem": "",
+ "ecosystem": "GIT",
 "commit": "33dffa3909a67e1b5d22647128ab7eb6e53fd0c7"
 },
 "groups": [
diff --git a/renovate.json b/renovate.json
index e43220beffc..15a9f46ad48 100644
--- a/renovate.json
+++ b/renovate.json
@@ -6,6 +6,7 @@
 "labels": ["dependencies"],
 "postUpdateOptions": ["gomodTidy"],
 "osvVulnerabilityAlerts": true,
+ "minimumReleaseAge": "7 days",
 "lockFileMaintenance": {
 "enabled": true
 },
From ba75b8a5876d941e8000b392cb77d3cfffbdb618 Mon Sep 17 00:00:00 2001
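Review bot: `pkgEcosystem := imodels.Ecosystem(pkg)` is placed inside `for _, affected := range v.GetAffected()` even though it depends only on `pkg`, so it is re-evaluated for every affected range; hoisting it to the line before the `for` (the function header is in the hunk, so this is a one-line move) removes the repeated work, and the same holds for the `imodels.Commit(pkg)` and `imodels.Version(pkg)` calls on the following line. The string `"GIT"` is now compared literally both here and in the imodels.go hunk of this patch; a single shared constant, or an `IsGit()`-style predicate on the parsed ecosystem, would keep the two from drifting. IsAffected's body continues past the hunk.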
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 24 Apr 2026 05:31:37 +0000 Subject: [PATCH 09/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com> From 34f6b73ce9a0414b34684a14116a039263cc83e5 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 24 Apr 2026 06:20:15 +0000 Subject: [PATCH 10/10] ci: split tests into separate workflow to avoid running on irrelevant changes Moved the `prepare_test_image_testdata`, `tests`, and `docker` jobs from `checks.yml` into a new `tests.yml` workflow file. Configured `paths-ignore` for the `tests.yml` workflow so that these long-running tests are skipped if changes only affect markdown files, documentation, or other unrelated GitHub Actions workflows. This prevents unnecessary test runs while still executing quick lint and formatting checks in `checks.yml`. Additionally, fixed zizmor alerts for cache poisoning and credential persistence in the docker job, and formatted the new file with prettier. Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com>