test: add more cases for "with no config"

G-Rath · G-Rath · commit ee4d42a97614 · 2026-02-20T09:03:36.000+13:00
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -5985,7 +5985,112 @@ No issues found
 
 ---
 
-[TestCommand_UpdateConfigIgnores_WithNoConfig - 1]
+[TestCommand_UpdateConfigIgnores_WithNoConfig/all - 1]
+Scanning dir <tempdir>
+Scanned <tempdir>/Gemfile.lock file and found 1 package
+Scanned <tempdir>/composer.lock file and found 0 packages
+Scanned <tempdir>/nested-1/package-lock.json file and found 3 packages
+Scanned <tempdir>/nested-2/package-lock.json file and found 3 packages
+Scanned <tempdir>/package-lock.json file and found 1 package
+Total 8 packages affected by 10 known vulnerabilities (0 Critical, 3 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+10 vulnerabilities can be fixed.
+
+
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | FIXED VERSION | SOURCE                                                       |
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+| https://osv.dev/GHSA-wx95-c6cv-8532 | 5.3  | RubyGems  | nokogiri  | 1.18.9  | 1.19.1        | <tempdir>/Gemfile.lock               |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 6.0.0   | 8.18.0        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-v88g-cgmw-v5xw | 5.6  | npm       | ajv       | 6.0.0   | 6.12.3        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 8.0.0   | 8.18.0        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 6.0.0   | 8.18.0        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-v88g-cgmw-v5xw | 5.6  | npm       | ajv       | 6.0.0   | 6.12.3        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 8.0.0   | 8.18.0        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/package-lock.json          |
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+
+---
+
+[TestCommand_UpdateConfigIgnores_WithNoConfig/all - 2]
+
+---
+
+[TestCommand_UpdateConfigIgnores_WithNoConfig/deep - 1]
+Scanning dir <tempdir>
+Scanned <tempdir>/Gemfile.lock file and found 1 package
+Scanned <tempdir>/composer.lock file and found 0 packages
+Scanned <tempdir>/nested-1/package-lock.json file and found 3 packages
+Scanned <tempdir>/nested-2/package-lock.json file and found 3 packages
+Scanned <tempdir>/package-lock.json file and found 1 package
+Loaded filter from: <tempdir>/osv-scanner-test.toml
+warning: <tempdir>/nested-2/osv-scanner-test.toml has multiple ignores for GHSA-2g4f-4pwh-qvx6 - only the first will be used!
+Loaded filter from: <tempdir>/nested-2/osv-scanner-test.toml
+GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
+GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
+Filtered 2 vulnerabilities from output
+<tempdir>/nested-2/osv-scanner-test.toml has unused ignores:
+ - GHSA-2g4f-4pwh-qvx6
+Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+8 vulnerabilities can be fixed.
+
+
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | FIXED VERSION | SOURCE                                                       |
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+| https://osv.dev/GHSA-wx95-c6cv-8532 | 5.3  | RubyGems  | nokogiri  | 1.18.9  | 1.19.1        | <tempdir>/Gemfile.lock               |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 6.0.0   | 8.18.0        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-v88g-cgmw-v5xw | 5.6  | npm       | ajv       | 6.0.0   | 6.12.3        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 8.0.0   | 8.18.0        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-v88g-cgmw-v5xw | 5.6  | npm       | ajv       | 6.0.0   | 6.12.3        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/package-lock.json          |
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+
+---
+
+[TestCommand_UpdateConfigIgnores_WithNoConfig/deep - 2]
+
+---
+
+[TestCommand_UpdateConfigIgnores_WithNoConfig/deep2 - 1]
+Scanning dir <tempdir>
+Scanned <tempdir>/Gemfile.lock file and found 1 package
+Scanned <tempdir>/composer.lock file and found 0 packages
+Scanned <tempdir>/nested-1/package-lock.json file and found 3 packages
+Scanned <tempdir>/nested-2/package-lock.json file and found 3 packages
+Scanned <tempdir>/package-lock.json file and found 1 package
+Loaded filter from: <tempdir>/osv-scanner-test.toml
+Loaded filter from: <tempdir>/nested-1/osv-scanner-test.toml
+CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json)
+Filtered 1 vulnerability from output
+Total 7 packages affected by 9 known vulnerabilities (0 Critical, 2 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+9 vulnerabilities can be fixed.
+
+
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | FIXED VERSION | SOURCE                                                       |
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+| https://osv.dev/GHSA-wx95-c6cv-8532 | 5.3  | RubyGems  | nokogiri  | 1.18.9  | 1.19.1        | <tempdir>/Gemfile.lock               |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 6.0.0   | 8.18.0        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-v88g-cgmw-v5xw | 5.6  | npm       | ajv       | 6.0.0   | 6.12.3        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 8.0.0   | 8.18.0        | <tempdir>/nested-1/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 6.0.0   | 8.18.0        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-v88g-cgmw-v5xw | 5.6  | npm       | ajv       | 6.0.0   | 6.12.3        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-2g4f-4pwh-qvx6 | 5.5  | npm       | ajv       | 8.0.0   | 8.18.0        | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/nested-2/package-lock.json |
+| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | 0.0.8         | <tempdir>/package-lock.json          |
++-------------------------------------+------+-----------+-----------+---------+---------------+--------------------------------------------------------------+
+
+---
+
+[TestCommand_UpdateConfigIgnores_WithNoConfig/deep2 - 2]
+
+---
+
+[TestCommand_UpdateConfigIgnores_WithNoConfig/shallow - 1]
 Scanning dir <tempdir>
 Scanned <tempdir>/Gemfile.lock file and found 1 package
 Scanned <tempdir>/composer.lock file and found 0 packages
@@ -6003,7 +6108,7 @@ Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medi
 
 ---
 
-[TestCommand_UpdateConfigIgnores_WithNoConfig - 2]
+[TestCommand_UpdateConfigIgnores_WithNoConfig/shallow - 2]
 
 ---
 
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go
@@ -1802,44 +1802,90 @@ func TestCommand_UpdateConfigIgnores(t *testing.T) {
 func TestCommand_UpdateConfigIgnores_WithNoConfig(t *testing.T) {
 	t.Parallel()
 
-	// action overwrites files, copy them to a temporary directory.
-	testDir := testutility.CreateTestDir(t)
-	var err error
+	type withFilesToRemove struct {
+		Name string
+		Args []string
+		Exit int
 
-	err = os.CopyFS(testDir, os.DirFS("./testdata/locks-with-invalid-and-configs"))
-	if err != nil {
-		t.Fatal(err)
+		Remove []string
 	}
 
-	// the test suite sets "osv-scanner-test.toml" as the default config name,
-	// but we might as well remove the "ignore all" config we have in our testdata
-	// for tools like scorecard, to be extra sure it can't interfere with our tests
-	err = os.Remove(testDir + "/osv-scanner.toml")
-	if err != nil {
-		t.Fatal(err)
-	}
+	tests := []withFilesToRemove{
+		{
+			Name: "shallow",
+			Args: []string{
+				"", "source", "--experimental-update-config-ignores",
+			},
+			Exit: 1,
 
-	// remove the expected config file
-	err = os.Remove(testDir + "/osv-scanner-test.toml")
-	if err != nil {
-		t.Fatal(err)
+			Remove: []string{"osv-scanner-test.toml"},
+		},
+		{
+			Name: "deep",
+			Args: []string{
+				"", "source", "--experimental-update-config-ignores", "-r",
+			},
+			Exit:   1,
+			Remove: []string{"nested-1/osv-scanner-test.toml"},
+		},
+		{
+			Name: "deep2",
+			Args: []string{
+				"", "source", "--experimental-update-config-ignores", "-r",
+			},
+			Exit:   1,
+			Remove: []string{"nested-2/osv-scanner-test.toml"},
+		},
+		{
+			Name: "all",
+			Args: []string{
+				"", "source", "--experimental-update-config-ignores", "-r",
+			},
+			Exit: 1,
+			Remove: []string{
+				"osv-scanner-test.toml",
+				"nested-1/osv-scanner-test.toml",
+				"nested-2/osv-scanner-test.toml",
+			},
+		},
 	}
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
 
-	// the "update config ignores" flag should not create a config file
-	testcmd.RunAndMatchSnapshots(t, testcmd.Case{
-		Args: []string{"", "source", "--experimental-update-config-ignores", testDir},
-		Exit: 1,
-	})
+			// action overwrites files, copy them to a temporary directory.
+			testDir := testutility.CreateTestDir(t)
+
+			err := os.CopyFS(testDir, os.DirFS("./testdata/locks-with-invalid-and-configs"))
+			if err != nil {
+				t.Fatal(err)
+			}
 
-	_, err = os.Stat(testDir + "/osv-scanner.toml")
+			// remove our config files
+			for _, file := range tt.Remove {
+				err = os.Remove(testDir + "/" + file)
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
 
-	if !errors.Is(err, os.ErrNotExist) {
-		t.Errorf("expected osv-scanner.toml not to be created")
-	}
+			tt.Args = append(tt.Args, testDir)
 
-	_, err = os.Stat(testDir + "/osv-scanner-test.toml")
+			// the "update config ignores" flag should not create a config file
+			testcmd.RunAndMatchSnapshots(t, testcmd.Case{
+				Name: tt.Name,
+				Args: tt.Args,
+				Exit: 1,
+			})
 
-	if !errors.Is(err, os.ErrNotExist) {
-		t.Errorf("expected osv-scanner-test.toml not to be created")
+			for _, file := range tt.Remove {
+				p := testDir + "/" + file
+				_, err = os.Stat(p)
+
+				if !errors.Is(err, os.ErrNotExist) {
+					t.Errorf("expected %s not to exist", p)
+				}
+			}
+		})
 	}
 }
