Merge branch 'google:main' into main

Author: another-rex

.golangci.yaml

@@ -42,6 +42,12 @@ linters:
     - unused
 
 linters-settings:
+  govet:
+    settings:
+      printf:
+        funcs:
+          - (github.com/google/osv-scanner/pkg/reporter.Reporter).PrintErrorf
+          - (github.com/google/osv-scanner/pkg/reporter.Reporter).PrintTextf
   depguard:
     rules:
       regexp:
@@ -66,6 +72,9 @@ linters-settings:
 
 issues:
   exclude-rules:
+    - path: pkg/reporter
+      linters:
+        - dupl
     - path: _test\.go
       linters:
         - goerr113

cmd/osv-reporter/main.go

@@ -42,7 +42,7 @@ func run(args []string, stdout, stderr io.Writer) int {
 	cli.VersionPrinter = func(ctx *cli.Context) {
 		// Use the app Writer and ErrWriter since they will be the writers to keep parallel tests consistent
 		tableReporter = reporter.NewTableReporter(ctx.App.Writer, ctx.App.ErrWriter, false, 0)
-		tableReporter.PrintText(fmt.Sprintf("osv-scanner version: %s\ncommit: %s\nbuilt at: %s\n", ctx.App.Version, commit, date))
+		tableReporter.PrintTextf("osv-scanner version: %s\ncommit: %s\nbuilt at: %s\n", ctx.App.Version, commit, date)
 	}
 
 	app := &cli.App{
@@ -179,11 +179,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 		}
 
 		if errors.Is(err, osvscanner.NoPackagesFoundErr) {
-			tableReporter.PrintError("No package sources found, --help for usage information.\n")
+			tableReporter.PrintErrorf("No package sources found, --help for usage information.\n")
 			return 128
 		}
 
-		tableReporter.PrintError(fmt.Sprintf("%v\n", err))
+		tableReporter.PrintErrorf("%v\n", err)
 	}
 
 	// if we've been told to print an error, and not already exited with

cmd/osv-scanner/main.go

@@ -12,6 +12,7 @@ import (
 	"github.com/google/osv-scanner/pkg/osv"
 	"github.com/google/osv-scanner/pkg/osvscanner"
 	"github.com/google/osv-scanner/pkg/reporter"
+	"github.com/google/osv-scanner/pkg/spdx"
 	"golang.org/x/term"
 
 	"github.com/urfave/cli/v2"
@@ -28,7 +29,7 @@ func run(args []string, stdout, stderr io.Writer) int {
 	cli.VersionPrinter = func(ctx *cli.Context) {
 		// Use the app Writer and ErrWriter since they will be the writers to keep parallel tests consistent
 		r = reporter.NewTableReporter(ctx.App.Writer, ctx.App.ErrWriter, false, 0)
-		r.PrintText(fmt.Sprintf("osv-scanner version: %s\ncommit: %s\nbuilt at: %s\n", ctx.App.Version, commit, date))
+		r.PrintTextf("osv-scanner version: %s\ncommit: %s\nbuilt at: %s\n", ctx.App.Version, commit, date)
 	}
 
 	osv.RequestUserAgent = "osv-scanner/" + version.OSVVersion
@@ -171,12 +172,15 @@ func run(args []string, stdout, stderr io.Writer) int {
 				return fmt.Errorf("--experimental-licenses-summary and --experimental-licenses flags cannot be set")
 			}
 			allowlist := context.StringSlice("experimental-licenses")
-			if context.IsSet("experimental-licenses") &&
-				(len(allowlist) == 0 ||
-					(len(allowlist) == 1 && allowlist[0] == "")) {
-				return fmt.Errorf("--experimental-licenses requires at least one value")
+			if context.IsSet("experimental-licenses") {
+				if len(allowlist) == 0 ||
+					(len(allowlist) == 1 && allowlist[0] == "") {
+					return fmt.Errorf("--experimental-licenses requires at least one value")
+				}
+				if unrecognized := spdx.Unrecognized(allowlist); len(unrecognized) > 0 {
+					return fmt.Errorf("--experimental-licenses requires comma-separated spdx licenses. The following license(s) are not recognized as spdx: %s", strings.Join(unrecognized, ","))
+				}
 			}
-			// TODO: verify that the licenses they passed in are indeed spdx.
 
 			if r, err = reporter.New(format, stdout, stderr, termWidth); err != nil {
 				return err
@@ -185,7 +189,7 @@ func run(args []string, stdout, stderr io.Writer) int {
 			var callAnalysisStates map[string]bool
 			if context.IsSet("experimental-call-analysis") {
 				callAnalysisStates = createCallAnalysisStates([]string{"all"}, context.StringSlice("no-call-analysis"))
-				r.PrintText("Warning: the experimental-call-analysis flag has been replaced. Please use the call-analysis and no-call-analysis flags instead.\n")
+				r.PrintTextf("Warning: the experimental-call-analysis flag has been replaced. Please use the call-analysis and no-call-analysis flags instead.\n")
 			} else {
 				callAnalysisStates = createCallAnalysisStates(context.StringSlice("call-analysis"), context.StringSlice("no-call-analysis"))
 			}
@@ -236,10 +240,10 @@ func run(args []string, stdout, stderr io.Writer) int {
 		case errors.Is(err, osvscanner.VulnerabilitiesFoundErr):
 			return 1
 		case errors.Is(err, osvscanner.NoPackagesFoundErr):
-			r.PrintError("No package sources found, --help for usage information.\n")
+			r.PrintErrorf("No package sources found, --help for usage information.\n")
 			return 128
 		}
-		r.PrintError(fmt.Sprintf("%v\n", err))
+		r.PrintErrorf("%v\n", err)
 	}
 
 	// if we've been told to print an error, and not already exited with

cmd/osv-scanner/main_test.go

@@ -623,7 +623,7 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 			args:         []string{"", "--lockfile=go.mod:./fixtures/locks-many/replace-local.mod"},
 			wantExitCode: 0,
 			wantStdout: `
-				Scanned <rootdir>/fixtures/locks-many/replace-local.mod file as a go.mod and found 2 packages
+				Scanned <rootdir>/fixtures/locks-many/replace-local.mod file as a go.mod and found 1 package
 				Filtered 1 local package/s from the scan.
 				No issues found
 			`,

docs/README.md

@@ -11,9 +11,19 @@ Here are other [pre-requisites] and instructions for running the [docs locally].
 [pre-requisites]: https://docs.github.com/en/pages/setting-up-a-github-pages-site-with-jekyll/testing-your-github-pages-site-locally-with-jekyll#prerequisites
 [docs locally]: https://docs.github.com/en/pages/setting-up-a-github-pages-site-with-jekyll/testing-your-github-pages-site-locally-with-jekyll#building-your-site-locally
 
-## Contributing to the docs
+## Formatting docs
 
-Please see [CONTRIBUTING.md](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md/#contributing-documentation) for information on contributing documentation.
+We use - [Prettier](https://prettier.io/) to standardize the format of markdown and config files.
+
+This requires [node/npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to be installed.
+
+### Running the formatter
+
+Run the following in the project directory:
+
+```shell
+./scripts/run_formatters.sh
+```
 
 ## Documentation theme
 

docs/github-action.md

@@ -20,18 +20,16 @@ nav_order: 7
 
 OSV-Scanner is offered as a GitHub Action. We currently have two different GitHub Actions:
 
-1. An action that triggers a scan with each [pull request](./github-action.md#scans-on-prs) and will only check for new vulnerabilities introduced through the pull request.
-2. An action that performs a single vulnerability scan, which can be configured to scan on a [regular schedule](./github-action.md#scheduled-scans), or used as a check [on releases](./github-action.md#scan-on-release) to prevent releasing with known vulnerabilities in dependencies.
+1. An action that triggers a scan with each [pull request](./github-action.md#scan-on-pull-request) and will only report new vulnerabilities introduced through the pull request.
+2. An action that performs a full vulnerability scan, which can be configured to scan on a [regular schedule](./github-action.md#scheduled-scans). The full vulnerability scan can also be configured to run [on release](./github-action.md#scan-on-release) to prevent releasing with known vulnerabilities in dependencies.
 
-## Scans on PRs
+## Scan on pull request
 
-Scanning your project on each pull request can help you keep vulnerabilities out of your project. This GitHub Action compares a vulnerability scan of the target branch to a vulnerability scan of the feature branch, and will fail if there are new vulnerabilities found which doesn't exist in the target branch. You will be notified of any new vulnerabilities introduced through the feature branch. You can also choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced through the feature branch.
+Scanning your project on each pull request can help you keep vulnerabilities out of your project. This GitHub Action compares a vulnerability scan of the target branch to a vulnerability scan of the feature branch, and will fail if there are new vulnerabilities introduced through the feature branch. You may choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced, but by default the check will only warn users.
 
 ### Instructions
 
-In your project repository, create a new file `.github/workflows/osv-scanner-pr.yml`.
-
-Include the following in the [`osv-scanner-pr.yml`](https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-pr.yml) file:
+In your project repository, create a new file `.github/workflows/osv-scanner-pr.yml` and include the following:
 
 ```yml
 name: OSV-Scanner PR Scan
@@ -51,104 +49,20 @@ permissions:
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@main"
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.5.0"
 ```
 
 ### View results
 
 Results may be viewed by clicking on the details of the failed action, either from your project's actions tab or directly on the PR. Results are also included in GitHub annotations on the "Files changed" tab for the PR.
 
-### Customization
-
-`osv-scanner-reusable.yml` takes two optional inputs:
-
-- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage) page for the available options.
-  Importantly `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
-  Default:
-  ```bash
-    --recursive # Recursively scan subdirectories
-    --skip-git=true # Skip commit scanning to focus on dependencies
-    ./ # Start the scan from the root of the repository
-  ```
-- `results-file-name`: This is the name of the final SARIF file uploaded to Github.
-  Default: `results.sarif`
-- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning.
-  If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage#specify-lockfiles)).
-- `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.
-
-<details markdown="block">
-<summary>
-Examples
-</summary>
-
-##### Scan specific lockfiles
-
-```yml
-jobs:
-  scan-pr:
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml"
-    with:
-      scan-args: |-
-        --lockfile=./path/to/lockfile1
-        --lockfile=requirements.txt:./path/to/python-lockfile2.txt
-```
-
-##### Default arguments
-
-```yml
-jobs:
-  scan-pr:
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml"
-    with:
-      scan-args: |-
-        --recursive
-        --skip-git=true
-        ./
-```
-
-##### Using download-artifact input to support preprocessing
-
-```yml
-jobs:
-  extract-deps:
-    name: Extract Dependencies
-    # ...
-    steps:
-      # ... Steps to extract your dependencies
-      - name: "upload osv-scanner deps" # Upload the deps
-        uses: actions/upload-artifact@v4
-        with:
-          name: converted-OSV-Scanner-deps
-          path: osv-scanner-deps.json
-          retention-days: 2
-  vuln-scan:
-    name: Vulnerability scanning
-    # makes sure the extraction step is completed before running the scanner
-    needs: extract-deps
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main"
-    with:
-      # Download the artifact uploaded in extract-deps step
-      download-artifact: converted-OSV-Scanner-deps
-      # Scan only the file inside the uploaded artifact
-      scan-args: |-
-        --lockfile=osv-scanner:osv-scanner-deps.json
-    permissions:
-      # Needed to upload the SARIF results to code-scanning dashboard.
-      security-events: write
-      contents: read
-```
-
-</details>
-
 ## Scheduled scans
 
 Regularly scanning your project for vulnerabilities can alert you to new vulnerabilities in your dependency tree. This GitHub Action will scan your project on a set schedule and report all known vulnerabilities. If vulnerabilities are found the action will return a failed status.
 
 ### Instructions
 
-In your project repository, create a new file `.github/workflows/osv-scanner-scheduled.yml`.
-
-Include the following in the [`osv-scanner-scheduled.yml`](https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-scheduled.yml) file:
+In your project repository, create a new file `.github/workflows/osv-scanner-scheduled.yml` and include the following:
 
 ```yml
 name: OSV-Scanner Scheduled Scan
@@ -168,15 +82,11 @@ permissions:
 
 jobs:
   scan-scheduled:
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main"
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.5.0"
 ```
 
 As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
 
-### Customization
-
-`osv-scanner-reusable-pr.yml` has the same customization options as `osv-scanner-reusable.yml`, which is described [here](./github-action.md#customization).
-
 ### View results
 
 Maintainers can review results of the scan by navigating to their project's `security > code scanning` tab. Vulnerability details can also be viewed by clicking on the details of the failed action.
@@ -223,3 +133,83 @@ jobs:
 ### View results
 
 Results may be viewed by clicking on the details of the failed release action from the action tab.
+
+## Customization
+
+The GitHub Actions have the following optional inputs:
+
+- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
+  Default:
+  ```bash
+    --recursive # Recursively scan subdirectories
+    --skip-git=true # Skip commit scanning to focus on dependencies
+    ./ # Start the scan from the root of the repository
+  ```
+- `results-file-name`: This is the name of the final SARIF file uploaded to Github.
+  Default: `results.sarif`
+- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage#specify-lockfiles)).
+- `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.
+
+<details markdown="block">
+<summary>
+Examples
+</summary>
+
+#### Scan specific lockfiles
+
+```yml
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    with:
+      scan-args: |-
+        --lockfile=./path/to/lockfile1
+        --lockfile=requirements.txt:./path/to/python-lockfile2.txt
+```
+
+#### Default arguments
+
+```yml
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    with:
+      scan-args: |-
+        --recursive
+        --skip-git=true
+        ./
+```
+
+#### Using download-artifact input to support preprocessing
+
+```yml
+jobs:
+  extract-deps:
+    name: Extract Dependencies
+    # ...
+    steps:
+      # ... Steps to extract your dependencies
+      - name: "upload osv-scanner deps" # Upload the deps
+        uses: actions/upload-artifact@v4
+        with:
+          name: converted-OSV-Scanner-deps
+          path: osv-scanner-deps.json
+          retention-days: 2
+  vuln-scan:
+    name: Vulnerability scanning
+    # makes sure the extraction step is completed before running the scanner
+    needs: extract-deps
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    with:
+      # Download the artifact uploaded in extract-deps step
+      download-artifact: converted-OSV-Scanner-deps
+      # Scan only the file inside the uploaded artifact
+      scan-args: |-
+        --lockfile=osv-scanner:osv-scanner-deps.json
+    permissions:
+      # Needed to upload the SARIF results to code-scanning dashboard.
+      security-events: write
+      contents: read
+```
+
+</details>

go.mod

@@ -5,9 +5,9 @@ go 1.21
 require (
 	deps.dev/api/v3alpha v0.0.0-20231114023923-e40c4d5c34e5
 	github.com/BurntSushi/toml v1.3.2
-	github.com/CycloneDX/cyclonedx-go v0.7.2
+	github.com/CycloneDX/cyclonedx-go v0.8.0
 	github.com/go-git/go-billy/v5 v5.5.0
-	github.com/go-git/go-git/v5 v5.10.1
+	github.com/go-git/go-git/v5 v5.11.0
 	github.com/google/go-cmp v0.6.0
 	github.com/hexops/gotextdiff v1.0.3
 	github.com/ianlancetaylor/demangle v0.0.0-20231023195312-e2daf7ba7156