chore: Merge V2 back into main (#1434)

Now that the last release is out, the main branch should be the v2 branch, and we can continue developing on main. One caveat, scorecard github action has not updated yet to support the new ignore file format. --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Emmanuel Ferdman <[email protected]> Co-authored-by: Gareth Jones <[email protected]> Co-authored-by: Xueqin Cui <[email protected]> Co-authored-by: Michael Kedar <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Emmanuel Ferdman <[email protected]> Co-authored-by: Ignacio Vazquez <[email protected]> Co-authored-by: Holly Gong <[email protected]>
google · Dec 10, 2024 · dc9a332 · dc9a332
1 parent 152731f
commit dc9a332
Show file tree

Hide file tree

Showing 83 changed files with 3,141 additions and 3,602 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -16,10 +16,10 @@ name: Checks
 
 on:
   push:
-    branches: [main, v2]
+    branches: [main, v1]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main, v2]
+    branches: [main, v1]
 
 concurrency:
   # Pushing new changes to a branch will cancel any in-progress CI runs

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [main, v2]
+    branches: [main, v1]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main, v2]
+    branches: [main, v1]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

diff --git a/.github/workflows/osv-scanner-unified-action.yml b/.github/workflows/osv-scanner-unified-action.yml
@@ -16,11 +16,11 @@ name: OSV-Scanner Scheduled Scan
 
 on:
   pull_request:
-    branches: ["main", "v2"]
+    branches: ["main", "v1"]
   schedule:
     - cron: "12 12 * * 1"
   push:
-    branches: ["main", "v2"]
+    branches: ["main", "v1"]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -12,7 +12,7 @@ on:
   schedule:
     - cron: "32 22 * * 6"
   push:
-    branches: ["main", "v2"]
+    branches: ["main"]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

diff --git a/.prettierignore b/.prettierignore
@@ -1,4 +1,5 @@
 **/fixtures/**
+**/testdata/**
 **/fixtures-go/**
 /docs/vendor/**
 /internal/output/html/*template.html
diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -349,9 +349,9 @@ overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD
 | LICENSE VIOLATION | ECOSYSTEM | PACKAGE                                        | VERSION | SOURCE                                                |
 +-------------------+-----------+------------------------------------------------+---------+-------------------------------------------------------+
 | 0BSD              | Packagist | league/flysystem                               | 1.0.8   | fixtures/locks-insecure/composer.lock                 |
-| UNKNOWN           |           | https://github.com/flutter/buildroot.git       |         | fixtures/locks-insecure/osv-scanner-flutter-deps.json |
-| UNKNOWN           |           | https://github.com/brendan-duncan/archive.git  |         | fixtures/locks-insecure/osv-scanner-flutter-deps.json |
 | UNKNOWN           |           | https://chromium.googlesource.com/chromium/src |         | fixtures/locks-insecure/osv-scanner-flutter-deps.json |
+| UNKNOWN           |           | https://github.com/brendan-duncan/archive.git  |         | fixtures/locks-insecure/osv-scanner-flutter-deps.json |
+| UNKNOWN           |           | https://github.com/flutter/buildroot.git       |         | fixtures/locks-insecure/osv-scanner-flutter-deps.json |
 | UNKNOWN           | RubyGems  | ast                                            | 2.4.2   | fixtures/locks-many/Gemfile.lock                      |
 | 0BSD              | Packagist | sentry/sdk                                     | 2.0.4   | fixtures/locks-many/composer.lock                     |
 +-------------------+-----------+------------------------------------------------+---------+-------------------------------------------------------+
@@ -926,6 +926,68 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
 
 ---
 
+[TestRun_Docker/Fake_alpine_image - 1]
+Pulling docker image ("alpine:non-existent-tag")...
+
+---
+
+[TestRun_Docker/Fake_alpine_image - 2]
+Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1
+STDERR:
+> Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown
+failed to run docker command
+
+---
+
+[TestRun_Docker/Fake_image_entirely - 1]
+Pulling docker image ("this-image-definitely-does-not-exist-abcde")...
+
+---
+
+[TestRun_Docker/Fake_image_entirely - 2]
+Docker command exited with code ("/usr/bin/docker pull -q this-image-definitely-does-not-exist-abcde"): 1
+STDERR:
+> Error response from daemon: pull access denied for this-image-definitely-does-not-exist-abcde, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
+failed to run docker command
+
+---
+
+[TestRun_Docker/Real_Alpine_image - 1]
+Pulling docker image ("alpine:3.18.9")...
+Saving docker image ("alpine:3.18.9") to temporary file...
+Scanning image...
+No issues found
+
+---
+
+[TestRun_Docker/Real_Alpine_image - 2]
+
+---
+
+[TestRun_Docker/Real_empty_image - 1]
+Pulling docker image ("hello-world")...
+Saving docker image ("hello-world") to temporary file...
+Scanning image...
+
+---
+
+[TestRun_Docker/Real_empty_image - 2]
+No package sources found, --help for usage information.
+
+---
+
+[TestRun_Docker/Real_empty_image_with_tag - 1]
+Pulling docker image ("hello-world:linux")...
+Saving docker image ("hello-world:linux") to temporary file...
+Scanning image...
+
+---
+
+[TestRun_Docker/Real_empty_image_with_tag - 2]
+No package sources found, --help for usage information.
+
+---
+
 [TestRun_GithubActions/scanning_osv-scanner_custom_format - 1]
 Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as a osv-scanner and found 3 packages
 +--------------------------------+------+-----------+----------------------------+----------------------------+-------------------------------------------------------+
@@ -2393,7 +2455,7 @@ No issues found
 ---
 
 [TestRun_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows) - 2]
-open <rootdir>/path/to/my:file: no such file or directory
+stat <rootdir>/path/to/my:file: no such file or directory
 
 ---
 
@@ -2402,7 +2464,7 @@ open <rootdir>/path/to/my:file: no such file or directory
 ---
 
 [TestRun_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)#01 - 2]
-open <rootdir>/path/to/my:project/package-lock.json: no such file or directory
+stat <rootdir>/path/to/my:project/package-lock.json: no such file or directory
 
 ---
 
@@ -2411,7 +2473,7 @@ open <rootdir>/path/to/my:project/package-lock.json: no such file or directory
 ---
 
 [TestRun_LockfileWithExplicitParseAs/files_that_error_on_parsing_stop_parsable_files_from_being_checked - 2]
-(extracting as Cargo.lock) could not extract from <rootdir>/fixtures/locks-insecure/my-package-lock.json: toml: line 1: expected '.' or '=', but got '{' instead
+(extracting as rust/Cargolock) could not extract from <rootdir>/fixtures/locks-insecure/my-package-lock.json: toml: line 1: expected '.' or '=', but got '{' instead
 
 ---
 
@@ -2469,7 +2531,7 @@ No issues found
 ---
 
 [TestRun_LockfileWithExplicitParseAs/parse-as_takes_priority,_even_if_it's_wrong - 2]
-(extracting as package-lock.json) could not extract from <rootdir>/fixtures/locks-many/yarn.lock: invalid character '#' looking for beginning of value
+(extracting as javascript/packagelockjson) could not extract from "<rootdir>/fixtures/locks-many/yarn.lock": invalid character '#' looking for beginning of value
 
 ---
 
@@ -2522,7 +2584,7 @@ No issues found
 
 ---
 
-[TestRun_MavenTransitive/resolve_transitive_dependencies_with_native_datda_source - 1]
+[TestRun_MavenTransitive/resolve_transitive_dependencies_with_native_data_source - 1]
 Scanned <rootdir>/fixtures/maven-transitive/registry.xml file as a pom.xml and found 59 packages
 +-------------------------------------+------+-----------+-----------------------------------------------+---------+----------------------------------------+
 | OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                                       | VERSION | SOURCE                                 |
@@ -2536,7 +2598,7 @@ Scanned <rootdir>/fixtures/maven-transitive/registry.xml file as a pom.xml and f
 
 ---
 
-[TestRun_MavenTransitive/resolve_transitive_dependencies_with_native_datda_source - 2]
+[TestRun_MavenTransitive/resolve_transitive_dependencies_with_native_data_source - 2]
 
 ---
 
@@ -2673,7 +2735,7 @@ Total 3 packages affected by 6 vulnerabilities (2 Critical, 0 High, 4 Medium, 0
 npm
 +--------------------------------------------------------------+
 | Source:docker:../../internal/image/fixtures/test-node_module |
-| s-npm-full.tar:/usr/app/node_modules/.package-lock.json      |
+| s-npm-full.tar:/prod/app/node_modules/.package-lock.json     |
 +----------+-------------------+------------------+------------+
 | PACKAGE  | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT |
 +----------+-------------------+------------------+------------+

diff --git a/cmd/osv-scanner/fixtures/locks-requirements/my-requirements.txt b/cmd/osv-scanner/fixtures/locks-requirements/my-requirements.txt
@@ -1 +1 @@
-flask
+flask==1.0.0
diff --git a/cmd/osv-scanner/fixtures/locks-requirements/requirements-dev.txt b/cmd/osv-scanner/fixtures/locks-requirements/requirements-dev.txt
@@ -1 +1 @@
-black
+black==1.0.0
diff --git a/cmd/osv-scanner/fixtures/locks-requirements/requirements.txt b/cmd/osv-scanner/fixtures/locks-requirements/requirements.txt
@@ -1,3 +1,3 @@
-flask
-flask-cors
+flask==1.0.0
+flask-cors==1.0.0
 pandas==0.23.4
diff --git a/cmd/osv-scanner/fixtures/locks-requirements/the_requirements_for_test.txt b/cmd/osv-scanner/fixtures/locks-requirements/the_requirements_for_test.txt
@@ -1 +1 @@
-pytest
+pytest==1.0.0
diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml b/cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml
@@ -1,64 +1,3 @@
-[[IgnoredVulns]]
-id = "GO-2022-0274"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GO-2022-0493"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-vpvm-3wq2-2wvm"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-m8cg-xc2p-r3fc"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-g2j6-57v7-gm8c"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-f3fp-gc8g-vw66"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3008-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3012-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3022-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3051-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "CVE-2022-37434"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "CVE-2018-25032"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-xr7r-f8xq-vfvv"
-# ignoreUntil = n/a
+[[PackageOverrides]]
+ignore = true
 reason = "This is an intentionally vulnerable test sbom"
diff --git a/cmd/osv-scanner/main.go b/cmd/osv-scanner/main.go
@@ -47,6 +47,18 @@ func run(args []string, stdout, stderr io.Writer) int {
 		},
 	}
 
+	// If ExitErrHandler is not set, cli will use the default cli.HandleExitCoder.
+	// This is not ideal as cli.HandleExitCoder checks if the error implements cli.ExitCode interface.
+	//
+	// 99% of the time, this is fine, as we do not implement cli.ExitCode in our errors, so errors pass through
+	// that handler untouched.
+	// However, because of Go's duck typing, any error that happens to have a ExitCode() function
+	// (e.g. *exec.ExitError) will be assumed to implement cli.ExitCode interface and cause the program to exit
+	// early without proper error handling.
+	//
+	// This removes the handler entirely so that behavior will not unexpectedly happen.
+	app.ExitErrHandler = func(_ *cli.Context, _ error) {}
+
 	args = insertDefaultCommand(args, app.Commands, app.DefaultCommand, stdout, stderr)
 
 	if err := app.Run(args); err != nil {

diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -523,7 +524,12 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			testCli(t, tt)
+			stdout, stderr := runCli(t, tt)
+
+			testutility.NewSnapshot().MatchText(t, stdout)
+			testutility.NewSnapshot().WithWindowsReplacements(map[string]string{
+				"CreateFile": "stat",
+			}).MatchText(t, stderr)
 		})
 	}
 }
@@ -744,6 +750,51 @@ func TestRun_Licenses(t *testing.T) {
 	}
 }
 
+func TestRun_Docker(t *testing.T) {
+	t.Parallel()
+
+	testutility.SkipIfNotAcceptanceTesting(t, "Takes a long time to pull down images")
+
+	tests := []cliTestCase{
+		{
+			name: "Fake alpine image",
+			args: []string{"", "--docker", "alpine:non-existent-tag"},
+			exit: 127,
+		},
+		{
+			name: "Fake image entirely",
+			args: []string{"", "--docker", "this-image-definitely-does-not-exist-abcde"},
+			exit: 127,
+		},
+		// TODO: How to prevent these snapshots from changing constantly
+		{
+			name: "Real empty image",
+			args: []string{"", "--docker", "hello-world"},
+			exit: 128, // No packages found
+		},
+		{
+			name: "Real empty image with tag",
+			args: []string{"", "--docker", "hello-world:linux"},
+			exit: 128, // No package found
+		},
+		{
+			name: "Real Alpine image",
+			args: []string{"", "--docker", "alpine:3.18.9"},
+			exit: 0,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Only test on linux, and mac/windows CI/CD does not come with docker preinstalled
+			if runtime.GOOS == "linux" {
+				testCli(t, tt)
+			}
+		})
+	}
+}
+
 func TestRun_OCIImage(t *testing.T) {
 	t.Parallel()
 
@@ -938,6 +989,11 @@ func TestRun_MavenTransitive(t *testing.T) {
 			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "pom.xml:./fixtures/maven-transitive/registry.xml"},
 			exit: 1,
 		},
+		{
+			name: "resolve transitive dependencies with native data source",
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--experimental-resolution-data-source=native", "-L", "pom.xml:./fixtures/maven-transitive/registry.xml"},
+			exit: 1,
+		},
 	}
 
 	for _, tt := range tests {