test(scanner): source lockfiles from vulsio/integration#2531
OpenSSF Scorecard alert #81 was triggered by old packages declared in scanner/testdata/fixtures/go.mod (OPA v0.35.0, docker v20.10.11, etc.) being scanned as real dependencies of vuls. Those fixtures were just copies of files already in vulsio/integration; they had been duplicated here to avoid pulling submodules in CI, which would let a fork PR redirect .gitmodules to attacker code that "go test" would then run. Delete the 30 duplicate files and have TestAnalyzeLibrary_Golden read straight from integration/data/lockfile/. CI now fetches that repo via a separate actions/checkout step pinned by commit SHA. The pin lives in the workflow file (not .gitmodules), so a fork PR cannot redirect it without a reviewable diff. The submodule entry stays for local development and "make diff". After vulsio/integration merges the matching installed.json change, bump the ref SHA in .github/workflows/test.yml and the submodule pointer to that merge commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Match the integration repo's directory split (vulsio/integration#33): the merged installed.json fixture is replaced by two distinct fixtures under installed-pear/ and installed-packagist/, exercising the minimal PEAR-style and the full Packagist-style Composer 2.x package shapes separately. Update TestAnalyzeLibrary_Golden's lockfileEntry list and regenerate the golden files; drop the now-unused installed.json.json. The submodule pointer and the integration ref in .github/workflows/test.yml will be bumped together once the companion integration PR lands. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ff LIBS The two pseudo servers added in vulsio/integration#33 (replacing the old [servers.composer-vendor] that was never wired into LIBS) need to be listed here so make diff actually exercises the installed.json parser. Closes a pre-existing gap as a side effect: composer-vendor has been an orphan entry in int(-redis)-config.toml since it was added. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…plit vulsio/integration#33 has merged at 6dfd74510f5944e7c973e40d7844020d53dbb3a7. Update both sources of truth for the integration test data:
- .github/workflows/test.yml: actions/checkout ref pin
- integration/ submodule pointer
CI on this PR can now resolve installed-pear/installed.json and installed-packagist/installed.json against the upstream merge commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR removes duplicated lockfile fixtures from scanner/testdata/fixtures and updates the golden tests (and CI) to source lockfile/binary fixtures from the vulsio/integration repository instead, addressing dependency-scanner noise from stale fixture dependencies.
Changes:
- Update `TestAnalyzeLibrary_Golden` (and the pom online test) to read fixtures from `../integration/data/lockfile`, skipping if the integration repo isn’t available.
- Add a dedicated `actions/checkout` step in CI to fetch `vulsio/integration` pinned to a commit SHA (without enabling submodules).
- Split the composer `installed.json` fixture into `installed-pear/installed.json` and `installed-packagist/installed.json`, and refresh/add the corresponding golden outputs; delete the now-redundant local fixtures.
Reviewed changes
Copilot reviewed 16 out of 36 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scanner/analyze_golden_test.go | Switch golden tests to load fixtures from the integration repo; update fixture list for the composer installed.json split. |
| .github/workflows/test.yml | Add a pinned actions/checkout step to fetch vulsio/integration into integration/ for tests. |
| GNUmakefile | Update integration-test LIBS list to include composer vendor split identifiers. |
| scanner/testdata/golden/installed-pear_installed.json.json | Update expected lockfilePath for the pear composer vendor installed.json moved into a subdirectory. |
| scanner/testdata/golden/installed-packagist_installed.json.json | Add golden output for the new packagist composer vendor installed.json location. |
| scanner/testdata/fixtures/requirements.txt | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/pubspec.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/pom.xml | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/poetry-v2/poetry.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/poetry-v1/poetry.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/packages.lock.json | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/packages.config | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/mix.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/installed.json | Remove old composer vendor fixture (replaced by installed-pear/ and installed-packagist/ in integration). |
| scanner/testdata/fixtures/gradle.lockfile | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/go.mod | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/datacollector.deps.json | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/conan-v2/conan.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/conan-v1/conan.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/bun.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/Podfile.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/Pipfile.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/Package.resolved | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/Gemfile.lock | Remove duplicated local fixture (now sourced from integration). |
| scanner/testdata/fixtures/Directory.Packages.props | Remove duplicated local fixture (now sourced from integration). |
Files not reviewed (1)
- scanner/testdata/fixtures/npm-v1/package-lock.json: Language not supported
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Per Copilot review: os.Stat returning a non-not-exist error (e.g., permission, IO) should fail the test, not silently skip — those indicate real issues that masking would hide. Distinguish via errors.Is(err, fs.ErrNotExist). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CI broke after the previous suggestion changed the ref to refs/pull/33/merge: that ref is server-side only while the PR is open, so once vulsio/integration#33 was merged the runner got "fatal: couldn't find remote ref refs/pull/33/merge". Pin to the actual merge commit SHA (6dfd74510f5944e7c973e40d7844020d53dbb3a7). A SHA is also the correct anchor for the security argument: a mutable ref defeats the point of pinning, since whoever can move the ref can swap in arbitrary code that go test would execute. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 16 out of 36 changed files in this pull request and generated 2 comments.
Files not reviewed (1)
- scanner/testdata/fixtures/npm-v1/package-lock.json: Language not supported
Per Copilot review: t.Skipf can mask CI misconfiguration (e.g. someone removes the integration checkout step or changes the path) and silently disable golden-test coverage. Drop the skip path entirely — both CI and local runs now hard-fail with a message pointing at the right remediation (git submodule update --init locally, or check the workflow). Removes the errors/io/fs imports that were only there for the skip branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 16 out of 36 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- scanner/testdata/fixtures/npm-v1/package-lock.json: Language not supported
Pull request overview
Copilot reviewed 16 out of 36 changed files in this pull request and generated no new comments.
Files not reviewed (1)
- scanner/testdata/fixtures/npm-v1/package-lock.json: Language not supported
Summary
- `scanner/testdata/fixtures/` that duplicate `integration/data/lockfile/` and have `TestAnalyzeLibrary_Golden` read from the integration repo directly.
- `actions/checkout` step pinned to a commit SHA (no `submodules: true` on the main checkout — that would let a fork PR redirect `.gitmodules` and run attacker code under `go test`).
- `installed.json` lockfileEntry with `installed-pear/installed.json` and `installed-packagist/installed.json` to match the directory split shipped via the companion integration PR; refresh the corresponding two golden files.
- `GNUmakefile`: add `composer-vendor-pear` and `composer-vendor-packagist` to the `make diff` `LIBS` list so the new server entries flow through the `int(-redis)-config.toml` diff target.
- `TestAnalyzeLibrary_Golden` / `TestAnalyzeLibrary_PomOnline`: `t.Fatalf` (not skip) when the integration data directory is missing, so a botched checkout in CI surfaces as a test failure rather than a silent green.
Why
`scanner/testdata/fixtures/go.mod` (OPA v0.35.0, docker v20.10.11, etc.) being scanned as real dependencies. Those files were just copies of fixtures already present in `vulsio/integration` — they had been duplicated so CI could `go test` without enabling submodules.
`.gitmodules`), so a fork PR cannot redirect it without a reviewable diff.
Security note
Three patterns for fetching the integration data and their threat models:
- `submodules: true` on `actions/checkout`: `.gitmodules` URL → arbitrary code in `go test`
- `git clone <hardcoded-URL>` step in workflow
- `actions/checkout` with `repository:` and `ref: <SHA>` (this PR): `repository:` / `ref:` → same
All three are equivalent in worst-case scope (runner-only RCE for fork PRs, `GITHUB_TOKEN` is read-only and secrets are gated). `actions/checkout` was chosen because it's the standard pattern, supports SHA pin via `ref:`, and concentrates the trust anchor in the workflow file (not `.gitmodules`). The `integration` submodule entry stays for local convenience and `make diff`.
Both `actions/checkout` steps also set `persist-credentials: false` so the checkout token is not left on disk for the rest of the job.
Companion PR
6dfd74510f5944e7c973e40d7844020d53dbb3a7) added `installed-pear/installed.json`, moved the existing `installed.json` to `installed-packagist/`, and updated `int(-redis)-config.toml` to the two `composer-vendor-*` entries.
`ref:` SHA in `.github/workflows/test.yml` and the `integration/` submodule pointer have been bumped to that merge commit, so CI on this branch resolves both `installed-*` goldens against the merged layout.
Test plan
- `go test ./scanner -run TestAnalyzeLibrary_Golden -v` — 36/36 PASS locally with submodule pointing at the integration merge commit
- `scanner/testdata/fixtures/` outside `analyze_golden_test.go` (`detector/vuls2/testdata/fixtures/enrich` is unrelated)
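An added example, not code from the vuls repository: a small POSIX shell guard that checks a workflow fragment for the three weaknesses the security note above discusses (a mutable `ref:`, `submodules: true`, and a checkout step without `persist-credentials: false`). The two workflow fragments are constructed to match the shape this PR describes; the real layout of `.github/workflows/test.yml` is assumed, and `actions/checkout@v4` stands in for whatever action version the workflow pins.

```shell
# Added example, not code from the vuls repository: a guard for the three
# checkout weaknesses in the security note above (layout of test.yml assumed).
# Constructed fragment in the shape this PR settles on.
GOOD_WORKFLOW='
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/checkout@v4
        with:
          repository: vulsio/integration
          ref: 6dfd74510f5944e7c973e40d7844020d53dbb3a7
          path: integration
          persist-credentials: false'

# Constructed fragment with the rejected patterns (submodules: true, mutable ref).
BAD_WORKFLOW='
      - uses: actions/checkout@v4
        with:
          submodules: true
      - uses: actions/checkout@v4
        with:
          repository: vulsio/integration
          ref: refs/pull/33/merge'

# check_workflow WORKFLOW_TEXT: prints one line per finding; returns 1 if any.
check_workflow() {
    status=0
    # 1. Every ref: must be a 40-hex commit SHA; whoever can move a branch, tag
    #    or refs/pull/N/merge ref chooses the code that go test executes.
    mutable=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*ref:' \
        | grep -Ev '^[[:space:]]*ref:[[:space:]]*[0-9a-f]{40}[[:space:]]*$' || true)
    if [ -n "$mutable" ]; then
        printf 'mutable ref, pin to a commit SHA:%s\n' "$mutable"
        status=1
    fi
    # 2. submodules: true lets a fork PR pick the fetched URL via .gitmodules.
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*submodules:[[:space:]]*true'; then
        echo 'submodules: true on actions/checkout; fetch in a separate pinned step'
        status=1
    fi
    # 3. Count heuristic: each checkout step should set persist-credentials: false.
    steps=$(printf '%s\n' "$1" | grep -c 'uses: actions/checkout' || true)
    nopersist=$(printf '%s\n' "$1" | grep -c 'persist-credentials: false' || true)
    if [ "$nopersist" -lt "$steps" ]; then
        echo "persist-credentials: false on $nopersist of $steps checkout steps"
        status=1
    fi
    return $status
}
```

`check_workflow "$GOOD_WORKFLOW"` returns 0 with no output; `check_workflow "$BAD_WORKFLOW"` prints three findings and returns 1, which is the exit status a pre-merge CI job would fail on.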