Merge branch 'main' into action-docs
Hayley Denbraver authored Sep 20, 2023
2 parents b6215a3 + 26c9dfd commit bbe6ce6
Showing 26 changed files with 1,614 additions and 190 deletions.
2 changes: 1 addition & 1 deletion .goreleaser.yml
Expand Up @@ -13,7 +13,7 @@ builds:
- -trimpath
ldflags:
# prettier-ignore
- '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}}'
- '-s -w -X github.com/google/osv-scanner/internal/version.OSVVersion={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}}'
goos:
# Further testing before supporting freebsd
# - freebsd
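Review bot: The new `-X github.com/google/osv-scanner/internal/version.OSVVersion=…` only takes effect if `OSVVersion` is declared as a package-level string `var` that is either uninitialised or initialised from a constant literal; `internal/version` is not in this commit's view, so that is worth confirming, because if it is a `const` or computed at init the linker silently skips it and release binaries report the in-source default both in `--version` and in the `osv-scanner/` User-Agent set in cmd/osv-scanner/main.go. `commit` and `date` still travel via `-X main.commit`/`-X main.date` and remain declared in each main package (cmd/osv-scanner/main.go, cmd/osv-reporter/main.go); moving them next to `OSVVersion` would keep all build metadata in one place and spare every future binary its own copy. A doc comment such as `// OSVVersion is set at release time via -ldflags -X; see .goreleaser.yml` on the variable would record the coupling.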
8 changes: 4 additions & 4 deletions cmd/osv-reporter/main.go
Expand Up @@ -8,6 +8,7 @@ import (
"strings"

"github.com/google/osv-scanner/internal/ci"
"github.com/google/osv-scanner/internal/version"
"github.com/google/osv-scanner/pkg/models"
"github.com/google/osv-scanner/pkg/osvscanner"
"github.com/google/osv-scanner/pkg/reporter"
Expand All @@ -17,9 +18,8 @@ import (

var (
// Update this variable when doing a release
version = "1.4.0"
commit = "n/a"
date = "n/a"
commit = "n/a"
date = "n/a"
)

// splitLastArg splits the last argument by new lines and appends the split
Expand Down Expand Up @@ -47,7 +47,7 @@ func run(args []string, stdout, stderr io.Writer) int {

app := &cli.App{
Name: "osv-scanner-action-reporter",
Version: version,
Version: version.OSVVersion,
Usage: "(Experimental) generates github action output",
Description: "(Experimental) Used specifically to generate github action output ",
Suggest: true,
11 changes: 5 additions & 6 deletions cmd/osv-scanner/main.go
Expand Up @@ -7,6 +7,7 @@ import (
"os"
"strings"

"github.com/google/osv-scanner/internal/version"
"github.com/google/osv-scanner/pkg/osv"
"github.com/google/osv-scanner/pkg/osvscanner"
"github.com/google/osv-scanner/pkg/reporter"
Expand All @@ -17,10 +18,8 @@ import (
)

var (
// Update this variable when doing a release
version = "1.4.0"
commit = "n/a"
date = "n/a"
commit = "n/a"
date = "n/a"
)

func run(args []string, stdout, stderr io.Writer) int {
Expand All @@ -32,11 +31,11 @@ func run(args []string, stdout, stderr io.Writer) int {
r.PrintText(fmt.Sprintf("osv-scanner version: %s\ncommit: %s\nbuilt at: %s\n", ctx.App.Version, commit, date))
}

osv.RequestUserAgent = "osv-scanner/" + version
osv.RequestUserAgent = "osv-scanner/" + version.OSVVersion

app := &cli.App{
Name: "osv-scanner",
Version: version,
Version: version.OSVVersion,
Usage: "scans various mediums for dependencies and matches it against the OSV database",
Suggest: true,
Writer: stdout,
182 changes: 106 additions & 76 deletions cmd/osv-scanner/main_test.go
Expand Up @@ -11,6 +11,7 @@ import (
"testing"

"github.com/go-git/go-git/v5"
"github.com/google/osv-scanner/internal/version"
)

func createTestDir(t *testing.T) (string, func()) {
Expand Down Expand Up @@ -134,7 +135,7 @@ func TestRun(t *testing.T) {
osv-scanner version: %s
commit: n/a
built at: n/a
`, version),
`, version.OSVVersion),
wantStderr: "",
},
// one specific supported lockfile
Expand Down Expand Up @@ -314,31 +315,25 @@ func TestRun(t *testing.T) {
name: "Empty sarif output",
args: []string{"", "--format", "sarif", "./fixtures/locks-many/composer.lock"},
wantExitCode: 0,
wantStdout: `
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"informationUri": "https://github.com/google/osv-scanner",
"name": "osv-scanner",
"rules": [
{
"id": "vulnerable-packages",
"shortDescription": {
"text": "This manifest file contains one or more vulnerable packages."
}
}
]
}
},
"results": []
}
]
}
`,
wantStdout: fmt.Sprintf(`
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"informationUri": "https://github.com/google/osv-scanner",
"name": "osv-scanner",
"rules": [],
"version": "%s"
}
},
"results": []
}
]
}
`, version.OSVVersion),
wantStderr: `
Scanning dir ./fixtures/locks-many/composer.lock
Scanned %%/fixtures/locks-many/composer.lock file and found 1 package
Expand All @@ -348,60 +343,95 @@ func TestRun(t *testing.T) {
name: "Sarif with vulns",
args: []string{"", "--format", "sarif", "--config", "./fixtures/osv-scanner-empty-config.toml", "./fixtures/locks-many/package-lock.json"},
wantExitCode: 1,
wantStdout: `
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"informationUri": "https://github.com/google/osv-scanner",
"name": "osv-scanner",
"rules": [
{
"id": "vulnerable-packages",
"shortDescription": {
"text": "This manifest file contains one or more vulnerable packages."
}
}
]
}
},
"artifacts": [
{
"location": {
"uri": "fixtures/locks-many/package-lock.json"
},
"length": -1
}
],
"results": [
{
"ruleId": "vulnerable-packages",
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "+-----------+-------------------------------------+------+-----------------+---------------+\n| PACKAGE \u0026nbsp; | VULNERABILITY ID \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;| CVSS | CURRENT VERSION | FIXED VERSION |\n+-----------+-------------------------------------+------+-----------------+---------------+\n| ansi-html | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 \u0026nbsp;| 0.0.1 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; | 0.0.8 \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; |\n+-----------+-------------------------------------+------+-----------------+---------------+"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "fixtures/locks-many/package-lock.json"
}
}
}
]
}
]
}
]
}
wantStdout: fmt.Sprintf(`
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"informationUri": "https://github.com/google/osv-scanner",
"name": "osv-scanner",
"rules": [
{
"id": "CVE-2021-23424",
"shortDescription": {
"text": "Uncontrolled Resource Consumption in ansi-html"
},
"fullDescription": {
"text": "This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.",
"markdown": "This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time."
},
"deprecatedIds": [
"CVE-2021-23424",
"GHSA-whgm-jr23-g3j9"
],
"help": {
"text": "\n**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/vulnerability/CVE-2021-23424)** \n.\n\n\n\u003e ## [GHSA-whgm-jr23-g3j9](https://osv.dev/vulnerability/GHSA-whgm-jr23-g3j9)\n\u003e \n\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\u003e \n\n\n---\n\n### Affected Packages\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/%%%%/fixtures/locks-many/package-lock.json | ansi-html | 0.0.1 |\n\n",
"markdown": "\n**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/vulnerability/CVE-2021-23424)** \n.\n\n\n\u003e ## [GHSA-whgm-jr23-g3j9](https://osv.dev/vulnerability/GHSA-whgm-jr23-g3j9)\n\u003e \n\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\u003e \n\n\n---\n\n### Affected Packages\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/%%%%/fixtures/locks-many/package-lock.json | ansi-html | 0.0.1 |\n\n"
}
}
],
"version": "%s"
}
},
"artifacts": [
{
"location": {
"uri": "file://%%%%/fixtures/locks-many/package-lock.json"
},
"length": -1
}
],
"results": [
{
"ruleId": "CVE-2021-23424",
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "Package '[email protected]' is vulnerable to 'CVE-2021-23424' (also known as 'GHSA-whgm-jr23-g3j9')."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file://%%%%/fixtures/locks-many/package-lock.json"
}
}
}
]
}
]
}
]
}
`, version.OSVVersion),
wantStderr: `
Scanning dir ./fixtures/locks-many/package-lock.json
Scanned %%/fixtures/locks-many/package-lock.json file and found 1 package
`,
},
// output format: gh-annotations
{
name: "Empty gh-annotations output",
args: []string{"", "--format", "gh-annotations", "./fixtures/locks-many/composer.lock"},
wantExitCode: 0,
wantStdout: ``,
wantStderr: `
Scanning dir ./fixtures/locks-many/composer.lock
Scanned %%/fixtures/locks-many/composer.lock file and found 1 package
`,
},
{
name: "gh-annotations with vulns",
args: []string{"", "--format", "gh-annotations", "--config", "./fixtures/osv-scanner-empty-config.toml", "./fixtures/locks-many/package-lock.json"},
wantExitCode: 1,
wantStdout: ``,
wantStderr: `
Scanning dir ./fixtures/locks-many/package-lock.json
Scanned %%/fixtures/locks-many/package-lock.json file and found 1 package
::error file=fixtures/locks-many/package-lock.json::fixtures/locks-many/package-lock.json%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| ansi-html | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | 0.0.1 | 0.0.8 |%0A+-----------+-------------------------------------+------+-----------------+---------------+
`,
},
// output format: markdown table
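Review bot: The new expected SARIF swaps the repository-relative `"uri": "fixtures/locks-many/package-lock.json"` for an absolute `file://%%%%/…` location in both `artifacts` and `physicalLocation.artifactLocation`; if this output is meant for GitHub code scanning, absolute file URIs will not map back to files in the repository, and they also put the scanning machine's directory layout into a report that is typically uploaded elsewhere, whereas the usual SARIF shape is a relative `uri` plus a `uriBaseId` (e.g. `%SRCROOT%`), so this is worth confirming as the intended contract before freezing it in the test. The `fullDescription`/`help` strings pin the advisory text as currently served by OSV, so the case needs network access and breaks whenever the upstream record is edited; if the harness does not already stub the OSV client, a recorded response would make it deterministic. The `help.text` also fixes a lone `.` line after the bold heading (`** \n.\n`), which looks like a template artifact rather than intended output. TestRun begins before this hunk and continues past it.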
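--- a/codecov.yml
+++ b/codecov.yml
@@ -0,0 +1,2 @@
+ignore:
+- internal/testutility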
4 changes: 2 additions & 2 deletions internal/ci/fixtures/vulns/test-vuln-diff-a-a-1.json
Expand Up @@ -2,7 +2,7 @@
"results": [
{
"source": {
"path": "/home/rexpan/Documents/Projects/different-dir/go.mod",
"path": "/path/to/different-dir/go.mod",
"type": "lockfile"
},
"packages": [
Expand Down Expand Up @@ -82,4 +82,4 @@
]
}
]
}
}
4 changes: 2 additions & 2 deletions internal/ci/fixtures/vulns/test-vuln-diff-a-b.json
Expand Up @@ -2,7 +2,7 @@
"results": [
{
"source": {
"path": "/home/rexpan/Documents/Projects/scorecard-check-osv-e2e/go.mod",
"path": "/path/to/scorecard-check-osv-e2e/go.mod",
"type": "lockfile"
},
"packages": [
Expand Down Expand Up @@ -119,4 +119,4 @@
]
}
]
}
}
6 changes: 3 additions & 3 deletions internal/ci/fixtures/vulns/test-vuln-diff-c-b.json
Expand Up @@ -2,7 +2,7 @@
"results": [
{
"source": {
"path": "/home/rexpan/Documents/Projects/scorecard-check-osv-e2e/go.mod",
"path": "/path/to/scorecard-check-osv-e2e/go.mod",
"type": "lockfile"
},
"packages": [
Expand Down Expand Up @@ -120,7 +120,7 @@
},
{
"source": {
"path": "/home/rexpan/Documents/Projects/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
"path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
"type": "lockfile"
},
"packages": [
Expand Down Expand Up @@ -326,4 +326,4 @@
]
}
]
}
}
4 changes: 2 additions & 2 deletions internal/ci/fixtures/vulns/test-vuln-results-a-1.json
Expand Up @@ -2,7 +2,7 @@
"results": [
{
"source": {
"path": "/home/rexpan/Documents/Projects/different-dir/go.mod",
"path": "/path/to/different-dir/go.mod",
"type": "lockfile"
},
"packages": [
Expand Down Expand Up @@ -83,7 +83,7 @@
},
{
"source": {
"path": "/home/rexpan/Documents/Projects/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
"path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
"type": "lockfile"
},
"packages": [
4 changes: 2 additions & 2 deletions internal/ci/fixtures/vulns/test-vuln-results-a.json
Expand Up @@ -2,7 +2,7 @@
"results": [
{
"source": {
"path": "/home/rexpan/Documents/Projects/scorecard-check-osv-e2e/go.mod",
"path": "/path/to/scorecard-check-osv-e2e/go.mod",
"type": "lockfile"
},
"packages": [
Expand Down Expand Up @@ -83,7 +83,7 @@
},
{
"source": {
"path": "/home/rexpan/Documents/Projects/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
"path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
"type": "lockfile"
},
"packages": [
Expand Down