refactor: Update to new scalibr version (#1450)

Update to new scalibr version 1.5.0+ , this fixes some of the breaking
changes made since the current scalibr 1.3.0+ we are using.

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/go-git/go-git/v5 v5.12.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.20.2
-	github.com/google/osv-scalibr v0.1.4-0.20241031120023-761ca671aacb
+	github.com/google/osv-scalibr v0.1.6-0.20241210165202-6da18027fec0
 	github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd
 	github.com/jedib0t/go-pretty/v6 v6.6.0
 	github.com/muesli/reflow v0.3.0
@@ -64,6 +64,7 @@ require (
 	github.com/gkampitakis/ciinfo v0.3.0 // indirect
 	github.com/gkampitakis/go-diff v1.3.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect

go.sum

@@ -105,6 +105,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
 github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -115,8 +117,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
 github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
-github.com/google/osv-scalibr v0.1.4-0.20241031120023-761ca671aacb h1:A7IvUJk8r3wMuuAMWxwbkE3WBp+oF/v7CcEt3nCy+lI=
-github.com/google/osv-scalibr v0.1.4-0.20241031120023-761ca671aacb/go.mod h1:MbEYB+PKqEGjwMdpcoO5DWpi0+57jYgYcw2jlRy8O9Q=
+github.com/google/osv-scalibr v0.1.6-0.20241210165202-6da18027fec0 h1:6B2j21HOF1Vdei7wyEnq8EwEA7ktRoNXc8og44YX22o=
+github.com/google/osv-scalibr v0.1.6-0.20241210165202-6da18027fec0/go.mod h1:fvnB14pFjAupxDoCLUgdMg2rHu6v86BgKGQHzgTFrTg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=

internal/image/extractor.go

@@ -12,6 +12,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
 	"github.com/google/osv-scanner/internal/scalibrextract"
 	"github.com/google/osv-scanner/internal/scalibrextract/language/javascript/nodemodules"
 	"github.com/google/osv-scanner/pkg/lockfile"
@@ -35,7 +36,7 @@ func findArtifactExtractor(path string, fileInfo fs.FileInfo) []filesystem.Extra
 	// Use ShouldExtract to collect and return a slice of artifactExtractors
 	var extractors []filesystem.Extractor
 	for _, extractor := range artifactExtractors {
-		if extractor.FileRequired(path, fileInfo) {
+		if extractor.FileRequired(simplefileapi.New(path, fileInfo)) {
 			extractors = append(extractors, extractor)
 		}
 	}

internal/scalibrextract/extract.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/extractor/filesystem"
+	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
 
 	scalibrfs "github.com/google/osv-scalibr/fs"
 )
@@ -59,7 +60,7 @@ func ExtractWithExtractors(ctx context.Context, localPath string, extractors []f
 	result := []*extractor.Inventory{}
 	extractorFound := false
 	for _, ext := range extractors {
-		if !ext.FileRequired(localPath, info) {
+		if !ext.FileRequired(simplefileapi.New(localPath, info)) {
 			continue
 		}
 		extractorFound = true

internal/scalibrextract/language/java/pomxmlnet/extractor.go

@@ -4,7 +4,6 @@ package pomxmlnet
 import (
 	"context"
 	"fmt"
-	"io/fs"
 	"path/filepath"
 
 	"golang.org/x/exp/maps"
@@ -44,8 +43,8 @@ func (e Extractor) Requirements() *plugin.Capabilities {
 }
 
 // FileRequired never returns true, as this is for the osv-scanner json output.
-func (e Extractor) FileRequired(path string, _ fs.FileInfo) bool {
-	return filepath.Base(path) == "pom.xml"
+func (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {
+	return filepath.Base(fapi.Path()) == "pom.xml"
 }
 
 // Extract extracts packages from yarn.lock files passed through the scan input.
@@ -177,9 +176,6 @@ func (e Extractor) ToPURL(i *extractor.Inventory) *purl.PackageURL {
 	}
 }
 
-// ToCPEs is not applicable as this extractor does not infer CPEs from the Inventory.
-func (e Extractor) ToCPEs(_ *extractor.Inventory) []string { return []string{} }
-
 // Ecosystem returns the OSV ecosystem ('npm') of the software extracted by this extractor.
 func (e Extractor) Ecosystem(_ *extractor.Inventory) string {
 	return "Maven"

internal/scalibrextract/language/java/pomxmlnet/extractor_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/extractor/filesystem/osv"
+	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
 	"github.com/google/osv-scalibr/testing/extracttest"
 	"github.com/google/osv-scanner/internal/resolution/clienttest"
 	"github.com/google/osv-scanner/internal/resolution/datasource"
@@ -51,7 +52,7 @@ func TestMavenResolverExtractor_FileRequired(t *testing.T) {
 		t.Run(tt.path, func(t *testing.T) {
 			t.Parallel()
 			e := pomxmlnet.Extractor{}
-			got := e.FileRequired(tt.path, nil)
+			got := e.FileRequired(simplefileapi.New(tt.path, nil))
 			if got != tt.want {
 				t.Errorf("Extract() got = %v, want %v", got, tt.want)
 			}

internal/scalibrextract/language/javascript/nodemodules/extractor.go

@@ -2,7 +2,6 @@ package nodemodules
 
 import (
 	"context"
-	"io/fs"
 	"path/filepath"
 
 	"github.com/google/osv-scalibr/extractor"
@@ -30,8 +29,8 @@ func (e Extractor) Requirements() *plugin.Capabilities {
 }
 
 // FileRequired returns true for .package-lock.json files under node_modules
-func (e Extractor) FileRequired(path string, _ fs.FileInfo) bool {
-	return filepath.Base(filepath.Dir(path)) == "node_modules" && filepath.Base(path) == ".package-lock.json"
+func (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {
+	return filepath.Base(filepath.Dir(fapi.Path())) == "node_modules" && filepath.Base(fapi.Path()) == ".package-lock.json"
 }
 
 // Extract extracts packages from yarn.lock files passed through the scan input.
@@ -44,11 +43,6 @@ func (e Extractor) ToPURL(i *extractor.Inventory) *purl.PackageURL {
 	return e.actualExtractor.ToPURL(i)
 }
 
-// ToCPEs is not applicable as this extractor does not infer CPEs from the Inventory.
-func (e Extractor) ToCPEs(i *extractor.Inventory) []string {
-	return e.actualExtractor.ToCPEs(i)
-}
-
 // Ecosystem returns the OSV ecosystem ('npm') of the software extracted by this extractor.
 func (e Extractor) Ecosystem(i *extractor.Inventory) string {
 	return e.actualExtractor.Ecosystem(i)

internal/scalibrextract/language/osv/osvscannerjson/extractor.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/fs"
 
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/extractor/filesystem"
@@ -29,7 +28,7 @@ func (e Extractor) Requirements() *plugin.Capabilities {
 }
 
 // FileRequired never returns true, as this is for the osv-scanner json output.
-func (e Extractor) FileRequired(_ string, _ fs.FileInfo) bool {
+func (e Extractor) FileRequired(_ filesystem.FileAPI) bool {
 	return false
 }
 

internal/scalibrextract/vcs/gitrepo/extractor.go

@@ -2,7 +2,6 @@ package gitrepo
 
 import (
 	"context"
-	"io/fs"
 	"path"
 	"path/filepath"
 
@@ -67,8 +66,18 @@ func (e Extractor) Requirements() *plugin.Capabilities {
 }
 
 // FileRequired returns true for .package-lock.json files under node_modules
-func (e Extractor) FileRequired(path string, fi fs.FileInfo) bool {
-	return fi.IsDir() && filepath.Base(path) == ".git"
+func (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {
+	if filepath.Base(fapi.Path()) != ".git" {
+		return false
+	}
+
+	// Stat costs performance, so perform it after the name check
+	stat, err := fapi.Stat()
+	if err != nil {
+		return false
+	}
+
+	return stat.IsDir()
 }
 
 // Extract extracts packages from yarn.lock files passed through the scan input.
@@ -107,11 +116,6 @@ func (e Extractor) ToPURL(_ *extractor.Inventory) *purl.PackageURL {
 	return nil
 }
 
-// ToCPEs is not applicable as this extractor does not infer CPEs from the Inventory.
-func (e Extractor) ToCPEs(_ *extractor.Inventory) []string {
-	return nil
-}
-
 // Ecosystem returns the OSV ecosystem ('npm') of the software extracted by this extractor.
 func (e Extractor) Ecosystem(_ *extractor.Inventory) string {
 	return ""