Merge branch 'main' into license

cmd/osv-reporter/main.go

@@ -162,14 +162,8 @@ func run(args []string, stdout, stderr io.Writer) int {
 
 			// if vulnerability exists it should return error
 			if len(diffVulns.Results) > 0 {
-				// If any vulnerabilities are called, then we return VulnerabilitiesFoundErr
-				for _, vf := range diffVulns.Flatten() {
-					if vf.GroupInfo.IsCalled() {
-						return osvscanner.VulnerabilitiesFoundErr
-					}
-				}
 				// Otherwise return OnlyUncalledVulnerabilitiesFoundErr
-				return osvscanner.OnlyUncalledVulnerabilitiesFoundErr
+				return osvscanner.VulnerabilitiesFoundErr
 			}
 
 			return nil
@@ -184,11 +178,6 @@ func run(args []string, stdout, stderr io.Writer) int {
 			return 1
 		}
 
-		if errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr) {
-			// TODO: Discuss whether to have a different exit code now that running call analysis is not default
-			return 2
-		}
-
 		if errors.Is(err, osvscanner.NoPackagesFoundErr) {
 			tableReporter.PrintError("No package sources found, --help for usage information.\n")
 			return 128

cmd/osv-scanner/callanalysis_parser.go

@@ -0,0 +1,32 @@
+package main
+
+var stableCallAnalysisStates = map[string]bool{
+	"go":   true,
+	"rust": false,
+}
+
+// Creates a map to record if languages are enabled or disabled for call analysis.
+func createCallAnalysisStates(enabledCallAnalysis []string, disabledCallAnalysis []string) map[string]bool {
+	callAnalysisStates := make(map[string]bool)
+
+	for _, language := range enabledCallAnalysis {
+		callAnalysisStates[language] = true
+	}
+
+	for _, language := range disabledCallAnalysis {
+		callAnalysisStates[language] = false
+	}
+
+	enableAll, containsAll := callAnalysisStates["all"]
+	for language, isStable := range stableCallAnalysisStates {
+		if _, exists := callAnalysisStates[language]; !exists {
+			callAnalysisStates[language] = isStable || enableAll
+		}
+		if containsAll && !enableAll {
+			callAnalysisStates[language] = false
+		}
+	}
+	delete(callAnalysisStates, "all")
+
+	return callAnalysisStates
+}

cmd/osv-scanner/callanalysis_parser_test.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestCreateCallAnalysisStates(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		enabledCallAnalysis        []string
+		disabledCallAnalysis       []string
+		expectedCallAnalysisStates map[string]bool
+	}{
+		{
+			enabledCallAnalysis:  []string{"go", "rust"},
+			disabledCallAnalysis: []string{},
+			expectedCallAnalysisStates: map[string]bool{
+				"go":   true,
+				"rust": true,
+			},
+		},
+		{
+			enabledCallAnalysis:  []string{"all"},
+			disabledCallAnalysis: []string{"rust"},
+			expectedCallAnalysisStates: map[string]bool{
+				"go":   true,
+				"rust": false,
+			},
+		},
+		{
+			enabledCallAnalysis:  []string{},
+			disabledCallAnalysis: []string{"all"},
+			expectedCallAnalysisStates: map[string]bool{
+				"go":   false,
+				"rust": false,
+			},
+		},
+		{
+			enabledCallAnalysis:  []string{},
+			disabledCallAnalysis: []string{"rust"},
+			expectedCallAnalysisStates: map[string]bool{
+				"go":   true,
+				"rust": false,
+			},
+		},
+		{
+			enabledCallAnalysis:  []string{"all", "rust"},
+			disabledCallAnalysis: []string{"go"},
+			expectedCallAnalysisStates: map[string]bool{
+				"go":   false,
+				"rust": true,
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		actualCallAnalysisStates := createCallAnalysisStates(testCase.enabledCallAnalysis, testCase.disabledCallAnalysis)
+
+		if !reflect.DeepEqual(actualCallAnalysisStates, testCase.expectedCallAnalysisStates) {
+			t.Errorf("expected call analysis states to be %v, but got %v", testCase.expectedCallAnalysisStates, actualCallAnalysisStates)
+		}
+	}
+}

cmd/osv-scanner/fixtures/locks-test-ignore/osv-scanner.toml

@@ -0,0 +1,3 @@
+[[IgnoredVulns]]
+id = "CVE-2021-23424"
+reason = "Test manifest file (alpine.cdx.xml)"

cmd/osv-scanner/main.go

@@ -99,14 +99,22 @@ func run(args []string, stdout, stderr io.Writer) int {
 			},
 			&cli.BoolFlag{
 				Name:  "experimental-call-analysis",
-				Usage: "attempt call analysis on code to detect only active vulnerabilities",
+				Usage: "[Deprecated] attempt call analysis on code to detect only active vulnerabilities",
 				Value: false,
 			},
 			&cli.BoolFlag{
 				Name:  "no-ignore",
 				Usage: "also scan files that would be ignored by .gitignore",
 				Value: false,
 			},
+			&cli.StringSliceFlag{
+				Name:  "call-analysis",
+				Usage: "attempt call analysis on code to detect only active vulnerabilities",
+			},
+			&cli.StringSliceFlag{
+				Name:  "no-call-analysis",
+				Usage: "disables call graph analysis",
+			},
 			&cli.BoolFlag{
 				Name:  "experimental-local-db",
 				Usage: "checks for vulnerabilities using local databases",
@@ -159,6 +167,14 @@ func run(args []string, stdout, stderr io.Writer) int {
 				return err
 			}
 
+			var callAnalysisStates map[string]bool
+			if context.IsSet("experimental-call-analysis") {
+				callAnalysisStates = createCallAnalysisStates([]string{"all"}, context.StringSlice("no-call-analysis"))
+				r.PrintText("Warning: the experimental-call-analysis flag has been replaced. Please use the call-analysis and no-call-analysis flags instead.\n")
+			} else {
+				callAnalysisStates = createCallAnalysisStates(context.StringSlice("call-analysis"), context.StringSlice("no-call-analysis"))
+			}
+
 			vulnResult, err := osvscanner.DoScan(osvscanner.ScannerActions{
 				LockfilePaths:        context.StringSlice("lockfile"),
 				SBOMPaths:            context.StringSlice("sbom"),
@@ -168,9 +184,9 @@ func run(args []string, stdout, stderr io.Writer) int {
 				NoIgnore:             context.Bool("no-ignore"),
 				ConfigOverridePath:   context.String("config"),
 				DirectoryPaths:       context.Args().Slice(),
+				CallAnalysisStates:   callAnalysisStates,
 				ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{
 					LocalDBPath:           context.String("experimental-local-db-path"),
-					CallAnalysis:          context.Bool("experimental-call-analysis"),
 					CompareLocally:        context.Bool("experimental-local-db"),
 					CompareOffline:        context.Bool("experimental-offline"),
 					ShowAllPackages:       context.Bool("experimental-all-packages"),
@@ -179,16 +195,10 @@ func run(args []string, stdout, stderr io.Writer) int {
 				},
 			}, r)
 
-			issueResultErr := errors.Join(
-				osvscanner.VulnerabilitiesFoundErr,
-				osvscanner.OnlyUncalledVulnerabilitiesFoundErr,
-				osvscanner.LicenseViolationsErr,
-				osvscanner.VulnerabilitiesFoundAndLicenseViolationsErr,
-				osvscanner.OnlyUncalledVulnerabilitiesFoundAndLicenseViolationsErr,
-			)
-			if err != nil && !errors.Is(issueResultErr, err) {
+			if err != nil && !errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
 				return err
 			}
+
 			if errPrint := r.PrintResult(&vulnResult); errPrint != nil {
 				return fmt.Errorf("failed to write output: %w", errPrint)
 			}
@@ -204,17 +214,7 @@ func run(args []string, stdout, stderr io.Writer) int {
 		}
 		switch {
 		case errors.Is(err, osvscanner.VulnerabilitiesFoundErr):
-			return 0b0001 // 1
-		case errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr):
-			// TODO: Discuss whether to have a different exit code
-			// now that running call analysis is not default.
-			return 0b0010 // 2
-		case errors.Is(err, osvscanner.LicenseViolationsErr):
-			return 0b0100 // 4
-		case errors.Is(err, osvscanner.VulnerabilitiesFoundAndLicenseViolationsErr):
-			return 0b0101 // 5
-		case errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundAndLicenseViolationsErr):
-			return 0b0110 // 6
+			return 1
 		case errors.Is(err, osvscanner.NoPackagesFoundErr):
 			r.PrintError("No package sources found, --help for usage information.\n")
 			return 128