chore: update osv-scalibr

cmd/osv-scanner/internal/testcmd/run.go

@@ -67,6 +67,7 @@
 
 	stdout = normalizeDirScanOrder(t, stdout)
 	stderr = normalizeDirScanOrder(t, stderr)
+	stderr = normalizeLoadDbErrOrder(stderr)
 
 	if len(tc.ReplaceRules) > 0 {
 		if len(stdout) == 0 || !json.Valid([]byte(stdout)) {
@@ -181,3 +182,30 @@
 
 	return strings.NewReplacer(replacerRules...).Replace(input)
 }
+
+// Sorts lines starting with "could not load db for" to allow for consistent test results
+func normalizeLoadDbErrOrder(input string) string {
+	lines := strings.Split(input, "\n")
+	var result []string
+	var block []string
+
+	for _, line := range lines {
+		if strings.HasPrefix(line, "could not load db for ") {
+			block = append(block, line)
+		} else {
+			if len(block) > 0 {
+				sort.Strings(block)
+				result = append(result, block...)
+				block = nil
+			}
+			result = append(result, line)
+		}
+	}
+	if len(block) > 0 {
+		sort.Strings(block)
+		result = append(result, block...)
+	}
+
+	return strings.Join(result, "\n")
+}
+

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -441,6 +441,7 @@ Scanned <rootdir>/testdata/locks-many-with-insecure/composer.lock file and found
 Scanned <rootdir>/testdata/locks-many-with-insecure/package-lock.json file and found 1 package
 Scanned <rootdir>/testdata/locks-many-with-insecure/yarn.lock file and found 1 package
 Scanned <rootdir>/testdata/maven-transitive/pom.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 Filtered 1 local/unscannable package/s from the scan.
 Package npm/has-flag/4.0.0 has been filtered out because: (no reason given)
 Package npm/wrappy/1.0.2 has been filtered out because: (no reason given)
@@ -5245,11 +5246,11 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
 ---
 
 [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 2]
-could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
-could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 
 ---
 
@@ -5277,11 +5278,11 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
 ---
 
 [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 4]
-could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
-could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 could not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
+could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
 
 ---
 
@@ -5638,6 +5639,7 @@ No package sources found, --help for usage information.
 
 [TestCommand_Transitive/pom.xml_multiple_registries - 1]
 Scanned <rootdir>/testdata/maven-transitive/registry.xml file and found 2 packages
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 
 Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 8 vulnerabilities can be fixed.
@@ -5675,6 +5677,7 @@ No issues found
 
 [TestCommand_Transitive/pom.xml_non_utf8_encoding - 1]
 Scanned <rootdir>/testdata/maven-transitive/encoding.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 
 Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 1 vulnerability can be fixed.
@@ -5707,6 +5710,7 @@ No issues found
 [TestCommand_Transitive/pom.xml_transitive_default - 1]
 Scanning dir ./testdata/maven-transitive/pom.xml
 Scanned <rootdir>/testdata/maven-transitive/pom.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 
 Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 7 vulnerabilities can be fixed.
@@ -5731,6 +5735,7 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu
 
 [TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 1]
 Scanned <rootdir>/testdata/maven-transitive/abc.xml file and found 1 package
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 
 Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 7 vulnerabilities can be fixed.
@@ -5755,6 +5760,7 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu
 
 [TestCommand_Transitive/pom.xml_transitive_native_source - 1]
 Scanned <rootdir>/testdata/maven-transitive/registry.xml file and found 2 packages
+Warning: enricher transitivedependency/pomxml may be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts.
 
 Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
 8 vulnerabilities can be fixed.

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/go-git/go-git/v5 v5.18.0
 	github.com/gobwas/glob v0.2.3
 	github.com/google/go-cmp v0.7.0
-	github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9
+	github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a
 	github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f
 	github.com/jedib0t/go-pretty/v6 v6.7.8
 	github.com/modelcontextprotocol/go-sdk v1.4.1

go.sum

@@ -271,8 +271,8 @@ github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEE
 github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y=
 github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8=
 github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
-github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9 h1:bOqoTMcFFJf0yuXgH+EdPWzcgIIUzyCWxT/agq2u4lw=
-github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
+github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a h1:Bi6owRs6mUltiQu+TNYSKAH6SM1ple4ArQFznChqS70=
+github.com/google/osv-scalibr v0.4.6-0.20260421235914-2420ff40f95a/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=
 github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
 github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

internal/config/config_internal_test.go

@@ -381,7 +381,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 			args: &extractor.Package{
 				Name:    "lib1",
 				Version: "1.0.0",
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -409,7 +409,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.0",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -437,7 +437,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib2",
 				Version:  "1.0.0",
 				PURLType: "npm",
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -547,7 +547,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.0",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -575,7 +575,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib2",
 				Version:  "1.0.0",
 				PURLType: "npm",
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"optional"},
 				},
 			},
@@ -619,7 +619,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.0",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -647,7 +647,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.1",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -671,7 +671,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.0",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -699,7 +699,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib2",
 				Version:  "1.0.0",
 				PURLType: "npm",
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -781,7 +781,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.0",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"dev"},
 				},
 			},
@@ -813,7 +813,7 @@ func TestConfig_ShouldIgnorePackage(t *testing.T) {
 				Name:     "lib1",
 				Version:  "1.0.0",
 				PURLType: purl.TypeGolang,
-				Metadata: osv.DepGroupMetadata{
+				Metadata: &osv.DepGroupMetadata{
 					DepGroupVals: []string{"prod"},
 				},
 			},

internal/scalibrextract/language/osv/osvscannerjson/metadata.go

@@ -1,9 +1,43 @@
 package osvscannerjson
 
-import "github.com/google/osv-scanner/v2/pkg/models"
+import (
+	"github.com/google/osv-scalibr/binary/proto/metadata"
+	pb "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson/proto"
+	"github.com/google/osv-scanner/v2/pkg/models"
+)
+
+//nolint:gochecknoinits // Using init to register the metadata is by design
+func init() {
+	metadata.Register(ToStruct, ToProto)
+}
 
 // Metadata holds the metadata for osvscanner.json
 type Metadata struct {
 	Ecosystem  string
 	SourceInfo models.SourceInfo
 }
+
+// ToProto converts the metadata struct to the OSVScannerJsonMetadata proto.
+func ToProto(m *Metadata) *pb.OSVScannerJsonMetadata {
+	return &pb.OSVScannerJsonMetadata{
+		Ecosystem: m.Ecosystem,
+		SourceInfo: &pb.SourceInfo{
+			Path: m.SourceInfo.Path,
+			Type: string(m.SourceInfo.Type),
+		},
+	}
+}
+
+// IsProtoable marks the struct as a metadata type.
+func (m *Metadata) IsProtoable() {}
+
+// ToStruct converts the OSVScannerJsonMetadata proto to the Metadata struct.
+func ToStruct(m *pb.OSVScannerJsonMetadata) *Metadata {
+	return &Metadata{
+		Ecosystem: m.GetEcosystem(),
+		SourceInfo: models.SourceInfo{
+			Path: m.GetSourceInfo().GetPath(),
+			Type: models.SourceType(m.GetSourceInfo().GetType()),
+		},
+	}
+}