Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package osv-scanner for openSUSE:Factory checked in at 2023-05-17 10:53:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/osv-scanner (Old) and /work/SRC/openSUSE:Factory/.osv-scanner.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "osv-scanner" Wed May 17 10:53:32 2023 rev:6 rq:1087489 version:1.3.3 Changes: -------- --- /work/SRC/openSUSE:Factory/osv-scanner/osv-scanner.changes 2023-04-26 17:26:58.066185539 +0200 +++ /work/SRC/openSUSE:Factory/.osv-scanner.new.1533/osv-scanner.changes 2023-05-17 10:54:02.623642217 +0200 
@@ -1,0 +2,34 @@ +Wed May 17 05:07:22 UTC 2023 - ka...@b1-systems.de + +- Update to version 1.3.3: + * Add new line and fix test to avoid having to change version + twice (#387) + * 1.3.3 Release (#385) + * Use upload draft assets option (#384) + * chore(deps): update golang:alpine docker digest to ee2f23f + (#380) + * chore(deps): update slsa-framework/slsa-github-generator action + to v1.6.0 (#383) + * fix(deps): update osv-scanner minor (#381) + * Remove --hash from version in requirements.txt (#379) + * Small formatting changes (#377) + * chore(deps): bump github.com/cloudflare/circl from 1.1.0 to + 1.3.3 (#378) + * add unit tests for results.go (#368) + * Improve exit docs and add No vulns found to output (#373) + * Update exit docs (#375) + * chore(deps): update github/codeql-action action to v2.3.3 + (#372) + * chore(deps): update golang:alpine docker digest to 913de96 + (#305) + * fix: handle cyclical `-r`s in `requirements.txt` (#366) + * fix: don't panic on empty files (#367) + * fix(deps): update osv-scanner minor (#327) + * Update spdx to 0.5.0 (#365) + * Update pkg/osv to allow overriding the http client / transport. + (#357) + * chore(deps): update github/codeql-action action to v2.3.2 + (#363) + * Enable osvVulnerabilityAlerts (#362) + +------------------------------------------------------------------- Old: ---- osv-scanner-1.3.2.obscpio New: ---- osv-scanner-1.3.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ osv-scanner.spec ++++++ --- /var/tmp/diff_new_pack.NBTkig/_old 2023-05-17 10:54:03.163645124 +0200 +++ /var/tmp/diff_new_pack.NBTkig/_new 2023-05-17 10:54:03.171645168 +0200 
@@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: osv-scanner -Version: 1.3.2 +Version: 1.3.3 Release: 0 Summary: Vulnerability scanner written in Go License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.NBTkig/_old 2023-05-17 10:54:03.215645405 +0200 +++ /var/tmp/diff_new_pack.NBTkig/_new 2023-05-17 10:54:03.219645426 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/google/osv-scanner</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.3.2</param> + <param name="revision">v1.3.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.NBTkig/_old 2023-05-17 10:54:03.243645556 +0200 +++ /var/tmp/diff_new_pack.NBTkig/_new 2023-05-17 10:54:03.247645577 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/google/osv-scanner</param> - <param name="changesrevision">c6d02d122f65ce3550eb002e4cbff6f1307aaa6a</param></service></servicedata> + <param name="changesrevision">dbeaddee112d005d950988cf07c09d91a4966fa8</param></service></servicedata> (No newline at EOF) ++++++ osv-scanner-1.3.2.obscpio -> osv-scanner-1.3.3.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/.github/workflows/codeql-analysis.yml new/osv-scanner-1.3.3/.github/workflows/codeql-analysis.yml --- old/osv-scanner-1.3.2/.github/workflows/codeql-analysis.yml 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/.github/workflows/codeql-analysis.yml 2023-05-17 06:40:15.000000000 +0200 
@@ -44,7 +44,7 @@ # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -55,7 +55,7 @@ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 # â¹ï¸ Command-line programs to run using the OS shell. # ð https://git.io/JvXDl @@ -69,4 +69,4 @@ # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/.github/workflows/goreleaser.yml new/osv-scanner-1.3.3/.github/workflows/goreleaser.yml --- old/osv-scanner-1.3.2/.github/workflows/goreleaser.yml 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/.github/workflows/goreleaser.yml 2023-05-17 06:40:15.000000000 +0200 
@@ -63,7 +63,8 @@ actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" - upload-assets: false # upload to a new release + upload-assets: true # upload to a new release + draft-release: true # upload to a new draft release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/.github/workflows/scorecards.yml new/osv-scanner-1.3.3/.github/workflows/scorecards.yml --- old/osv-scanner-1.3.2/.github/workflows/scorecards.yml 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/.github/workflows/scorecards.yml 2023-05-17 06:40:15.000000000 +0200 @@ -67,6 +67,6 @@ # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b2c19fb9a2a485599ccf4ed5d65527d94bc57226 # v2.3.0 + uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3 with: sarif_file: results.sarif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/CHANGELOG.md new/osv-scanner-1.3.3/CHANGELOG.md --- old/osv-scanner-1.3.2/CHANGELOG.md 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/CHANGELOG.md 2023-05-17 06:40:15.000000000 +0200 
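Review bot: The `uses:` line for the SLSA generator is referenced by the mutable tag `@v1.6.0` while every codeql-action step in this same commit is pinned to a commit SHA, and nothing in the file records that the difference is intentional. As far as I recall the slsa-github-generator documentation requires the reusable workflow to be referenced by tag so that slsa-verifier can validate the builder, so SHA-pinning would break provenance verification — which is exactly what a later "pin all actions" sweep would do unless the line is annotated. I would add directly above it: `# Referenced by tag on purpose: the SLSA generator must not be SHA-pinned, its provenance is verified against the tag (see slsa-github-generator docs).` Separately, `upload-assets: true` together with `draft-release: true` now writes the provenance to a draft release under the existing `contents: write` permission; confirm that this is the same release goreleaser creates for the tag and that it actually gets published, otherwise the binaries and their provenance end up in different places. The enclosing job definition starts before the hunk.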
@@ -1,97 +1,165 @@ -v1.3.2: -=== +# v1.3.3: ### Fixes -- [Bug #341](https://github.com/google/osv-scanner/pull/341) Make the reporter public to allow calling DoScan with non nil reporters. -- [Bug #335](https://github.com/google/osv-scanner/issues/335) Improve SBOM parsing and relaxing name requirements when explicitly scanning with `--sbom`. -- [Bug #333](https://github.com/google/osv-scanner/issues/333) Improve scanning speed for regex heavy lockfiles by caching regex compilation. -- [Bug #349](https://github.com/google/osv-scanner/pull/349) Improve SBOM documentation and error messages. +- [Bug #369](https://github.com/google/osv-scanner/issues/369) Fix + requirements.txt misparsing lines that contain `--hash`. +- [Bug #237](https://github.com/google/osv-scanner/issues/237) Clarify when no + vulnerabilities are found. +- [Bug #354](https://github.com/google/osv-scanner/issues/354) Fix cycle in + requirements.txt causing infinite recursion. +- [Bug #367](https://github.com/google/osv-scanner/issues/367) Fix panic when + parsing empty lockfile. -v1.3.1: -=== +### API Features -### Fixes -- [Bug #319](https://github.com/google/osv-scanner/issues/319) Fix segmentation fault when parsing CycloneDX without dependencies. +- [Feature #357](https://github.com/google/osv-scanner/pull/357) Update + `pkg/osv` to allow overriding the http client / transport -v1.3.0: -=== +# v1.3.2: -### Major Features: +### Fixes -- [Feature #198](https://github.com/google/osv-scanner/pull/198) GoVulnCheck integration! Try it out when scanning go code by adding the `--experimental-call-analysis` flag. -- [Feature #260](https://github.com/google/osv-scanner/pull/198) Support `-r` flag in `requirements.txt` files. -- [Feature #300](https://github.com/google/osv-scanner/pull/300) Make `IgnoredVulns` also ignore aliases. -- [Feature #304](https://github.com/google/osv-scanner/pull/304) OSV-Scanner now runs faster when there's multiple vulnerabilities. 
+- [Bug #341](https://github.com/google/osv-scanner/pull/341) Make the reporter + public to allow calling DoScan with non nil reporters. +- [Bug #335](https://github.com/google/osv-scanner/issues/335) Improve SBOM + parsing and relaxing name requirements when explicitly scanning with + `--sbom`. +- [Bug #333](https://github.com/google/osv-scanner/issues/333) Improve + scanning speed for regex heavy lockfiles by caching regex compilation. +- [Bug #349](https://github.com/google/osv-scanner/pull/349) Improve SBOM + documentation and error messages. + +# v1.3.1: ### Fixes -- [Bug #249](https://github.com/google/osv-scanner/issues/249) Support yarn locks with quoted properties. -- [Bug #232](https://github.com/google/osv-scanner/issues/232) Parse nested CycloneDX components correctly. -- [Bug #257](https://github.com/google/osv-scanner/issues/257) More specific cyclone dx parsing. -- [Bug #256](https://github.com/google/osv-scanner/issues/256) Avoid panic when parsing `file:` dependencies in `pnpm` lockfiles. -- [Bug #261](https://github.com/google/osv-scanner/issues/261) Deduplicate packages that appear multiple times in `Pipenv.lock` files. -- [Bug #267](https://github.com/google/osv-scanner/issues/267) Properly handle comparing zero versions in Maven. -- [Bug #279](https://github.com/google/osv-scanner/issues/279) Trim leading zeros off when comparing numerical components in Maven versions. -- [Bug #291](https://github.com/google/osv-scanner/issues/291) Check if PURL is valid before adding it to queries. -- [Bug #293](https://github.com/google/osv-scanner/issues/293) Avoid infinite loops parsing Maven poms with syntax errors -- [Bug #295](https://github.com/google/osv-scanner/issues/295) Set version in the source code, this allows version to be displayed in most package managers. -- [Bug #297](https://github.com/google/osv-scanner/issues/297) Support Pipenv develop packages without versions. 
-#### API Features -- [Feature #310](https://github.com/google/osv-scanner/pull/310) Improve the OSV models to allow for 3rd party use of the library. +- [Bug #319](https://github.com/google/osv-scanner/issues/319) Fix + segmentation fault when parsing CycloneDX without dependencies. -v1.2.0: -=== +# v1.3.0: ### Major Features: -- [Feature #168](https://github.com/google/osv-scanner/pull/168) Support for scanning debian package status file, usually located in `/var/lib/dpkg/status`. Thanks @cmaritan -- [Feature #94](https://github.com/google/osv-scanner/pull/94) Specify what parser should be used in `--lockfile`. -- [Feature #158](https://github.com/google/osv-scanner/pull/158) Specify output format to use with the `--format` flag. -- [Feature #165](https://github.com/google/osv-scanner/pull/165) Respect `.gitignore` files by default when scanning. -- [Feature #156](https://github.com/google/osv-scanner/pull/156) Support markdown table output format. Thanks @deftdawg -- [Feature #59](https://github.com/google/osv-scanner/pull/59) Support `conan.lock` lockfiles and ecosystem Thanks @SSE4 -- Updated documentation! Check it out here: https://google.github.io/osv-scanner/ - -### Minor Updates: -- [Feature #178](https://github.com/google/osv-scanner/pull/178) Support SPDX 2.3. -- [Feature #221](https://github.com/google/osv-scanner/pull/221) Support dependencyManagement section in Maven poms. -- [Feature #167](https://github.com/google/osv-scanner/pull/167) Make osvscanner API library public. -- [Feature #141](https://github.com/google/osv-scanner/pull/141) Retry OSV API calls to mitigate transient network issues. Thanks @davift -- [Feature #220](https://github.com/google/osv-scanner/pull/220) Vulnerability output is ordered deterministically. -- [Feature #179](https://github.com/google/osv-scanner/pull/179) Log number of packages scanned from SBOM. -- General dependency updates +- [Feature #198](https://github.com/google/osv-scanner/pull/198) GoVulnCheck + integration! 
Try it out when scanning go code by adding the + `--experimental-call-analysis` flag. +- [Feature #260](https://github.com/google/osv-scanner/pull/198) Support `-r` + flag in `requirements.txt` files. +- [Feature #300](https://github.com/google/osv-scanner/pull/300) Make + `IgnoredVulns` also ignore aliases. +- [Feature #304](https://github.com/google/osv-scanner/pull/304) OSV-Scanner + now runs faster when there's multiple vulnerabilities. ### Fixes -- [Bug #161](https://github.com/google/osv-scanner/pull/161) Exit with non zero exit code when there is a general error. -- [Bug #185](https://github.com/google/osv-scanner/pull/185) Properly omit Source from JSON output. -v1.1.0: -=== +- [Bug #249](https://github.com/google/osv-scanner/issues/249) Support yarn + locks with quoted properties. +- [Bug #232](https://github.com/google/osv-scanner/issues/232) Parse nested + CycloneDX components correctly. +- [Bug #257](https://github.com/google/osv-scanner/issues/257) More specific + cyclone dx parsing. +- [Bug #256](https://github.com/google/osv-scanner/issues/256) Avoid panic + when parsing `file:` dependencies in `pnpm` lockfiles. +- [Bug #261](https://github.com/google/osv-scanner/issues/261) Deduplicate + packages that appear multiple times in `Pipenv.lock` files. +- [Bug #267](https://github.com/google/osv-scanner/issues/267) Properly handle + comparing zero versions in Maven. +- [Bug #279](https://github.com/google/osv-scanner/issues/279) Trim leading + zeros off when comparing numerical components in Maven versions. +- [Bug #291](https://github.com/google/osv-scanner/issues/291) Check if PURL + is valid before adding it to queries. +- [Bug #293](https://github.com/google/osv-scanner/issues/293) Avoid infinite + loops parsing Maven poms with syntax errors +- [Bug #295](https://github.com/google/osv-scanner/issues/295) Set version in + the source code, this allows version to be displayed in most package + managers. 
+- [Bug #297](https://github.com/google/osv-scanner/issues/297) Support Pipenv + develop packages without versions. -This update adds support for NuGet ecosystem and various bug fixes by the community. +### API Features -- [Feature #98](https://github.com/google/osv-scanner/pull/98): Support for NuGet ecosystem. -- [Feature #71](https://github.com/google/osv-scanner/issues/71): Now supports Pipfile.lock scanning. -- [Bug #85](https://github.com/google/osv-scanner/issues/85): Even better support for narrow terminals by shortening osv.dev URLs. -- [Bug #105](https://github.com/google/osv-scanner/issues/105): Fix rare cases of too many open file handles. -- [Bug #131](https://github.com/google/osv-scanner/pull/131): Fix table highlighting overflow. -- [Bug #101](https://github.com/google/osv-scanner/issues/101): Now supports 32 bit systems. +- [Feature #310](https://github.com/google/osv-scanner/pull/310) Improve the + OSV models to allow for 3rd party use of the library. +# v1.2.0: -v1.0.2 -=== +### Major Features: -This is a minor patch release to mitigate human readable output issues on narrow terminals (#85). +- [Feature #168](https://github.com/google/osv-scanner/pull/168) Support for + scanning debian package status file, usually located in + `/var/lib/dpkg/status`. Thanks @cmaritan +- [Feature #94](https://github.com/google/osv-scanner/pull/94) Specify what + parser should be used in `--lockfile`. +- [Feature #158](https://github.com/google/osv-scanner/pull/158) Specify + output format to use with the `--format` flag. +- [Feature #165](https://github.com/google/osv-scanner/pull/165) Respect + `.gitignore` files by default when scanning. +- [Feature #156](https://github.com/google/osv-scanner/pull/156) Support + markdown table output format. Thanks @deftdawg +- [Feature #59](https://github.com/google/osv-scanner/pull/59) Support + `conan.lock` lockfiles and ecosystem Thanks @SSE4 +- Updated documentation! 
Check it out here: + https://google.github.io/osv-scanner/ -- [Bug #85](https://github.com/google/osv-scanner/issues/85): Better support for narrow terminals. +### Minor Updates: +- [Feature #178](https://github.com/google/osv-scanner/pull/178) Support SPDX + 2.3. +- [Feature #221](https://github.com/google/osv-scanner/pull/221) Support + dependencyManagement section in Maven poms. +- [Feature #167](https://github.com/google/osv-scanner/pull/167) Make + osvscanner API library public. +- [Feature #141](https://github.com/google/osv-scanner/pull/141) Retry OSV API + calls to mitigate transient network issues. Thanks @davift +- [Feature #220](https://github.com/google/osv-scanner/pull/220) Vulnerability + output is ordered deterministically. +- [Feature #179](https://github.com/google/osv-scanner/pull/179) Log number of + packages scanned from SBOM. +- General dependency updates -v1.0.1 -=== -Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community! +### Fixes -- Feature: ARM64 builds are now also available! -- [Feature #46](https://github.com/google/osv-scanner/pull/46): Gradle lockfile support. -- [Feature #50](https://github.com/google/osv-scanner/pull/46): Add version command. -- [Bug #52](https://github.com/google/osv-scanner/issues/52): Fixes 0 exit code being wrongly emitted when vulnerabilities are present. +- [Bug #161](https://github.com/google/osv-scanner/pull/161) Exit with non + zero exit code when there is a general error. +- [Bug #185](https://github.com/google/osv-scanner/pull/185) Properly omit + Source from JSON output. + +# v1.1.0: + +This update adds support for NuGet ecosystem and various bug fixes by the +community. + +- [Feature #98](https://github.com/google/osv-scanner/pull/98): Support for + NuGet ecosystem. +- [Feature #71](https://github.com/google/osv-scanner/issues/71): Now supports + Pipfile.lock scanning. 
+- [Bug #85](https://github.com/google/osv-scanner/issues/85): Even better + support for narrow terminals by shortening osv.dev URLs. +- [Bug #105](https://github.com/google/osv-scanner/issues/105): Fix rare cases + of too many open file handles. +- [Bug #131](https://github.com/google/osv-scanner/pull/131): Fix table + highlighting overflow. +- [Bug #101](https://github.com/google/osv-scanner/issues/101): Now supports + 32 bit systems. + +# v1.0.2 + +This is a minor patch release to mitigate human readable output issues on narrow +terminals (#85). + +- [Bug #85](https://github.com/google/osv-scanner/issues/85): Better support + for narrow terminals. + +# v1.0.1 + +Various bug fixes and improvements. Many thanks to the amazing contributions and +suggestions from the community! + +- Feature: ARM64 builds are now also available! +- [Feature #46](https://github.com/google/osv-scanner/pull/46): Gradle + lockfile support. +- [Feature #50](https://github.com/google/osv-scanner/pull/46): Add version + command. +- [Bug #52](https://github.com/google/osv-scanner/issues/52): Fixes 0 exit + code being wrongly emitted when vulnerabilities are present. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/Dockerfile new/osv-scanner-1.3.3/Dockerfile --- old/osv-scanner-1.3.2/Dockerfile 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/Dockerfile 2023-05-17 06:40:15.000000000 +0200 
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:alpine@sha256:74a382917f6eaa7cc2d000dc2cd412a7f823f343b3b6268b20d84d057bc56718
+FROM golang:alpine@sha256:ee2f23f1a612da71b8a4cd78fec827f1e67b0a8546a98d257cca441a4ddbebcb
 
 RUN mkdir /src
 WORKDIR /src
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/cmd/osv-scanner/main.go new/osv-scanner-1.3.3/cmd/osv-scanner/main.go
--- old/osv-scanner-1.3.2/cmd/osv-scanner/main.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/cmd/osv-scanner/main.go 2023-05-17 06:40:15.000000000 +0200
@@ -14,7 +14,7 @@
 var (
 // Update this variable when doing a release
- version = "1.3.2"
+ version = "1.3.3"
 commit = "n/a"
 date = "n/a"
 )
@@ -132,10 +132,17 @@
 ExperimentalCallAnalysis: context.Bool("experimental-call-analysis"),
 }, r)
 
+ if err != nil &&
+ !errors.Is(err, osvscanner.VulnerabilitiesFoundErr) &&
+ !errors.Is(err, osvscanner.OnlyUncalledVulnerabilitiesFoundErr) {
+ //nolint:wrapcheck
+ return err
+ }
+
 if errPrint := r.PrintResult(&vulnResult); errPrint != nil {
 return fmt.Errorf("failed to write output: %w", errPrint)
 }
- //nolint:wrapcheck
+
 return err
 },
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/cmd/osv-scanner/main_test.go new/osv-scanner-1.3.3/cmd/osv-scanner/main_test.go
--- old/osv-scanner-1.3.2/cmd/osv-scanner/main_test.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/cmd/osv-scanner/main_test.go 2023-05-17 06:40:15.000000000 +0200
@@ -117,11 +117,11 @@
 name: "",
 args: []string{"", "--version"},
 wantExitCode: 0,
- wantStdout: `
- osv-scanner version: 1.3.2
+ wantStdout: fmt.Sprintf(`
+ osv-scanner version: %s
 commit: n/a
 built at: n/a
- `,
+ `, version),
 wantStderr: "",
 },
 // one specific supported lockfile
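Review bot: The new early return before `r.PrintResult` carries no comment explaining why only the two "vulnerabilities found" sentinels are allowed through, and the reason matters here: this same release makes the reporter print `No vulnerabilities found` on an empty result (see the updated main_test.go expectations), so letting a parse or API error reach PrintResult would presumably report a broken scan as a clean one. I would add above the `if err != nil &&` line: `// Only the vulnerabilities-found sentinels carry a printable result; any other error must return here so a failed scan is never reported as "No vulnerabilities found".` The condition relies on `errors.Is`, but the import block is outside the hunk and no import change is shown, so check that `errors` is already imported in this file. The sentinel names `VulnerabilitiesFoundErr` and `OnlyUncalledVulnerabilitiesFoundErr` do not follow Go's `ErrXxx` convention, but they are declared outside this hunk, so that is a follow-up rather than a change here. The enclosing closure begins before the hunk.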
@@ -132,6 +132,7 @@ wantStdout: ` Scanning dir ./fixtures/locks-many/composer.lock Scanned %%/fixtures/locks-many/composer.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -181,6 +182,7 @@ Scanned %%/fixtures/locks-many/alpine.cdx.xml as CycloneDX SBOM and found 15 packages Scanned %%/fixtures/locks-many/composer.lock file and found 1 packages Scanned %%/fixtures/locks-many/yarn.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -206,6 +208,7 @@ wantStdout: ` Scanning dir ./fixtures/locks-one-with-nested Scanned %%/fixtures/locks-one-with-nested/yarn.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -218,6 +221,7 @@ Scanning dir ./fixtures/locks-one-with-nested Scanned %%/fixtures/locks-one-with-nested/nested/composer.lock file and found 1 packages Scanned %%/fixtures/locks-one-with-nested/yarn.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -230,6 +234,7 @@ Scanning dir ./fixtures/locks-gitignore Scanned %%/fixtures/locks-gitignore/Gemfile.lock file and found 1 packages Scanned %%/fixtures/locks-gitignore/subdir/yarn.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -248,6 +253,7 @@ Scanned %%/fixtures/locks-gitignore/subdir/composer.lock file and found 1 packages Scanned %%/fixtures/locks-gitignore/subdir/yarn.lock file and found 1 packages Scanned %%/fixtures/locks-gitignore/yarn.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -288,6 +294,7 @@ wantStdout: ` Scanning dir ./fixtures/locks-many/composer.lock Scanned %%/fixtures/locks-many/composer.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -327,6 +334,7 @@ wantExitCode: 0, wantStdout: ` Scanned %%/fixtures/locks-many/composer.lock file and found 1 packages + No vulnerabilities found `, wantStderr: "", }, 
@@ -467,6 +475,7 @@ wantExitCode: 0, wantStdout: ` Scanned %%/fixtures/locks-many/installed file as a apk-installed and found 1 packages + No vulnerabilities found `, wantStderr: "", }, @@ -481,6 +490,7 @@ wantExitCode: 0, wantStdout: ` Scanned %%/fixtures/locks-many/status file as a dpkg-status and found 1 packages + No vulnerabilities found `, wantStderr: "", }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/docs/configuration.md new/osv-scanner-1.3.3/docs/configuration.md --- old/osv-scanner-1.3.2/docs/configuration.md 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/docs/configuration.md 2023-05-17 06:40:15.000000000 +0200 @@ -4,17 +4,17 @@ permalink: /configuration/ nav_order: 4 --- -## Configure OSV-Scanner +# Configure OSV-Scanner To configure scanning, place an osv-scanner.toml file in the scanned file's directory. To override this osv-scanner.toml file, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead. Currently, there is only 1 option to configure: -### Ignore vulnerabilities by ID +## Ignore vulnerabilities by ID To ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, add an expiry date or reason. -#### Example +### Example ```toml [[IgnoredVulns]] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/docs/contribute.md new/osv-scanner-1.3.3/docs/contribute.md --- old/osv-scanner-1.3.2/docs/contribute.md 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/docs/contribute.md 2023-05-17 06:40:15.000000000 +0200 
@@ -4,11 +4,11 @@ permalink: /contribute/ nav_order: 6 --- -## Contribute +# Contribute -### Report Problems +## Report Problems If you have what looks like a bug, please use the [Github issue tracking system](https://github.com/google/osv-scanner/issues). Before you file an issue, please search existing issues to see if your issue is already covered. -### Contributing code to `osv-scanner` +## Contributing code to `osv-scanner` See [CONTRIBUTING.md](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md) for documentation on how to contribute code. \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/docs/installation.md new/osv-scanner-1.3.3/docs/installation.md --- old/osv-scanner-1.3.2/docs/installation.md 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/docs/installation.md 2023-05-17 06:40:15.000000000 +0200 
@@ -5,47 +5,47 @@ nav_order: 2 --- -## Installing +# Installation You may download the [SLSA3](https://slsa.dev) compliant binaries for Linux, macOS, and Windows from our [releases page](https://github.com/google/osv-scanner/releases). -### Package Managers +## Package Managers [](https://repology.org/project/osv-scanner/versions) -#### Windows Scoop +### Windows Scoop [Windows Scoop](https://scoop.sh) users can install osv-scanner from the [official bucket](https://github.com/ScoopInstaller/Main/blob/master/bucket/osv-scanner.json): ```bash scoop install osv-scanner ``` -#### Homebrew +### Homebrew [Homebrew](https://brew.sh/) users can install [osv-scanner](https://formulae.brew.sh/formula/osv-scanner) via: ```bash brew install osv-scanner ``` -#### Arch Linux +### Arch Linux Arch Linux users can install osv-scanner from the official repo: ```bash pacman -S osv-scanner ``` -#### Alpine Linux +### Alpine Linux Alpine Linux users can install osv-scanner from the official repo: ```bash apk add osv-scanner ``` -#### OpenBSD +### OpenBSD OpenBSD users can install osv-scanner from the official repo: ```bash pkg_add osv-scanner ``` -### Install from source +## Install from source Alternatively, you can install this from source by running: @@ -55,7 +55,7 @@ This requires Go 1.18+ to be installed. -### Build from source +## Build from source See [CONTRIBUTING.md](CONTRIBUTING.md) file. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/docs/output.md new/osv-scanner-1.3.3/docs/output.md --- old/osv-scanner-1.3.2/docs/output.md 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/docs/output.md 2023-05-17 06:40:15.000000000 +0200 
@@ -4,11 +4,11 @@ permalink: /output/ nav_order: 5 --- -## Output formats +# Output formats You can control the format used by the scanner to output results with the `--format` flag. -### Table (Default) +## Table (Default) The default format, which outputs the results as a human-readable table. @@ -31,7 +31,7 @@ --- -### Markdown Table +## Markdown Table ```bash osv-scanner --format markdown your/project/dir @@ -60,7 +60,7 @@ --- -### JSON +## JSON ```bash osv-scanner --format json your/project/dir @@ -171,4 +171,16 @@ } ``` -</details> \ No newline at end of file +</details> + +## Return Codes + +|----- +| Exit Code |Reason| +|:---------------:|------------| +| `0` | Packages were found when scanning, but does not match any known vulnerabilities. | +| `1` | Packages were found when scanning, and there are vulnerabilities. | +| `1-126` | Reserved for vulnerability result related errors. | +| `127` | General Error. | +| `128` | No packages found (likely caused by the scanning format not picking up any files to scan). | +| `129-255` | Reserved for non result related errors. | \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/docs/usage.md new/osv-scanner-1.3.3/docs/usage.md --- old/osv-scanner-1.3.2/docs/usage.md 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/docs/usage.md 2023-05-17 06:40:15.000000000 +0200 
@@ -4,11 +4,22 @@ permalink: /usage/ nav_order: 3 --- -## Usage +# Usage + +{: .no_toc } + +<details open markdown="block"> + <summary> + Table of contents + </summary> + {: .text-delta } +- TOC +{:toc} +</details> OSV-Scanner parses lockfiles, SBOMs, and git directories to determine your project's open source dependencies. These dependencies are matched against the OSV database via the [OSV.dev API](https://osv.dev#use-the-api) and known vulnerabilities are returned to you in the output. -### General use case: scanning a directory +## General use case: scanning a directory ```bash osv-scanner -r /path/to/your/dir @@ -20,7 +31,7 @@ Git directories are searched for the latest commit hash. Searching for git commit hash is intended to work with projects that use git submodules or a similar mechanism where dependencies are checked out as real git repositories. -### Ignored files +## Ignored files By default, OSV-Scanner will not scan files that are ignored by `.gitignore` files. All recursively scanned files are matched to a git repository (if it exists) and any matching `.gitignore` files within that repository are taken into account. @@ -28,7 +39,7 @@ The `--no-ignore` flag can be used to force the scanner to scan ignored files. -### Specify SBOM +## Specify SBOM If you want to check for known vulnerabilities only in dependencies in your SBOM, you can use the following command: @@ -47,7 +58,7 @@ [CycloneDX]: https://cyclonedx.org/ [Package URLs]: https://github.com/package-url/purl-spec -### Specify Lockfile(s) +## Specify Lockfile(s) If you want to check for known vulnerabilities in specific lockfiles, you can use the following command: ```bash @@ -99,7 +110,7 @@ osv-scanner --lockfile ':/path/to/my:projects/package-lock.json' ``` -### Scanning with call analysis +## Scanning with call analysis {: .note } Features and flags with the `experimental` prefix might change or be removed with only a minor version update. 
@@ -110,17 +121,17 @@ To enable call analysis, call OSV-Scanner with the `--experimental-call-analysis` flag. -#### Supported languages +### Supported languages - `go` - Additional dependencies: - `go` compiler needs to be installed and available on PATH -#### Example +### Example ```bash osv-scanner --experimental-call-analysis ./my/project/path ``` -### Scanning a Debian based docker image packages +## Scanning a Debian based docker image packages Preview {: .label } @@ -132,13 +143,13 @@ This currently does not scan the filesystem of the Docker container, and has various other limitations. Follow [this issue](https://github.com/google/osv-scanner/issues/64) for updates on container scanning! -#### Example +### Example ```bash osv-scanner --docker image_name:latest ``` -### Running in a Docker Container +## Running in a Docker Container The simplest way to get the osv-scanner docker image is to pull from GitHub Container Registry: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/go.mod new/osv-scanner-1.3.3/go.mod --- old/osv-scanner-1.3.2/go.mod 2023-04-26 06:38:13.000000000 +0200 +++ new/osv-scanner-1.3.3/go.mod 2023-05-17 06:40:15.000000000 +0200 @@ -11,13 +11,13 @@ github.com/jedib0t/go-pretty/v6 v6.4.6 github.com/kr/pretty v0.3.1 github.com/package-url/packageurl-go v0.1.0 - github.com/spdx/tools-golang v0.4.0 - github.com/urfave/cli/v2 v2.25.1 - golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 + github.com/spdx/tools-golang v0.5.0 + github.com/urfave/cli/v2 v2.25.3 + golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea golang.org/x/mod v0.10.0 - golang.org/x/sync v0.1.0 - golang.org/x/term v0.7.0 - golang.org/x/tools v0.8.0 + golang.org/x/sync v0.2.0 + golang.org/x/term v0.8.0 + golang.org/x/tools v0.9.1 golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3 gopkg.in/yaml.v3 v3.0.1 ) 
@@ -26,7 +26,8 @@
 github.com/Microsoft/go-winio v0.5.2 // indirect
 github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 github.com/acomagu/bufpipe v1.0.4 // indirect
- github.com/cloudflare/circl v1.1.0 // indirect
+ github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+ github.com/cloudflare/circl v1.3.3 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
 github.com/go-git/gcfg v1.5.0 // indirect
@@ -45,7 +46,7 @@
 github.com/xanzy/ssh-agent v0.3.3 // indirect
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 golang.org/x/crypto v0.6.0 // indirect
- golang.org/x/net v0.9.0 // indirect
- golang.org/x/sys v0.7.0 // indirect
+ golang.org/x/net v0.10.0 // indirect
+ golang.org/x/sys v0.8.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/go.sum new/osv-scanner-1.3.3/go.sum
--- old/osv-scanner-1.3.2/go.sum 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/go.sum 2023-05-17 06:40:15.000000000 +0200
@@ -8,6 +8,8 @@
 github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
 github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
 github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -15,8 +17,9 @@
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
-github.com/cloudflare/circl v1.1.0 h1:bZgT/A+cikZnKIwn7xL2OBj012Bmvho/o6RpRvv3GKY=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -36,7 +39,6 @@
 github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
 github.com/go-git/go-git/v5 v5.6.1 h1:q4ZRqQl4pR/ZJHc1L5CFjGA1a10u76aV1iC+nh+bHsk=
 github.com/go-git/go-git/v5 v5.6.1/go.mod h1:mvyoL6Unz0PiTQrGQfSfiLFhBH1c1e84ylC2MDs4ee8=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
@@ -86,18 +88,21 @@
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
 github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 h1:dArkMwZ7Mf2JiU8OfdmqIv8QaHT4oyifLIe1UhsF1SY=
 github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
-github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0=
-github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
+github.com/spdx/tools-golang v0.5.0 h1:/fqihV2Jna7fmow65dHpgKNsilgLK7ICpd2tkCnPEyY=
+github.com/spdx/tools-golang v0.5.0/go.mod h1:kkGlrSXXfHwuSzHQZJRV3aKu9ZXCq/MSf2+xyiJH1lM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/urfave/cli/v2 v2.25.1 h1:zw8dSP7ghX0Gmm8vugrs6q9Ku0wzweqPyshy+syu9Gw=
-github.com/urfave/cli/v2 v2.25.1/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/urfave/cli/v2 v2.25.3 h1:VJkt6wvEBOoSjPFQvOkv6iWIrsJyCrKGtCtxXWwmGeY=
+github.com/urfave/cli/v2 v2.25.3/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
@@ -112,8 +117,8 @@
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 h1:5llv2sWeaMSnA3w2kS57ouQQ4pudlXrR0dCgw51QK9o=
-golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea h1:vLCWI/yYrdEHyN2JzIzPO3aaQJHQdp89IZBA/+azVC4=
+golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
@@ -126,12 +131,12 @@
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -149,15 +154,15 @@
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -169,12 +174,11 @@
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
-golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
-golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
+golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3 h1:9GJsAwSzB/ztwMwsEm3ihUgCXHCULbNsubxqIrdKa44=
 golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3/go.mod h1:LTLnfk/dpXDNKsX6aCg/cI4LyCVnTyrQhgV/yLJuly0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/internal/sbom/spdx.go new/osv-scanner-1.3.3/internal/sbom/spdx.go
--- old/osv-scanner-1.3.2/internal/sbom/spdx.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/internal/sbom/spdx.go 2023-05-17 06:40:15.000000000 +0200
@@ -8,9 +8,9 @@
 "strings"
 spdx_json "github.com/spdx/tools-golang/json"
- "github.com/spdx/tools-golang/rdfloader"
- "github.com/spdx/tools-golang/spdx/v2_3"
- "github.com/spdx/tools-golang/tvloader"
+ "github.com/spdx/tools-golang/rdf"
+ "github.com/spdx/tools-golang/spdx/v2/v2_3"
+ "github.com/spdx/tools-golang/tagvalue"
 )
 type SPDX struct{}
@@ -25,15 +25,15 @@
 spdxLoaders = []loader{
 {
 name: "json",
- loader: spdx_json.Load2_3,
+ loader: spdx_json.Read,
 },
 {
 name: "rdf",
- loader: rdfloader.Load2_3,
+ loader: rdf.Read,
 },
 {
 name: "tv",
- loader: tvloader.Load2_3,
+ loader: tagvalue.Read,
 },
 }
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-complex-1.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-complex-1.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-complex-1.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-complex-1.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,3 @@
+-r ./cyclic-r-complex-2.txt
+
+cyclic-r-complex==1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-complex-2.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-complex-2.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-complex-2.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-complex-2.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,4 @@
+-r ./../pip/cyclic-r-complex-1.txt
+-r ./cyclic-r-complex-3.txt
+
+cyclic-r-complex==2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-complex-3.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-complex-3.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-complex-3.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-complex-3.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,4 @@
+-r ./cyclic-r-complex-1.txt
+-r ./cyclic-r-complex-2.txt
+
+cyclic-r-complex==3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-self.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-self.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/cyclic-r-self.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/cyclic-r-self.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,4 @@
+-r ./cyclic-r-self.txt
+
+requests==1.2.3
+pandas==0.23.4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/duplicate-r-base.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/duplicate-r-base.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/duplicate-r-base.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/duplicate-r-base.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1 @@
+django==0.1.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/duplicate-r-dev.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/duplicate-r-dev.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/duplicate-r-dev.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/duplicate-r-dev.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,5 @@
+-r ./duplicate-r-base.txt
+-r ./duplicate-r-test.txt
+
+pandas==0.23.4
+requests==1.2.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/duplicate-r-test.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/duplicate-r-test.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/duplicate-r-test.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/duplicate-r-test.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,4 @@
+-r ./duplicate-r-base.txt
+
+requests==1.2.3
+unittest==1.0.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/line-continuation.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/line-continuation.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/line-continuation.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/line-continuation.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,17 @@
+# unescaped
+foo==\
+\
+ \
+ \
+1.2.3
+
+# escaped, a literal backslash for some reason
+bar == 4.5\\
+.6
+
+# comments are stripped only after line continuations are processed
+baz == 7.8.9 # \
+baz == 1.2.3
+
+# continue to end
+qux == 10.11.12\
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/with-per-requirement-options.txt new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/with-per-requirement-options.txt
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pip/with-per-requirement-options.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pip/with-per-requirement-options.txt 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,12 @@
+boto3==1.26.121 --hash=sha256:f87d694c351eba1dfd19b5bef5892a1047e7adb09c57c2c00049de209a8ab55d
+foo == 1.0.0
+
+# from https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode
+
+FooProject == 1.2 \
+ --hash=sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
+ --hash=sha256:486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7
+
+# from https://pip.pypa.io/en/stable/reference/requirements-file-format/#influencing-the-build-system
+
+BarProject >= 1.2 --global-option="--no-user-cfg"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pnpm/empty.yaml new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pnpm/empty.yaml
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pnpm/empty.yaml 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pnpm/empty.yaml 2023-05-17 06:40:15.000000000 +0200
@@ -1,7 +1 @@
-lockfileVersion: 5.3
-
-specifiers:
-
-dependencies:
-
-packages:
+# this is an empty file!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pnpm/no-packages.yaml new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pnpm/no-packages.yaml
--- old/osv-scanner-1.3.2/pkg/lockfile/fixtures/pnpm/no-packages.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/lockfile/fixtures/pnpm/no-packages.yaml 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,7 @@
+lockfileVersion: 5.3
+
+specifiers:
+
+dependencies:
+
+packages:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/parse-pnpm-lock.go new/osv-scanner-1.3.3/pkg/lockfile/parse-pnpm-lock.go
--- old/osv-scanner-1.3.2/pkg/lockfile/parse-pnpm-lock.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/lockfile/parse-pnpm-lock.go 2023-05-17 06:40:15.000000000 +0200
@@ -177,5 +177,10 @@
 return []PackageDetails{}, fmt.Errorf("could not parse %s: %w", pathToLockfile, err)
 }
+ // this will happen if the file is empty
+ if parsedLockfile == nil {
+ parsedLockfile = &PnpmLockfile{}
+ }
+
 return parsePnpmLock(*parsedLockfile), nil
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/parse-pnpm-lock_test.go new/osv-scanner-1.3.3/pkg/lockfile/parse-pnpm-lock_test.go
--- old/osv-scanner-1.3.2/pkg/lockfile/parse-pnpm-lock_test.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/lockfile/parse-pnpm-lock_test.go 2023-05-17 06:40:15.000000000 +0200
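Review bot: The comment on the new nil guard, `// this will happen if the file is empty`, is narrower than what the guard handles: the `empty.yaml` fixture this commit rewrites contains only a comment line, and `TestParsePnpmLock_Empty` expects it to parse without error, so a comment-only lockfile also arrives here as a nil document. Suggest `// an empty or comment-only lockfile decodes to a nil document; treat it as having no packages`. The enclosing function starts outside the hunk, so I can't see whether the decoder yields nil for any other input; if it does, naming the symptom ("nil document") rather than one cause is the safer wording.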
@@ -23,13 +23,25 @@
 expectPackages(t, packages, []lockfile.PackageDetails{})
 }
-func TestParsePnpmLock_NoPackages(t *testing.T) {
+func TestParsePnpmLock_Empty(t *testing.T) {
 t.Parallel()
 packages, err := lockfile.ParsePnpmLock("fixtures/pnpm/empty.yaml")
 if err != nil {
 t.Errorf("Got unexpected error: %v", err)
+ }
+
+ expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
+func TestParsePnpmLock_NoPackages(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParsePnpmLock("fixtures/pnpm/no-packages.yaml")
+
+ if err != nil {
+ t.Errorf("Got unexpected error: %v", err)
 }
 expectPackages(t, packages, []lockfile.PackageDetails{})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/parse-requirements-txt.go new/osv-scanner-1.3.3/pkg/lockfile/parse-requirements-txt.go
--- old/osv-scanner-1.3.2/pkg/lockfile/parse-requirements-txt.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/lockfile/parse-requirements-txt.go 2023-05-17 06:40:15.000000000 +0200
@@ -38,12 +38,11 @@
 }
 if constraint != "" {
- splitted := strings.Split(line, constraint)
-
- name = strings.TrimSpace(splitted[0])
+ unprocessedName, unprocessedVersion, _ := strings.Cut(line, constraint)
+ name = strings.TrimSpace(unprocessedName)
 if constraint != "!=" {
- version = strings.TrimSpace(splitted[1])
+ version, _, _ = strings.Cut(strings.TrimSpace(unprocessedVersion), " ")
 }
 }
@@ -70,7 +69,7 @@
 // per https://www.python.org/dev/peps/pep-0503/#normalized-names
 name = cachedregexp.MustCompile(`[-_.]+`).ReplaceAllString(name, "-")
 name = strings.ToLower(name)
- name = strings.Split(name, "[")[0]
+ name, _, _ = strings.Cut(name, "[")
 return name
 }
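Review bot: `version, _, _ = strings.Cut(strings.TrimSpace(unprocessedVersion), " ")` in the `@@ -38,12 +38,11 @@` hunk stops only at an ASCII space, so a per-requirement option separated from the version by a tab stays glued to the version string and the `--hash`-stripping this commit is about would silently not apply to that line. Cutting at the first whitespace of any kind covers it: `if fields := strings.Fields(unprocessedVersion); len(fields) > 0 { version = fields[0] }`. The enclosing function starts and ends outside the hunk, so I'm assuming `version` is the zero value before this point, as the old `splitted[1]` form also relied on.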
@@ -93,7 +92,18 @@
 strings.HasPrefix(line, "/")
 }
+func isLineContinuation(line string) bool {
+ // checks that the line ends with an odd number of back slashes,
+ // meaning the last one isn't escaped
+ var re = cachedregexp.MustCompile(`([^\\]|^)(\\{2})*\\$`)
+
+ return re.MatchString(line)
+}
+
 func ParseRequirementsTxt(pathToLockfile string) ([]PackageDetails, error) {
+ return parseRequirementsTxt(pathToLockfile, map[string]struct{}{})
+}
+func parseRequirementsTxt(pathToLockfile string, requiredAlready map[string]struct{}) ([]PackageDetails, error) {
 packages := map[string]PackageDetails{}
 file, err := os.Open(pathToLockfile)
@@ -103,14 +113,29 @@
 defer file.Close()
 scanner := bufio.NewScanner(file)
-
 for scanner.Scan() {
- line := removeComments(scanner.Text())
+ line := scanner.Text()
+
+ for isLineContinuation(line) {
+ line = strings.TrimSuffix(line, "\\")
+
+ if scanner.Scan() {
+ line += scanner.Text()
+ }
+ }
+
+ line = removeComments(line)
+
+ if ar := strings.TrimPrefix(line, "-r "); ar != line {
+ ar = filepath.Join(filepath.Dir(pathToLockfile), ar)
+
+ if _, ok := requiredAlready[ar]; ok {
+ continue
+ }
+
+ requiredAlready[ar] = struct{}{}
- if strings.HasPrefix(line, "-r ") {
- details, err := ParseRequirementsTxt(
- filepath.Join(filepath.Dir(pathToLockfile), strings.TrimPrefix(line, "-r ")),
- )
+ details, err := parseRequirementsTxt(ar, requiredAlready)
 if err != nil {
 return []PackageDetails{}, fmt.Errorf("failed to include %s: %w", line, err)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/lockfile/parse-requirements-txt_test.go new/osv-scanner-1.3.3/pkg/lockfile/parse-requirements-txt_test.go
--- old/osv-scanner-1.3.2/pkg/lockfile/parse-requirements-txt_test.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/lockfile/parse-requirements-txt_test.go 2023-05-17 06:40:15.000000000 +0200
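Review bot: `ParseRequirementsTxt` hands `parseRequirementsTxt` an empty `requiredAlready` map and never records the root file in it, so a file that includes itself (the new `cyclic-r-self.txt` fixture) is opened and parsed a second time before the guard in the next hunk trips; the `packages` map hides the duplicates, but the work is doubled and every include chain runs one level deeper than needed. Seeding the map with the root, `return parseRequirementsTxt(pathToLockfile, map[string]struct{}{filepath.Clean(pathToLockfile): {}})`, produces the same key shape `filepath.Join` yields for includes. The exported entry point also has no doc comment and is not separated from `parseRequirementsTxt` by a blank line; suggest `// ParseRequirementsTxt parses a pip requirements file, following -r includes relative to it and visiting each included file once.`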
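Review bot: The include guard in the `@@ -103,14 +113,29 @@` hunk keys `requiredAlready` on the cleaned path string from `filepath.Join`, not on the file it resolves to, so two spellings that reach the same file through a symlinked directory count as distinct and the cycle check does not fire for them; each pass would then add another path component until `os.Open` refuses the path, ending in an error rather than a clean stop. Resolving the key with `filepath.EvalSymlinks` and falling back to the joined path on error would make the guard depend on file identity, which matters for a scanner that reads repositories it does not control. Separately, when `scanner.Scan()` returns false inside the continuation loop because of a read error rather than EOF, the partial line is processed as if the file ended there; the loop's tail is outside the hunk, so I can't see whether `scanner.Err()` is checked afterwards.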
@@ -432,3 +432,170 @@
 expectErrContaining(t, err, "could not open")
 expectPackages(t, packages, []lockfile.PackageDetails{})
 }
+
+func TestParseRequirementsTxt_DuplicateROptions(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParseRequirementsTxt("fixtures/pip/duplicate-r-dev.txt")
+
+ if err != nil {
+ t.Errorf("Got unexpected error: %v", err)
+ }
+
+ expectPackages(t, packages, []lockfile.PackageDetails{
+ {
+ Name: "django",
+ Version: "0.1.0",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "pandas",
+ Version: "0.23.4",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "requests",
+ Version: "1.2.3",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "unittest",
+ Version: "1.0.0",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ })
+}
+
+func TestParseRequirementsTxt_CyclicRSelf(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParseRequirementsTxt("fixtures/pip/cyclic-r-self.txt")
+
+ if err != nil {
+ t.Errorf("Got unexpected error: %v", err)
+ }
+
+ expectPackages(t, packages, []lockfile.PackageDetails{
+ {
+ Name: "pandas",
+ Version: "0.23.4",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "requests",
+ Version: "1.2.3",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ })
+}
+
+func TestParseRequirementsTxt_CyclicRComplex(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParseRequirementsTxt("fixtures/pip/cyclic-r-complex-1.txt")
+
+ if err != nil {
+ t.Errorf("Got unexpected error: %v", err)
+ }
+
+ expectPackages(t, packages, []lockfile.PackageDetails{
+ {
+ Name: "cyclic-r-complex",
+ Version: "1",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "cyclic-r-complex",
+ Version: "2",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "cyclic-r-complex",
+ Version: "3",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ })
+}
+
+func TestParseRequirementsTxt_WithPerRequirementOptions(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParseRequirementsTxt("fixtures/pip/with-per-requirement-options.txt")
+
+ if err != nil {
+ t.Errorf("Got unexpected error: %v", err)
+ }
+
+ expectPackages(t, packages, []lockfile.PackageDetails{
+ {
+ Name: "boto3",
+ Version: "1.26.121",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "foo",
+ Version: "1.0.0",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "fooproject",
+ Version: "1.2",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "barproject",
+ Version: "1.2",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ })
+}
+
+func TestParseRequirementsTxt_LineContinuation(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParseRequirementsTxt("fixtures/pip/line-continuation.txt")
+
+ if err != nil {
+ t.Errorf("Got unexpected error: %v", err)
+ }
+
+ expectPackages(t, packages, []lockfile.PackageDetails{
+ {
+ Name: "foo",
+ Version: "1.2.3",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "bar",
+ Version: "4.5\\\\",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "baz",
+ Version: "7.8.9",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ {
+ Name: "qux",
+ Version: "10.11.12",
+ Ecosystem: lockfile.PipEcosystem,
+ CompareAs: lockfile.PipEcosystem,
+ },
+ })
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/models/results_test.go new/osv-scanner-1.3.3/pkg/models/results_test.go
--- old/osv-scanner-1.3.2/pkg/models/results_test.go 1970-01-01 01:00:00.000000000 +0100
+++ new/osv-scanner-1.3.3/pkg/models/results_test.go 2023-05-17 06:40:15.000000000 +0200
@@ -0,0 +1,50 @@
+package models
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+)
+
+func TestFlatten(t *testing.T) {
+ t.Parallel()
+ // Test case 1: When there are no vulnerabilities
+ vulns := VulnerabilityResults{Results: []PackageSource{}}
+ expectedFlattened := []VulnerabilityFlattened{}
+ flattened := vulns.Flatten()
+ if diff := cmp.Diff(flattened, expectedFlattened); diff != "" {
+ t.Errorf("Flatten() returned unexpected result (-got +want):\n%s", diff)
+ }
+
+ // Test case 2: When there are vulnerabilities
+ group := GroupInfo{IDs: []string{"CVE-2021-1234"}}
+ pkg := PackageVulns{
+ Package: PackageInfo{Name: "package"},
+ Groups: []GroupInfo{group},
+ Vulnerabilities: []Vulnerability{
+ {
+ ID: "CVE-2021-1234",
+ Severity: []Severity{
+ {
+ Type: SeverityType("high"),
+ Score: "1",
+ },
+ },
+ },
+ },
+ }
+ source := PackageSource{Source: SourceInfo{Path: "package"}, Packages: []PackageVulns{pkg}}
+ vulns = Vuln
erabilityResults{Results: []PackageSource{source}}
+ expectedFlattened = []VulnerabilityFlattened{
+ {
+ Source: source.Source,
+ Package: pkg.Package,
+ Vulnerability: pkg.Vulnerabilities[0],
+ GroupInfo: group,
+ },
+ }
+ flattened = vulns.Flatten()
+ if diff := cmp.Diff(flattened, expectedFlattened); diff != "" {
+ t.Errorf("Flatten() returned unexpected result (-got +want):\n%s", diff)
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/osv/osv.go new/osv-scanner-1.3.3/pkg/osv/osv.go
--- old/osv-scanner-1.3.2/pkg/osv/osv.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/osv/osv.go 2023-05-17 06:40:15.000000000 +0200
@@ -127,6 +127,12 @@
 // MakeRequest sends a batched query to osv.dev
 func MakeRequest(request BatchedQuery) (*BatchedResponse, error) {
+ return MakeRequestWithClient(request, http.DefaultClient)
+}
+
+// MakeRequestWithClient sends a batched query to osv.dev with the provided
+// http client.
+func MakeRequestWithClient(request BatchedQuery, client *http.Client) (*BatchedResponse, error) {
 // API has a limit of 1000 bulk query per request
 queryChunks := chunkBy(request.Queries, maxQueriesPerRequest)
 var totalOsvResp BatchedResponse
@@ -140,7 +146,7 @@
 resp, err := makeRetryRequest(func() (*http.Response, error) {
 // We do not need a specific context
 //nolint:noctx
- return http.Post(QueryEndpoint, "application/json", requestBuf)
+ return client.Post(QueryEndpoint, "application/json", requestBuf)
 })
 if err != nil {
 return nil, err
@@ -166,9 +172,15 @@
 // Get a Vulnerability for the given ID.
 func Get(id string) (*models.Vulnerability, error) {
+ return GetWithClient(id, http.DefaultClient)
+}
+
+// GetWithClient gets a Vulnerability for the given ID with the provided http
+// client.
+func GetWithClient(id string, client *http.Client) (*models.Vulnerability, error) {
 resp, err := makeRetryRequest(func() (*http.Response, error) {
 //nolint:noctx
- return http.Get(GetEndpoint + "/" + id)
+ return client.Get(GetEndpoint + "/" + id)
 })
 if err != nil {
 return nil, err
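Review bot: `MakeRequestWithClient` dereferences `client` without a nil check, so a caller that passes nil panics inside the closure handed to `makeRetryRequest` instead of getting an error back; the same applies to `GetWithClient` in the `@@ -166,9 +172,15 @@` hunk and to `HydrateWithClient`, which additionally forwards the pointer into goroutines. A one-line guard at the top of each, `if client == nil { client = http.DefaultClient }`, gives nil the behaviour the plain wrappers already choose. Note that `http.DefaultClient` carries no timeout, so the non-`WithClient` entry points still depend on `makeRetryRequest` (not visible here) to bound the call. The function body continues past the end of the hunk.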
@@ -192,6 +204,12 @@
 // Hydrate fills the results of the batched response with the full
 // Vulnerability details.
 func Hydrate(resp *BatchedResponse) (*HydratedBatchedResponse, error) {
+ return HydrateWithClient(resp, http.DefaultClient)
+}
+
+// HydrateWithClient fills the results of the batched response with the full
+// Vulnerability details using the provided http client.
+func HydrateWithClient(resp *BatchedResponse, client *http.Client) (*HydratedBatchedResponse, error) {
 hydrated := HydratedBatchedResponse{}
 ctx := context.TODO()
 // Preallocate the array to avoid slice reallocations when inserting later
@@ -211,7 +229,7 @@
 }
 go func(id string, batchIdx int, resultIdx int) {
- vuln, err := Get(id)
+ vuln, err := GetWithClient(id, client)
 if err != nil {
 errChan <- err
 } else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/pkg/reporter/table_reporter.go new/osv-scanner-1.3.3/pkg/reporter/table_reporter.go
--- old/osv-scanner-1.3.2/pkg/reporter/table_reporter.go 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/pkg/reporter/table_reporter.go 2023-05-17 06:40:15.000000000 +0200
@@ -38,6 +38,11 @@
 }
 func (r *TableReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {
+ if len(vulnResult.Results) == 0 && !r.hasPrintedError {
+ fmt.Fprintf(r.stdout, "No vulnerabilities found\n")
+ return nil
+ }
+
 if r.markdown {
 output.PrintMarkdownTableResults(vulnResult, r.stdout)
 } else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osv-scanner-1.3.2/renovate.json new/osv-scanner-1.3.3/renovate.json
--- old/osv-scanner-1.3.2/renovate.json 2023-04-26 06:38:13.000000000 +0200
+++ new/osv-scanner-1.3.3/renovate.json 2023-05-17 06:40:15.000000000 +0200
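Review bot: `fmt.Fprintf(r.stdout, "No vulnerabilities found\n")` in the `table_reporter.go` hunk has no formatting directives, so `fmt.Fprintln(r.stdout, "No vulnerabilities found")` says the same thing without the format-string machinery and avoids a vet warning if the text ever gains a `%`. The condition also equates an empty `Results` slice with "no vulnerabilities"; the new `TestFlatten` uses an empty `Results` as its no-vulnerabilities case, which supports that reading, but if a scan that found no packages at all also produces an empty slice the message would overstate what was checked, and I can't confirm that from this hunk. The method body continues past the end of the hunk.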
@@ -7,6 +7,7 @@
 "schedule": ["before 6am on monday"],
 "labels": ["dependencies"],
 "postUpdateOptions": ["gomodTidy"],
+ "osvVulnerabilityAlerts": true,
 "packageRules": [
 {
 "matchUpdateTypes": ["major"],
++++++ osv-scanner.obsinfo ++++++
--- /var/tmp/diff_new_pack.NBTkig/_old 2023-05-17 10:54:03.515647020 +0200
+++ /var/tmp/diff_new_pack.NBTkig/_new 2023-05-17 10:54:03.519647042 +0200
@@ -1,5 +1,5 @@
 name: osv-scanner
-version: 1.3.2
-mtime: 1682483893
-commit: c6d02d122f65ce3550eb002e4cbff6f1307aaa6a
+version: 1.3.3
+mtime: 1684298415
+commit: dbeaddee112d005d950988cf07c09d91a4966fa8
++++++ vendor.tar.gz ++++++
++++ 26995 lines of diff (skipped)