diff --git a/.gitignore b/.gitignore
index 6de65fa0a12..f0d231db000 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .idea/
 /dist/
 /osv-scanner
+/temp
 /coverage.out
 /coverage.html
 *.tar
diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
index ab8a129dda1..e19d169088d 100755
--- a/cmd/osv-scanner/__snapshots__/main_test.snap
+++ b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -2967,6 +2967,453 @@ No issues found --- +[TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1] +Scanning local image tarball "../../internal/image/fixtures/test-alpine.tar" + +Container Scanning Result (Alpine Linux v3.18): +Total 2 packages affected by 40 vulnerabilities (2 Critical, 17 High, 14 Medium, 0 Low, 7 Unknown) from 1 ecosystems. +40 vulnerabilities have fixes available. + +Alpine:v3.18 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| openssl | 1.1.1k-r0 | Fix Available | 38 | # 3 Layer | -- | +| zlib | 1.2.11-r1 | Fix Available | 2 | # 3 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/Invalid_path - 1] +Scanning local image tarball "./fixtures/oci-image/no-file-here.tar" + +--- + +[TestRun_OCIImage/Invalid_path - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. 
If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. +failed to load image from tarball with path "./fixtures/oci-image/no-file-here.tar": open ./fixtures/oci-image/no-file-here.tar: no such file or directory + +--- + +[TestRun_OCIImage/Scanning_java_image_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-java-full.tar" + +Container Scanning Result (Alpine Linux v3.21): +Total 9 packages affected by 12 vulnerabilities (1 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +12 vulnerabilities have fixes available. + +Maven ++-------------------------------------------------------------------------------------------------------------------------------+ +| Source:artifact:app/target.jar | ++-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ +| com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 4 Layer | -- | +| com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 1 | # 4 Layer | -- | +| dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 4 Layer | -- | +| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 1 | # 4 Layer | -- | +| io.netty:netty-common | 4.1.100.Final | Fix Available | 1 | # 4 Layer | -- | +| org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 4 Layer | -- | +| org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 4 Layer | -- | +| org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 4 Layer | -- | +| org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 1 | # 4 Layer | -- | 
++-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/Scanning_java_image_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/Scanning_python_image_with_no_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-python-empty.tar" + +Container Scanning Result (Debian GNU/Linux 10 (buster)): +Total 12 packages affected by 17 vulnerabilities (0 Critical, 2 High, 1 Medium, 0 Low, 14 Unknown) from 2 ecosystems. +17 vulnerabilities have fixes available. 
+ +PyPI ++---------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 1 | # 13 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ ++------------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | ++------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------+-------------------+---------------+------------+------------------+---------------+ +| setuptools | 58.1.0 | Fix Available | 2 | # 13 Layer | python | ++------------+-------------------+---------------+------------+------------------+---------------+ +Debian:10 ++-----------------------------------------------------------------------------------------------------------------+ +| Source:os:var/lib/dpkg/status | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | # 0 Layer | python | +| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | # 7 Layer | python | +| glibc | 2.28-10+deb10u2 | Fix Available | 2 
| # 0 Layer | python | +| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | # 0 Layer | python | +| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | # 0 Layer | python | +| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | # 4 Layer | python | +| systemd | 241-7~deb10u9 | Fix Available | 1 | # 0 Layer | python | +| tar | 1.30+dfsg-6 | Fix Available | 1 | # 0 Layer | python | +| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | # 0 Layer | python | +| util-linux | 2.33.1-0.1 | Fix Available | 1 | # 0 Layer | python | ++------------------------+------------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/Scanning_python_image_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/Scanning_python_image_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-python-full.tar" + +Container Scanning Result (Debian GNU/Linux 10 (buster)): +Total 17 packages affected by 31 vulnerabilities (0 Critical, 8 High, 8 Medium, 0 Low, 15 Unknown) from 2 ecosystems. +31 vulnerabilities have fixes available. 
+ +PyPI ++---------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| django | 1.11.29 | Fix Available | 3 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| flask | 0.12.2 | Fix Available | 3 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ 
++---------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 1 | # 13 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ ++----------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | ++----------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++----------+-------------------+---------------+------------+------------------+---------------+ +| requests | 2.20.0 | Fix Available | 2 | # 17 Layer | -- | ++----------+-------------------+---------------+------------+------------------+---------------+ ++------------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | ++------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------+-------------------+---------------+------------+------------------+---------------+ +| setuptools | 58.1.0 | Fix Available | 2 | # 13 Layer | python | ++------------+-------------------+---------------+------------+------------------+---------------+ 
++---------------------------------------------------------------------------------------------+ +| Source:artifact:usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| urllib3 | 1.24.3 | Fix Available | 5 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ +Debian:10 ++-----------------------------------------------------------------------------------------------------------------+ +| Source:os:var/lib/dpkg/status | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | # 0 Layer | python | +| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | # 7 Layer | python | +| glibc | 2.28-10+deb10u2 | Fix Available | 2 | # 0 Layer | python | +| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | # 0 Layer | python | +| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | # 0 Layer | python | +| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | # 4 Layer | python | +| systemd | 241-7~deb10u9 | Fix Available | 1 | # 0 Layer | python | +| tar | 1.30+dfsg-6 | Fix Available | 1 | # 0 Layer | python | +| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | # 0 Layer | python | +| util-linux | 2.33.1-0.1 | Fix Available | 1 | # 0 Layer | python | ++------------------------+------------------------+---------------+------------+------------------+---------------+ + +For the most 
comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/Scanning_python_image_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/scanning_image_with_go_binary - 1] +Scanning local image tarball "../../internal/image/fixtures/test-package-tracing.tar" + +Container Scanning Result (Alpine Linux v3.20): +Total 7 packages affected by 39 vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 39 Unknown) from 2 ecosystems. +39 vulnerabilities have fixes available. + +Go ++---------------------------------------------------------------------------------------------+ +| Source:artifact:go/bin/more-vuln-overwrite-less-vuln | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.22.4 | Fix Available | 6 | # 9 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:go/bin/ptf-1.2.0 | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.22.4 | Fix Available | 6 | # 2 Layer | -- | 
++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:go/bin/ptf-1.3.0 | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.22.4 | Fix Available | 6 | # 4 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:go/bin/ptf-1.3.0-moved | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.22.4 | Fix Available | 6 | # 3 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:go/bin/ptf-1.4.0 | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.22.4 | Fix Available | 6 | # 2 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:go/bin/ptf-vulnerable | 
++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.22.4 | Fix Available | 6 | # 7 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ +Alpine:v3.20 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| openssl | 3.3.1-r0 | Fix Available | 3 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_image_with_go_binary - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-node_modules-npm-empty.tar" + +Container Scanning Result (Alpine Linux v3.19): +Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. +10 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-node_modules-npm-full.tar" + +Container Scanning Result (Alpine Linux v3.19): +Total 4 packages affected by 13 vulnerabilities (2 Critical, 0 High, 5 Medium, 0 Low, 6 Unknown) from 2 ecosystems. +12 vulnerabilities have fixes available. 
+ +npm ++-------------------------------------------------------------------------------------------------+ +| Source:artifact:prod/app/node_modules/.package-lock.json | ++----------+-------------------+------------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++----------+-------------------+------------------+------------+------------------+---------------+ +| cryo | 0.0.6 | No fix available | 1 | # 14 Layer | -- | +| minimist | 0.0.8 | Fix Available | 2 | # 13 Layer | -- | ++----------+-------------------+------------------+------------+------------------+---------------+ +Alpine:v3.19 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. 
+ +--- + +[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-node_modules-pnpm-empty.tar" + +Container Scanning Result (Alpine Linux v3.19): +Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. +10 vulnerabilities have fixes available. + +Alpine:v3.19 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-node_modules-pnpm-full.tar" + +Container Scanning Result (Alpine Linux v3.19): +Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. 
+10 vulnerabilities have fixes available. + +Alpine:v3.19 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-node_modules-yarn-empty.tar" + +Container Scanning Result (Alpine Linux v3.19): +Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. +10 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-node_modules-yarn-full.tar" + +Container Scanning Result (Alpine Linux v3.19): +Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. +10 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++---------------------------------------------------------------------------------------------+ +| Source:os:lib/apk/db/installed | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | # 0 Layer | alpine | +| openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | ++---------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. + +--- + [TestRun_SubCommands/scan_with_a_flag - 1] Scanning dir ./fixtures/locks-one-with-nested Scanned /fixtures/locks-one-with-nested/nested/composer.lock file and found 1 package diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index cba62c28d8a..97fae88c74c 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -3,6 +3,7 @@ package main import ( "bytes" + "errors" "os" "path/filepath" "reflect" 
@@ -817,6 +818,91 @@ func TestRun_Docker(t *testing.T) {
 }
 }
+func TestRun_OCIImage(t *testing.T) {
+ t.Parallel()
+
+ testutility.SkipIfNotAcceptanceTesting(t, "Not consistent on MacOS/Windows")
+
+ tests := []cliTestCase{
+ {
+ name: "Invalid path",
+ args: []string{"", "scan", "image", "--archive", "./fixtures/oci-image/no-file-here.tar"},
+ exit: 127,
+ },
+ {
+ name: "Alpine 3.10 image tar with 3.18 version file",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-alpine.tar"},
+ exit: 1,
+ },
+ {
+ name: "Scanning python image with some packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-python-full.tar"},
+ exit: 1,
+ },
+ {
+ name: "Scanning python image with no packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-python-empty.tar"},
+ exit: 1,
+ },
+ {
+ name: "Scanning java image with some packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-java-full.tar"},
+ exit: 1,
+ },
+ {
+ name: "scanning node_modules using npm with no packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-npm-empty.tar"},
+ exit: 1,
+ },
+ {
+ name: "scanning node_modules using npm with some packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-npm-full.tar"},
+ exit: 1,
+ },
+ {
+ name: "scanning node_modules using yarn with no packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-yarn-empty.tar"},
+ exit: 1,
+ },
+ {
+ name: "scanning node_modules using yarn with some packages",
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-yarn-full.tar"},
+ exit: 1,
+ },
+ {
+ name: "scanning node_modules using pnpm with no packages",
+ args: []string{"", "scan", "image", "--archive", 
"../../internal/image/fixtures/test-node_modules-pnpm-empty.tar"}, + exit: 1, + }, + { + name: "scanning node_modules using pnpm with some packages", + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-pnpm-full.tar"}, + exit: 1, + }, + { + name: "scanning image with go binary", + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-package-tracing.tar"}, + exit: 1, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + // point out that we need the images to be built and saved separately + for _, arg := range tt.args { + if strings.HasPrefix(arg, "../../internal/image/fixtures/") && strings.HasSuffix(arg, ".tar") { + if _, err := os.Stat(arg); errors.Is(err, os.ErrNotExist) { + t.Fatalf("%s does not exist - have you run scripts/build_test_images.sh?", arg) + } + } + } + + testCli(t, tt) + }) + } +} + // Tests all subcommands here. func TestRun_SubCommands(t *testing.T) { t.Parallel() diff --git a/go.mod b/go.mod index 809b1f499ea..cddbd16378a 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/go-git/go-billy/v5 v5.6.2 github.com/go-git/go-git/v5 v5.13.1 github.com/google/go-cmp v0.6.0 - github.com/google/osv-scalibr v0.1.6-0.20250123155336-85f39dea4c05 + github.com/google/osv-scalibr v0.1.6-0.20250128013153-34aef7c77adf github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd github.com/jedib0t/go-pretty/v6 v6.6.5 github.com/muesli/reflow v0.3.0 @@ -104,6 +104,7 @@ require ( github.com/mattn/go-runewidth v0.0.16 // indirect github.com/mattn/go-sqlite3 v1.14.22 // indirect github.com/microcosm-cc/bluemonday v1.0.27 // indirect + github.com/microsoft/go-rustaudit v0.0.0-20240820110456-0e2abec02f8b // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/sys/mountinfo v0.6.2 // indirect diff --git a/go.sum b/go.sum index 1d9d56315d6..d01d3267529 100644 
--- a/go.sum +++ b/go.sum @@ -184,6 +184,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/osv-scalibr v0.1.6-0.20250123155336-85f39dea4c05 h1:47dObbqXVFPmg39yLeRWfKZYw2xR6O2BJVLmgC6Zygw= github.com/google/osv-scalibr v0.1.6-0.20250123155336-85f39dea4c05/go.mod h1:nikSO3CqGGRQY05sGgzsgf4+84p5xCmPWOiaSomkuAU= +github.com/google/osv-scalibr v0.1.6-0.20250128013153-34aef7c77adf h1:s6PZEjcMocRehGjuHIFN7Chy8VlMw4XheLgLaWRx21U= +github.com/google/osv-scalibr v0.1.6-0.20250128013153-34aef7c77adf/go.mod h1:jKAptk1dYWBO91ODkI5XYKDDvZEbLKQH9DSXcTtUDSw= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -233,6 +235,8 @@ github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= +github.com/microsoft/go-rustaudit v0.0.0-20240820110456-0e2abec02f8b h1:84JbAJpjZ8p1ttV6dpIqfe8IehWMf0i8DPSgmE9aZuA= +github.com/microsoft/go-rustaudit v0.0.0-20240820110456-0e2abec02f8b/go.mod h1:vYT9HE7WCvL64iVeZylKmCsWKfE+JZ8105iuh2Trk8g= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= 
diff --git a/internal/image/fixtures/java-fixture/app/pom.xml b/internal/image/fixtures/java-fixture/app/pom.xml new file mode 100644 index 00000000000..7e503545490 --- /dev/null +++ b/internal/image/fixtures/java-fixture/app/pom.xml @@ -0,0 +1,57 @@ + + + + 4.0.0 + + com.mycompany.app + my-app + 1.0-SNAPSHOT + + my-app + https://osv.dev + + + + org.apache.hadoop + hadoop-client + 3.4.0 + + + org.apache.commons + commons-compress + 1.21 + + + + + + maven-assembly-plugin + + + + com.mycompany.app.App + + + + jar-with-dependencies + + + + + make-assembly + package + + single + + + + + + + + + 1.8 + 1.8 + + diff --git a/internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java b/internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java new file mode 100644 index 00000000000..77cf3e055bb --- /dev/null +++ b/internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java @@ -0,0 +1,13 @@ +package com.mycompany.app; + +/** + * Hello world! + * + */ +public class App +{ + public static void main( String[] args ) + { + System.out.println( "Hello World!" ); + } +} diff --git a/internal/image/fixtures/python-fixture/main.py b/internal/image/fixtures/python-fixture/main.py new file mode 100644 index 00000000000..6d9b8bd303c --- /dev/null +++ b/internal/image/fixtures/python-fixture/main.py @@ -0,0 +1,5 @@ +def main(): + return 'Hello, World!' + +if __name__ == '__main__': + main() diff --git a/internal/image/fixtures/python-fixture/requirements.txt b/internal/image/fixtures/python-fixture/requirements.txt new file mode 100644 index 00000000000..98412c01aa2 --- /dev/null +++ b/internal/image/fixtures/python-fixture/requirements.txt @@ -0,0 +1,3 @@ +flask==0.12.2 # Vulnerable to CVE-2019-1010083 +django==1.11.29 # Vulnerable to CVE-2021-35042 +requests==2.20.0 # Vulnerable to CVE-2018-18074 
diff --git a/internal/image/fixtures/test-java-full.Dockerfile b/internal/image/fixtures/test-java-full.Dockerfile new file mode 100644 index 00000000000..264fa7606c0 --- /dev/null +++ b/internal/image/fixtures/test-java-full.Dockerfile @@ -0,0 +1,25 @@ +# Use the official OpenJDK image as the base image +# TODO: This has been deprecated and we might want to switch to another image +FROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f + +RUN apt update && apt install -y maven + +# Set the working directory inside the container +WORKDIR /app + +# Copy the project files into the container +COPY ./java-fixture/app . + +# Download dependencies with maven +RUN mvn clean package + +FROM alpine:3.21@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 + +RUN apk update && apk add openjdk21-jre + +WORKDIR /app + +COPY --from=0 /app/target/my-app-1.0-SNAPSHOT-jar-with-dependencies.jar target.jar + +# Set the entry point to run the JAR file +ENTRYPOINT ["java", "-jar", "target.jar"] diff --git a/internal/image/fixtures/test-python-empty.Dockerfile b/internal/image/fixtures/test-python-empty.Dockerfile new file mode 100644 index 00000000000..0a893ebd746 --- /dev/null +++ b/internal/image/fixtures/test-python-empty.Dockerfile @@ -0,0 +1,11 @@ +# Use the official Debian image as the base +FROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990 + +# Set the working directory in the container +WORKDIR /app + +# Copy the rest of the application code into the container +COPY python-fixture/main.py main.py + +# Specify the command to run when the container starts +CMD ["python", "main.py"] diff --git a/internal/image/fixtures/test-python-full.Dockerfile b/internal/image/fixtures/test-python-full.Dockerfile new file mode 100644 index 00000000000..309fd4e7da1 --- /dev/null +++ b/internal/image/fixtures/test-python-full.Dockerfile 
@@ -0,0 +1,17 @@
+# Use the official Debian image as the base
+FROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Copy the requirements file into the container
+COPY ./python-fixture/requirements.txt .
+
+# Install the Python dependencies
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy the rest of the application code into the container
+COPY python-fixture/main.py main.py
+
+# Specify the command to run when the container starts
+CMD ["python", "main.py"]
diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go
index 9ddb046fc7b..f4d45eda1c8 100644
--- a/internal/imodels/imodels.go
+++ b/internal/imodels/imodels.go
@@ -2,14 +2,20 @@ package imodels
 import (
 "log"
+ "strings"
 "github.com/google/osv-scalibr/extractor"
+ "github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary"
+ "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive"
+ "github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 "github.com/google/osv-scalibr/extractor/filesystem/os/rpm"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
+ "github.com/google/osv-scanner/internal/cachedregexp"
 "github.com/google/osv-scanner/internal/imodels/ecosystem"
+ "github.com/google/osv-scanner/internal/scalibrextract/language/javascript/nodemodules"
 "github.com/google/osv-scanner/internal/scalibrextract/vcs/gitrepo"
 "github.com/google/osv-scanner/pkg/models"
 "github.com/ossf/osv-schema/bindings/go/osvschema" 
@@ -32,6 +38,13 @@ var osExtractors = map[string]struct{}{
 rpm.Extractor{}.Name(): {},
 }
+var artifactExtractors = map[string]struct{}{
+ nodemodules.Extractor{}.Name(): {},
+ gobinary.Extractor{}.Name(): {},
+ archive.Extractor{}.Name(): {},
+ wheelegg.Extractor{}.Name(): {},
+}
+
 // PackageInfo provides getter functions for commonly used fields of inventory
 // and applies transformations when required for use in osv-scanner
 type PackageInfo struct {
@@ -47,10 +60,29 @@ func (pkg *PackageInfo) Name() string {
 return pkg.purlCache.Name
 }
+ // --- Make specific patches to names as necessary ---
+ // Patch Go package to stdlib
 if pkg.Ecosystem().Ecosystem == osvschema.EcosystemGo && pkg.Inventory.Name == "go" {
 return "stdlib"
 }
+ // TODO: Move the normalization to another where matching logic happens.
+ // Patch python package names to be normalized
+ if pkg.Ecosystem().Ecosystem == osvschema.EcosystemPyPI {
+ // per https://peps.python.org/pep-0503/#normalized-names
+ return strings.ToLower(cachedregexp.MustCompile(`[-_.]+`).ReplaceAllLiteralString(pkg.Inventory.Name, "-"))
+ }
+
+ // Patch Maven archive extractor package names
+ if metadata, ok := pkg.Inventory.Metadata.(*archive.Metadata); ok {
+ // Debian uses source name on osv.dev
+ // (fallback to using the normal name if source name is empty)
+ if metadata.ArtifactID != "" && metadata.GroupID != "" {
+ return metadata.GroupID + ":" + metadata.ArtifactID
+ }
+ }
+
+ // --- OS metadata ---
 if metadata, ok := pkg.Inventory.Metadata.(*dpkg.Metadata); ok {
 // Debian uses source name on osv.dev
 // (fallback to using the normal name if source name is empty)
@@ -124,6 +156,8 @@ func (pkg *PackageInfo) SourceType() SourceType {
 return SourceTypeSBOM
 } else if _, ok := gitExtractors[extractorName]; ok {
 return SourceTypeGit
+ } else if _, ok := artifactExtractors[extractorName]; ok {
+ return SourceTypeArtifact
 }
 return SourceTypeProjectPackage 
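Review bot: The comment above the new `*archive.Metadata` branch in Name(), `// Debian uses source name on osv.dev` / `// (fallback to using the normal name if source name is empty)`, is copied from the dpkg branch below it and does not describe Maven at all; it should state what the code does, e.g. `// Maven packages are identified on osv.dev as groupId:artifactId` / `// (fall back to the inventory name if either coordinate is missing)`. When either ID is empty the function falls through into the OS-metadata checks, which cannot match archive metadata, so presumably the unpatched Inventory.Name is what ends up returned — the end of Name() is outside the hunk, so that is worth confirming and saying in the comment. Minor: the PEP 503 pattern is obtained through cachedregexp.MustCompile on every call; if cachedregexp memoizes compiled patterns a one-line note saying so would spare readers the question, otherwise the pattern belongs in a package-level var.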
@@ -187,6 +221,7 @@ const (
 SourceTypeUnknown SourceType = iota
 SourceTypeOSPackage
 SourceTypeProjectPackage
+ SourceTypeArtifact
 SourceTypeSBOM
 SourceTypeGit
 )
diff --git a/pkg/osvscanner/filter.go b/pkg/osvscanner/filter.go
index 3c36b0b72a0..4dd98562e46 100644
--- a/pkg/osvscanner/filter.go
+++ b/pkg/osvscanner/filter.go
@@ -8,6 +8,7 @@ import (
 "github.com/google/osv-scanner/internal/imodels/results"
 "github.com/google/osv-scanner/pkg/models"
 "github.com/google/osv-scanner/pkg/reporter"
+ "github.com/ossf/osv-schema/bindings/go/osvschema"
 )
 // filterUnscannablePackages removes packages that don't have enough information to be scanned
@@ -21,6 +22,7 @@ func filterUnscannablePackages(r reporter.Reporter, scanResults *results.ScanRes
 // If none of the cases match, skip this package since it's not scannable
 case !p.Ecosystem().IsEmpty() && p.Name() != "" && p.Version() != "":
 case p.Commit() != "":
+ case p.Ecosystem().Ecosystem == osvschema.EcosystemMaven && p.Name() == "unknown":
 default:
 continue
 }
diff --git a/pkg/osvscanner/internal/scanners/extractorbuilder.go b/pkg/osvscanner/internal/scanners/extractorbuilder.go
index 3bfdb526cb2..9d2e4cce787 100644
--- a/pkg/osvscanner/internal/scanners/extractorbuilder.go
+++ b/pkg/osvscanner/internal/scanners/extractorbuilder.go
@@ -11,6 +11,7 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod"
 "github.com/google/osv-scalibr/extractor/filesystem/language/haskell/cabal"
 "github.com/google/osv-scalibr/extractor/filesystem/language/haskell/stacklock"
+ "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive"
 "github.com/google/osv-scalibr/extractor/filesystem/language/java/gradlelockfile"
 "github.com/google/osv-scalibr/extractor/filesystem/language/java/gradleverificationmetadataxml"
 "github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml" 
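Review bot: Inserting `SourceTypeArtifact` between SourceTypeProjectPackage and SourceTypeSBOM in the iota block renumbers SourceTypeSBOM and SourceTypeGit, which is only safe if SourceType values are never persisted, compared numerically, or emitted across a version boundary; the visible uses go through a switch on the named constants, but other uses are outside this diff. Appending the new constant after `SourceTypeGit` keeps the existing values stable at no cost. If the ordering is intentional, a comment on the const block noting that the numeric values are not stable would stop future code from relying on them.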
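Review bot: The new `case p.Ecosystem().Ecosystem == osvschema.EcosystemMaven && p.Name() == "unknown":` in filterUnscannablePackages only has an effect when the first case did not match, i.e. when the package has no version (a name of "unknown" already satisfies `p.Name() != ""`), and nothing in the hunk says why an unidentified Maven archive should be kept rather than skipped. A comment is needed, e.g. `// Keep Maven archives the extractor could not identify so they are still surfaced in the report, even without a version`. The sentinel "unknown" is also duplicated as a bare literal here; if the archive extractor exports the value it produces, comparing against that would keep the two in sync. filterUnscannablePackages continues outside the hunk.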
@@ -23,6 +24,7 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/language/python/poetrylock"
 "github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements"
 "github.com/google/osv-scalibr/extractor/filesystem/language/python/uvlock"
+ "github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg"
 "github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock"
 "github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock"
 "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock"
@@ -134,9 +136,20 @@ func BuildWalkerExtractors(
 // All clients can be nil, and if nil the extractors requiring those clients will not be returned.
 func BuildArtifactExtractors() []filesystem.Extractor {
 extractorsToUse := []filesystem.Extractor{
+ // --- Project artifacts ---
+ // Python
+ wheelegg.New(wheelegg.DefaultConfig()),
+ // Java
+ archive.New(archive.DefaultConfig()),
+ // Go
+ gobinary.New(gobinary.DefaultConfig()),
+ // Javascript
 nodemodules.Extractor{},
+
+ // --- OS packages ---
+ // Alpine
 apk.New(apk.DefaultConfig()),
- gobinary.New(gobinary.DefaultConfig()),
+ // Debian
 // TODO: Add tests for debian containers
 dpkg.New(dpkg.DefaultConfig()),
 }
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 1f03c83aa63..7b07038cf7e 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go 
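Review bot: The `// TODO: Add tests for debian containers` line is kept under the new `// Debian` heading, yet this same commit adds test-python-full and test-python-empty images built from a Debian base (python:3.9-slim-buster), so the TODO is presumably satisfied now and should be updated or removed if those cases exercise dpkg. Separately, `archive.New(archive.DefaultConfig())` and `wheelegg.New(wheelegg.DefaultConfig())` now run over every layer of an image the scanner is handed; the defaults' bounds on nested-archive depth and file size are what limit the work done on a large or deeply nested input, so a short comment stating that the defaults are used deliberately (or setting the limits explicitly) would document that choice. The pre-existing doc comment above the function, `// All clients can be nil, and if nil the extractors requiring those clients will not be returned.`, describes parameters BuildArtifactExtractors does not take and should be rewritten to say what this builder returns.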
@@ -360,10 +360,13 @@ func DoContainerScan(actions ScannerActions, r reporter.Reporter) (models.Vulner
 }
 }
- // TODO: This is a heuristic, assume that packages under usr/ is an OS package
+ // TODO: This is a set of heuristics,
+ // - Assume that packages under usr/ might be a OS package depending on ecosystem
+ // - Assume python packages under dist-packages is a OS package
 // Replace this with an actual implementation in OSV-Scalibr (potentially via full filesystem accountability).
 for _, psr := range scanResult.PackageScanResults {
- if strings.HasPrefix(psr.PackageInfo.Location(), "usr/") {
+ if (strings.HasPrefix(psr.PackageInfo.Location(), "usr/") && psr.PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemGo) ||
+ strings.Contains(psr.PackageInfo.Location(), "dist-packages/") && psr.PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemPyPI {
 psr.PackageInfo.Annotations = append(psr.PackageInfo.Annotations, extractor.InsideOSPackage)
 }
 }
diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go
index 25abd0c8f87..2e7fc716bd4 100644
--- a/pkg/osvscanner/vulnerability_result.go
+++ b/pkg/osvscanner/vulnerability_result.go
@@ -123,6 +123,8 @@ func buildVulnerabilityResults(
 switch p.SourceType() {
 case imodels.SourceTypeOSPackage:
 sourceType = "os"
+ case imodels.SourceTypeArtifact:
+ sourceType = "artifact"
 case imodels.SourceTypeProjectPackage:
 sourceType = "lockfile"
 case imodels.SourceTypeSBOM:
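Review bot: The new condition in DoContainerScan mixes a parenthesised `&&` group with a bare one, `(A && B) || C && D`; Go's precedence makes it evaluate as intended, but the asymmetry reads as if the second clause were unfinished, so wrap the PyPI clause in parentheses too. The `strings.Contains(psr.PackageInfo.Location(), "dist-packages/")` test matches that substring anywhere in the path rather than only Debian's system site directories, so a PyPI package under an application directory whose path happens to contain `dist-packages/` is annotated InsideOSPackage and presumably treated as OS-managed downstream; if the intent is the system location, anchoring the check with `strings.HasPrefix(psr.PackageInfo.Location(), "usr/")` as the Go branch does narrows it. In the rewritten TODO comment, `a OS package` should read `an OS package` on both bullet lines. DoContainerScan continues outside the hunk.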