From 02cf60259f0d1080cfe27ed20c03482100682a51 Mon Sep 17 00:00:00 2001 From: Xueqin Cui Date: Thu, 16 Apr 2026 11:18:50 +1000 Subject: [PATCH 1/5] update github.com/urfave/cli to 3.8.0 --- .../source/__snapshots__/command_test.snap | 33 ++++++++++--------- cmd/osv-scanner/scan/source/command_test.go | 4 +-- go.mod | 2 +- go.sum | 4 +-- 4 files changed, 22 insertions(+), 21 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index a5a3c6b0314..ed473f053d1 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -2683,14 +2683,13 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 --- -[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 1] +[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 1] +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- -[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 2] -Incorrect Usage: flag needs an argument: --experimental-plugins= - -flag needs an argument: --experimental-plugins= +[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 2] +No package sources found, --help for usage information. --- @@ -2853,9 +2852,7 @@ could not determine extractor, requested package-lock.json --- [TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 2] -Incorrect Usage: flag needs an argument: --experimental-plugins= - -flag needs an argument: --experimental-plugins= +at least one extractor must be enabled --- 
@@ -3509,8 +3506,8 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ -| Source:os:/testdata/homebrew/Cellar/libssh | -| 2/1.11.1/INSTALL_RECEIPT.json | +| Source:os:/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_R | +| ECEIPT.json | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+ @@ -3541,8 +3538,8 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ -| Source:os:/testdata/homebrew/Cellar/libssh | -| 2/1.11.1/INSTALL_RECEIPT.json | +| Source:os:/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_R | +| ECEIPT.json | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+ 
@@ -4527,8 +4524,8 @@ Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip -Total 6 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 3 Medium, 3 Low, 1 Unknown) from 3 ecosystems. -6 vulnerabilities can be fixed. +Total 6 packages affected by 14 known vulnerabilities (1 Critical, 4 High, 3 Medium, 3 Low, 3 Unknown) from 3 ecosystems. +8 vulnerabilities can be fixed. +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -4541,6 +4538,8 @@ Total 6 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 3 Med | https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | | +| https://osv.dev/DRUPAL-CORE-2026-001 | | Packagist | drupal/core | 10.4.5 | 10.5.9 | testdata/locks-many-with-insecure/composer.lock | +| https://osv.dev/DRUPAL-CORE-2026-002 | | Packagist | drupal/core | 10.4.5 | 10.5.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | 
@@ -4570,8 +4569,8 @@ Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip -Total 6 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 3 Medium, 3 Low, 1 Unknown) from 3 ecosystems. -6 vulnerabilities can be fixed. +Total 6 packages affected by 14 known vulnerabilities (1 Critical, 4 High, 3 Medium, 3 Low, 3 Unknown) from 3 ecosystems. +8 vulnerabilities can be fixed. +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -4584,6 +4583,8 @@ Total 6 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 3 Med | https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | | +| https://osv.dev/DRUPAL-CORE-2026-001 | | Packagist | drupal/core | 10.4.5 | 10.5.9 | testdata/locks-many-with-insecure/composer.lock | +| https://osv.dev/DRUPAL-CORE-2026-002 | | Packagist | drupal/core | 10.4.5 | 10.5.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go index f5fae2b96cc..a87a79eeb0c 100644 --- a/cmd/osv-scanner/scan/source/command_test.go 
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -489,9 +489,9 @@ func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
 tests := []testcmd.Case{
 {
- Name: "empty_plugins_flag_does_nothing",
+ Name: "empty_plugins_flag_does_default",
 Args: []string{"", "source", "--experimental-plugins="},
- Exit: 127,
+ Exit: 128,
 },
 {
 Name: "extractors_cancelled_out_specified_individually",
diff --git a/go.mod b/go.mod
index 99d6f97a6e6..54f088a63cb 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 github.com/tidwall/gjson v1.18.0
 github.com/tidwall/pretty v1.2.1
 github.com/tidwall/sjson v1.2.5
- github.com/urfave/cli/v3 v3.7.0
+ github.com/urfave/cli/v3 v3.8.0
 go.yaml.in/yaml/v4 v4.0.0-rc.4
 golang.org/x/sync v0.20.0
 golang.org/x/term v0.40.0
diff --git a/go.sum b/go.sum
index b3d2b9550a6..3748cfa4f5c 100644
--- a/go.sum
+++ b/go.sum
@@ -488,8 +488,8 @@ github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10
 github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
 github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/urfave/cli/v3 v3.7.0 h1:AGSnbUyjtLiM+WJUb4dzXKldl/gL+F8OwmRDtVr6g2U=
-github.com/urfave/cli/v3 v3.7.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
+github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=
+github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
 github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
 github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
From 21021af4594d580aa68bf365e58b5db4c65e7070 Mon Sep 17 00:00:00 2001
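Review bot: The renamed case `empty_plugins_flag_does_default` pins `Exit: 128` but nothing in the hunk records why the expected code moved from 127 (the "flag needs an argument" usage error shown in the removed snapshot text) to 128, so the case should carry a comment such as `// With urfave/cli v3.8.0 "--experimental-plugins=" is no longer rejected as a missing argument; the scan falls through to the default plugin set and exits 128 because no package sources are given.` Because the case still passes no source path, the assertion only shows that the empty flag is no longer a usage error; that the default plugin set was actually loaded is evidenced only indirectly by the pomxml warning in the updated snapshot, and a sibling case that also supplies a lockfile would pin that behaviour directly. This is also a silent behaviour change for users — an invocation that previously failed fast now runs the full default plugin set, and the WithoutDefaults snapshot in the same commit shows the only remaining guard is "at least one extractor must be enabled" — which is worth a line in the commit description. Separately, the libssh2 Source cell in command_test.snap flips between two wrappings across patches 1–5 of this series, which suggests the table width depends on the environment rather than being pinned by the test. The enclosing TestCommand_ExplicitExtractors_WithDefaults starts and ends outside the hunk.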
From: Xueqin Cui Date: Thu, 16 Apr 2026 13:28:09 +1000 Subject: [PATCH 2/5] snapshot --- .../source/__snapshots__/command_test.snap | 8 +- .../testdata/cassettes/TestCommand.yaml | 100 ++++++++++++++++++ 2 files changed, 104 insertions(+), 4 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index ed473f053d1..1fabe60e0c4 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -3506,8 +3506,8 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ -| Source:os:/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_R | -| ECEIPT.json | +| Source:os:/testdata/homebrew/Cellar/libssh | +| 2/1.11.1/INSTALL_RECEIPT.json | | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+ @@ -3538,8 +3538,8 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ -| Source:os:/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_R | -| ECEIPT.json | +| Source:os:/testdata/homebrew/Cellar/libssh | +| 2/1.11.1/INSTALL_RECEIPT.json | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+ 
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index 8a33739c19a..974cba64f69 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -53,6 +53,106 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1024 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "ast" + }, + "version": "2.4.2" + }, + { + "package": { + "ecosystem": "Packagist", + "name": "sentry/sdk" + }, + "version": "2.0.4" + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "ast" + }, + "version": "2.4.2" + }, + { + "package": { + "ecosystem": "npm", + "name": "balanced-match" + }, + "version": "1.0.2" + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "ast" + }, + "version": "2.4.2" + }, + { + "package": { + "ecosystem": "Packagist", + "name": "sentry/sdk" + }, + "version": "2.0.4" + }, + { + "package": { + "ecosystem": "npm", + "name": "balanced-match" + }, + "version": "1.0.2" + }, + { + "package": { + "ecosystem": "npm", + "name": "balanced-match" + }, + "version": "1.0.2" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand/.gitignored_files + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 37 + body: | + { + "results": [ + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "37" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 From b30fb8d2e9538123c09ff837f3722a52e55d2af7 Mon Sep 17 00:00:00 2001 
From: Xueqin Cui Date: Thu, 16 Apr 2026 13:32:51 +1000 Subject: [PATCH 3/5] snapshot --- cmd/osv-scanner/scan/source/__snapshots__/command_test.snap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 1fabe60e0c4..e856aee0c66 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -3507,7 +3507,7 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ | Source:os:/testdata/homebrew/Cellar/libssh | -| 2/1.11.1/INSTALL_RECEIPT.json | | +| 2/1.11.1/INSTALL_RECEIPT.json | | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+ From 033ccdac9ddf28ae472516032dfd07a00ecf102a Mon Sep 17 00:00:00 2001 From: Xueqin Cui Date: Thu, 16 Apr 2026 13:34:49 +1000 Subject: [PATCH 4/5] snapshot --- .../source/__snapshots__/command_test.snap | 2 +- .../testdata/cassettes/TestCommand.yaml | 100 ------------------ 2 files changed, 1 insertion(+), 101 deletions(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index e856aee0c66..76fcba88022 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -3507,7 +3507,7 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ | Source:os:/testdata/homebrew/Cellar/libssh | -| 2/1.11.1/INSTALL_RECEIPT.json | | +| 2/1.11.1/INSTALL_RECEIPT.json | | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+ diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index 974cba64f69..8a33739c19a 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml 
@@ -53,106 +53,6 @@ interactions: status: 200 OK code: 200 duration: 0s - - request: - proto: HTTP/1.1 - proto_major: 1 - proto_minor: 1 - content_length: 1024 - host: api.osv.dev - body: | - { - "queries": [ - { - "package": { - "ecosystem": "RubyGems", - "name": "ast" - }, - "version": "2.4.2" - }, - { - "package": { - "ecosystem": "Packagist", - "name": "sentry/sdk" - }, - "version": "2.0.4" - }, - { - "package": { - "ecosystem": "RubyGems", - "name": "ast" - }, - "version": "2.4.2" - }, - { - "package": { - "ecosystem": "npm", - "name": "balanced-match" - }, - "version": "1.0.2" - }, - { - "package": { - "ecosystem": "RubyGems", - "name": "ast" - }, - "version": "2.4.2" - }, - { - "package": { - "ecosystem": "Packagist", - "name": "sentry/sdk" - }, - "version": "2.0.4" - }, - { - "package": { - "ecosystem": "npm", - "name": "balanced-match" - }, - "version": "1.0.2" - }, - { - "package": { - "ecosystem": "npm", - "name": "balanced-match" - }, - "version": "1.0.2" - } - ] - } - headers: - Content-Type: - - application/json - X-Test-Name: - - TestCommand/.gitignored_files - url: https://api.osv.dev/v1/querybatch - method: POST - response: - proto: HTTP/2.0 - proto_major: 2 - proto_minor: 0 - content_length: 37 - body: | - { - "results": [ - {}, - {}, - {}, - {}, - {}, - {}, - {}, - {} - ] - } - headers: - Content-Length: - - "37" - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: 0s - request: proto: HTTP/1.1 proto_major: 1 From 8a31a0b443ebf3baec604aaada264eabf5517b5e Mon Sep 17 00:00:00 2001 From: Xueqin Cui Date: Thu, 16 Apr 2026 13:35:30 +1000 Subject: [PATCH 5/5] snapshot --- cmd/osv-scanner/scan/source/__snapshots__/command_test.snap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 76fcba88022..8dc17662fa1 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -3507,7 +3507,7 @@ Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Mediu GIT +------------------------------------------------------------------------------------------------------------------+ | Source:os:/testdata/homebrew/Cellar/libssh | -| 2/1.11.1/INSTALL_RECEIPT.json | | +| 2/1.11.1/INSTALL_RECEIPT.json | +------------------------------------+-------------------+------------------+------------+-------------------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | +------------------------------------+-------------------+------------------+------------+-------------------------+