chore: Update v2 to main (#1374)

Using a separate branch to resolve the merge conflicts, but other than that this is a straightforward update of the v2 branch up to the latest main branch. --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Emmanuel Ferdman <[email protected]> Co-authored-by: Xueqin Cui <[email protected]> Co-authored-by: Michael Kedar <[email protected]> Co-authored-by: Gareth Jones <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Emmanuel Ferdman <[email protected]> Co-authored-by: Ignacio Vazquez <[email protected]>
google · Nov 5, 2024 · c9a0635 · c9a0635
1 parent b15b566
commit c9a0635
Show file tree

Hide file tree

Showing 21 changed files with 284 additions and 434 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,48 @@
+OSV-Scanner v2 is coming soon! The next release will start with version `v2.0.0-alpha1`.
+
+Here's a peek at some of the exciting upcoming features:
+
+- Standalone container image scanning support.
+  - Including support for Alpine and Debian images.
+- Refactored internals to use [`osv-scalibr`](https://github.com/google/osv-scalibr) library for better extraction capabilities.
+- HTML output format for clearer vulnerability results.
+- More control over output format and logging.
+- ...and more!
+
+Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
+Most breaking changes will only be in the API. More details in the upcoming alpha release.
+
+---
+
+This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.
+
+# v1.9.1
+
+### Features:
+
+- [Feature #1295](https://github.com/google/osv-scanner/pull/1295) Support offline database in fix subcommand.
+- [Feature #1342](https://github.com/google/osv-scanner/pull/1342) Add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve` flags.
+- [Feature #1045](https://github.com/google/osv-scanner/pull/1045) Support private registries for Maven.
+- [Feature #1226](https://github.com/google/osv-scanner/pull/1226) Support support `vulnerabilities.ignore` in package overrides.
+
+### Fixes:
+
+- [Bug #604](https://github.com/google/osv-scanner/pull/604) Use correct path separator in SARIF output when on Windows.
+- [Bug #330](https://github.com/google/osv-scanner/pull/330) Warn about and ignore duplicate entries in SBOMs.
+- [Bug #1325](https://github.com/google/osv-scanner/pull/1325) Set CharsetReader and Entity when reading pom.xml.
+- [Bug #1310](https://github.com/google/osv-scanner/pull/1310) Update spdx license ids.
+- [Bug #1288](https://github.com/google/osv-scanner/pull/1288) Sort sbom packages by PURL.
+- [Bug #1285](https://github.com/google/osv-scanner/pull/1285) Improve handling if `docker` exits with a non-zero code when trying to scan images
+
+### API Changes:
+
+- Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
+  which are not commonly used to give us more room to make better API designs. These include:
+  - `config`
+  - `depsdev`
+  - `grouper`
+  - `spdx`
+
 # v1.9.0
 
 ### Features:

diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -80,7 +80,7 @@ Loaded filter from: <rootdir>/fixtures/locks-many/osv-scanner.toml
           "informationUri": "https://github.com/google/osv-scanner",
           "name": "osv-scanner",
           "rules": [],
-          "version": "1.9.0"
+          "version": "1.9.1"
         }
       },
       "results": []
@@ -234,7 +234,7 @@ Loaded Alpine local db from <tempdir>/osv-scanner/Alpine/all.zip
               }
             }
           ],
-          "version": "1.9.0"
+          "version": "1.9.1"
         }
       },
       "artifacts": [
@@ -850,7 +850,7 @@ No issues found
 ---
 
 [TestRun/version - 1]
-osv-scanner version: 1.9.0
+osv-scanner version: 1.9.1
 commit: n/a
 built at: n/a
 
@@ -1035,7 +1035,7 @@ Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as
               }
             }
           ],
-          "version": "1.9.0"
+          "version": "1.9.1"
         }
       },
       "artifacts": [
@@ -1857,6 +1857,7 @@ Filtered 16 vulnerabilities from output
 | https://osv.dev/DLA-3449-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3530-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3942-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DLA-3942-2          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-4539-3          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/CVE-2017-12837      | 7.5  | Debian    | perl                           | 5.24.1-3+deb9u7                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/CVE-2017-12883      | 9.1  | Debian    | perl                           | 5.24.1-3+deb9u7                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
@@ -2036,6 +2037,7 @@ Filtered 16 vulnerabilities from output
 | https://osv.dev/DLA-3449-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3530-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3942-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DLA-3942-2          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-4539-3          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/CVE-2017-12837      | 7.5  | Debian    | perl                           | 5.24.1-3+deb9u7                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/CVE-2017-12883      | 9.1  | Debian    | perl                           | 5.24.1-3+deb9u7                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |

diff --git a/docs/github-action.md b/docs/github-action.md
@@ -55,7 +55,7 @@ permissions:
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
 ```
 
 ### View results
@@ -98,7 +98,7 @@ permissions:
 
 jobs:
   scan-scheduled:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
 ```
 
 As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
@@ -133,7 +133,7 @@ permissions:
 
 jobs:
   osv-scan:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
     with:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
@@ -163,7 +163,7 @@ Results may be viewed by clicking on the details of the failed release action fr
 
 The GitHub Actions have the following optional inputs:
 
-- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
+- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage.md) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
   Default:
   ```bash
     --recursive # Recursively scan subdirectories
@@ -172,7 +172,7 @@ The GitHub Actions have the following optional inputs:
   ```
 - `results-file-name`: This is the name of the final SARIF file uploaded to Github.
   Default: `results.sarif`
-- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage#specify-lockfiles)).
+- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage.md#specify-lockfiles)).
 - `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.
 - `fail-on-vuln`: Whether to fail the workflow when a vulnerability is found. Defaults to `true`.
 
@@ -186,7 +186,7 @@ Examples
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
     with:
       scan-args: |-
         --lockfile=./path/to/lockfile1
@@ -198,7 +198,7 @@ jobs:
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
     with:
       scan-args: |-
         --recursive
@@ -225,7 +225,7 @@ jobs:
     name: Vulnerability scanning
     # makes sure the extraction step is completed before running the scanner
     needs: extract-deps
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
     with:
       # Download the artifact uploaded in extract-deps step
       download-artifact: converted-OSV-Scanner-deps

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -16,11 +16,7 @@ import (
 
 const osvScannerConfigName = "osv-scanner.toml"
 
-// Ignore stuttering as that would be a breaking change
-// TODO: V2 rename?
-//
-//nolint:revive
-type ConfigManager struct {
+type Manager struct {
 	// Override to replace all other configs
 	OverrideConfig *Config
 	// Config to use if no config file is found alongside manifests
@@ -112,17 +108,6 @@ func (c *Config) ShouldIgnorePackage(pkg models.PackageVulns) (bool, PackageOver
 	})
 }
 
-// Deprecated: Use ShouldIgnorePackage instead
-func (c *Config) ShouldIgnorePackageVersion(name, version, ecosystem string) (bool, PackageOverrideEntry) {
-	return c.ShouldIgnorePackage(models.PackageVulns{
-		Package: models.PackageInfo{
-			Name:      name,
-			Version:   version,
-			Ecosystem: ecosystem,
-		},
-	})
-}
-
 // ShouldIgnorePackageVulnerabilities determines if the given package should have its vulnerabilities ignored based on override entries in the config
 func (c *Config) ShouldIgnorePackageVulnerabilities(pkg models.PackageVulns) bool {
 	overrides, _ := c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {
@@ -139,17 +124,6 @@ func (c *Config) ShouldOverridePackageLicense(pkg models.PackageVulns) (bool, Pa
 	})
 }
 
-// Deprecated: Use ShouldOverridePackageLicense instead
-func (c *Config) ShouldOverridePackageVersionLicense(name, version, ecosystem string) (bool, PackageOverrideEntry) {
-	return c.ShouldOverridePackageLicense(models.PackageVulns{
-		Package: models.PackageInfo{
-			Name:      name,
-			Version:   version,
-			Ecosystem: ecosystem,
-		},
-	})
-}
-
 func shouldIgnoreTimestamp(ignoreUntil time.Time) bool {
 	if ignoreUntil.IsZero() {
 		// If IgnoreUntil is not set, should ignore.
@@ -162,7 +136,7 @@ func shouldIgnoreTimestamp(ignoreUntil time.Time) bool {
 
 // Sets the override config by reading the config file at configPath.
 // Will return an error if loading the config file fails
-func (c *ConfigManager) UseOverride(configPath string) error {
+func (c *Manager) UseOverride(configPath string) error {
 	config, configErr := tryLoadConfig(configPath)
 	if configErr != nil {
 		return configErr
@@ -173,7 +147,7 @@ func (c *ConfigManager) UseOverride(configPath string) error {
 }
 
 // Attempts to get the config
-func (c *ConfigManager) Get(r reporter.Reporter, targetPath string) Config {
+func (c *Manager) Get(r reporter.Reporter, targetPath string) Config {
 	if c.OverrideConfig != nil {
 		return *c.OverrideConfig
 	}