
Commit ed7c9f4

authored
Merge branch 'main' into consistent-sort2
2 parents 449269c + 6b8b134 commit ed7c9f4

25 files changed

+1136
-616
lines changed


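--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -53,7 +53,7 @@ linters-settings:
 regexp:
 files:
 - "!**/internal/cachedregexp/**"
-- "!**/main_test.go"
+- "!**/internal/testutility/normalize.go"
 deny:
 - pkg: "regexp"
 desc: "Use github.com/google/osv-scanner/v2/internal/cachedregexp instead"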

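--- a/cmd/osv-scanner/__snapshots__/main_test.snap
+++ b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -448,6 +448,11 @@ overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD
 | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | fixtures/locks-insecure/composer.lock |
 | https://osv.dev/CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | fixtures/locks-many/alpine.cdx.xml |
 +-------------------------------------+------+-----------+------------------+----------+---------------------------------------+
++---------+-------------------------+
+| LICENSE | NO. OF PACKAGE VERSIONS |
++---------+-------------------------+
+| UNKNOWN | 20 |
++---------+-------------------------+
 +-------------------+-----------+------------------------------------------------+---------+-------------------------------------------------------+
 | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
 +-------------------+-----------+------------------------------------------------+---------+-------------------------------------------------------+
@@ -1448,62 +1453,27 @@ Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as
 
 [Test_run_Licenses/Licenses_in_summary_mode_json - 1]
 {
-"results": [
-{
-"source": {
-"path": "<rootdir>/fixtures/locks-licenses/package-lock.json",
-"type": "lockfile"
-},
-"packages": [
-{
-"package": {
-"name": "babel",
-"version": "6.23.0",
-"ecosystem": "npm"
-},
-"licenses": [
-"MIT"
-]
-},
-{
-"package": {
-"name": "human-signals",
-"version": "5.0.0",
-"ecosystem": "npm"
-},
-"licenses": [
-"Apache-2.0"
-]
-},
-{
-"package": {
-"name": "ms",
-"version": "2.1.3",
-"ecosystem": "npm"
-},
-"licenses": [
-"MIT"
-]
-},
-{
-"package": {
-"name": "type-fest",
-"version": "4.26.1",
-"ecosystem": "npm"
-},
-"licenses": [
-"CC0-1.0 OR MIT"
-]
-}
-]
-}
-],
+"results": [],
 "experimental_config": {
 "licenses": {
 "summary": true,
 "allowlist": []
 }
-}
+},
+"license_summary": [
+{
+"name": "MIT",
+"count": 2
+},
+{
+"name": "Apache-2.0",
+"count": 1
+},
+{
+"name": "CC0-1.0 OR MIT",
+"count": 1
+}
+]
 }
 
 ---
@@ -1520,6 +1490,13 @@ Scanned <rootdir>/fixtures/locks-licenses/package-lock.json file and found 4 pac
 overriding license for package npm/babel/6.23.0 with MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)
 overriding license for package npm/human-signals/5.0.0 with LGPL-2.1-only OR MIT OR BSD-3-Clause
 overriding license for package npm/ms/2.1.3 with MIT WITH Bison-exception-2.2
++----------------+-------------------------+
+| LICENSE | NO. OF PACKAGE VERSIONS |
++----------------+-------------------------+
+| MIT | 2 |
+| Apache-2.0 | 1 |
+| CC0-1.0 OR MIT | 1 |
++----------------+-------------------------+
 +------------------------------+-----------+---------+---------+-------------------------------------------+
 | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
 +------------------------------+-----------+---------+---------+-------------------------------------------+
@@ -1538,6 +1515,13 @@ Scanned <rootdir>/fixtures/locks-licenses/package-lock.json file and found 4 pac
 overriding license for package npm/babel/6.23.0 with MIT AND (LGPL-2.1-or-later OR BSD-3-Clause))
 overriding license for package npm/human-signals/5.0.0 with LGPL-2.1-only OR OR BSD-3-Clause
 overriding license for package npm/ms/2.1.3 with MIT WITH (Bison-exception-2.2 AND somethingelse)
++----------------+-------------------------+
+| LICENSE | NO. OF PACKAGE VERSIONS |
++----------------+-------------------------+
+| MIT | 2 |
+| Apache-2.0 | 1 |
+| CC0-1.0 OR MIT | 1 |
++----------------+-------------------------+
 +--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+
 | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
 +--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+
@@ -1607,13 +1591,27 @@ license MIT WITH (Bison-exception-2.2 AND somethingelse) for package npm/ms/2.1.
 ],
 "experimental_config": {
 "licenses": {
-"summary": false,
+"summary": true,
 "allowlist": [
 "MIT",
 "Apache-2.0"
 ]
 }
-}
+},
+"license_summary": [
+{
+"name": "MIT",
+"count": 2
+},
+{
+"name": "Apache-2.0",
+"count": 1
+},
+{
+"name": "CC0-1.0 OR MIT",
+"count": 1
+}
+]
 }
 
 ---
@@ -1674,6 +1672,88 @@ Filtered 2 vulnerabilities from output
 
 ---
 
+[Test_run_Licenses/Show_all_Packages_with_license_summary_in_json - 1]
+{
+"results": [
+{
+"source": {
+"path": "<rootdir>/fixtures/locks-licenses/package-lock.json",
+"type": "lockfile"
+},
+"packages": [
+{
+"package": {
+"name": "babel",
+"version": "6.23.0",
+"ecosystem": "npm"
+},
+"licenses": [
+"MIT"
+]
+},
+{
+"package": {
+"name": "human-signals",
+"version": "5.0.0",
+"ecosystem": "npm"
+},
+"licenses": [
+"Apache-2.0"
+]
+},
+{
+"package": {
+"name": "ms",
+"version": "2.1.3",
+"ecosystem": "npm"
+},
+"licenses": [
+"MIT"
+]
+},
+{
+"package": {
+"name": "type-fest",
+"version": "4.26.1",
+"ecosystem": "npm"
+},
+"licenses": [
+"CC0-1.0 OR MIT"
+]
+}
+]
+}
+],
+"experimental_config": {
+"licenses": {
+"summary": true,
+"allowlist": []
+}
+},
+"license_summary": [
+{
+"name": "MIT",
+"count": 2
+},
+{
+"name": "Apache-2.0",
+"count": 1
+},
+{
+"name": "CC0-1.0 OR MIT",
+"count": 1
+}
+]
+}
+
+---
+
+[Test_run_Licenses/Show_all_Packages_with_license_summary_in_json - 2]
+Scanning dir ./fixtures/locks-licenses/package-lock.json
+Scanned <rootdir>/fixtures/locks-licenses/package-lock.json file and found 4 packages
+
+---
+
 [Test_run_Licenses/Some_packages_with_ignored_licenses - 1]
 Scanning dir ./fixtures/locks-many
 Scanned <rootdir>/fixtures/locks-many/Gemfile.lock file and found 1 package
@@ -1712,6 +1792,11 @@ overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD
 | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | fixtures/locks-insecure/composer.lock |
 | https://osv.dev/CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | fixtures/locks-many/alpine.cdx.xml |
 +-------------------------------------+------+-----------+------------------+----------+---------------------------------------+
++---------+-------------------------+
+| LICENSE | NO. OF PACKAGE VERSIONS |
++---------+-------------------------+
+| UNKNOWN | 17 |
++---------+-------------------------+
 +-------------------+-----------+------------------+----------+---------------------------------------+
 | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
 +-------------------+-----------+------------------+----------+---------------------------------------+
@@ -1784,12 +1869,26 @@ overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD
 ],
 "experimental_config": {
 "licenses": {
-"summary": false,
+"summary": true,
 "allowlist": [
 "MIT"
 ]
 }
-}
+},
+"license_summary": [
+{
+"name": "MIT",
+"count": 2
+},
+{
+"name": "Apache-2.0",
+"count": 1
+},
+{
+"name": "CC0-1.0 OR MIT",
+"count": 1
+}
+]
 }
 
 ---
@@ -1827,12 +1926,26 @@ Scanned <rootdir>/fixtures/locks-licenses/package-lock.json file and found 4 pac
 ],
 "experimental_config": {
 "licenses": {
-"summary": false,
+"summary": true,
 "allowlist": [
 "MIT"
 ]
 }
-}
+},
+"license_summary": [
+{
+"name": "MIT",
+"count": 2
+},
+{
+"name": "Apache-2.0",
+"count": 1
+},
+{
+"name": "CC0-1.0 OR MIT",
+"count": 1
+}
+]
 }
 
 ---
@@ -1851,6 +1964,11 @@ Scanned <rootdir>/fixtures/locks-many/package-lock.json file and found 1 package
 +-------------------------------------+------+-----------+-----------+---------+---------------------------------------+
 | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-many/package-lock.json |
 +-------------------------------------+------+-----------+-----------+---------+---------------------------------------+
++------------+-------------------------+
+| LICENSE | NO. OF PACKAGE VERSIONS |
++------------+-------------------------+
+| Apache-2.0 | 1 |
++------------+-------------------------+
 
 ---
 
@@ -1886,6 +2004,11 @@ Scanned <rootdir>/fixtures/locks-many/package-lock.json file and found 1 package
 +-------------------------------------+------+-----------+-----------+---------+---------------------------------------+
 | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-many/package-lock.json |
 +-------------------------------------+------+-----------+-----------+---------+---------------------------------------+
++------------+-------------------------+
+| LICENSE | NO. OF PACKAGE VERSIONS |
++------------+-------------------------+
+| Apache-2.0 | 1 |
++------------+-------------------------+
 +-------------------+-----------+-----------+---------+---------------------------------------+
 | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
 +-------------------+-----------+-----------+---------+---------------------------------------+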

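--- a/cmd/osv-scanner/fix/main.go
+++ b/cmd/osv-scanner/fix/main.go
@@ -192,16 +192,16 @@ func Command(stdout, stderr io.Writer, r *reporter.Reporter) *cli.Command {
 },
 // Offline database flags, copied from osv-scanner scan
 &cli.BoolFlag{
-Name: "experimental-offline-vulnerabilities",
-Aliases: []string{"experimental-offline"},
+Name: "offline-vulnerabilities",
+Aliases: []string{"offline"},
 Usage: "checks for vulnerabilities using local databases that are already cached",
 },
 &cli.BoolFlag{
-Name: "experimental-download-offline-databases",
+Name: "download-offline-databases",
 Usage: "downloads vulnerability databases for offline comparison",
 },
 &cli.StringFlag{
-Name: "experimental-local-db-path",
+Name: "local-db-path",
 Usage: "sets the path that local databases should be stored",
 Hidden: true,
 },
@@ -308,12 +308,12 @@ func action(ctx *cli.Context, stdout, stderr io.Writer) (reporter.Reporter, erro
 }
 
 userAgent := "osv-scanner_fix/" + version.OSVVersion
-if ctx.Bool("experimental-offline-vulnerabilities") {
+if ctx.Bool("offline-vulnerabilities") {
 matcher, err := localmatcher.NewLocalMatcher(
 r,
-ctx.String("experimental-local-db-path"),
+ctx.String("local-db-path"),
 userAgent,
-ctx.Bool("experimental-download-offline-databases"),
+ctx.Bool("download-offline-databases"),
 )
 if err != nil {
 return nil, err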
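Review bot: The three offline flags in Command drop their `experimental-` spellings outright, so any script or CI job still passing `--experimental-offline-vulnerabilities`, `--experimental-offline`, `--experimental-download-offline-databases` or `--experimental-local-db-path` will now fail at flag parsing instead of continuing to work. Keeping the old names as aliases for a deprecation period would avoid that break, e.g. `Aliases: []string{"offline", "experimental-offline-vulnerabilities", "experimental-offline"},` on the first flag and matching `Aliases` entries on the other two. As far as I recall urfave/cli resolves a value set through an alias when looked up by the primary name, so the `ctx.Bool`/`ctx.String` reads in action at 311–316 would not need to change, but that is worth confirming. The comment on line 193 says these flags are copied from the scan command, so the rename there (not visible here) should match exactly. Both Command and action begin and end outside these hunks.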
