chore: Update v2 to main #1374

Merged
merged 22 commits into from
Nov 5, 2024
Changes from 20 commits
22 commits
24aca23 docs: update documentation about Maven registry support (#1340) (cuixq, Oct 24, 2024)
0c43a0e feat: add `--experimental-offline-vulnerabilities` and `--experimenta… (michaelkedar, Oct 24, 2024)
5e0e196 chore: Also trigger workflow when merging into v2 (#1343) (another-rex, Oct 25, 2024)
ce6950e test: update snapshot (#1354) (G-Rath, Oct 29, 2024)
ff81dcd chore: remove unused fixture file (#1353) (G-Rath, Oct 30, 2024)
1f69d4a chore(deps-dev): bump rexml from 3.3.8 to 3.3.9 in /docs in the bundl… (dependabot[bot], Oct 30, 2024)
8af6458 docs: update usage references (#1351) (emmanuel-ferdman, Oct 30, 2024)
b13f37e chore: v1.9.1 Changelog (#1358) (another-rex, Oct 30, 2024)
bef97ac fix: parsing crash on malformed pnpm lockfile (#1327) (ivmeta, Oct 31, 2024)
fce42e1 refactor(semantic): sort ecosystems by name (#1363) (G-Rath, Oct 31, 2024)
be307de fix(semantic): support parsing versions without a numeric component (… (G-Rath, Oct 31, 2024)
00cdb36 refactor(semantic): remove unneeded logic in parsing semver-like vers… (G-Rath, Oct 31, 2024)
cc702c8 refactor(semantic): simplify comparing of RubyGem version components … (G-Rath, Oct 31, 2024)
ffd2eb2 refactor(semantic): remove unneeded condition in PyPI version compara… (G-Rath, Oct 31, 2024)
998461f refactor(semantic): simplify comparing of "pre" letters in PyPI versi… (G-Rath, Oct 31, 2024)
94c12b5 test: update snapshots (#1368) (G-Rath, Oct 31, 2024)
11600e7 chore: remove deprecated internal functions (#1369) (G-Rath, Nov 1, 2024)
c20dd9f refactor: rename internal struct to avoid stuttering (#1370) (G-Rath, Nov 1, 2024)
f9ac170 test(semantic): include ecosystems not supported by `lockfile` (#1364) (G-Rath, Nov 4, 2024)
8c1beae Merge remote-tracking branch 'upstream/main' into update-v2-to-main (another-rex, Nov 4, 2024)
8509b99 chore: update snapshots (#1375) (another-rex, Nov 5, 2024)
0cc32c7 Merge remote-tracking branch 'upstream/main' into update-v2-to-main (another-rex, Nov 5, 2024)
45 changes: 45 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,48 @@
OSV-Scanner v2 is coming soon! The next release will start with version `v2.0.0-alpha1`.

Here's a peek at some of the exciting upcoming features:

- Standalone container image scanning support.
- Including support for Alpine and Debian images.
- Refactored internals to use [`osv-scalibr`](https://github.com/google/osv-scalibr) library for better extraction capabilities.
- HTML output format for clearer vulnerability results.
- More control over output format and logging.
- ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.

---

This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

# v1.9.1

### Features:

- [Feature #1295](https://github.com/google/osv-scanner/pull/1295) Support offline database in fix subcommand.
- [Feature #1342](https://github.com/google/osv-scanner/pull/1342) Add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve` flags.
- [Feature #1045](https://github.com/google/osv-scanner/pull/1045) Support private registries for Maven.
- [Feature #1226](https://github.com/google/osv-scanner/pull/1226) Support support `vulnerabilities.ignore` in package overrides.

### Fixes:

- [Bug #604](https://github.com/google/osv-scanner/pull/604) Use correct path separator in SARIF output when on Windows.
- [Bug #330](https://github.com/google/osv-scanner/pull/330) Warn about and ignore duplicate entries in SBOMs.
- [Bug #1325](https://github.com/google/osv-scanner/pull/1325) Set CharsetReader and Entity when reading pom.xml.
- [Bug #1310](https://github.com/google/osv-scanner/pull/1310) Update spdx license ids.
- [Bug #1288](https://github.com/google/osv-scanner/pull/1288) Sort sbom packages by PURL.
- [Bug #1285](https://github.com/google/osv-scanner/pull/1285) Improve handling if `docker` exits with a non-zero code when trying to scan images

### API Changes:

- Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
which are not commonly used to give us more room to make better API designs. These include:
- `config`
- `depsdev`
- `grouper`
- `spdx`

# v1.9.0

### Features:
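Review bot: two wording slips in the v1.9.1 entries: the #1226 line reads "Support support `vulnerabilities.ignore`" (doubled word), and "auxillary" under API Changes should be "auxiliary" (it appears twice); the #1285 entry is also the only bullet without a trailing period. Casing of the major version is mixed as well ("v1" in the banner and release line, "V2 update" in the API Changes paragraph); one form throughout would read cleaner.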
8 changes: 4 additions & 4 deletions cmd/osv-scanner/__snapshots__/main_test.snap
@@ -80,7 +80,7 @@ Loaded filter from: <rootdir>/fixtures/locks-many/osv-scanner.toml
"informationUri": "https://github.com/google/osv-scanner",
"name": "osv-scanner",
"rules": [],
"version": "1.9.0"
"version": "1.9.1"
}
},
"results": []
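Review bot: this snapshot hard-codes the release string `1.9.1`, so every version bump has to touch four places in this file (this hunk and the three below). The harness already substitutes placeholders such as `<rootdir>` and `<tempdir>` (visible in the hunk headers); normalising the version field to a placeholder the same way would keep snapshot churn out of release PRs.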
@@ -234,7 +234,7 @@ Loaded Alpine local db from <tempdir>/osv-scanner/Alpine/all.zip
}
}
],
"version": "1.9.0"
"version": "1.9.1"
}
},
"artifacts": [
@@ -850,7 +850,7 @@ No issues found
---

[TestRun/version - 1]
osv-scanner version: 1.9.0
osv-scanner version: 1.9.1
commit: n/a
built at: n/a

@@ -1035,7 +1035,7 @@ Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as
}
}
],
"version": "1.9.0"
"version": "1.9.1"
}
},
"artifacts": [
16 changes: 8 additions & 8 deletions docs/github-action.md
@@ -55,7 +55,7 @@ permissions:

jobs:
scan-pr:
uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
```

### View results
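Review bot: the `uses:` line pins the reusable workflow by release tag (bumped here to the 1.9.1 release). Tags are mutable refs, so a snippet readers copy into their own pipelines is safer pinned to the release's full commit SHA with the tag kept in a trailing comment, which is GitHub's own hardening recommendation for third-party actions and reusable workflows; the same applies to the other `uses:` bumps in this file.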
@@ -98,7 +98,7 @@ permissions:

jobs:
scan-scheduled:
uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
```

As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
@@ -133,7 +133,7 @@ permissions:

jobs:
osv-scan:
uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
with:
# Only scan the top level go.mod file without recursively scanning directories since
# this is pipeline is about releasing the go module and binary
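Review bot: the unchanged context line `# this is pipeline is about releasing the go module and binary` carries a stray "is"; since this block is already being edited, it is worth fixing to "this pipeline is about releasing" in the same change.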
@@ -163,7 +163,7 @@ Results may be viewed by clicking on the details of the failed release action fr

The GitHub Actions have the following optional inputs:

- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage.md) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
Default:
```bash
--recursive # Recursively scan subdirectories
@@ -172,7 +172,7 @@ The GitHub Actions have the following optional inputs:
```
- `results-file-name`: This is the name of the final SARIF file uploaded to Github.
Default: `results.sarif`
- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage#specify-lockfiles)).
- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage.md#specify-lockfiles)).
- `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.
- `fail-on-vuln`: Whether to fail the workflow when a vulnerability is found. Defaults to `true`.

@@ -186,7 +186,7 @@ Examples
```yml
jobs:
scan-pr:
uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
with:
scan-args: |-
--lockfile=./path/to/lockfile1
@@ -198,7 +198,7 @@ jobs:
```yml
jobs:
scan-pr:
uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
with:
scan-args: |-
--recursive
@@ -225,7 +225,7 @@ jobs:
name: Vulnerability scanning
# makes sure the extraction step is completed before running the scanner
needs: extract-deps
uses: "google/osv-scanner-action/.github/workflows/[email protected].0"
uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
with:
# Download the artifact uploaded in extract-deps step
download-artifact: converted-OSV-Scanner-deps
32 changes: 3 additions & 29 deletions internal/config/config.go
@@ -16,11 +16,7 @@ import (

const osvScannerConfigName = "osv-scanner.toml"

// Ignore stuttering as that would be a breaking change
// TODO: V2 rename?
//
//nolint:revive
type ConfigManager struct {
type Manager struct {
// Override to replace all other configs
OverrideConfig *Config
// Config to use if no config file is found alongside manifests
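Review bot: the removed comment records that the `ConfigManager` stutter was kept deliberately because renaming it is a breaking change; this hunk makes exactly that breaking rename to `Manager`, so it should be listed under API Changes in the v2 changelog (the CHANGELOG hunk in this PR only records package deprecations), and any v1 caller still referring to `config.ConfigManager` will fail to compile against v2.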
@@ -112,17 +108,6 @@ func (c *Config) ShouldIgnorePackage(pkg models.PackageVulns) (bool, PackageOver
})
}

// Deprecated: Use ShouldIgnorePackage instead
func (c *Config) ShouldIgnorePackageVersion(name, version, ecosystem string) (bool, PackageOverrideEntry) {
return c.ShouldIgnorePackage(models.PackageVulns{
Package: models.PackageInfo{
Name: name,
Version: version,
Ecosystem: ecosystem,
},
})
}

// ShouldIgnorePackageVulnerabilities determines if the given package should have its vulnerabilities ignored based on override entries in the config
func (c *Config) ShouldIgnorePackageVulnerabilities(pkg models.PackageVulns) bool {
overrides, _ := c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {
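Review bot: `ShouldIgnorePackageVersion` was marked Deprecated and is now deleted with no shim left behind; since this PR also deprecates the public `config` package in the CHANGELOG, the removal should be called out there so v1 users migrating know to build a `models.PackageVulns` themselves and call `ShouldIgnorePackage` directly. The same holds for `ShouldOverridePackageVersionLicense`, removed in the next hunk.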
@@ -139,17 +124,6 @@ func (c *Config) ShouldOverridePackageLicense(pkg models.PackageVulns) (bool, Pa
})
}

// Deprecated: Use ShouldOverridePackageLicense instead
func (c *Config) ShouldOverridePackageVersionLicense(name, version, ecosystem string) (bool, PackageOverrideEntry) {
return c.ShouldOverridePackageLicense(models.PackageVulns{
Package: models.PackageInfo{
Name: name,
Version: version,
Ecosystem: ecosystem,
},
})
}

func shouldIgnoreTimestamp(ignoreUntil time.Time) bool {
if ignoreUntil.IsZero() {
// If IgnoreUntil is not set, should ignore.
@@ -162,7 +136,7 @@ func shouldIgnoreTimestamp(ignoreUntil time.Time) bool {

// Sets the override config by reading the config file at configPath.
// Will return an error if loading the config file fails
func (c *ConfigManager) UseOverride(configPath string) error {
func (c *Manager) UseOverride(configPath string) error {
config, configErr := tryLoadConfig(configPath)
if configErr != nil {
return configErr
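Review bot: the doc comment above the renamed receiver still does not follow Go's convention of opening with the identifier (`UseOverride sets the override config ...`), and the same applies to `// Attempts to get the config` on `Get` in the next hunk; since both signature lines are being rewritten anyway, this is a cheap moment to fix them, and revive's exported rule will otherwise keep flagging them.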
@@ -173,7 +147,7 @@ func (c *ConfigManager) UseOverride(configPath string) error {
}

// Attempts to get the config
func (c *ConfigManager) Get(r reporter.Reporter, targetPath string) Config {
func (c *Manager) Get(r reporter.Reporter, targetPath string) Config {
if c.OverrideConfig != nil {
return *c.OverrideConfig
}