From a6b3199205a5c0c449412361aee9fdb69f5c03e4 Mon Sep 17 00:00:00 2001
From: Rex P
Date: Tue, 21 Jan 2025 15:37:13 +1100
Subject: [PATCH 01/11] Enable some more artifact extractors

---
 .gitignore | 1 +
 .../internal/scanners/extractorbuilder.go | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 6de65fa0a12..f0d231db000 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .idea/
 /dist/
 /osv-scanner
+/temp
 /coverage.out
 /coverage.html
 *.tar
diff --git a/pkg/osvscanner/internal/scanners/extractorbuilder.go b/pkg/osvscanner/internal/scanners/extractorbuilder.go
index 6cbde1f16fc..27960f93c65 100644
--- a/pkg/osvscanner/internal/scanners/extractorbuilder.go
+++ b/pkg/osvscanner/internal/scanners/extractorbuilder.go
@@ -8,6 +8,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/erlang/mixlock"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/java/archive"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/java/gradlelockfile"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/java/gradleverificationmetadataxml"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml"
@@ -19,6 +20,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/python/pipfilelock"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/python/poetrylock"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock"
@@ -122,9 +124,20 @@ func BuildWalkerExtractors(
 // All clients can be nil, and if nil the extractors requiring those clients will not be returned.
 func BuildArtifactExtractors() []filesystem.Extractor {
 	extractorsToUse := []filesystem.Extractor{
+		// --- Project artifacts ---
+		// Python
+		wheelegg.New(wheelegg.DefaultConfig()),
+		// Java
+		archive.New(archive.DefaultConfig()),
+		// Go
+		gobinary.New(gobinary.DefaultConfig()),
+		// Javascript
 		nodemodules.Extractor{},
+
+		// --- OS packages ---
+		// Alpine
 		apk.New(apk.DefaultConfig()),
-		gobinary.New(gobinary.DefaultConfig()),
+		// Debian
 		// TODO: Add tests for debian containers
 		dpkg.New(dpkg.DefaultConfig()),
 	}

From ffd23372ee301a27e7a06fd2f28b6bb4bc23b11f Mon Sep 17 00:00:00 2001
From: Rex P
Date: Wed, 22 Jan 2025 11:25:00 +1100
Subject: [PATCH 02/11] Add some fixtures for python tests and java archive tests

---
 cmd/osv-scanner/__snapshots__/main_test.snap | 89 +++++++++++++++++++
 cmd/osv-scanner/main_test.go | 10 +++
 .../fixtures/java-fixture/SimpleProducer.java | 29 ++++++
 internal/image/fixtures/java-fixture/pom.xml | 14 +++
 .../image/fixtures/python-fixture/main.py | 5 ++
 .../fixtures/python-fixture/requirements.txt | 3 +
 internal/image/fixtures/test-java.Dockerfile | 23 +++++
 .../image/fixtures/test-python.Dockerfile | 17 ++++
 internal/imodels/imodels.go | 11 +++
 pkg/osvscanner/osvscanner.go | 7 +-
 10 files changed, 206 insertions(+), 2 deletions(-)
 create mode 100644 internal/image/fixtures/java-fixture/SimpleProducer.java
 create mode 100644 internal/image/fixtures/java-fixture/pom.xml
 create mode 100644 internal/image/fixtures/python-fixture/main.py
 create mode 100644 internal/image/fixtures/python-fixture/requirements.txt
 create mode 100644 internal/image/fixtures/test-java.Dockerfile
 create mode 100644 internal/image/fixtures/test-python.Dockerfile

diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
index 853d489e89a..117b16ebe79 100755
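Review bot: Style only: the new heading `// Javascript` should read `// JavaScript`, matching the proper-noun casing of its siblings `// Python`, `// Java`, `// Go`, `// Alpine` and `// Debian`. With `// Debian` inserted directly above it, the pre-existing `// TODO: Add tests for debian containers` now reads as part of that heading; if the Debian-based python image fixtures added later in this series cover it, the TODO should go in the same change rather than sit under the new heading. BuildArtifactExtractors continues past the end of the hunk.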
--- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -2741,6 +2741,95 @@ failed to load image from tarball with path "./fixtures/oci-image/no-file-here.t --- +[TestRun_OCIImage/Scanning_python_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-python.tar" +Total 17 packages affected by 31 vulnerabilities (0 Critical, 8 High, 8 Medium, 0 Low, 15 Unknown) from 2 ecosystems. +31 vulnerabilities have fixes available. + +PyPI ++----------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/Dj | +| ango-1.11.29.dist-info/METADATA | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| django | 1.11.29 | Fix Available | 3 | ++---------+-------------------+---------------+------------+ ++----------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/Fl | +| ask-0.12.2.dist-info/METADATA | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| flask | 0.12.2 | Fix Available | 3 | ++---------+-------------------+---------------+------------+ ++----------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/id | +| na-2.7.dist-info/METADATA | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| idna | 2.7 | Fix Available | 1 | ++---------+-------------------+---------------+------------+ ++----------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/pi | +| p-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED 
VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| pip | 23.0.1 | Fix Available | 1 | ++---------+-------------------+---------------+------------+ ++-----------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/req | +| uests-2.20.0.dist-info/METADATA | ++----------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++----------+-------------------+---------------+------------+ +| requests | 2.20.0 | Fix Available | 2 | ++----------+-------------------+---------------+------------+ ++-------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/setup | +| tools-58.1.0.dist-info/METADATA | ++------------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++------------+-------------------+---------------+------------+ +| setuptools | 58.1.0 | Fix Available | 2 | ++------------+-------------------+---------------+------------+ ++----------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/ur | +| llib3-1.24.3.dist-info/METADATA | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| urllib3 | 1.24.3 | Fix Available | 5 | ++---------+-------------------+---------------+------------+ +Debian:10 ++------------------------------------------------------------------------------+ +| Source:os:var/lib/dpkg/status | ++------------------------+------------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++------------------------+------------------------+---------------+------------+ +| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | +| 
expat | 2.2.6-2+deb10u6 | Fix Available | 1 | +| glibc | 2.28-10+deb10u2 | Fix Available | 2 | +| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | +| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | +| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | +| systemd | 241-7~deb10u9 | Fix Available | 1 | +| tar | 1.30+dfsg-6 | Fix Available | 1 | +| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | +| util-linux | 2.33.1-0.1 | Fix Available | 1 | ++------------------------+------------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. + +--- + +[TestRun_OCIImage/Scanning_python_with_some_packages - 2] + +--- + [TestRun_OCIImage/scanning_image_with_go_binary - 1] Scanning local image tarball "../../internal/image/fixtures/test-package-tracing.tar" Total 7 packages affected by 27 vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 27 Unknown) from 2 ecosystems. diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index 62bba6b7448..331b763250a 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -834,6 +834,16 @@ func TestRun_OCIImage(t *testing.T) { args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-alpine.tar"}, exit: 1, }, + { + name: "Scanning python with no packages", + args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-alpine.tar"}, + exit: 1, + }, + { + name: "Scanning python with some packages", + args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-python.tar"}, + exit: 1, + }, { name: "scanning node_modules using npm with no packages", args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-npm-empty.tar"}, 
diff --git a/internal/image/fixtures/java-fixture/SimpleProducer.java b/internal/image/fixtures/java-fixture/SimpleProducer.java new file mode 100644 index 00000000000..0251ba627a7 --- /dev/null +++ b/internal/image/fixtures/java-fixture/SimpleProducer.java @@ -0,0 +1,29 @@ +import org.apache.kafka.clients.producer.KafkaProducer; +import org.apache.kafka.clients.producer.ProducerConfig; +import org.apache.kafka.clients.producer.ProducerRecord; +import org.apache.kafka.common.serialization.StringSerializer; + +import java.util.Properties; + +public class SimpleProducer { + + public static void main(String args) { + // Set Kafka properties + Properties props = new Properties(); + props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092"); // Replace with your Kafka broker address + props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName()); + props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName()); + + // Create a Kafka producer + KafkaProducer producer = new KafkaProducer<>(props); + + // Send messages + for (int i = 0; i < 10; i++) { + ProducerRecord record = new ProducerRecord<>("my-topic", "Message " + i); // Replace "my-topic" with your topic name + producer.send(record); + } + + // Close the producer + producer.close(); + } +} diff --git a/internal/image/fixtures/java-fixture/pom.xml b/internal/image/fixtures/java-fixture/pom.xml new file mode 100644 index 00000000000..e866b505920 --- /dev/null +++ b/internal/image/fixtures/java-fixture/pom.xml @@ -0,0 +1,14 @@ + + 4.0.0 + com.example + my-java-app + 1.0-SNAPSHOT + + + + org.apache.kafka + kafka-clients + 3.6.0 + + + diff --git a/internal/image/fixtures/python-fixture/main.py b/internal/image/fixtures/python-fixture/main.py new file mode 100644 index 00000000000..6d9b8bd303c --- /dev/null +++ b/internal/image/fixtures/python-fixture/main.py @@ -0,0 +1,5 @@ +def main(): + return 'Hello, World!' + +if __name__ == '__main__': + main() 
diff --git a/internal/image/fixtures/python-fixture/requirements.txt b/internal/image/fixtures/python-fixture/requirements.txt new file mode 100644 index 00000000000..98412c01aa2 --- /dev/null +++ b/internal/image/fixtures/python-fixture/requirements.txt @@ -0,0 +1,3 @@ +flask==0.12.2 # Vulnerable to CVE-2019-1010083 +django==1.11.29 # Vulnerable to CVE-2021-35042 +requests==2.20.0 # Vulnerable to CVE-2018-18074 diff --git a/internal/image/fixtures/test-java.Dockerfile b/internal/image/fixtures/test-java.Dockerfile new file mode 100644 index 00000000000..bc116c17ff6 --- /dev/null +++ b/internal/image/fixtures/test-java.Dockerfile @@ -0,0 +1,23 @@ +# Use the official OpenJDK image as the base image +FROM openjdk:25-jdk-slim + +RUN apt update && apt install -y maven + +# Set the working directory inside the container +WORKDIR /app + +# Copy the project files into the container +COPY ./java-fixture . + +# Download dependencies and build the project using Maven +# RUN mvn clean package + +RUN mvn dependency:get \ + -Dartifact=org.apache.kafka:kafka-clients:3.6.0 \ + -Ddest=./kafka-clients-3.6.0.jar + +RUN javac -cp kafka-clients-3.6.0.jar SimpleProducer.java +RUN jar -cvf simple-producer.jar SimpleProducer.class + +# Set the entry point to run the JAR file +ENTRYPOINT ["java", "-jar", "simple-producer.jar"] diff --git a/internal/image/fixtures/test-python.Dockerfile b/internal/image/fixtures/test-python.Dockerfile new file mode 100644 index 00000000000..5cdccfcf3b5 --- /dev/null +++ b/internal/image/fixtures/test-python.Dockerfile 
@@ -0,0 +1,17 @@ +# Use the official Debian image as the base +FROM python:3.9-slim-buster + +# Set the working directory in the container +WORKDIR /app + +# Copy the requirements file into the container +COPY ./python-fixture/requirements.txt . + +# Install the Python dependencies +RUN pip install --no-cache-dir -r requirements.txt + +# Copy the rest of the application code into the container +COPY python-fixture/main.py main.py + +# Specify the command to run when the container starts +CMD ["python", "main.py"] diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index 9ddb046fc7b..37bac924ac3 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -2,6 +2,7 @@ package imodels import ( "log" + "strings" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/extractor/filesystem/os/apk" @@ -9,6 +10,7 @@ import ( "github.com/google/osv-scalibr/extractor/filesystem/os/rpm" "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx" "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx" + "github.com/google/osv-scanner/internal/cachedregexp" "github.com/google/osv-scanner/internal/imodels/ecosystem" "github.com/google/osv-scanner/internal/scalibrextract/vcs/gitrepo" "github.com/google/osv-scanner/pkg/models" 
@@ -47,10 +49,19 @@ func (pkg *PackageInfo) Name() string {
 		return pkg.purlCache.Name
 	}
 
+	// --- Make specific patches to names as necessary ---
+	// Patch Go package to stdlib
 	if pkg.Ecosystem().Ecosystem == osvschema.EcosystemGo && pkg.Inventory.Name == "go" {
 		return "stdlib"
 	}
 
+	// Patch python package names to be normalized
+	if pkg.Ecosystem().Ecosystem == osvschema.EcosystemPyPI {
+		// per https://peps.python.org/pep-0503/#normalized-names
+		return strings.ToLower(cachedregexp.MustCompile(`[-_.]+`).ReplaceAllLiteralString(pkg.Inventory.Name, "-"))
+	}
+
+	// --- OS metadata ---
 	if metadata, ok := pkg.Inventory.Metadata.(*dpkg.Metadata); ok {
 		// Debian uses source name on osv.dev
 		// (fallback to using the normal name if source name is empty)
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index ae0de98298c..ad0771bd153 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -372,10 +372,13 @@ func DoContainerScan(actions ScannerActions, r reporter.Reporter) (models.Vulner
 		}
 	}
 
-	// TODO: This is a heuristic, assume that packages under usr/ is an OS package
+	// TODO: This is a set of heuristics,
+	//  - Assume that packages under usr/ might be a OS package depending on ecosystem
+	//  - Assume python packages under dist-packages is a OS package
 	// Replace this with an actual implementation in OSV-Scalibr (potentially via full filesystem accountability).
 	for _, psr := range scanResult.PackageScanResults {
-		if strings.HasPrefix(psr.PackageInfo.Location(), "usr/") {
+		if (strings.HasPrefix(psr.PackageInfo.Location(), "usr/") && psr.PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemGo) ||
+			strings.Contains(psr.PackageInfo.Location(), "dist-packages/") && psr.PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemPyPI {
 			psr.PackageInfo.Annotations = append(psr.PackageInfo.Annotations, extractor.InsideOSPackage)
 		}
 	}

From fd01e9eebe72beff9642df3c5ad61ead89c5c214 Mon Sep 17 00:00:00 2001
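Review bot: The PEP 503 normalization added for PyPI sits below the `return pkg.purlCache.Name` early exit at the top of the hunk, so a PyPI name served from the PURL cache is returned as-is while one computed from `pkg.Inventory.Name` is lowercased and dash-folded; unless that cache is never populated for PyPI inventory, the two paths can disagree for the same package, and the normalization should also apply where the cache is filled. `pkg.Ecosystem().Ecosystem` is now evaluated twice in a row; hoisting it once, `eco := pkg.Ecosystem().Ecosystem`, and testing `eco` in both branches reads better. The regex itself follows the PEP's rule (collapse runs of `-`, `_`, `.` to `-`, then lowercase). Name() begins before the hunk, so the condition guarding the cache return is not visible here.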
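Review bot: The new condition is `A && B || C && D` with only the first pair parenthesised; Go's precedence yields `(A && B) || (C && D)`, which looks like the intent, but wrapping the second pair too, `|| (strings.Contains(psr.PackageInfo.Location(), "dist-packages/") && psr.PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemPyPI)`, makes that explicit instead of relying on the reader to recall it. Restricting the `usr/` rule to Go also withdraws the InsideOSPackage annotation from every other ecosystem found under `usr/` — for instance jars that the archive extractor enabled earlier in this series picks up from OS-installed packages would presumably now lose whatever handling that annotation drives — so if that is deliberate, the TODO should say so. In the TODO, `a OS package` should be `an OS package` in both bullets. DoContainerScan extends beyond the hunk on both sides.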
From: Rex P Date: Thu, 23 Jan 2025 12:43:56 +1100 Subject: [PATCH 03/11] Add proper fixtures and tests --- cmd/osv-scanner/main_test.go | 18 ++++++++++++++---- go.mod | 2 +- go.sum | 2 ++ .../fixtures/java-fixture/HelloWorld.java | 5 +++++ .../image/fixtures/test-java-empty.Dockerfile | 16 ++++++++++++++++ ...va.Dockerfile => test-java-full.Dockerfile} | 6 ++---- .../fixtures/test-python-empty.Dockerfile | 11 +++++++++++ ....Dockerfile => test-python-full.Dockerfile} | 2 +- 8 files changed, 52 insertions(+), 10 deletions(-) create mode 100644 internal/image/fixtures/java-fixture/HelloWorld.java create mode 100644 internal/image/fixtures/test-java-empty.Dockerfile rename internal/image/fixtures/{test-java.Dockerfile => test-java-full.Dockerfile} (80%) create mode 100644 internal/image/fixtures/test-python-empty.Dockerfile rename internal/image/fixtures/{test-python.Dockerfile => test-python-full.Dockerfile} (82%) diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index 331b763250a..7d4c9cff022 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go 
@@ -835,13 +835,23 @@ func TestRun_OCIImage(t *testing.T) {
 			exit: 1,
 		},
 		{
-			name: "Scanning python with no packages",
-			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-alpine.tar"},
+			name: "Scanning python image with some packages",
+			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-python-full.tar"},
+			exit: 1,
+		},
+		{
+			name: "Scanning python image with no packages",
+			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-python-empty.tar"},
+			exit: 1,
+		},
+		{
+			name: "Scanning java image with some packages",
+			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-java-full.tar"},
 			exit: 1,
 		},
 		{
-			name: "Scanning python with some packages",
-			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-python.tar"},
+			name: "Scanning java image with no packages",
+			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-java-empty.tar"},
 			exit: 1,
 		},
 		{
diff --git a/go.mod b/go.mod
index 654a62e6014..ac1a821e2e5 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/go-git/go-billy/v5 v5.6.2
 	github.com/go-git/go-git/v5 v5.13.1
 	github.com/google/go-cmp v0.6.0
-	github.com/google/osv-scalibr v0.1.6-0.20250120233754-46a5374f26ee
+	github.com/google/osv-scalibr v0.1.6-0.20250122020348-56d881c24a76
 	github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd
 	github.com/jedib0t/go-pretty/v6 v6.6.5
 	github.com/muesli/reflow v0.3.0
diff --git a/go.sum b/go.sum
index 73d39591f5a..a7e0deabdd8 100644
--- a/go.sum
+++ b/go.sum
@@ -184,6 +184,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/osv-scalibr v0.1.6-0.20250120233754-46a5374f26ee h1:DLmJQTqn0F3vANcvMixe+DElmDHZZy7Hgn6RK+ItVWE= github.com/google/osv-scalibr v0.1.6-0.20250120233754-46a5374f26ee/go.mod h1:nikSO3CqGGRQY05sGgzsgf4+84p5xCmPWOiaSomkuAU= +github.com/google/osv-scalibr v0.1.6-0.20250122020348-56d881c24a76 h1:HkwibPIFKs9+w9soXUnAnXuJ0CeQ/8h3DMl/wKQIbcU= +github.com/google/osv-scalibr v0.1.6-0.20250122020348-56d881c24a76/go.mod h1:nikSO3CqGGRQY05sGgzsgf4+84p5xCmPWOiaSomkuAU= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= diff --git a/internal/image/fixtures/java-fixture/HelloWorld.java b/internal/image/fixtures/java-fixture/HelloWorld.java new file mode 100644 index 00000000000..05d1de5d5db --- /dev/null +++ b/internal/image/fixtures/java-fixture/HelloWorld.java @@ -0,0 +1,5 @@ +public class HelloWorld { + public static void main(String[] args) { + System.out.println("Hello, World"); + } +} diff --git a/internal/image/fixtures/test-java-empty.Dockerfile b/internal/image/fixtures/test-java-empty.Dockerfile new file mode 100644 index 00000000000..213f67b964a --- /dev/null +++ b/internal/image/fixtures/test-java-empty.Dockerfile 
@@ -0,0 +1,16 @@ +# Use the official OpenJDK image as the base image +FROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f + +RUN apt update && apt install -y maven + +# Set the working directory inside the container +WORKDIR /app + +# Copy the project files into the container +COPY ./java-fixture . + +RUN javac HelloWorld.java +RUN jar -cvf hello-world.jar HelloWorld.class + +# Set the entry point to run the JAR file +ENTRYPOINT ["java", "-jar", "hello-world.jar"] diff --git a/internal/image/fixtures/test-java.Dockerfile b/internal/image/fixtures/test-java-full.Dockerfile similarity index 80% rename from internal/image/fixtures/test-java.Dockerfile rename to internal/image/fixtures/test-java-full.Dockerfile index bc116c17ff6..6ae336c1e8d 100644 --- a/internal/image/fixtures/test-java.Dockerfile +++ b/internal/image/fixtures/test-java-full.Dockerfile @@ -1,5 +1,5 @@ # Use the official OpenJDK image as the base image -FROM openjdk:25-jdk-slim +FROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f RUN apt update && apt install -y maven @@ -9,9 +9,7 @@ WORKDIR /app # Copy the project files into the container COPY ./java-fixture . -# Download dependencies and build the project using Maven -# RUN mvn clean package - +# Download dependencies with maven RUN mvn dependency:get \ -Dartifact=org.apache.kafka:kafka-clients:3.6.0 \ -Ddest=./kafka-clients-3.6.0.jar diff --git a/internal/image/fixtures/test-python-empty.Dockerfile b/internal/image/fixtures/test-python-empty.Dockerfile new file mode 100644 index 00000000000..0a893ebd746 --- /dev/null +++ b/internal/image/fixtures/test-python-empty.Dockerfile 
@@ -0,0 +1,11 @@ +# Use the official Debian image as the base +FROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990 + +# Set the working directory in the container +WORKDIR /app + +# Copy the rest of the application code into the container +COPY python-fixture/main.py main.py + +# Specify the command to run when the container starts +CMD ["python", "main.py"] diff --git a/internal/image/fixtures/test-python.Dockerfile b/internal/image/fixtures/test-python-full.Dockerfile similarity index 82% rename from internal/image/fixtures/test-python.Dockerfile rename to internal/image/fixtures/test-python-full.Dockerfile index 5cdccfcf3b5..309fd4e7da1 100644 --- a/internal/image/fixtures/test-python.Dockerfile +++ b/internal/image/fixtures/test-python-full.Dockerfile @@ -1,5 +1,5 @@ # Use the official Debian image as the base -FROM python:3.9-slim-buster +FROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990 # Set the working directory in the container WORKDIR /app From 936951f5816f4ce8bc640e1fcb5ef5156370d00d Mon Sep 17 00:00:00 2001 
From: Rex P Date: Thu, 23 Jan 2025 15:24:45 +1100 Subject: [PATCH 04/11] Add java test images --- cmd/osv-scanner/__snapshots__/main_test.snap | 272 +++++++++++++----- cmd/osv-scanner/main_test.go | 5 - .../fixtures/java-fixture/HelloWorld.java | 5 - .../fixtures/java-fixture/SimpleProducer.java | 29 -- .../image/fixtures/java-fixture/app/pom.xml | 57 ++++ .../src/main/java/com/mycompany/app/App.java | 13 + internal/image/fixtures/java-fixture/pom.xml | 14 - .../image/fixtures/test-java-empty.Dockerfile | 16 -- .../image/fixtures/test-java-full.Dockerfile | 18 +- internal/imodels/imodels.go | 10 + pkg/osvscanner/filter.go | 2 + pkg/osvscanner/osvscanner.go | 8 + 12 files changed, 298 insertions(+), 151 deletions(-) delete mode 100644 internal/image/fixtures/java-fixture/HelloWorld.java delete mode 100644 internal/image/fixtures/java-fixture/SimpleProducer.java create mode 100644 internal/image/fixtures/java-fixture/app/pom.xml create mode 100644 internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java delete mode 100644 internal/image/fixtures/java-fixture/pom.xml delete mode 100644 internal/image/fixtures/test-java-empty.Dockerfile diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 233b22df146..a089ab18e2c 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -2743,92 +2743,214 @@ failed to load image from tarball with path "./fixtures/oci-image/no-file-here.t --- -[TestRun_OCIImage/Scanning_python_with_some_packages - 1] -Scanning local image tarball "../../internal/image/fixtures/test-python.tar" +[TestRun_OCIImage/Scanning_java_image_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-java-full.tar" +Container Scanning Result (Alpine Linux v3.21): +Total 9 packages affected by 12 vulnerabilities (1 Critical, 5 High, 6 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +12 vulnerabilities have fixes available. + +Maven ++-----------------------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.properties | ++-----------------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++-----------------------------------+-------------------+---------------+------------+------------------+---------------+ +| com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 5 Layer | -- | ++-----------------------------------+-------------------+---------------+------------+------------------+---------------+ ++------------------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties | ++------------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------------------------+-------------------+---------------+------------+------------------+---------------+ +| com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 1 | # 5 Layer 
| -- | ++------------------------------+-------------------+---------------+------------+------------------+---------------+ ++-----------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/dnsjava/dnsjava/pom.properties | ++-----------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++-----------------+-------------------+---------------+------------+------------------+---------------+ +| dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 5 Layer | -- | ++-----------------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/io.netty/netty-codec-http/pom.properties | ++---------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------------------------+-------------------+---------------+------------+------------------+---------------+ +| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 1 | # 5 Layer | -- | ++---------------------------+-------------------+---------------+------------+------------------+---------------+ ++-----------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/io.netty/netty-common/pom.properties | ++-----------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | 
++-----------------------+-------------------+---------------+------------+------------------+---------------+ +| io.netty:netty-common | 4.1.100.Final | Fix Available | 1 | # 5 Layer | -- | ++-----------------------+-------------------+---------------+------------+------------------+---------------+ ++----------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/org.apache.avro/avro/pom.properties | ++----------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++----------------------+-------------------+---------------+------------+------------------+---------------+ +| org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 5 Layer | -- | ++----------------------+-------------------+---------------+------------+------------------+---------------+ ++-------------------------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/org.apache.commons/commons-compress/pom.properties | ++-------------------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++-------------------------------------+-------------------+---------------+------------+------------------+---------------+ +| org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 5 Layer | -- | ++-------------------------------------+-------------------+---------------+------------+------------------+---------------+ ++-------------------------------------------------------------------------------------------------------------------------------+ +| 
Source:lockfile:app/target.jar/META-INF/maven/org.apache.commons/commons-configuration2/pom.properties | ++-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ +| org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 5 Layer | -- | ++-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ ++------------------------------------------------------------------------------------------------------------------+ +| Source:lockfile:app/target.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties | ++------------------------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------------------------+-------------------+---------------+------------+------------------+---------------+ +| org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 1 | # 5 Layer | -- | ++------------------------------+-------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. 
+ +--- + +[TestRun_OCIImage/Scanning_java_image_with_some_packages - 2] + +--- + +[TestRun_OCIImage/Scanning_python_image_with_no_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-python-empty.tar" +Container Scanning Result (Debian GNU/Linux 10 (buster)): +Total 12 packages affected by 17 vulnerabilities (0 Critical, 2 High, 1 Medium, 0 Low, 14 Unknown) from 2 ecosystems. +17 vulnerabilities have fixes available. + +PyPI ++---------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 1 | # 13 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ ++------------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | ++------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------+-------------------+---------------+------------+------------------+---------------+ +| setuptools | 58.1.0 | Fix Available | 2 | # 13 Layer | python | ++------------+-------------------+---------------+------------+------------------+---------------+ +Debian:10 ++-----------------------------------------------------------------------------------------------------------------+ +| Source:os:var/lib/dpkg/status | 
++------------------------+------------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | # 0 Layer | python | +| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | # 7 Layer | python | +| glibc | 2.28-10+deb10u2 | Fix Available | 2 | # 0 Layer | python | +| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | # 0 Layer | python | +| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | # 0 Layer | python | +| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | # 4 Layer | python | +| systemd | 241-7~deb10u9 | Fix Available | 1 | # 0 Layer | python | +| tar | 1.30+dfsg-6 | Fix Available | 1 | # 0 Layer | python | +| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | # 0 Layer | python | +| util-linux | 2.33.1-0.1 | Fix Available | 1 | # 0 Layer | python | ++------------------------+------------------------+---------------+------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. + +--- + +[TestRun_OCIImage/Scanning_python_image_with_no_packages - 2] + +--- + +[TestRun_OCIImage/Scanning_python_image_with_some_packages - 1] +Scanning local image tarball "../../internal/image/fixtures/test-python-full.tar" +Container Scanning Result (Debian GNU/Linux 10 (buster)): Total 17 packages affected by 31 vulnerabilities (0 Critical, 8 High, 8 Medium, 0 Low, 15 Unknown) from 2 ecosystems. 31 vulnerabilities have fixes available. 
PyPI -+----------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/Dj | -| ango-1.11.29.dist-info/METADATA | -+---------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+---------+-------------------+---------------+------------+ -| django | 1.11.29 | Fix Available | 3 | -+---------+-------------------+---------------+------------+ -+----------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/Fl | -| ask-0.12.2.dist-info/METADATA | -+---------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+---------+-------------------+---------------+------------+ -| flask | 0.12.2 | Fix Available | 3 | -+---------+-------------------+---------------+------------+ -+----------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/id | -| na-2.7.dist-info/METADATA | -+---------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+---------+-------------------+---------------+------------+ -| idna | 2.7 | Fix Available | 1 | -+---------+-------------------+---------------+------------+ -+----------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/pi | -| p-23.0.1.dist-info/METADATA | -+---------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+---------+-------------------+---------------+------------+ -| pip | 23.0.1 | Fix Available | 1 | -+---------+-------------------+---------------+------------+ -+-----------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/req | -| uests-2.20.0.dist-info/METADATA | 
-+----------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+----------+-------------------+---------------+------------+ -| requests | 2.20.0 | Fix Available | 2 | -+----------+-------------------+---------------+------------+ -+-------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/setup | -| tools-58.1.0.dist-info/METADATA | -+------------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+------------+-------------------+---------------+------------+ -| setuptools | 58.1.0 | Fix Available | 2 | -+------------+-------------------+---------------+------------+ -+----------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/ur | -| llib3-1.24.3.dist-info/METADATA | -+---------+-------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | -+---------+-------------------+---------------+------------+ -| urllib3 | 1.24.3 | Fix Available | 5 | -+---------+-------------------+---------------+------------+ ++---------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| django | 1.11.29 | Fix Available | 3 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| 
Source:lockfile:usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| flask | 0.12.2 | Fix Available | 3 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| pip | 23.0.1 | Fix Available | 1 | # 13 Layer | python | ++---------+-------------------+---------------+------------+------------------+---------------+ ++----------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | 
++----------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++----------+-------------------+---------------+------------+------------------+---------------+ +| requests | 2.20.0 | Fix Available | 2 | # 17 Layer | -- | ++----------+-------------------+---------------+------------+------------------+---------------+ ++------------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | ++------------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------+-------------------+---------------+------------+------------------+---------------+ +| setuptools | 58.1.0 | Fix Available | 2 | # 13 Layer | python | ++------------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:lockfile:usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| urllib3 | 1.24.3 | Fix Available | 5 | # 17 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ Debian:10 -+------------------------------------------------------------------------------+ -| Source:os:var/lib/dpkg/status | -+------------------------+------------------------+---------------+------------+ -| PACKAGE | INSTALLED VERSION | FIX 
AVAILABLE | VULN COUNT | -+------------------------+------------------------+---------------+------------+ -| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | -| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | -| glibc | 2.28-10+deb10u2 | Fix Available | 2 | -| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | -| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | -| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | -| systemd | 241-7~deb10u9 | Fix Available | 1 | -| tar | 1.30+dfsg-6 | Fix Available | 1 | -| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | -| util-linux | 2.33.1-0.1 | Fix Available | 1 | -+------------------------+------------------------+---------------+------------+ ++-----------------------------------------------------------------------------------------------------------------+ +| Source:os:var/lib/dpkg/status | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++------------------------+------------------------+---------------+------------+------------------+---------------+ +| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | # 0 Layer | python | +| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | # 7 Layer | python | +| glibc | 2.28-10+deb10u2 | Fix Available | 2 | # 0 Layer | python | +| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | # 0 Layer | python | +| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | # 0 Layer | python | +| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | # 4 Layer | python | +| systemd | 241-7~deb10u9 | Fix Available | 1 | # 0 Layer | python | +| tar | 1.30+dfsg-6 | Fix Available | 1 | # 0 Layer | python | +| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | # 0 Layer | python | +| util-linux | 2.33.1-0.1 | Fix Available | 1 | # 0 Layer | python | 
++------------------------+------------------------+---------------+------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- -[TestRun_OCIImage/Scanning_python_with_some_packages - 2] +[TestRun_OCIImage/Scanning_python_image_with_some_packages - 2] --- diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go index 7d4c9cff022..b6dad543577 100644 --- a/cmd/osv-scanner/main_test.go +++ b/cmd/osv-scanner/main_test.go @@ -849,11 +849,6 @@ func TestRun_OCIImage(t *testing.T) { args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-java-full.tar"}, exit: 1, }, - { - name: "Scanning java image with no packages", - args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-java-empty.tar"}, - exit: 1, - }, { name: "scanning node_modules using npm with no packages", args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-npm-empty.tar"}, diff --git a/internal/image/fixtures/java-fixture/HelloWorld.java b/internal/image/fixtures/java-fixture/HelloWorld.java deleted file mode 100644 index 05d1de5d5db..00000000000 --- a/internal/image/fixtures/java-fixture/HelloWorld.java +++ /dev/null @@ -1,5 +0,0 @@ -public class HelloWorld { - public static void main(String[] args) { - System.out.println("Hello, World"); - } -} diff --git a/internal/image/fixtures/java-fixture/SimpleProducer.java b/internal/image/fixtures/java-fixture/SimpleProducer.java deleted file mode 100644 index 0251ba627a7..00000000000 --- a/internal/image/fixtures/java-fixture/SimpleProducer.java +++ /dev/null 
@@ -1,29 +0,0 @@ -import org.apache.kafka.clients.producer.KafkaProducer; -import org.apache.kafka.clients.producer.ProducerConfig; -import org.apache.kafka.clients.producer.ProducerRecord; -import org.apache.kafka.common.serialization.StringSerializer; - -import java.util.Properties; - -public class SimpleProducer { - - public static void main(String args) { - // Set Kafka properties - Properties props = new Properties(); - props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092"); // Replace with your Kafka broker address - props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName()); - props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName()); - - // Create a Kafka producer - KafkaProducer producer = new KafkaProducer<>(props); - - // Send messages - for (int i = 0; i < 10; i++) { - ProducerRecord record = new ProducerRecord<>("my-topic", "Message " + i); // Replace "my-topic" with your topic name - producer.send(record); - } - - // Close the producer - producer.close(); - } -} diff --git a/internal/image/fixtures/java-fixture/app/pom.xml b/internal/image/fixtures/java-fixture/app/pom.xml new file mode 100644 index 00000000000..7e503545490 --- /dev/null +++ b/internal/image/fixtures/java-fixture/app/pom.xml @@ -0,0 +1,57 @@ + + + + 4.0.0 + + com.mycompany.app + my-app + 1.0-SNAPSHOT + + my-app + https://osv.dev + + + + org.apache.hadoop + hadoop-client + 3.4.0 + + + org.apache.commons + commons-compress + 1.21 + + + + + + maven-assembly-plugin + + + + com.mycompany.app.App + + + + jar-with-dependencies + + + + + make-assembly + package + + single + + + + + + + + + 1.8 + 1.8 + + diff --git a/internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java b/internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java new file mode 100644 index 00000000000..77cf3e055bb --- /dev/null 
+++ b/internal/image/fixtures/java-fixture/app/src/main/java/com/mycompany/app/App.java @@ -0,0 +1,13 @@ +package com.mycompany.app; + +/** + * Hello world! + * + */ +public class App +{ + public static void main( String[] args ) + { + System.out.println( "Hello World!" ); + } +} diff --git a/internal/image/fixtures/java-fixture/pom.xml b/internal/image/fixtures/java-fixture/pom.xml deleted file mode 100644 index e866b505920..00000000000 --- a/internal/image/fixtures/java-fixture/pom.xml +++ /dev/null @@ -1,14 +0,0 @@ - - 4.0.0 - com.example - my-java-app - 1.0-SNAPSHOT - - - - org.apache.kafka - kafka-clients - 3.6.0 - - - diff --git a/internal/image/fixtures/test-java-empty.Dockerfile b/internal/image/fixtures/test-java-empty.Dockerfile deleted file mode 100644 index 213f67b964a..00000000000 --- a/internal/image/fixtures/test-java-empty.Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -# Use the official OpenJDK image as the base image -FROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f - -RUN apt update && apt install -y maven - -# Set the working directory inside the container -WORKDIR /app - -# Copy the project files into the container -COPY ./java-fixture . - -RUN javac HelloWorld.java -RUN jar -cvf hello-world.jar HelloWorld.class - -# Set the entry point to run the JAR file -ENTRYPOINT ["java", "-jar", "hello-world.jar"] diff --git a/internal/image/fixtures/test-java-full.Dockerfile b/internal/image/fixtures/test-java-full.Dockerfile index 6ae336c1e8d..264fa7606c0 100644 --- a/internal/image/fixtures/test-java-full.Dockerfile +++ b/internal/image/fixtures/test-java-full.Dockerfile @@ -1,4 +1,5 @@ # Use the official OpenJDK image as the base image +# TODO: This has been deprecated and we might want to switch to another image FROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f RUN apt update && apt install -y maven 
@@ -7,15 +8,18 @@ RUN apt update && apt install -y maven WORKDIR /app # Copy the project files into the container -COPY ./java-fixture . +COPY ./java-fixture/app . # Download dependencies with maven -RUN mvn dependency:get \ - -Dartifact=org.apache.kafka:kafka-clients:3.6.0 \ - -Ddest=./kafka-clients-3.6.0.jar +RUN mvn clean package -RUN javac -cp kafka-clients-3.6.0.jar SimpleProducer.java -RUN jar -cvf simple-producer.jar SimpleProducer.class +FROM alpine:3.21@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 + +RUN apk update && apk add openjdk21-jre + +WORKDIR /app + +COPY --from=0 /app/target/my-app-1.0-SNAPSHOT-jar-with-dependencies.jar target.jar # Set the entry point to run the JAR file -ENTRYPOINT ["java", "-jar", "simple-producer.jar"] +ENTRYPOINT ["java", "-jar", "target.jar"] diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index 37bac924ac3..ca5d4538964 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -5,6 +5,7 @@ import ( "strings" "github.com/google/osv-scalibr/extractor" + "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive" "github.com/google/osv-scalibr/extractor/filesystem/os/apk" "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg" "github.com/google/osv-scalibr/extractor/filesystem/os/rpm" @@ -61,6 +62,15 @@ func (pkg *PackageInfo) Name() string { return strings.ToLower(cachedregexp.MustCompile(`[-_.]+`).ReplaceAllLiteralString(pkg.Inventory.Name, "-")) } + // Patch Maven archive extractor package names + if metadata, ok := pkg.Inventory.Metadata.(*archive.Metadata); ok { + // Debian uses source name on osv.dev + // (fallback to using the normal name if source name is empty) + if metadata.ArtifactID != "" && metadata.GroupID != "" { + return metadata.GroupID + ":" + metadata.ArtifactID + } + } + // --- OS metadata --- if metadata, ok := pkg.Inventory.Metadata.(*dpkg.Metadata); ok { // Debian uses source name on osv.dev 
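Review bot: `COPY --from=0 /app/target/my-app-1.0-SNAPSHOT-jar-with-dependencies.jar target.jar` refers to the builder stage by position, so any later `FROM` inserted above it would silently copy from the wrong stage; naming the stage is the robust form, appending ` AS build` to the first `FROM openjdk:25-jdk-slim@sha256:…` line (outside this hunk) and writing `COPY --from=build /app/target/my-app-1.0-SNAPSHOT-jar-with-dependencies.jar target.jar`. In the runtime stage, `RUN apk update && apk add openjdk21-jre` also leaves the apk index in the final layer; `RUN apk add --no-cache openjdk21-jre` is the usual single-RUN form and keeps the fixture image smaller without changing the layer count the snapshots depend on.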
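Review bot: The comment inside the new `*archive.Metadata` branch of `Name()`, `// Debian uses source name on osv.dev` / `// (fallback to using the normal name if source name is empty)`, is copied from the dpkg branch below it and describes the wrong ecosystem; the code builds the Maven coordinate from `metadata.GroupID + ":" + metadata.ArtifactID`. Replace it with `// Maven packages are keyed on osv.dev as groupId:artifactId; fall through to the` / `// inventory name when either component is empty.` so the fallback behaviour of the guard is documented correctly. `Name()` begins before this hunk and continues after it.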
diff --git a/pkg/osvscanner/filter.go b/pkg/osvscanner/filter.go index ad4856975cf..64adf426404 100644 --- a/pkg/osvscanner/filter.go +++ b/pkg/osvscanner/filter.go @@ -8,6 +8,7 @@ import ( "github.com/google/osv-scanner/internal/imodels/results" "github.com/google/osv-scanner/pkg/models" "github.com/google/osv-scanner/pkg/reporter" + "github.com/ossf/osv-schema/bindings/go/osvschema" ) // filterUnscannablePackages removes packages that don't have enough information to be scanned @@ -21,6 +22,7 @@ func filterUnscannablePackages(r reporter.Reporter, scanResults *results.ScanRes // If none of the cases match, skip this package since it's not scannable case !p.Ecosystem().IsEmpty() && p.Name() != "" && p.Version() != "": case p.Commit() != "": + case p.Ecosystem().Ecosystem == osvschema.EcosystemMaven && p.Name() == "unknown": default: continue } diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index ad0771bd153..21878c02116 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "log" "net/http" "os" "strings" @@ -345,6 +346,13 @@ func DoContainerScan(actions ScannerActions, r reporter.Reporter) (models.Vulner for i, inv := range scalibrSR.Inventories { scanResult.PackageScanResults[i].PackageInfo = imodels.FromInventory(inv) scanResult.PackageScanResults[i].LayerDetails = inv.LayerDetails + + if scanResult.PackageScanResults[i].PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemMaven { + if inv.Name == "kafka-clients" { + log.Printf("%v", scanResult.PackageScanResults[i].PackageInfo.Name()) + + } + } } // --- Fill Image Metadata --- From d23ceaa4170376615d3f717bce06ff503d453c42 Mon Sep 17 00:00:00 2001 From: Rex P Date: Fri, 24 Jan 2025 16:12:46 +1100 Subject: [PATCH 05/11] Add artifact as source type --- internal/imodels/imodels.go | 13 +++++++++++++ pkg/osvscanner/vulnerability_result.go | 2 ++ 2 files changed, 15 insertions(+) 
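Review bot: The new `case p.Ecosystem().Ecosystem == osvschema.EcosystemMaven && p.Name() == "unknown":` only matters when the first case did not already match, i.e. when the version is empty as well, so it admits Maven packages that have neither a real name nor a version; a query for the literal name `unknown` cannot match anything on osv.dev, which contradicts the function's stated purpose of removing packages without enough information to be scanned. If the intent is to surface archive inventories the extractor could not resolve, a reporter warning is the right channel rather than the scannable set; otherwise this looks like debugging scaffolding and should be dropped before merge. `filterUnscannablePackages` begins before this hunk and continues after it.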
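Review bot: The block added inside `for i, inv := range scalibrSR.Inventories` is debugging output: it matches the hard-coded inventory name `"kafka-clients"`, writes through the standard `log.Printf` instead of the `reporter.Reporter` that `DoContainerScan` receives as `r`, and leaves a stray blank line before the closing brace. It should be removed before merge together with the `"log"` import added in the previous hunk; if a diagnostic for Maven name resolution is wanted, emit it via `r` for every Maven inventory rather than for one fixture-specific package. `DoContainerScan` begins before this hunk and continues after it.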
diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index ca5d4538964..db29185c23a 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -5,7 +5,9 @@ import ( "strings" "github.com/google/osv-scalibr/extractor" + "github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary" "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive" + "github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg" "github.com/google/osv-scalibr/extractor/filesystem/os/apk" "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg" "github.com/google/osv-scalibr/extractor/filesystem/os/rpm" @@ -13,6 +15,7 @@ import ( "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx" "github.com/google/osv-scanner/internal/cachedregexp" "github.com/google/osv-scanner/internal/imodels/ecosystem" + "github.com/google/osv-scanner/internal/scalibrextract/language/javascript/nodemodules" "github.com/google/osv-scanner/internal/scalibrextract/vcs/gitrepo" "github.com/google/osv-scanner/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" @@ -35,6 +38,13 @@ var osExtractors = map[string]struct{}{ rpm.Extractor{}.Name(): {}, } +var artifactExtractors = map[string]struct{}{ + nodemodules.Extractor{}.Name(): {}, + gobinary.Extractor{}.Name(): {}, + archive.Extractor{}.Name(): {}, + wheelegg.Extractor{}.Name(): {}, +} + // PackageInfo provides getter functions for commonly used fields of inventory // and applies transformations when required for use in osv-scanner type PackageInfo struct { @@ -145,6 +155,8 @@ func (pkg *PackageInfo) SourceType() SourceType { return SourceTypeSBOM } else if _, ok := gitExtractors[extractorName]; ok { return SourceTypeGit + } else if _, ok := artifactExtractors[extractorName]; ok { + return SourceTypeArtifact } return SourceTypeProjectPackage 
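Review bot: `artifactExtractors` is a second hand-maintained list of which extractors count as artifacts, keyed only by `Name()`; an extractor that is added to the artifact set used for container scans but not here would silently fall through to `SourceTypeProjectPackage` in `SourceType()` and be labelled `lockfile` in the output. A comment pinning the coupling would help the next maintainer: `// artifactExtractors lists extractors whose inventories are reported as SourceTypeArtifact.` / `// Keep in sync with the artifact extractor set registered for container scanning.` `SourceType()` begins before its hunk and continues after it.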
@@ -208,6 +220,7 @@ const ( SourceTypeUnknown SourceType = iota SourceTypeOSPackage SourceTypeProjectPackage + SourceTypeArtifact SourceTypeSBOM SourceTypeGit ) diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go index 25abd0c8f87..2e7fc716bd4 100644 --- a/pkg/osvscanner/vulnerability_result.go +++ b/pkg/osvscanner/vulnerability_result.go @@ -123,6 +123,8 @@ func buildVulnerabilityResults( switch p.SourceType() { case imodels.SourceTypeOSPackage: sourceType = "os" + case imodels.SourceTypeArtifact: + sourceType = "artifact" case imodels.SourceTypeProjectPackage: sourceType = "lockfile" case imodels.SourceTypeSBOM: From ddfee68075fce2c9a4b07a6521b2eb2097c39fa1 Mon Sep 17 00:00:00 2001 From: Rex P Date: Fri, 24 Jan 2025 16:21:35 +1100 Subject: [PATCH 06/11] Reenable container image tests --- cmd/osv-scanner/__snapshots__/main_test.snap | 121 +++++++++++-------- cmd/osv-scanner/main_test.go | 25 ++-- 2 files changed, 85 insertions(+), 61 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 8da25c66f80..1a480236717 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -2910,6 +2910,7 @@ Scanned /fixtures/maven-transitive/pom.xml file and found 3 packages [TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1] Scanning local image tarball "../../internal/image/fixtures/test-alpine.tar" + Container Scanning Result (Alpine Linux v3.18): Total 2 packages affected by 40 vulnerabilities (2 Critical, 17 High, 14 Medium, 0 Low, 7 Unknown) from 1 ecosystems. 40 vulnerabilities have fixes available. 
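Review bot: `SourceTypeArtifact` is inserted in the middle of the `iota` block, which renumbers `SourceTypeSBOM` and `SourceTypeGit`. If `SourceType` values are only compared in-process, as the `switch p.SourceType()` in `buildVulnerabilityResults` does, that is harmless; if they are ever serialized, persisted or compared across binaries, the shift is a silent compatibility break. Appending the new constant after `SourceTypeGit` avoids the question, or a comment on the block should state that the numeric values carry no meaning outside the running process.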
@@ -2920,16 +2921,17 @@ Alpine:v3.18 +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| openssl | 1.1.1k-r0 | Fix Available | 38 | # 3 Layer | -- | -| zlib | 1.2.11-r1 | Fix Available | 2 | # 3 Layer | -- | +| openssl | 1.1.1k-r0 | Fix Available | 38 | # 2 Layer | -- | +| zlib | 1.2.11-r1 | Fix Available | 2 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- 
@@ -2939,106 +2941,110 @@ Scanning local image tarball "./fixtures/oci-image/no-file-here.tar" --- [TestRun_OCIImage/Invalid_path - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. failed to load image from tarball with path "./fixtures/oci-image/no-file-here.tar": open ./fixtures/oci-image/no-file-here.tar: no such file or directory --- [TestRun_OCIImage/Scanning_java_image_with_some_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-java-full.tar" + Container Scanning Result (Alpine Linux v3.21): Total 9 packages affected by 12 vulnerabilities (1 Critical, 5 High, 6 Medium, 0 Low, 0 Unknown) from 1 ecosystems. 12 vulnerabilities have fixes available. Maven +-----------------------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.properties | +-----------------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-----------------------------------+-------------------+---------------+------------+------------------+---------------+ | com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 5 Layer | -- | +-----------------------------------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties | +| 
Source:artifact:app/target.jar/META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties | +------------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------------------------+-------------------+---------------+------------+------------------+---------------+ | com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 1 | # 5 Layer | -- | +------------------------------+-------------------+---------------+------------+------------------+---------------+ +-----------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/dnsjava/dnsjava/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/dnsjava/dnsjava/pom.properties | +-----------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-----------------+-------------------+---------------+------------+------------------+---------------+ | dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 5 Layer | -- | +-----------------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/io.netty/netty-codec-http/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/io.netty/netty-codec-http/pom.properties | +---------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------------------------+-------------------+---------------+------------+------------------+---------------+ | 
io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 1 | # 5 Layer | -- | +---------------------------+-------------------+---------------+------------+------------------+---------------+ +-----------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/io.netty/netty-common/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/io.netty/netty-common/pom.properties | +-----------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-----------------------+-------------------+---------------+------------+------------------+---------------+ | io.netty:netty-common | 4.1.100.Final | Fix Available | 1 | # 5 Layer | -- | +-----------------------+-------------------+---------------+------------+------------------+---------------+ +----------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/org.apache.avro/avro/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/org.apache.avro/avro/pom.properties | +----------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +----------------------+-------------------+---------------+------------+------------------+---------------+ | org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 5 Layer | -- | +----------------------+-------------------+---------------+------------+------------------+---------------+ +-------------------------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/org.apache.commons/commons-compress/pom.properties | +| 
Source:artifact:app/target.jar/META-INF/maven/org.apache.commons/commons-compress/pom.properties | +-------------------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-------------------------------------+-------------------+---------------+------------+------------------+---------------+ | org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 5 Layer | -- | +-------------------------------------+-------------------+---------------+------------+------------------+---------------+ +-------------------------------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/org.apache.commons/commons-configuration2/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/org.apache.commons/commons-configuration2/pom.properties | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ | org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 5 Layer | -- | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------------------------+ -| Source:lockfile:app/target.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties | +| Source:artifact:app/target.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties | +------------------------------+-------------------+---------------+------------+------------------+---------------+ | 
PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------------------------+-------------------+---------------+------------+------------------+---------------+ | org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 1 | # 5 Layer | -- | +------------------------------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/Scanning_java_image_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/Scanning_python_image_with_no_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-python-empty.tar" + Container Scanning Result (Debian GNU/Linux 10 (buster)): Total 12 packages affected by 17 vulnerabilities (0 Critical, 2 High, 1 Medium, 0 Low, 14 Unknown) from 2 ecosystems. 17 vulnerabilities have fixes available. 
PyPI +---------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | pip | 23.0.1 | Fix Available | 1 | # 13 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------+-------------------+---------------+------------+------------------+---------------+ 
@@ -3062,66 +3068,68 @@ Debian:10 | util-linux | 2.33.1-0.1 | Fix Available | 1 | # 0 Layer | python | +------------------------+------------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/Scanning_python_image_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/Scanning_python_image_with_some_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-python-full.tar" + Container Scanning Result (Debian GNU/Linux 10 (buster)): Total 17 packages affected by 31 vulnerabilities (0 Critical, 8 High, 8 Medium, 0 Low, 15 Unknown) from 2 ecosystems. 31 vulnerabilities have fixes available. 
PyPI +---------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | django | 1.11.29 | Fix Available | 3 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | flask | 0.12.2 | Fix Available | 3 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | 
+---------+-------------------+---------------+------------+------------------+---------------+ | idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | pip | 23.0.1 | Fix Available | 1 | # 13 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ +----------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | +----------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +----------+-------------------+---------------+------------+------------------+---------------+ | requests | 2.20.0 | Fix Available | 2 | # 17 Layer | -- | +----------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | 
+------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 2 | # 13 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA | +| Source:artifact:usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ 
@@ -3145,59 +3153,61 @@ Debian:10 | util-linux | 2.33.1-0.1 | Fix Available | 1 | # 0 Layer | python | +------------------------+------------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/Scanning_python_image_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_image_with_go_binary - 1] Scanning local image tarball "../../internal/image/fixtures/test-package-tracing.tar" + Container Scanning Result (Alpine Linux v3.20): Total 7 packages affected by 27 vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 27 Unknown) from 2 ecosystems. 27 vulnerabilities have fixes available. 
Go +---------------------------------------------------------------------------------------------+ -| Source:lockfile:go/bin/more-vuln-overwrite-less-vuln | +| Source:artifact:go/bin/more-vuln-overwrite-less-vuln | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 4 | # 9 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:go/bin/ptf-1.2.0 | +| Source:artifact:go/bin/ptf-1.2.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 4 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:go/bin/ptf-1.3.0 | +| Source:artifact:go/bin/ptf-1.3.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 4 | # 4 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| 
Source:lockfile:go/bin/ptf-1.3.0-moved | +| Source:artifact:go/bin/ptf-1.3.0-moved | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 4 | # 3 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:go/bin/ptf-1.4.0 | +| Source:artifact:go/bin/ptf-1.4.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 4 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ -| Source:lockfile:go/bin/ptf-vulnerable | +| Source:artifact:go/bin/ptf-vulnerable | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ 
@@ -3212,17 +3222,19 @@ Alpine:v3.20 | openssl | 3.3.1-r0 | Fix Available | 3 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_image_with_go_binary - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-node_modules-npm-empty.tar" + Container Scanning Result (Alpine Linux v3.19): Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. 10 vulnerabilities have fixes available. 
@@ -3237,24 +3249,26 @@ Alpine:v3.19 | openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-node_modules-npm-full.tar" + Container Scanning Result (Alpine Linux v3.19): Total 4 packages affected by 13 vulnerabilities (2 Critical, 0 High, 5 Medium, 0 Low, 6 Unknown) from 2 ecosystems. 12 vulnerabilities have fixes available. npm +-------------------------------------------------------------------------------------------------+ -| Source:lockfile:prod/app/node_modules/.package-lock.json | +| Source:artifact:prod/app/node_modules/.package-lock.json | +----------+-------------------+------------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +----------+-------------------+------------------+------------+------------------+---------------+ 
@@ -3271,17 +3285,19 @@ Alpine:v3.19 | openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-node_modules-pnpm-empty.tar" + Container Scanning Result (Alpine Linux v3.19): Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. 10 vulnerabilities have fixes available. 
@@ -3296,17 +3312,19 @@ Alpine:v3.19 | openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-node_modules-pnpm-full.tar" + Container Scanning Result (Alpine Linux v3.19): Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. 10 vulnerabilities have fixes available. 
@@ -3321,17 +3339,19 @@ Alpine:v3.19 | openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-node_modules-yarn-empty.tar" + Container Scanning Result (Alpine Linux v3.19): Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. 10 vulnerabilities have fixes available. 
@@ -3346,17 +3366,19 @@ Alpine:v3.19 | openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1] Scanning local image tarball "../../internal/image/fixtures/test-node_modules-yarn-full.tar" + Container Scanning Result (Alpine Linux v3.19): Total 2 packages affected by 10 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 6 Unknown) from 1 ecosystems. 10 vulnerabilities have fixes available. 
@@ -3371,12 +3393,13 @@ Alpine:v3.19 | openssl | 3.1.4-r5 | Fix Available | 6 | # 0 Layer | alpine | +---------+-------------------+---------------+------------+------------------+---------------+ -For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. -You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 2] +Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. ---
diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
index 6c76797296c..5b2db5ccc26 100644
--- a/cmd/osv-scanner/main_test.go
+++ b/cmd/osv-scanner/main_test.go
@@ -3,6 +3,7 @@ package main
 import (
 "bytes"
+ "errors"
 "os"
 "path/filepath"
 "reflect"
@@ -825,62 +826,62 @@ func TestRun_OCIImage(t *testing.T) {
 tests := []cliTestCase{
 {
 name: "Invalid path",
- args: []string{"", "--experimental-oci-image", "./fixtures/oci-image/no-file-here.tar"},
+ args: []string{"", "scan", "image", "--archive", "./fixtures/oci-image/no-file-here.tar"},
 exit: 127,
 },
 {
 name: "Alpine 3.10 image tar with 3.18 version file",
- args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-alpine.tar"},
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-alpine.tar"},
 exit: 1,
 },
 {
 name: "Scanning python image with some packages",
- args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-python-full.tar"},
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-python-full.tar"},
 exit: 1,
 },
 {
 name: "Scanning python image with no packages",
- args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-python-empty.tar"},
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-python-empty.tar"},
 exit: 1,
 },
 {
 name: "Scanning java image with some packages",
- args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-java-full.tar"},
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-java-full.tar"},
 exit: 1,
 },
 {
 name: "scanning node_modules using npm with no packages",
- args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-npm-empty.tar"},
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-npm-empty.tar"},
 exit: 1,
 },
 {
 name: "scanning node_modules using npm with some packages",
- args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-npm-full.tar"},
+ args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-npm-full.tar"},
 exit: 1,
 },
 {
name: "scanning node_modules using yarn with no packages", - args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-yarn-empty.tar"}, + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-yarn-empty.tar"}, exit: 1, }, { name: "scanning node_modules using yarn with some packages", - args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-yarn-full.tar"}, + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-yarn-full.tar"}, exit: 1, }, { name: "scanning node_modules using pnpm with no packages", - args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-pnpm-empty.tar"}, + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-pnpm-empty.tar"}, exit: 1, }, { name: "scanning node_modules using pnpm with some packages", - args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-pnpm-full.tar"}, + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-node_modules-pnpm-full.tar"}, exit: 1, }, { name: "scanning image with go binary", - args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-package-tracing.tar"}, + args: []string{"", "scan", "image", "--archive", "../../internal/image/fixtures/test-package-tracing.tar"}, exit: 1, }, } From fcd85331ebf7d1948fe8a29dcd4949f898223ee4 Mon Sep 17 00:00:00 2001 From: Rex P Date: Tue, 28 Jan 2025 14:38:11 +1100 Subject: [PATCH 07/11] Update snaps again --- cmd/osv-scanner/__snapshots__/main_test.snap | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index e5d6a895549..460167a28de 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap 
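Review bot: The new `"scan", "image", "--archive"` argument form makes every case in this table emit the subcommand-ambiguity warning (the `- 2` stderr snapshots in the main_test.snap hunks earlier in this series now contain `Warning: scan exists as both a subcommand of OSV-Scanner and as a file on the filesystem ...`), and the snapshot test then locks that warning in as expected output. That couples the assertions to the test process's working directory — presumably a directory that contains a `scan` entry — rather than to scanner behaviour, so a later layout change would flip every one of these snapshots at once. Consider running these cases from a working directory without a `scan` entry, or giving the test harness a way to bypass the ambiguity check, so the stderr snapshots stay empty and the exit codes remain the only thing asserted. The enclosing TestRun_OCIImage function and the loop that consumes `tests` continue outside the hunk.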
+++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -2961,7 +2961,7 @@ failed to load image from tarball with path "./fixtures/oci-image/no-file-here.t Scanning local image tarball "../../internal/image/fixtures/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21): -Total 9 packages affected by 12 vulnerabilities (1 Critical, 5 High, 6 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +Total 9 packages affected by 12 vulnerabilities (1 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 1 ecosystems. 12 vulnerabilities have fixes available. Maven @@ -3178,8 +3178,8 @@ Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the Scanning local image tarball "../../internal/image/fixtures/test-package-tracing.tar" Container Scanning Result (Alpine Linux v3.20): -Total 7 packages affected by 27 vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 27 Unknown) from 2 ecosystems. -27 vulnerabilities have fixes available. +Total 7 packages affected by 39 vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 39 Unknown) from 2 ecosystems. +39 vulnerabilities have fixes available. Go +---------------------------------------------------------------------------------------------+ 
@@ -3187,42 +3187,42 @@ Go +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 4 | # 9 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 6 | # 9 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:go/bin/ptf-1.2.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 4 | # 2 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 6 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:go/bin/ptf-1.3.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 4 | # 4 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 6 | # 4 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:go/bin/ptf-1.3.0-moved | 
+---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 4 | # 3 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 6 | # 3 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:go/bin/ptf-1.4.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 4 | # 2 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 6 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:go/bin/ptf-vulnerable | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 4 | # 7 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 6 | # 7 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ Alpine:v3.20 +---------------------------------------------------------------------------------------------+ From 048c1420bd712f2e0f696cb399efb55b3d97bb2c Mon Sep 17 00:00:00 2001 
From: Rex P Date: Tue, 28 Jan 2025 14:41:27 +1100 Subject: [PATCH 08/11] Remove logging lines --- pkg/osvscanner/osvscanner.go | 8 -------- 1 file changed, 8 deletions(-) diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index 54e94f4d470..7b07038cf7e 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -4,7 +4,6 @@ import ( "context" "errors" "fmt" - "log" "net/http" "os" "strings" @@ -332,13 +331,6 @@ func DoContainerScan(actions ScannerActions, r reporter.Reporter) (models.Vulner for i, inv := range scalibrSR.Inventories { scanResult.PackageScanResults[i].PackageInfo = imodels.FromInventory(inv) scanResult.PackageScanResults[i].LayerDetails = inv.LayerDetails - - if scanResult.PackageScanResults[i].PackageInfo.Ecosystem().Ecosystem == osvschema.EcosystemMaven { - if inv.Name == "kafka-clients" { - log.Printf("%v", scanResult.PackageScanResults[i].PackageInfo.Name()) - - } - } } // --- Fill Image Metadata --- From c0b0695fd26fbc785ca01b2d36ca4a94b3ec60ba Mon Sep 17 00:00:00 2001 From: Rex P Date: Tue, 28 Jan 2025 15:43:42 +1100 Subject: [PATCH 09/11] Add a TODO. --- internal/imodels/imodels.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go index db29185c23a..f4d45eda1c8 100644 --- a/internal/imodels/imodels.go +++ b/internal/imodels/imodels.go @@ -66,6 +66,7 @@ func (pkg *PackageInfo) Name() string { return "stdlib" } + // TODO: Move the normalization to another where matching logic happens. // Patch python package names to be normalized if pkg.Ecosystem().Ecosystem == osvschema.EcosystemPyPI { // per https://peps.python.org/pep-0503/#normalized-names From 87b7b8800b3897be8e995874f9e68f812e112d5e Mon Sep 17 00:00:00 2001 
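Review bot: The added comment `// TODO: Move the normalization to another where matching logic happens.` is missing a noun after "another"; `// TODO: Move the normalization to wherever the matching logic happens.` reads cleanly. It would also help to state the consequence the TODO is working around: while the PEP 503 normalization lives in Name(), any caller that compares a PyPI package's raw inventory name with the value returned by Name() will see two different strings. The body of Name() continues outside the hunk.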
From: Rex P Date: Tue, 28 Jan 2025 16:29:05 +1100 Subject: [PATCH 10/11] Update osv-scalibr --- cmd/osv-scanner/__snapshots__/main_test.snap | 68 +++----------------- go.mod | 3 +- go.sum | 4 ++ 3 files changed, 16 insertions(+), 59 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 460167a28de..ccaf36f5017 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -2965,69 +2965,21 @@ Total 9 packages affected by 12 vulnerabilities (1 Critical, 4 High, 7 Medium, 0 12 vulnerabilities have fixes available. Maven -+-----------------------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.properties | -+-----------------------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+-----------------------------------+-------------------+---------------+------------+------------------+---------------+ -| com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 5 Layer | -- | -+-----------------------------------+-------------------+---------------+------------+------------------+---------------+ -+------------------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties | -+------------------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+------------------------------+-------------------+---------------+------------+------------------+---------------+ -| com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 1 | # 5 Layer | -- | -+------------------------------+-------------------+---------------+------------+------------------+---------------+ -+-----------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/dnsjava/dnsjava/pom.properties | -+-----------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX 
AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+-----------------+-------------------+---------------+------------+------------------+---------------+ -| dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 5 Layer | -- | -+-----------------+-------------------+---------------+------------+------------------+---------------+ -+---------------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/io.netty/netty-codec-http/pom.properties | -+---------------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+---------------------------+-------------------+---------------+------------+------------------+---------------+ -| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 1 | # 5 Layer | -- | -+---------------------------+-------------------+---------------+------------+------------------+---------------+ -+-----------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/io.netty/netty-common/pom.properties | -+-----------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+-----------------------+-------------------+---------------+------------+------------------+---------------+ -| io.netty:netty-common | 4.1.100.Final | Fix Available | 1 | # 5 Layer | -- | -+-----------------------+-------------------+---------------+------------+------------------+---------------+ -+----------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/org.apache.avro/avro/pom.properties | 
-+----------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+----------------------+-------------------+---------------+------------+------------------+---------------+ -| org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 5 Layer | -- | -+----------------------+-------------------+---------------+------------+------------------+---------------+ -+-------------------------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/org.apache.commons/commons-compress/pom.properties | -+-------------------------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+-------------------------------------+-------------------+---------------+------------+------------------+---------------+ -| org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 5 Layer | -- | -+-------------------------------------+-------------------+---------------+------------+------------------+---------------+ +-------------------------------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/org.apache.commons/commons-configuration2/pom.properties | +| Source:artifact:app/target.jar | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ -| org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 5 Layer | 
-- | +| com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 4 Layer | -- | +| com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 1 | # 4 Layer | -- | +| dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 4 Layer | -- | +| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 1 | # 4 Layer | -- | +| io.netty:netty-common | 4.1.100.Final | Fix Available | 1 | # 4 Layer | -- | +| org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 4 Layer | -- | +| org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 4 Layer | -- | +| org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 4 Layer | -- | +| org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 1 | # 4 Layer | -- | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ -+------------------------------------------------------------------------------------------------------------------+ -| Source:artifact:app/target.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties | -+------------------------------+-------------------+---------------+------------+------------------+---------------+ -| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | -+------------------------------+-------------------+---------------+------------+------------------+---------------+ -| org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 1 | # 5 Layer | -- | -+------------------------------+-------------------+---------------+------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. diff --git a/go.mod b/go.mod index 809b1f499ea..cddbd16378a 100644 --- a/go.mod +++ b/go.mod 
@@ -17,7 +17,7 @@ require ( github.com/go-git/go-billy/v5 v5.6.2 github.com/go-git/go-git/v5 v5.13.1 github.com/google/go-cmp v0.6.0 - github.com/google/osv-scalibr v0.1.6-0.20250123155336-85f39dea4c05 + github.com/google/osv-scalibr v0.1.6-0.20250128013153-34aef7c77adf github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd github.com/jedib0t/go-pretty/v6 v6.6.5 github.com/muesli/reflow v0.3.0 @@ -104,6 +104,7 @@ require ( github.com/mattn/go-runewidth v0.0.16 // indirect github.com/mattn/go-sqlite3 v1.14.22 // indirect github.com/microcosm-cc/bluemonday v1.0.27 // indirect + github.com/microsoft/go-rustaudit v0.0.0-20240820110456-0e2abec02f8b // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/sys/mountinfo v0.6.2 // indirect diff --git a/go.sum b/go.sum index 1d9d56315d6..d01d3267529 100644 --- a/go.sum +++ b/go.sum @@ -184,6 +184,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/osv-scalibr v0.1.6-0.20250123155336-85f39dea4c05 h1:47dObbqXVFPmg39yLeRWfKZYw2xR6O2BJVLmgC6Zygw= github.com/google/osv-scalibr v0.1.6-0.20250123155336-85f39dea4c05/go.mod h1:nikSO3CqGGRQY05sGgzsgf4+84p5xCmPWOiaSomkuAU= +github.com/google/osv-scalibr v0.1.6-0.20250128013153-34aef7c77adf h1:s6PZEjcMocRehGjuHIFN7Chy8VlMw4XheLgLaWRx21U= +github.com/google/osv-scalibr v0.1.6-0.20250128013153-34aef7c77adf/go.mod h1:jKAptk1dYWBO91ODkI5XYKDDvZEbLKQH9DSXcTtUDSw= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -233,6 +235,8 @@ github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= +github.com/microsoft/go-rustaudit v0.0.0-20240820110456-0e2abec02f8b h1:84JbAJpjZ8p1ttV6dpIqfe8IehWMf0i8DPSgmE9aZuA= +github.com/microsoft/go-rustaudit v0.0.0-20240820110456-0e2abec02f8b/go.mod h1:vYT9HE7WCvL64iVeZylKmCsWKfE+JZ8105iuh2Trk8g= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= From 9a02ddc6c749dfb28d0fe6cb85a42130c31c62a8 Mon Sep 17 00:00:00 2001 From: Rex P Date: Wed, 29 Jan 2025 10:18:24 +1100 Subject: [PATCH 11/11] Update snaps --- cmd/osv-scanner/__snapshots__/main_test.snap | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index fd90512affb..e19d169088d 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -2919,6 +2919,16 @@ Scanned /fixtures/maven-transitive/pom.xml file and found 3 packages --- +[TestRun_MoreLockfiles/cabal.project.freeze - 1] +Scanned /fixtures/locks-scalibr/cabal.project.freeze file and found 6 packages ++--------------------------------+------+-----------+-----------------+---------+---------------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------------+------+-----------+-----------------+---------+---------------------------------------------+ +| https://osv.dev/HSEC-2024-0009 | | Hackage | biscuit-haskell | 0.3.0.0 | fixtures/locks-scalibr/cabal.project.freeze | ++--------------------------------+------+-----------+-----------------+---------+---------------------------------------------+ + +--- + [TestRun_MoreLockfiles/cabal.project.freeze - 2] --- @@ -2970,8 +2980,8 @@ Alpine:v3.18 +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| openssl | 1.1.1k-r0 | Fix Available | 38 | # 2 Layer | -- | -| zlib | 1.2.11-r1 | Fix Available | 2 | # 2 Layer | -- | +| openssl | 1.1.1k-r0 | Fix Available | 38 | # 3 Layer | -- | +| zlib | 1.2.11-r1 | Fix Available | 2 | # 3 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.