Merge branch 'use-scalibr-container-scanning' into updated-local-client

google · Jan 8, 2025 · 6c1bffb · 6c1bffb
2 parents 072d233 + 464b773
commit 6c1bffb
Show file tree

Hide file tree

Showing 29 changed files with 629 additions and 3,387 deletions.
diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -941,7 +941,7 @@ Pulling docker image ("alpine:non-existent-tag")...
 Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1
 STDERR:
 > Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown
-failed to run docker command
+failed to pull container image: failed to run docker command
 
 ---
 
@@ -954,14 +954,14 @@ Pulling docker image ("this-image-definitely-does-not-exist-abcde")...
 Docker command exited with code ("/usr/bin/docker pull -q this-image-definitely-does-not-exist-abcde"): 1
 STDERR:
 > Error response from daemon: pull access denied for this-image-definitely-does-not-exist-abcde, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
-failed to run docker command
+failed to pull container image: failed to run docker command
 
 ---
 
 [TestRun_Docker/Real_Alpine_image - 1]
 Pulling docker image ("alpine:3.18.9")...
 Saving docker image ("alpine:3.18.9") to temporary file...
-Scanning image...
+Scanning image "alpine:3.18.9"
 No issues found
 
 ---
@@ -973,7 +973,7 @@ No issues found
 [TestRun_Docker/Real_empty_image - 1]
 Pulling docker image ("hello-world")...
 Saving docker image ("hello-world") to temporary file...
-Scanning image...
+Scanning image "hello-world"
 
 ---
 
@@ -985,7 +985,7 @@ No package sources found, --help for usage information.
 [TestRun_Docker/Real_empty_image_with_tag - 1]
 Pulling docker image ("hello-world:linux")...
 Saving docker image ("hello-world:linux") to temporary file...
-Scanning image...
+Scanning image "hello-world:linux"
 
 ---
 
@@ -2691,14 +2691,13 @@ Scanned <rootdir>/fixtures/maven-transitive/pom.xml file and found 3 packages
 ---
 
 [TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1]
-Scanning image ../../internal/image/fixtures/test-alpine.tar
+Scanning image "../../internal/image/fixtures/test-alpine.tar"
 Total 1 packages affected by 2 vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
 2 vulnerabilities have fixes available.
 
 Alpine:v3.18
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-alpine. |
-| tar:/lib/apk/db/installed                                |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2715,24 +2714,23 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 ---
 
 [TestRun_OCIImage/Invalid_path - 1]
-Scanning image ./fixtures/oci-image/no-file-here.tar
+Scanning image "./fixtures/oci-image/no-file-here.tar"
 
 ---
 
 [TestRun_OCIImage/Invalid_path - 2]
-failed to load image ./fixtures/oci-image/no-file-here.tar: open ./fixtures/oci-image/no-file-here.tar: no such file or directory
+failed to load image from tarball with path "./fixtures/oci-image/no-file-here.tar": open ./fixtures/oci-image/no-file-here.tar: no such file or directory
 
 ---
 
 [TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar
+Scanning image "../../internal/image/fixtures/test-node_modules-npm-empty.tar"
 Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
 4 vulnerabilities have fixes available.
 
 Alpine:v3.19
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-npm-empty.tar:/lib/apk/db/installed                |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2749,14 +2747,13 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 ---
 
 [TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar
+Scanning image "../../internal/image/fixtures/test-node_modules-npm-full.tar"
 Total 3 packages affected by 6 vulnerabilities (2 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
 5 vulnerabilities have fixes available.
 
 npm
 +--------------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_module |
-| s-npm-full.tar:/prod/app/node_modules/.package-lock.json     |
+| Source:lockfile:prod/app/node_modules/.package-lock.json     |
 +----------+-------------------+------------------+------------+
 | PACKAGE  | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT |
 +----------+-------------------+------------------+------------+
@@ -2765,8 +2762,7 @@ npm
 +----------+-------------------+------------------+------------+
 Alpine:v3.19
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-npm-full.tar:/lib/apk/db/installed                 |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2783,14 +2779,13 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 ---
 
 [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar
+Scanning image "../../internal/image/fixtures/test-node_modules-pnpm-empty.tar"
 Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
 4 vulnerabilities have fixes available.
 
 Alpine:v3.19
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-pnpm-empty.tar:/lib/apk/db/installed               |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2807,14 +2802,13 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 ---
 
 [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar
+Scanning image "../../internal/image/fixtures/test-node_modules-pnpm-full.tar"
 Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
 4 vulnerabilities have fixes available.
 
 Alpine:v3.19
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-pnpm-full.tar:/lib/apk/db/installed                |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2831,14 +2825,13 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 ---
 
 [TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar
+Scanning image "../../internal/image/fixtures/test-node_modules-yarn-empty.tar"
 Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
 4 vulnerabilities have fixes available.
 
 Alpine:v3.19
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-yarn-empty.tar:/lib/apk/db/installed               |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2855,14 +2848,13 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 ---
 
 [TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-yarn-full.tar
+Scanning image "../../internal/image/fixtures/test-node_modules-yarn-full.tar"
 Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
 4 vulnerabilities have fixes available.
 
 Alpine:v3.19
 +----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-yarn-full.tar:/lib/apk/db/installed                |
+| Source:os:lib/apk/db/installed                           |
 +---------+-------------------+---------------+------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
 +---------+-------------------+---------------+------------+
@@ -2878,6 +2870,64 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 ---
 
+[TestRun_OCIImage/scanning_project_packages_using_go_binaries - 1]
+Scanning image "../../internal/image/fixtures/test-package-tracing.tar"
+Total 6 packages affected by 24 vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 24 Unknown) from 1 ecosystems.
+24 vulnerabilities have fixes available.
+
+Go
++----------------------------------------------------------+
+| Source:lockfile:go/bin/more-vuln-overwrite-less-vuln     |
++---------+-------------------+---------------+------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
++---------+-------------------+---------------+------------+
+| stdlib  | 1.22.4            | Fix Available |          4 |
++---------+-------------------+---------------+------------+
++----------------------------------------------------------+
+| Source:lockfile:go/bin/ptf-1.2.0                         |
++---------+-------------------+---------------+------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
++---------+-------------------+---------------+------------+
+| stdlib  | 1.22.4            | Fix Available |          4 |
++---------+-------------------+---------------+------------+
++----------------------------------------------------------+
+| Source:lockfile:go/bin/ptf-1.3.0                         |
++---------+-------------------+---------------+------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
++---------+-------------------+---------------+------------+
+| stdlib  | 1.22.4            | Fix Available |          4 |
++---------+-------------------+---------------+------------+
++----------------------------------------------------------+
+| Source:lockfile:go/bin/ptf-1.3.0-moved                   |
++---------+-------------------+---------------+------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
++---------+-------------------+---------------+------------+
+| stdlib  | 1.22.4            | Fix Available |          4 |
++---------+-------------------+---------------+------------+
++----------------------------------------------------------+
+| Source:lockfile:go/bin/ptf-1.4.0                         |
++---------+-------------------+---------------+------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
++---------+-------------------+---------------+------------+
+| stdlib  | 1.22.4            | Fix Available |          4 |
++---------+-------------------+---------------+------------+
++----------------------------------------------------------+
+| Source:lockfile:go/bin/ptf-vulnerable                    |
++---------+-------------------+---------------+------------+
+| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
++---------+-------------------+---------------+------------+
+| stdlib  | 1.22.4            | Fix Available |          4 |
++---------+-------------------+---------------+------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
+
+---
+
+[TestRun_OCIImage/scanning_project_packages_using_go_binaries - 2]
+
+---
+
 [TestRun_SubCommands/scan_with_a_flag - 1]
 Scanning dir ./fixtures/locks-one-with-nested
 Scanned <rootdir>/fixtures/locks-one-with-nested/nested/composer.lock file and found 1 package

diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
@@ -762,11 +762,8 @@ func TestRun_Licenses(t *testing.T) {
 	}
 }
 
-// TODO(v2): Image scanning is not temporarily disabled
-
 func TestRun_Docker(t *testing.T) {
 	t.Parallel()
-	t.Skip("Skipping until image scanning is reenabled")
 
 	testutility.SkipIfNotAcceptanceTesting(t, "Takes a long time to pull down images")
 
@@ -812,7 +809,6 @@ func TestRun_Docker(t *testing.T) {
 
 func TestRun_OCIImage(t *testing.T) {
 	t.Parallel()
-	t.Skip("Skipping until image scanning is reenabled")
 
 	testutility.SkipIfNotAcceptanceTesting(t, "Not consistent on MacOS/Windows")
 
@@ -857,6 +853,11 @@ func TestRun_OCIImage(t *testing.T) {
 			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-pnpm-full.tar"},
 			exit: 1,
 		},
+		{
+			name: "scanning project packages using go binaries",
+			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-package-tracing.tar"},
+			exit: 1,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/cmd/osv-scanner/scan/main.go b/cmd/osv-scanner/scan/main.go
@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/google/osv-scanner/internal/spdx"
+	"github.com/google/osv-scanner/pkg/models"
 	"github.com/google/osv-scanner/pkg/osvscanner"
 	"github.com/google/osv-scanner/pkg/reporter"
 	"golang.org/x/term"
@@ -282,7 +283,7 @@ func action(context *cli.Context, stdout, stderr io.Writer) (reporter.Reporter,
 		scanLicensesAllowlist = []string{}
 	}
 
-	vulnResult, err := osvscanner.DoScan(osvscanner.ScannerActions{
+	scannerAction := osvscanner.ScannerActions{
 		LockfilePaths:      context.StringSlice("lockfile"),
 		SBOMPaths:          context.StringSlice("sbom"),
 		DockerImageName:    context.String("docker"),
@@ -311,7 +312,14 @@ func action(context *cli.Context, stdout, stderr io.Writer) (reporter.Reporter,
 				MavenRegistry:    context.String("experimental-maven-registry"),
 			},
 		},
-	}, r)
+	}
+
+	var vulnResult models.VulnerabilityResults
+	if context.String("docker") != "" || context.String("experimental-oci-image") != "" {
+		vulnResult, err = osvscanner.DoContainerScan(scannerAction, r)
+	} else {
+		vulnResult, err = osvscanner.DoScan(scannerAction, r)
+	}
 
 	if err != nil && !errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
 		return r, err