Merge branch 'main' into c-c++

hayleycd · Nov 7, 2023 · 67d80b1 · 67d80b1
2 parents ba779e1 + 8fef787
commit 67d80b1
Show file tree

Hide file tree

Showing 48 changed files with 1,577 additions and 154 deletions.
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.19
+1.20
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# v1.4.3:
+
+### Features
+- [Feature #621](https://github.com/google/osv-scanner/pull/621)
+  Add support for scanning vendored C/C++ files.
+- [Feature #581](https://github.com/google/osv-scanner/pull/581)
+  Scan submodules commit hashes.
+
+### Fixes
+- [Bug #626](https://github.com/google/osv-scanner/issues/626)
+  Fix gitignore matching for root directory
+- [Bug #622](https://github.com/google/osv-scanner/issues/622)
+  Go binary not found should not be an error
+- [Bug #588](https://github.com/google/osv-scanner/issues/588)
+  handle npm/yarn aliased packages
+- [Bug #607](https://github.com/google/osv-scanner/pull/607)
+  fix: remove some extra newlines in sarif report
+
 # v1.4.2:
 
 ### Fixes

diff --git a/cmd/osv-scanner/fixtures/locks-licenses/package-lock.json b/cmd/osv-scanner/fixtures/locks-licenses/package-lock.json
diff --git a/cmd/osv-scanner/fixtures/locks-licenses/package.json b/cmd/osv-scanner/fixtures/locks-licenses/package.json
@@ -0,0 +1,7 @@
+{
+  "dependencies": {
+    "babel": "^6.23.0",
+    "human-signals": "^5.0.0",
+    "ms": "^2.1.3"
+  }
+}
diff --git a/cmd/osv-scanner/fixtures/locks-many/replace-local.mod b/cmd/osv-scanner/fixtures/locks-many/replace-local.mod
@@ -0,0 +1,7 @@
+require (
+    golang.org/x/net v1.2.3
+)
+
+replace (
+    golang.org/x/net v1.2.3 => ./fork/net
+)
diff --git a/cmd/osv-scanner/main.go b/cmd/osv-scanner/main.go
@@ -120,6 +120,14 @@ func run(args []string, stdout, stderr io.Writer) int {
 				Usage:  "sets the path that local databases should be stored",
 				Hidden: true,
 			},
+			&cli.BoolFlag{
+				Name:  "experimental-all-packages",
+				Usage: "when json output is selected, prints all packages",
+			},
+			&cli.StringSliceFlag{
+				Name:  "experimental-licenses",
+				Usage: "report on licenses",
+			},
 		},
 		ArgsUsage: "[directory1 directory2...]",
 		Action: func(context *cli.Context) error {
@@ -161,25 +169,31 @@ func run(args []string, stdout, stderr io.Writer) int {
 				ConfigOverridePath:   context.String("config"),
 				DirectoryPaths:       context.Args().Slice(),
 				ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{
-					LocalDBPath:    context.String("experimental-local-db-path"),
-					CallAnalysis:   context.Bool("experimental-call-analysis"),
-					CompareLocally: context.Bool("experimental-local-db"),
-					CompareOffline: context.Bool("experimental-offline"),
+					LocalDBPath:           context.String("experimental-local-db-path"),
+					CallAnalysis:          context.Bool("experimental-call-analysis"),
+					CompareLocally:        context.Bool("experimental-local-db"),
+					CompareOffline:        context.Bool("experimental-offline"),
+					ShowAllPackages:       context.Bool("experimental-all-packages"),
+					ScanLicenses:          context.IsSet("experimental-licenses"),
+					ScanLicensesAllowlist: context.StringSlice("experimental-licenses"),
 				},
 			}, r)
 
-			if err != nil &&
-				!errors.Is(err, osvscanner.VulnerabilitiesFoundErr) &&
-				!errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr) {
-				//nolint:wrapcheck
+			issueResultErr := errors.Join(
+				osvscanner.VulnerabilitiesFoundErr,
+				osvscanner.OnlyUncalledVulnerabilitiesFoundErr,
+				osvscanner.LicenseViolationsErr,
+				osvscanner.VulnerabilitiesFoundAndLicenseViolationsErr,
+				osvscanner.OnlyUncalledVulnerabilitiesFoundAndLicenseViolationsErr,
+			)
+			if err != nil && !errors.Is(issueResultErr, err) {
 				return err
 			}
-
 			if errPrint := r.PrintResult(&vulnResult); errPrint != nil {
 				return fmt.Errorf("failed to write output: %w", errPrint)
 			}
 
-			// Could be nil, VulnerabilitiesFoundErr, or OnlyUncalledVulnerabilitiesFoundErr
+			// This may be nil.
 			return err
 		},
 	}
@@ -188,20 +202,23 @@ func run(args []string, stdout, stderr io.Writer) int {
 		if r == nil {
 			r = reporter.NewTableReporter(stdout, stderr, false, 0)
 		}
-		if errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
-			return 1
-		}
-
-		if errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr) {
-			// TODO: Discuss whether to have a different exit code now that running call analysis is not default
-			return 2
-		}
-
-		if errors.Is(err, osvscanner.NoPackagesFoundErr) {
+		switch {
+		case errors.Is(err, osvscanner.VulnerabilitiesFoundErr):
+			return 0b0001 // 1
+		case errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr):
+			// TODO: Discuss whether to have a different exit code
+			// now that running call analysis is not default.
+			return 0b0010 // 2
+		case errors.Is(err, osvscanner.LicenseViolationsErr):
+			return 0b0100 // 4
+		case errors.Is(err, osvscanner.VulnerabilitiesFoundAndLicenseViolationsErr):
+			return 0b0101 // 5
+		case errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundAndLicenseViolationsErr):
+			return 0b0110 // 6
+		case errors.Is(err, osvscanner.NoPackagesFoundErr):
 			r.PrintError("No package sources found, --help for usage information.\n")
 			return 128
 		}
-
 		r.PrintError(fmt.Sprintf("%v\n", err))
 	}