From d4397fe8bbc188cb562f7ecb362cfef5a1500c0c Mon Sep 17 00:00:00 2001
From: Joey L
Date: Thu, 23 Apr 2026 06:37:37 +0000
Subject: [PATCH 1/7] update osv-scalibr

---
 go.mod | 2 +-
 go.sum | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 0f90f6bfec8..b700f2258a6 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/go-git/go-git/v5 v5.18.0
 github.com/gobwas/glob v0.2.3
 github.com/google/go-cmp v0.7.0
- github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9
+ github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a
 github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f
 github.com/jedib0t/go-pretty/v6 v6.7.8
 github.com/modelcontextprotocol/go-sdk v1.4.1
diff --git a/go.sum b/go.sum
index 02240ee5406..437ed37d361 100644
--- a/go.sum
+++ b/go.sum
@@ -273,6 +273,14 @@ github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbc
 github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
 github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9 h1:bOqoTMcFFJf0yuXgH+EdPWzcgIIUzyCWxT/agq2u4lw=
 github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
+github.com/google/osv-scalibr v0.4.6-0.20260323230016-5c269244c4f4 h1:yUvllk4CcpMfP9eaV8gcs6LIa7lWlzZaQEYxN7TSwRE=
+github.com/google/osv-scalibr v0.4.6-0.20260323230016-5c269244c4f4/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
+github.com/google/osv-scalibr v0.4.6-0.20260324023151-bcaae8454948 h1:A8qzYrCmLoWSiXlluaPeXjm7ssteSd9tJo5YsHm50Rs=
+github.com/google/osv-scalibr v0.4.6-0.20260324023151-bcaae8454948/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
+github.com/google/osv-scalibr v0.4.6-0.20260415191203-0f0777e173df h1:/bbH6BbBKG+60kmksW6/R9KOJYakH5CLaJNRs+nb+ZA=
+github.com/google/osv-scalibr v0.4.6-0.20260415191203-0f0777e173df/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
+github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a h1:Bi6owRs6mUltiQu+TNYSKAH6SM1ple4ArQFznChqS70=
+github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
 github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
 github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
From 788a74078052d178a0c45fe21902b9b19f68b513 Mon Sep 17 00:00:00 2001
From: Joey L
Date: Thu, 23 Apr 2026 06:44:56 +0000
Subject: [PATCH 2/7] New metadata with scalibr update

---
 .../language/osv/osvscannerjson/metadata.go | 36 +++-
 .../osv/osvscannerjson/proto/metadata.pb.go | 190 ++++++++++++++++++
 .../osv/osvscannerjson/proto/metadata.proto | 15 ++
 3 files changed, 240 insertions(+), 1 deletion(-)
 create mode 100644 internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.pb.go
 create mode 100644 internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.proto

diff --git a/internal/scalibrextract/language/osv/osvscannerjson/metadata.go b/internal/scalibrextract/language/osv/osvscannerjson/metadata.go
index 26943fe92f3..8bbe4cc4d8e 100644
--- a/internal/scalibrextract/language/osv/osvscannerjson/metadata.go
+++ b/internal/scalibrextract/language/osv/osvscannerjson/metadata.go
@@ -1,9 +1,43 @@
 package osvscannerjson
-import "github.com/google/osv-scanner/v2/pkg/models"
+import (
+ "github.com/google/osv-scalibr/binary/proto/metadata"
+ pb "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson/proto"
+ "github.com/google/osv-scanner/v2/pkg/models"
+)
+
+//nolint:gochecknoinits // Using init to register the metadata is by design
+func init() {
+ metadata.Register(ToStruct, ToProto)
+}
 // Metadata holds the metadata for osvscanner.json
 type Metadata struct {
 Ecosystem string
 SourceInfo models.SourceInfo
 }
+
+// ToProto converts the metadata struct to the OSVScannerJsonMetadata proto.
+func ToProto(m *Metadata) *pb.OSVScannerJsonMetadata {
+ return &pb.OSVScannerJsonMetadata{
+ Ecosystem: m.Ecosystem,
+ SourceInfo: &pb.SourceInfo{
+ Path: m.SourceInfo.Path,
+ Type: string(m.SourceInfo.Type),
+ },
+ }
+}
+
+// IsProtoable marks the struct as a metadata type.
+func (m *Metadata) IsProtoable() {}
+
+// ToStruct converts the OSVScannerJsonMetadata proto to the Metadata struct.
+func ToStruct(m *pb.OSVScannerJsonMetadata) *Metadata {
+ return &Metadata{
+ Ecosystem: m.GetEcosystem(),
+ SourceInfo: models.SourceInfo{
+ Path: m.GetSourceInfo().GetPath(),
+ Type: models.SourceType(m.GetSourceInfo().GetType()),
+ },
+ }
+}
diff --git a/internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.pb.go b/internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.pb.go
new file mode 100644
index 00000000000..cea6f465d5b
--- /dev/null
+++ b/internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.pb.go
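Review bot: `ToProto` dereferences `m` unconditionally (`m.Ecosystem`, `m.SourceInfo.Path`), so a nil `*Metadata` panics, whereas `ToStruct` on the other side of the `metadata.Register` pair uses nil-safe getters and accepts a nil proto. A leading `if m == nil { return nil }` keeps the conversion total and leaves the non-nil path untouched. `ToStruct` also casts `GetType()` straight to `models.SourceType` with no check; if `SourceType` is a closed set (inferred, its definition is not in the hunk), a stale or malformed proto round-trips an unknown type silently, so at least document it: `// Type is copied verbatim from the proto; it is not validated against the known SourceType values.`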
@@ -0,0 +1,190 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc v3.21.12 +// source: internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.proto + +package proto + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type OSVScannerJsonMetadata struct { + state protoimpl.MessageState `protogen:"open.v1"` + Ecosystem string `protobuf:"bytes,1,opt,name=ecosystem,proto3" json:"ecosystem,omitempty"` + SourceInfo *SourceInfo `protobuf:"bytes,2,opt,name=source_info,json=sourceInfo,proto3" json:"source_info,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *OSVScannerJsonMetadata) Reset() { + *x = OSVScannerJsonMetadata{} + mi := &file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *OSVScannerJsonMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*OSVScannerJsonMetadata) ProtoMessage() {} + +func (x *OSVScannerJsonMetadata) ProtoReflect() protoreflect.Message { + mi := &file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use OSVScannerJsonMetadata.ProtoReflect.Descriptor instead. 
+func (*OSVScannerJsonMetadata) Descriptor() ([]byte, []int) { + return file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *OSVScannerJsonMetadata) GetEcosystem() string { + if x != nil { + return x.Ecosystem + } + return "" +} + +func (x *OSVScannerJsonMetadata) GetSourceInfo() *SourceInfo { + if x != nil { + return x.SourceInfo + } + return nil +} + +type SourceInfo struct { + state protoimpl.MessageState `protogen:"open.v1"` + Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"` + Type string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SourceInfo) Reset() { + *x = SourceInfo{} + mi := &file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SourceInfo) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SourceInfo) ProtoMessage() {} + +func (x *SourceInfo) ProtoReflect() protoreflect.Message { + mi := &file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SourceInfo.ProtoReflect.Descriptor instead. 
+func (*SourceInfo) Descriptor() ([]byte, []int) { + return file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescGZIP(), []int{1} +} + +func (x *SourceInfo) GetPath() string { + if x != nil { + return x.Path + } + return "" +} + +func (x *SourceInfo) GetType() string { + if x != nil { + return x.Type + } + return "" +} + +var File_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto protoreflect.FileDescriptor + +const file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDesc = "" + + "\n" + + "Hinternal/scalibrextract/language/osv/osvscannerjson/proto/metadata.proto\x12\x0eosvscannerjson\"s\n" + + "\x16OSVScannerJsonMetadata\x12\x1c\n" + + "\tecosystem\x18\x01 \x01(\tR\tecosystem\x12;\n" + + "\vsource_info\x18\x02 \x01(\v2\x1a.osvscannerjson.SourceInfoR\n" + + "sourceInfo\"4\n" + + "\n" + + "SourceInfo\x12\x12\n" + + "\x04path\x18\x01 \x01(\tR\x04path\x12\x12\n" + + "\x04type\x18\x02 \x01(\tR\x04typeB\\ZZgithub.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson/protob\x06proto3" + +var ( + file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescOnce sync.Once + file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescData []byte +) + +func file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescGZIP() []byte { + file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescOnce.Do(func() { + file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDesc), len(file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDesc))) + }) + return file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDescData +} + +var 
file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_goTypes = []any{ + (*OSVScannerJsonMetadata)(nil), // 0: osvscannerjson.OSVScannerJsonMetadata + (*SourceInfo)(nil), // 1: osvscannerjson.SourceInfo +} +var file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_depIdxs = []int32{ + 1, // 0: osvscannerjson.OSVScannerJsonMetadata.source_info:type_name -> osvscannerjson.SourceInfo + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_init() } +func file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_init() { + if File_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDesc), len(file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_rawDesc)), + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_goTypes, + DependencyIndexes: file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_depIdxs, + MessageInfos: file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_msgTypes, + }.Build() + File_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto = out.File + 
file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_goTypes = nil
+ file_internal_scalibrextract_language_osv_osvscannerjson_proto_metadata_proto_depIdxs = nil
+}
diff --git a/internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.proto b/internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.proto
new file mode 100644
index 00000000000..b5dcb09f970
--- /dev/null
+++ b/internal/scalibrextract/language/osv/osvscannerjson/proto/metadata.proto
@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package osvscannerjson;
+
+option go_package = "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson/proto";
+
+message OSVScannerJsonMetadata {
+ string ecosystem = 1;
+ SourceInfo source_info = 2;
+}
+
+message SourceInfo {
+ string path = 1;
+ string type = 2;
+}
From 201a47473adff40d46267d08847ec00baf9625be Mon Sep 17 00:00:00 2001
From: Joey L
Date: Thu, 23 Apr 2026 06:45:11 +0000
Subject: [PATCH 3/7] fix more metadata

---
 internal/config/config_internal_test.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/internal/config/config_internal_test.go b/internal/config/config_internal_test.go
index 751d4aa3eb0..2ad676f03ff 100644
--- a/internal/config/config_internal_test.go
+++ b/internal/config/config_internal_test.go
@@ -381,7 +381,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 args: &extractor.Package{
 Name: "lib1",
 Version: "1.0.0",
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -409,7 +409,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.0",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -437,7 +437,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib2",
 Version: "1.0.0",
 PURLType: "npm",
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -547,7 +547,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.0",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -575,7 +575,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib2",
 Version: "1.0.0",
 PURLType: "npm",
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"optional"},
 },
 },
@@ -619,7 +619,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.0",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -647,7 +647,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.1",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -671,7 +671,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.0",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -699,7 +699,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib2",
 Version: "1.0.0",
 PURLType: "npm",
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -781,7 +781,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.0",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"dev"},
 },
 },
@@ -813,7 +813,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 Name: "lib1",
 Version: "1.0.0",
 PURLType: purl.TypeGolang,
- Metadata: osv.DepGroupMetadata{
+ Metadata: &osv.DepGroupMetadata{
 DepGroupVals: []string{"prod"},
 },
 },
From 1a93c01dbfb5a1a382ca38d249b2e87814133477 Mon Sep 17 00:00:00 2001
From: Joey L
Date: Thu, 23 Apr 2026 06:47:35 +0000
Subject: [PATCH 4/7] fix baseimage config as well

---
 internal/scalibrplugin/presets.go | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
index f37eb192d12..26fbbbd6049 100644
--- a/internal/scalibrplugin/presets.go
+++ b/internal/scalibrplugin/presets.go
@@ -50,7 +50,6 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
- "github.com/google/osv-scanner/v2/internal/depsdev"
 "github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
 "github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules"
 "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
@@ -180,16 +179,8 @@ var annotatorPresets = map[string]annotatorlist.InitMap{
 }
 func baseImageEnricher(_ *cpb.PluginConfig) (enricher.Enricher, error) {
- // The grpc client **does not** make any requests. It starts in an IDLE state until
- // the first function call is made. This means we can safely initialize the client even in offline mode,
- // and the enricher plugin will be filtered out in offline mode.
- insightsClient, err := depsdev.NewInsightsAlphaClient(depsdev.DepsdevAPI, "osv-scanner_scan/"+version.OSVVersion)
- if err != nil {
- return nil, fmt.Errorf("unable to connect to insights server: %w", err)
- }
-
- baseImageEnricher, err := baseimage.New(&baseimage.Config{
- Client: baseimage.NewClientGRPC(insightsClient),
+ baseImageEnricher, err := baseimage.New(&cpb.PluginConfig{
+ UserAgent: "osv-scanner_scan/" + version.OSVVersion,
 })
 if err != nil {
From 63f211165c903e3d07110b36b9e18ff450ff6174 Mon Sep 17 00:00:00 2001
From: Joey L
Date: Fri, 24 Apr 2026 01:06:12 +0000
Subject: [PATCH 5/7] go mod tidy

---
 go.sum | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/go.sum b/go.sum
index 437ed37d361..0844465b9be 100644
--- a/go.sum
+++ b/go.sum
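Review bot: The comment removed from `baseImageEnricher` was the only statement that constructing this enricher opens no connection and that the plugin is filtered out in offline mode; the new `baseimage.New(&cpb.PluginConfig{...})` call hands client construction to the upstream package and nothing here records whether that guarantee still holds. If the upstream constructor is still lazy, keep a one-line note above the call, e.g. `// baseimage.New creates its client lazily; nothing is sent until the enricher runs, so construction is safe in offline mode.`, and if it is not, the offline filtering has to happen before this function is reached (inferred; the upstream code is outside this patch). The `*cpb.PluginConfig` parameter is still ignored (`_`) while a fresh config carrying only `UserAgent` is built here; passing the caller's config through, or copying its fields into the one built here, would keep this preset consistent with whatever the caller configured — inferred, since the struct's fields are not visible in the hunk. `baseImageEnricher` continues past the end of the hunk.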
@@ -271,14 +271,6 @@ github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEE
 github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y=
 github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8=
 github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
-github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9 h1:bOqoTMcFFJf0yuXgH+EdPWzcgIIUzyCWxT/agq2u4lw=
-github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
-github.com/google/osv-scalibr v0.4.6-0.20260323230016-5c269244c4f4 h1:yUvllk4CcpMfP9eaV8gcs6LIa7lWlzZaQEYxN7TSwRE=
-github.com/google/osv-scalibr v0.4.6-0.20260323230016-5c269244c4f4/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
-github.com/google/osv-scalibr v0.4.6-0.20260324023151-bcaae8454948 h1:A8qzYrCmLoWSiXlluaPeXjm7ssteSd9tJo5YsHm50Rs=
-github.com/google/osv-scalibr v0.4.6-0.20260324023151-bcaae8454948/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
-github.com/google/osv-scalibr v0.4.6-0.20260415191203-0f0777e173df h1:/bbH6BbBKG+60kmksW6/R9KOJYakH5CLaJNRs+nb+ZA=
-github.com/google/osv-scalibr v0.4.6-0.20260415191203-0f0777e173df/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
 github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a h1:Bi6owRs6mUltiQu+TNYSKAH6SM1ple4ArQFznChqS70=
 github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
 github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
From 5ce4d43ae840007b73bf74937f5f5d2ab29591fb Mon Sep 17 00:00:00 2001
From: Joey L
Date: Fri, 24 Apr 2026 02:36:02 +0000
Subject: [PATCH 6/7] snap snap

---
 cmd/osv-scanner/scan/source/__snapshots__/command_test.snap | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index c6fe16bf9ff..d48e2ddbf72 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -441,6 +441,7 @@ Scanned /testdata/locks-many-with-insecure/composer.lock file and found
 Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package
 Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package
 Scanned /testdata/maven-transitive/pom.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Filtered 1 local/unscannable package/s from the scan.
 Package npm/has-flag/4.0.0 has been filtered out because: (no reason given)
 Package npm/wrappy/1.0.2 has been filtered out because: (no reason given)
@@ -5638,6 +5639,7 @@ No package sources found, --help for usage information.
 [TestCommand_Transitive/pom.xml_multiple_registries - 1]
 Scanned /testdata/maven-transitive/registry.xml file and found 2 packages
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 8 vulnerabilities can be fixed.
@@ -5675,6 +5677,7 @@ No issues found
 [TestCommand_Transitive/pom.xml_non_utf8_encoding - 1]
 Scanned /testdata/maven-transitive/encoding.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 1 vulnerability can be fixed.
@@ -5707,6 +5710,7 @@ No issues found
 [TestCommand_Transitive/pom.xml_transitive_default - 1]
 Scanning dir ./testdata/maven-transitive/pom.xml
 Scanned /testdata/maven-transitive/pom.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 7 vulnerabilities can be fixed.
@@ -5731,6 +5735,7 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu
 [TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 1]
 Scanned /testdata/maven-transitive/abc.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 7 vulnerabilities can be fixed.
@@ -5755,6 +5760,7 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu
 [TestCommand_Transitive/pom.xml_transitive_native_source - 1]
 Scanned /testdata/maven-transitive/registry.xml file and found 2 packages
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 8 vulnerabilities can be fixed.
From 988feed818257ba4c8b6e2ce99ba762709a736fd Mon Sep 17 00:00:00 2001
From: Joey L
Date: Fri, 24 Apr 2026 05:46:28 +0000
Subject: [PATCH 7/7] Add sort to test now that transitive dependency got rid of it

---
 cmd/osv-scanner/internal/testcmd/run.go | 28 +++++++++++++++++++
 .../source/__snapshots__/command_test.snap | 8 +++---
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/cmd/osv-scanner/internal/testcmd/run.go b/cmd/osv-scanner/internal/testcmd/run.go
index 0ce2e9134a0..6bf699ed103 100644
--- a/cmd/osv-scanner/internal/testcmd/run.go
+++ b/cmd/osv-scanner/internal/testcmd/run.go
@@ -67,6 +67,7 @@ func RunAndNormalize(t *testing.T, tc Case) (string, string) {
 stdout = normalizeDirScanOrder(t, stdout)
 stderr = normalizeDirScanOrder(t, stderr)
+ stderr = normalizeLoadDbErrOrder(stderr)
 if len(tc.ReplaceRules) > 0 {
 if len(stdout) == 0 || !json.Valid([]byte(stdout)) {
@@ -181,3 +182,30 @@ func normalizeUUID(t *testing.T, input string) string {
 return strings.NewReplacer(replacerRules...).Replace(input)
 }
+
+// Sorts lines starting with "could not load db for" to allow for consistent test results
+func normalizeLoadDbErrOrder(input string) string {
+ lines := strings.Split(input, "\n")
+ var result []string
+ var block []string
+
+ for _, line := range lines {
+ if strings.HasPrefix(line, "could not load db for ") {
+ block = append(block, line)
+ } else {
+ if len(block) > 0 {
+ sort.Strings(block)
+ result = append(result, block...)
+ block = nil
+ }
+ result = append(result, line)
+ }
+ }
+ if len(block) > 0 {
+ sort.Strings(block)
+ result = append(result, block...)
+ }
+
+ return strings.Join(result, "\n")
+}
+
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index d48e2ddbf72..a7eed4e8369 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
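Review bot: `normalizeLoadDbErrOrder` in the second hunk repeats the sort-and-flush of `block` in two places, its doc comment does not start with the function name as Go doc convention expects, and the added trailing blank line after the closing `}` at end of file is not gofmt-clean. The hunk also uses `sort` without touching the import block; if `run.go` does not already import it this will not compile (inferred, the import block is outside the hunk). Folding the flush into a small closure removes the duplication and reads straight through, and pre-sizing `result` avoids repeated growth; behaviour is unchanged, including that only runs of consecutive `could not load db for ` lines are reordered.
```go
// normalizeLoadDbErrOrder sorts each run of consecutive lines starting with
// "could not load db for " so that the order in which per-ecosystem database
// errors were emitted does not affect snapshot output.
func normalizeLoadDbErrOrder(input string) string {
	lines := strings.Split(input, "\n")
	result := make([]string, 0, len(lines))
	var block []string
	// flush appends the pending run in sorted order and clears it.
	flush := func() {
		sort.Strings(block)
		result = append(result, block...)
		block = block[:0]
	}
	for _, line := range lines {
		if strings.HasPrefix(line, "could not load db for ") {
			block = append(block, line)
			continue
		}
		flush()
		result = append(result, line)
	}
	flush()
	return strings.Join(result, "\n")
}
```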
@@ -5246,11 +5246,11 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
 ---
 [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 2]
-could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
-could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 ---
@@ -5278,11 +5278,11 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
 ---
 [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 4]
-could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
-could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 ---