From d019ac72d6100ed178bae8ff947c3f24b3874fdb Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Thu, 23 Apr 2026 06:16:36 +0000
Subject: [PATCH 1/3] fix(deps): update osv-scanner minor
---
 go.mod | 32 +++++++++++++-------------
 go.sum | 72 +++++++++++++++++++++++++++++-----------------------------
 2 files changed, 52 insertions(+), 52 deletions(-)
diff --git a/go.mod b/go.mod
index 0f90f6bfec8..5558b0b9b9b 100644
--- a/go.mod
+++ b/go.mod
@@ -4,19 +4,19 @@ go 1.26.2
 require (
 charm.land/glamour/v2 v2.0.0
- charm.land/lipgloss/v2 v2.0.1
+ charm.land/lipgloss/v2 v2.0.3
 deps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b
 deps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b
 github.com/BurntSushi/toml v1.6.0
 github.com/CycloneDX/cyclonedx-go v0.10.0
- github.com/gkampitakis/go-snaps v0.5.20
+ github.com/gkampitakis/go-snaps v0.5.21
 github.com/go-git/go-git/v5 v5.18.0
 github.com/gobwas/glob v0.2.3
 github.com/google/go-cmp v0.7.0
 github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9
 github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f
- github.com/jedib0t/go-pretty/v6 v6.7.8
- github.com/modelcontextprotocol/go-sdk v1.4.1
+ github.com/jedib0t/go-pretty/v6 v6.7.9
+ github.com/modelcontextprotocol/go-sdk v1.5.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4
 github.com/owenrumney/go-sarif/v3 v3.3.0
@@ -25,12 +25,12 @@ require (
 github.com/tidwall/gjson v1.18.0
 github.com/tidwall/pretty v1.2.1
 github.com/tidwall/sjson v1.2.5
- github.com/urfave/cli/v3 v3.7.0
+ github.com/urfave/cli/v3 v3.8.0
 go.yaml.in/yaml/v4 v4.0.0-rc.4
 golang.org/x/sync v0.20.0
- golang.org/x/term v0.40.0
+ golang.org/x/term v0.42.0
 golang.org/x/vuln v1.1.4
- google.golang.org/grpc v1.79.3
+ google.golang.org/grpc v1.80.0
 google.golang.org/protobuf v1.36.11
 gopkg.in/dnaeon/go-vcr.v4 v4.0.6
 osv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f
@@ -63,10 +63,10 @@ require (
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/charmbracelet/bubbles v0.21.0 // indirect
 github.com/charmbracelet/bubbletea v1.3.5 // indirect
- github.com/charmbracelet/colorprofile v0.4.2 // indirect
+ github.com/charmbracelet/colorprofile v0.4.3 // indirect
 github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834 // indirect
 github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 // indirect
- github.com/charmbracelet/x/ansi v0.11.6 // indirect
+ github.com/charmbracelet/x/ansi v0.11.7 // indirect
 github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
 github.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e // indirect
 github.com/charmbracelet/x/term v0.2.2 // indirect
@@ -133,13 +133,13 @@ require (
 github.com/klauspost/compress v1.18.4 // indirect
 github.com/kr/pretty v0.3.1 // indirect
 github.com/kr/text v0.2.0 // indirect
- github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
+ github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
 github.com/maruel/natural v1.1.1 // indirect
 github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mattn/go-localereader v0.0.1 // indirect
- github.com/mattn/go-runewidth v0.0.20 // indirect
+ github.com/mattn/go-runewidth v0.0.23 // indirect
 github.com/mattn/go-shellwords v1.0.12 // indirect
 github.com/michaelkedar/xml v0.0.0-20250501021638-021a7b1a061e // indirect
 github.com/microcosm-cc/bluemonday v1.0.27 // indirect
@@ -217,11 +217,11 @@ require (
 golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
 golang.org/x/mod v0.33.0 // indirect
 golang.org/x/net v0.51.0 // indirect
- golang.org/x/oauth2 v0.34.0 // indirect
- golang.org/x/sys v0.42.0 // indirect
- golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect
+ golang.org/x/oauth2 v0.35.0 // indirect
+ golang.org/x/sys v0.43.0 // indirect
+ golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 // indirect
 golang.org/x/text v0.34.0 // indirect
- golang.org/x/tools v0.41.0 // indirect
+ golang.org/x/tools v0.42.0 // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
@@ -240,4 +240,4 @@ require (
 // github.com/containerd/containerd v1.7.x is incompatible with runtime-spec v1.3.0.
 // https://github.com/google/osv-scanner/pull/2705#issuecomment-4212012410
-replace github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.2.1
+replace github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.3.0
diff --git a/go.sum b/go.sum
index 02240ee5406..d76e4272f99 100644
--- a/go.sum
+++ b/go.sum
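Review bot: The replace directive at the end of this hunk now pins github.com/opencontainers/runtime-spec to v1.3.0 while the comment directly above it still says containerd v1.7.x is incompatible with runtime-spec v1.3.0, so either the workaround has just been undone or the comment is stale, and the diff does not say which. If containerd has since moved past 1.7.x (not visible here), the self-replace is a no-op that Renovate will keep re-bumping and should be deleted together with its comment; if containerd is still on 1.7.x, restore `replace github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.2.1` and add a Renovate ignore rule for that module so the bot stops reverting the pin. Whichever it is, the comment should name the condition that lifts the pin, e.g. `// TODO: drop this replace once containerd is upgraded past 1.7.x`, so the next bot PR can be judged without re-reading the linked thread.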
@@ -2,8 +2,8 @@ bitbucket.org/creachadair/stringset v0.0.14 h1:t1ejQyf8utS4GZV/4fM+1gvYucggZkfhb bitbucket.org/creachadair/stringset v0.0.14/go.mod h1:Ej8fsr6rQvmeMDf6CCWMWGb14H9mz8kmDgPPTdiVT0w= charm.land/glamour/v2 v2.0.0 h1:IDBoqLEy7Hdpb9VOXN+khLP/XSxtJy1VsHuW/yF87+U= charm.land/glamour/v2 v2.0.0/go.mod h1:kjq9WB0s8vuUYZNYey2jp4Lgd9f4cKdzAw88FZtpj/w= -charm.land/lipgloss/v2 v2.0.1 h1:6Xzrn49+Py1Um5q/wZG1gWgER2+7dUyZ9XMEufqPSys= -charm.land/lipgloss/v2 v2.0.1/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM= +charm.land/lipgloss/v2 v2.0.3 h1:yM2zJ4Cf5Y51b7RHIwioil4ApI/aypFXXVHSwlM6RzU= +charm.land/lipgloss/v2 v2.0.3/go.mod h1:7myLU9iG/3xluAWzpY/fSxYYHCgoKTie7laxk6ATwXA= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= 
@@ -86,14 +86,14 @@ github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg= github.com/charmbracelet/bubbletea v1.3.5 h1:JAMNLTbqMOhSwoELIr0qyP4VidFq72/6E9j7HHmRKQc= github.com/charmbracelet/bubbletea v1.3.5/go.mod h1:TkCnmH+aBd4LrXhXcqrKiYwRs7qyQx5rBgH5fVY3v54= -github.com/charmbracelet/colorprofile v0.4.2 h1:BdSNuMjRbotnxHSfxy+PCSa4xAmz7szw70ktAtWRYrY= -github.com/charmbracelet/colorprofile v0.4.2/go.mod h1:0rTi81QpwDElInthtrQ6Ni7cG0sDtwAd4C4le060fT8= +github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q= +github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q= github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834 h1:ZR7e0ro+SZZiIZD7msJyA+NjkCNNavuiPBLgerbOziE= github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834/go.mod h1:aKC/t2arECF6rNOnaKaVU6y4t4ZeHQzqfxedE/VkVhA= github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 h1:eyFRbAmexyt43hVfeyBofiGSEmJ7krjLOYt/9CF5NKA= github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8/go.mod h1:SQpCTRNBtzJkwku5ye4S3HEuthAlGy2n9VXZnWkEW98= -github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8= -github.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ= +github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI= +github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ= github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI= github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q= github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f h1:pk6gmGpCE7F3FcjaOEKYriCvpmIN4+6OS/RD0vm4uIA= 
@@ -200,8 +200,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= -github.com/gkampitakis/go-snaps v0.5.20 h1:FGKonEeQPJ12t7RQj6cTPa881fl5c8HYarMLv5vP7sg= -github.com/gkampitakis/go-snaps v0.5.20/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= +github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y= +github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= 
@@ -239,8 +239,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gohugoio/hashstructure v0.5.0 h1:G2fjSBU36RdwEJBWJ+919ERvOVqAg9tfcYp47K9swqg= github.com/gohugoio/hashstructure v0.5.0/go.mod h1:Ser0TniXuu/eauYmrwM4o64EBvySxNzITEOLlm4igec= -github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= -github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY= +github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= 
@@ -290,8 +290,8 @@ github.com/icholy/digest v1.1.0 h1:HfGg9Irj7i+IX1o1QAmPfIBNu/Q5A5Tu3n/MED9k9H4= github.com/icholy/digest v1.1.0/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o= -github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= +github.com/jedib0t/go-pretty/v6 v6.7.9 h1:frarzQWmkZd97syT81+TH8INKPpzoxQnk+Mk5EIHSrM= +github.com/jedib0t/go-pretty/v6 v6.7.9/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= 
@@ -308,8 +308,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag= -github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= +github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4= +github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc= github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg= github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= 
@@ -321,8 +321,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4= github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88= github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= -github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ= -github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= +github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw= +github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/michaelkedar/xml v0.0.0-20250501021638-021a7b1a061e h1:wAq84z83n895uvsZIoSNdzw0NbhP08NiIq8/JOlrJ6Y= 
@@ -353,8 +353,8 @@ github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA= github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= -github.com/modelcontextprotocol/go-sdk v1.4.1 h1:M4x9GyIPj+HoIlHNGpK2hq5o3BFhC+78PkEaldQRphc= -github.com/modelcontextprotocol/go-sdk v1.4.1/go.mod h1:Bo/mS87hPQqHSRkMv4dQq1XCu6zv4INdXnFZabkNU6s= +github.com/modelcontextprotocol/go-sdk v1.5.0 h1:CHU0FIX9kpueNkxuYtfYQn1Z0slhFzBZuq+x6IiblIU= +github.com/modelcontextprotocol/go-sdk v1.5.0/go.mod h1:gggDIhoemhWs3BGkGwd1umzEXCEMMvAnhTrnbXJKKKA= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/morikuni/aec v1.1.0 h1:vBBl0pUnvi/Je71dsRrhMBtreIqNMYErSAbEeb8jrXQ= 
@@ -375,8 +375,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= -github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= -github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg= +github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE= github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg= github.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4 h1:4zC49SlXs2waAuZJFEP1lAGf9Bgjg8SQww6y8C9znJ0= 
@@ -482,8 +482,8 @@ github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10 github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE= github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= -github.com/urfave/cli/v3 v3.7.0 h1:AGSnbUyjtLiM+WJUb4dzXKldl/gL+F8OwmRDtVr6g2U= -github.com/urfave/cli/v3 v3.7.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso= +github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI= +github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso= github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4= github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= @@ -582,8 +582,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= -golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= +golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -611,14 +611,14 @@ golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= -golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 h1:O1cMQHRfwNpDfDJerqRoE2oD+AFlyid87D40L/OkkJo= -golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2/go.mod h1:b7fPSJ0pKZ3ccUh8gnTONJxhn3c/PS6tyzQvyqw4iA8= +golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= +golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 h1:bTLqdHv7xrGlFbvf5/TXNxy/iUwwdkjhqQTJDjW7aj0= +golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4/go.mod h1:g5NllXBEermZrmR51cJDQxmJUHUOfRAaNyWBM+R+548= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= -golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= +golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY= +golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -637,8 +637,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= -golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= +golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k= +golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0= golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= 
@@ -651,8 +651,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= -gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= -gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= +gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= +gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
@@ -669,8 +669,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= -google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= +google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 1fd64b89f6922ee93dfd02fd5f425410fa959ca8 Mon Sep 17 00:00:00 2001 From: Rex P Date: Fri, 24 Apr 2026 15:59:25 +1000 Subject: [PATCH 2/3] Fix cli change issues --- .../fix/__snapshots__/command_test.snap | 116 +-- .../source/__snapshots__/command_test.snap | 25 +- cmd/osv-scanner/scan/source/command_test.go | 4 +- .../cassettes/TestCommand_Transitive.yaml | 741 +++++++++++++++++- go.mod | 3 +- go.sum | 4 +- 6 files changed, 813 insertions(+), 80 deletions(-) diff --git a/cmd/osv-scanner/fix/__snapshots__/command_test.snap b/cmd/osv-scanner/fix/__snapshots__/command_test.snap index 25ab91872ac..0276e8ad534 100755 --- a/cmd/osv-scanner/fix/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/fix/__snapshots__/command_test.snap 
@@ -5260,16 +5260,16 @@ unsupported strategy "force" - must be one of: in-place, relax, override [TestCommand/fix_non-interactive_in-place_package-lock.json - 1] Guided remediation (the fix command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. -Found 15 vulnerabilities matching the filter -Can fix 8/15 matching vulnerabilities by changing 5 dependencies +Found 16 vulnerabilities matching the filter +Can fix 8/16 matching vulnerabilities by changing 5 dependencies UPGRADED-PACKAGE: minimatch,3.1.2,3.1.5 UPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.14 -UPGRADED-PACKAGE: ajv,6.12.6,6.14.0 +UPGRADED-PACKAGE: ajv,6.12.6,6.15.0 UPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1 UPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9 FIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-f886-m6hf-6m8v,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw -REMAINING-VULNS: 7 -UNFIXABLE-VULNS: 7 +REMAINING-VULNS: 8 +UNFIXABLE-VULNS: 8 --- @@ -5293,9 +5293,9 @@ UNFIXABLE-VULNS: 7 } }, "node_modules/ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", 
@@ -6229,9 +6229,9 @@ UNFIXABLE-VULNS: 7 }, "dependencies": { "ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", @@ -7148,6 +7148,16 @@ UNFIXABLE-VULNS: 7 "version": "1.1.11" } ] + }, + { + "id": "GHSA-w5hq-g745-h8pq", + "packages": [ + { + "name": "uuid", + "version": "3.4.0" + } + ], + "unactionable": true } ], "patches": [ @@ -7225,7 +7235,7 @@ UNFIXABLE-VULNS: 7 { "name": "ajv", "versionFrom": "6.12.6", - "versionTo": "6.14.0", + "versionTo": "6.15.0", "transitive": true } ], @@ -7309,9 +7319,9 @@ Guided remediation (the fix command) can be risky when run on untrusted projects } }, "node_modules/ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", 
@@ -8245,9 +8255,9 @@ Guided remediation (the fix command) can be risky when run on untrusted projects }, "dependencies": { "ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", @@ -9437,6 +9447,16 @@ Guided remediation (the fix command) can be risky when run on untrusted projects } ], "unactionable": true + }, + { + "id": "GHSA-w5hq-g745-h8pq", + "packages": [ + { + "name": "uuid", + "version": "3.4.0" + } + ], + "unactionable": true } ], "patches": [ @@ -9575,12 +9595,12 @@ UNFIXABLE-VULNS: 0 [TestCommand/fix_non-interactive_relax_package.json - 1] Guided remediation (the fix command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. -Found 7 vulnerabilities matching the filter -Can fix 3/7 matching vulnerabilities by changing 1 dependencies +Found 8 vulnerabilities matching the filter +Can fix 3/8 matching vulnerabilities by changing 1 dependencies UPGRADED-PACKAGE: npm-registry-client,6.2.0,^7.5.0 FIXED-VULN-IDS: GHSA-43f8-2h32-f4cj,GHSA-c2qf-rxjj-qqgw,GHSA-c6rq-rjc2-86v2 -REMAINING-VULNS: 4 -UNFIXABLE-VULNS: 4 +REMAINING-VULNS: 5 +UNFIXABLE-VULNS: 5 --- 
@@ -9608,16 +9628,16 @@ UNFIXABLE-VULNS: 4 [TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 1] Guided remediation (the fix command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. -Found 15 vulnerabilities matching the filter -Can fix 8/15 matching vulnerabilities by changing 5 dependencies +Found 16 vulnerabilities matching the filter +Can fix 8/16 matching vulnerabilities by changing 5 dependencies UPGRADED-PACKAGE: minimatch,3.1.2,3.1.5 UPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.14 -UPGRADED-PACKAGE: ajv,6.12.6,6.14.0 +UPGRADED-PACKAGE: ajv,6.12.6,6.15.0 UPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1 UPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9 FIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-f886-m6hf-6m8v,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw -REMAINING-VULNS: 7 -UNFIXABLE-VULNS: 7 +REMAINING-VULNS: 8 +UNFIXABLE-VULNS: 8 --- @@ -9641,9 +9661,9 @@ UNFIXABLE-VULNS: 7 } }, "node_modules/ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", 
@@ -10577,9 +10597,9 @@ UNFIXABLE-VULNS: 7 }, "dependencies": { "ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", @@ -11427,16 +11447,16 @@ manifest or lockfile is required [TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 1] Guided remediation (the fix command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. -Found 15 vulnerabilities matching the filter -Can fix 8/15 matching vulnerabilities by changing 5 dependencies +Found 16 vulnerabilities matching the filter +Can fix 8/16 matching vulnerabilities by changing 5 dependencies UPGRADED-PACKAGE: minimatch,3.1.2,3.1.5 UPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.14 -UPGRADED-PACKAGE: ajv,6.12.6,6.14.0 +UPGRADED-PACKAGE: ajv,6.12.6,6.15.0 UPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1 UPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9 FIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-f886-m6hf-6m8v,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw -REMAINING-VULNS: 7 -UNFIXABLE-VULNS: 7 +REMAINING-VULNS: 8 +UNFIXABLE-VULNS: 8 --- 
@@ -11460,9 +11480,9 @@ UNFIXABLE-VULNS: 7 } }, "node_modules/ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", @@ -12396,9 +12416,9 @@ UNFIXABLE-VULNS: 7 }, "dependencies": { "ajv": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", - "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", @@ -13170,12 +13190,12 @@ UNFIXABLE-VULNS: 7 [TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 1] Guided remediation (the fix command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. -Found 7 vulnerabilities matching the filter -Can fix 3/7 matching vulnerabilities by changing 1 dependencies +Found 8 vulnerabilities matching the filter +Can fix 3/8 matching vulnerabilities by changing 1 dependencies UPGRADED-PACKAGE: npm-registry-client,6.2.0,^7.5.0 FIXED-VULN-IDS: GHSA-43f8-2h32-f4cj,GHSA-c2qf-rxjj-qqgw,GHSA-c6rq-rjc2-86v2 -REMAINING-VULNS: 4 -UNFIXABLE-VULNS: 4 +REMAINING-VULNS: 5 +UNFIXABLE-VULNS: 5 --- 
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 5bdb7a12589..ba3962049c9 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -2683,14 +2683,13 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5 --- -[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 1] +[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 1] +Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- -[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 2] -Incorrect Usage: flag needs an argument: --experimental-plugins= - -flag needs an argument: --experimental-plugins= +[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 2] +No package sources found, --help for usage information. --- @@ -2853,9 +2852,7 @@ could not determine extractor, requested package-lock.json --- [TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 2] -Incorrect Usage: flag needs an argument: --experimental-plugins= - -flag needs an argument: --experimental-plugins= +at least one extractor must be enabled --- 
@@ -4767,7 +4764,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 55 Medium, 5 Low, 25 Unknown) from 2 ecosystems. +Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 55 Medium, 5 Low, 29 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -4817,6 +4814,8 @@ Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -4929,6 +4928,7 @@ Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -4954,6 +4954,7 @@ Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4995,7 +4996,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 55 Medium, 5 Low, 25 Unknown) from 2 ecosystems. +Total 22 packages affected by 182 known vulnerabilities (18 Critical, 75 High, 55 Medium, 5 Low, 29 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ 
@@ -5045,6 +5046,8 @@ Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41989 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-41990 | | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -5157,6 +5160,7 @@ Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2017-20230 | | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -5182,6 +5186,7 @@ Total 21 packages affected by 178 known vulnerabilities (18 Critical, 75 High, 5 | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-5958 | | Debian | sed | 4.4-1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go
index f5fae2b96cc..a87a79eeb0c 100644
--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -489,9 +489,9 @@ func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
 tests := []testcmd.Case{
 {
- Name: "empty_plugins_flag_does_nothing",
+ Name: "empty_plugins_flag_does_default",
 Args: []string{"", "source", "--experimental-plugins="},
- Exit: 127,
+ Exit: 128,
 },
 {
 Name: "extractors_cancelled_out_specified_individually",
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml
index 1dd867a211f..7bf8da35738 100644
--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml
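Review bot: The renamed case `empty_plugins_flag_does_default` pins `Exit: 128` without saying what that status means or why an empty `--experimental-plugins=` value is now accepted instead of being rejected as a missing flag argument (the old `Exit: 127` path); the enclosing `tests` slice continues outside the hunk. The updated snapshot for this case ends with `No package sources found, --help for usage information.`, so 128 is presumably the "no package sources" exit status, but a reader of the test case alone cannot tell that. Suggest a comment on the case: `// An empty value no longer trips the flag parser; the default plugin set runs and exits with the "no package sources" status.` The sibling `WithoutDefaults/empty_plugins_flag_does_nothing` snapshot also changes (its output becomes `at least one extractor must be enabled`), so if its expected exit changed in the same way its name may deserve a matching rename for consistency.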
@@ -1475,6 +1475,163 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 997 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "PyPI", + "name": "click" + }, + "version": "8.3.2" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask" + }, + "version": "1.0.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask-cors" + }, + "version": "1.0.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "itsdangerous" + }, + "version": "2.2.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2" + }, + "version": "3.1.6" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "markupsafe" + }, + "version": "3.0.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "pandas" + }, + "version": "0.23.4" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug" + }, + "version": "3.1.8" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/requirements.txt_resolution_fallback + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 880 + body: | + { + "results": [ + {}, + { + "vulns": [ + { + "id": "GHSA-68rp-wp8r-4726", + "modified": "2026-02-23T23:43:45.778179Z" + }, + { + "id": "GHSA-m2qf-hxjv-5gpq", + "modified": "2025-02-21T05:42:17.337040Z" + }, + { + "id": "PYSEC-2023-62", + "modified": "2023-11-08T04:12:28.231927Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-43qf-4rqw-9q2g", + "modified": "2026-02-04T02:30:19.251090Z" + }, + { + "id": "GHSA-7rxf-gvfg-47g4", + "modified": "2026-02-04T04:27:15.173118Z" + }, + { + "id": "GHSA-84pr-m4jr-85g5", + "modified": "2026-02-04T02:57:32.875272Z" + }, + { + "id": "GHSA-8vgw-p6qm-5gr7", + "modified": "2026-02-04T02:42:09.564281Z" + }, + { + "id": "GHSA-hxwh-jpp2-84pm", + "modified": "2026-02-04T02:15:39.891834Z" + }, + { + "id": 
"GHSA-xc3p-ff3m-f46v", + "modified": "2024-09-20T20:01:25.449661Z" + }, + { + "id": "PYSEC-2020-43", + "modified": "2025-10-09T07:22:50.566622Z" + }, + { + "id": "PYSEC-2024-71", + "modified": "2025-10-09T08:27:44.186589Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "PYSEC-2020-73", + "modified": "2023-11-08T04:02:12.263851Z" + } + ] + }, + {} + ] + } + headers: + Content-Length: + - "880" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 @@ -1646,7 +1803,7 @@ interactions: "ecosystem": "PyPI", "name": "click" }, - "version": "8.3.2" + "version": "8.3.3" }, { "package": { @@ -2339,7 +2496,7 @@ interactions: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 - content_length: 1604 + content_length: 1610 host: api.osv.dev body: | { @@ -2349,7 +2506,7 @@ interactions: "ecosystem": "PyPI", "name": "certifi" }, - "version": "2026.2.25" + "version": "2026.4.22" }, { "package": { @@ -2363,7 +2520,7 @@ interactions: "ecosystem": "PyPI", "name": "click" }, - "version": "8.3.1" + "version": "8.3.3" }, { "package": { @@ -2377,14 +2534,14 @@ interactions: "ecosystem": "PyPI", "name": "flask" }, - "version": "1.0" + "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "idna" }, - "version": "2.7" + "version": "2.7.0" }, { "package": { @@ -2412,7 +2569,7 @@ interactions: "ecosystem": "PyPI", "name": "pytz" }, - "version": "2026.1.post1" + "version": "2026.1.0.post1" }, { "package": { @@ -2433,7 +2590,7 @@ interactions: "ecosystem": "PyPI", "name": "werkzeug" }, - "version": "3.1.7" + "version": "3.1.8" } ] } 
@@ -2441,14 +2598,14 @@ interactions: Content-Type: - application/json X-Test-Name: - - TestCommand_Transitive/requirements.txt_transitive_native_source + - TestCommand_Transitive/requirements.txt_transitive_default url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2083 + content_length: 2153 body: | { "results": [ @@ -2463,7 +2620,7 @@ interactions: }, { "id": "GHSA-6w2r-r2m5-xq5w", - "modified": "2026-02-04T04:00:06.061990Z" + "modified": "2026-04-21T08:11:06.082206Z" }, { "id": "GHSA-7xr5-9hcq-chf9", @@ -2475,11 +2632,11 @@ interactions: }, { "id": "GHSA-frmv-pr5f-9mcr", - "modified": "2025-11-27T09:10:30.649595Z" + "modified": "2026-04-21T08:11:22.119438Z" }, { "id": "GHSA-qw25-v68c-qjf3", - "modified": "2026-02-04T04:08:30.303132Z" + "modified": "2026-04-21T08:11:06.009868Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", @@ -2533,6 +2690,10 @@ interactions: "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, + { + "id": "GHSA-gc5v-m9x4-r6x2", + "modified": "2026-03-27T22:17:33.595885Z" + }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" @@ -2600,7 +2761,7 @@ interactions: } headers: Content-Length: - - "2083" + - "2153" Content-Type: - application/json status: 200 OK @@ -2634,7 +2795,7 @@ interactions: "ecosystem": "PyPI", "name": "click" }, - "version": "8.3.2" + "version": "8.3.1" }, { "package": { @@ -2704,7 +2865,7 @@ interactions: "ecosystem": "PyPI", "name": "werkzeug" }, - "version": "3.1.8" + "version": "3.1.7" } ] } @@ -2719,7 +2880,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2153 + content_length: 2083 body: | { "results": [ 
@@ -2794,6 +2955,552 @@ interactions: {}, {}, {}, + { + "vulns": [ + { + "id": "GHSA-9hjg-9r4m-mvj7", + "modified": "2026-02-04T03:44:00.676479Z" + }, + { + "id": "GHSA-9wx4-h78v-vm56", + "modified": "2026-02-04T02:43:42.271895Z" + }, + { + "id": "GHSA-j8r2-6x86-q33q", + "modified": "2026-02-04T03:34:13.807518Z" + }, + { + "id": "PYSEC-2023-74", + "modified": "2023-11-08T04:12:35.436175Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2xpw-w6gg-jr37", + "modified": "2026-02-04T02:36:12.983430Z" + }, + { + "id": "GHSA-34jh-p97f-mpxf", + "modified": "2026-02-04T03:37:44.850742Z" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "2026-02-04T03:51:36.162029Z" + }, + { + "id": "GHSA-g4mx-q9vg-27p4", + "modified": "2026-02-04T03:30:16.767903Z" + }, + { + "id": "GHSA-gm62-xv2j-4w53", + "modified": "2026-02-04T03:37:15.919661Z" + }, + { + "id": "GHSA-pq67-6m6q-mj2v", + "modified": "2026-02-04T04:38:01.163387Z" + }, + { + "id": "GHSA-v845-jxx5-vc9f", + "modified": "2026-02-04T02:58:30.152562Z" + }, + { + "id": "GHSA-wqvq-5m8c-6g24", + "modified": "2024-11-18T22:47:07.792720Z" + }, + { + "id": "PYSEC-2020-148", + "modified": "2023-11-08T04:03:14.251187Z" + }, + { + "id": "PYSEC-2021-108", + "modified": "2023-11-08T04:06:04.829992Z" + }, + { + "id": "PYSEC-2023-192", + "modified": "2023-11-08T04:13:33.452167Z" + }, + { + "id": "PYSEC-2023-212", + "modified": "2023-11-08T04:13:39.165450Z" + } + ] + }, + {} + ] + } + headers: + Content-Length: + - "2083" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1604 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "PyPI", + "name": "certifi" + }, + "version": "2026.2.25" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "chardet" + }, + "version": "3.0.4" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "click" + }, + "version": "8.3.2" + }, + { + "package": { + 
"ecosystem": "PyPI", + "name": "django" + }, + "version": "1.11.29" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask" + }, + "version": "1.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "idna" + }, + "version": "2.7" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "itsdangerous" + }, + "version": "2.2.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2" + }, + "version": "3.1.6" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "markupsafe" + }, + "version": "3.0.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "pytz" + }, + "version": "2026.1.post1" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "requests" + }, + "version": "2.20.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3" + }, + "version": "1.24.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug" + }, + "version": "3.1.8" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/requirements.txt_transitive_native_source + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 2153 + body: | + { + "results": [ + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-68w8-qjq3-2gfm", + "modified": "2024-09-20T15:46:52.557962Z" + }, + { + "id": "GHSA-6w2r-r2m5-xq5w", + "modified": "2026-02-04T04:00:06.061990Z" + }, + { + "id": "GHSA-7xr5-9hcq-chf9", + "modified": "2026-02-04T03:48:05.224740Z" + }, + { + "id": "GHSA-8x94-hmjh-97hq", + "modified": "2026-02-04T02:45:55.690257Z" + }, + { + "id": "GHSA-frmv-pr5f-9mcr", + "modified": "2025-11-27T09:10:30.649595Z" + }, + { + "id": "GHSA-qw25-v68c-qjf3", + "modified": "2026-02-04T04:08:30.303132Z" + }, + { + "id": "GHSA-rrqc-c2jx-6jgv", + "modified": "2024-10-30T19:23:59.139649Z" + }, + { + "id": "PYSEC-2021-98", + "modified": "2023-12-06T01:01:16.755410Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-68rp-wp8r-4726", + 
"modified": "2026-02-23T23:43:45.778179Z" + }, + { + "id": "GHSA-m2qf-hxjv-5gpq", + "modified": "2025-02-21T05:42:17.337040Z" + }, + { + "id": "PYSEC-2023-62", + "modified": "2023-11-08T04:12:28.231927Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-jjg7-2v4v-x38h", + "modified": "2026-02-04T03:49:45.087439Z" + }, + { + "id": "PYSEC-2024-60", + "modified": "2024-07-11T17:42:33.704488Z" + } + ] + }, + {}, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-9hjg-9r4m-mvj7", + "modified": "2026-02-04T03:44:00.676479Z" + }, + { + "id": "GHSA-9wx4-h78v-vm56", + "modified": "2026-02-04T02:43:42.271895Z" + }, + { + "id": "GHSA-gc5v-m9x4-r6x2", + "modified": "2026-03-27T22:17:33.595885Z" + }, + { + "id": "GHSA-j8r2-6x86-q33q", + "modified": "2026-02-04T03:34:13.807518Z" + }, + { + "id": "PYSEC-2023-74", + "modified": "2023-11-08T04:12:35.436175Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-2xpw-w6gg-jr37", + "modified": "2026-02-04T02:36:12.983430Z" + }, + { + "id": "GHSA-34jh-p97f-mpxf", + "modified": "2026-02-04T03:37:44.850742Z" + }, + { + "id": "GHSA-38jv-5279-wg99", + "modified": "2026-02-04T03:51:36.162029Z" + }, + { + "id": "GHSA-g4mx-q9vg-27p4", + "modified": "2026-02-04T03:30:16.767903Z" + }, + { + "id": "GHSA-gm62-xv2j-4w53", + "modified": "2026-02-04T03:37:15.919661Z" + }, + { + "id": "GHSA-pq67-6m6q-mj2v", + "modified": "2026-02-04T04:38:01.163387Z" + }, + { + "id": "GHSA-v845-jxx5-vc9f", + "modified": "2026-02-04T02:58:30.152562Z" + }, + { + "id": "GHSA-wqvq-5m8c-6g24", + "modified": "2024-11-18T22:47:07.792720Z" + }, + { + "id": "PYSEC-2020-148", + "modified": "2023-11-08T04:03:14.251187Z" + }, + { + "id": "PYSEC-2021-108", + "modified": "2023-11-08T04:06:04.829992Z" + }, + { + "id": "PYSEC-2023-192", + "modified": "2023-11-08T04:13:33.452167Z" + }, + { + "id": "PYSEC-2023-212", + "modified": "2023-11-08T04:13:39.165450Z" + } + ] + }, + {} + ] + } + headers: + Content-Length: + - "2153" + Content-Type: + - application/json + status: 200 OK + code: 200 
+ duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1604 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "PyPI", + "name": "certifi" + }, + "version": "2026.4.22" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "chardet" + }, + "version": "3.0.4" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "click" + }, + "version": "8.3.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django" + }, + "version": "1.11.29" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "flask" + }, + "version": "1.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "idna" + }, + "version": "2.7" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "itsdangerous" + }, + "version": "2.2.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2" + }, + "version": "3.1.6" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "markupsafe" + }, + "version": "3.0.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "pytz" + }, + "version": "2026.1.post1" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "requests" + }, + "version": "2.20.0" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3" + }, + "version": "1.24.3" + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug" + }, + "version": "3.1.8" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/requirements.txt_transitive_native_source + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 2153 + body: | + { + "results": [ + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GHSA-68w8-qjq3-2gfm", + "modified": "2024-09-20T15:46:52.557962Z" + }, + { + "id": "GHSA-6w2r-r2m5-xq5w", + "modified": "2026-04-21T08:11:06.082206Z" + }, + { + "id": "GHSA-7xr5-9hcq-chf9", + "modified": "2026-02-04T03:48:05.224740Z" + }, + { + "id": 
"GHSA-8x94-hmjh-97hq", + "modified": "2026-02-04T02:45:55.690257Z" + }, + { + "id": "GHSA-frmv-pr5f-9mcr", + "modified": "2026-04-21T08:11:22.119438Z" + }, + { + "id": "GHSA-qw25-v68c-qjf3", + "modified": "2026-04-21T08:11:06.009868Z" + }, + { + "id": "GHSA-rrqc-c2jx-6jgv", + "modified": "2024-10-30T19:23:59.139649Z" + }, + { + "id": "PYSEC-2021-98", + "modified": "2023-12-06T01:01:16.755410Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-68rp-wp8r-4726", + "modified": "2026-02-23T23:43:45.778179Z" + }, + { + "id": "GHSA-m2qf-hxjv-5gpq", + "modified": "2025-02-21T05:42:17.337040Z" + }, + { + "id": "PYSEC-2023-62", + "modified": "2023-11-08T04:12:28.231927Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-jjg7-2v4v-x38h", + "modified": "2026-02-04T03:49:45.087439Z" + }, + { + "id": "PYSEC-2024-60", + "modified": "2024-07-11T17:42:33.704488Z" + } + ] + }, + {}, + {}, + {}, + {}, { "vulns": [ {
diff --git a/go.mod b/go.mod
index 5558b0b9b9b..5d76705b9cc 100644
--- a/go.mod
+++ b/go.mod
@@ -240,4 +240,5 @@ require (
 // github.com/containerd/containerd v1.7.x is incompatible with runtime-spec v1.3.0.
 // https://github.com/google/osv-scanner/pull/2705#issuecomment-4212012410
-replace github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.3.0
+// So this needs to be kept at v1.2.1
+replace github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.2.1
diff --git a/go.sum b/go.sum
index d76e4272f99..1b9fe32219f 100644
--- a/go.sum
+++ b/go.sum
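Review bot: The added comment `// So this needs to be kept at v1.2.1` records the pin but not its exit condition, so this `replace`, which holds runtime-spec below the version the module graph otherwise resolved (the go.sum hunk that follows drops the v1.3.0 entries), will tend to outlive the containerd v1.7.x incompatibility it works around; a `replace` is also not something routine dependency updates revisit on their own. Suggest stating the removal trigger and ending the sentence like the two comment lines above it: `// So this needs to be kept at v1.2.1 until containerd is upgraded past v1.7.x; remove the replace then.` The comment could also name the symptom a future maintainer would hit if the pin were dropped prematurely, which the linked PR discussion presumably records.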
@@ -375,8 +375,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
-github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
+github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
 github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4 h1:4zC49SlXs2waAuZJFEP1lAGf9Bgjg8SQww6y8C9znJ0=
From 44dfaf3f2c7c5f8059c02ec7739b27420f6ac21f Mon Sep 17 00:00:00 2001
From: Rex P
Date: Fri, 24 Apr 2026 16:27:07 +1000
Subject: [PATCH 3/3] Update snaps
---
 .../source/__snapshots__/command_test.snap | 30 +++++++------------
 1 file changed, 10 insertions(+), 20 deletions(-)
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index a3b8bd9c18e..dd458dba50f 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -2599,7 +2599,6 @@ Total 24 packages affected by 185 known vulnerabilities (19 Critical, 76 High, 5 --- [TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 1] -Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- 
@@ -5636,15 +5635,13 @@ No package sources found, --help for usage information. [TestCommand_Transitive/pom.xml_multiple_registries - 1] Scanned /testdata/maven-transitive/registry.xml file and found 2 packages -Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -8 vulnerabilities can be fixed. +Total 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +6 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml | -| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml | -| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml | 
@@ -5705,14 +5702,12 @@ No issues found Scanning dir ./testdata/maven-transitive/pom.xml Scanned /testdata/maven-transitive/pom.xml file and found 1 package -Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -7 vulnerabilities can be fixed. +Total 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +5 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ -| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/pom.xml | -| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/pom.xml | 
@@ -5729,14 +5724,12 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu [TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 1] Scanned /testdata/maven-transitive/abc.xml file and found 1 package -Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -7 vulnerabilities can be fixed. +Total 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +5 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ -| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/abc.xml | -| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/abc.xml | 
@@ -5753,15 +5746,13 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu [TestCommand_Transitive/pom.xml_transitive_native_source - 1] Scanned /testdata/maven-transitive/registry.xml file and found 2 packages -Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem. -8 vulnerabilities can be fixed. +Total 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. +6 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml | -| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml | -| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml | 
@@ -5789,8 +5780,8 @@ No package sources found, --help for usage information. Scanning dir ./testdata/locks-requirements/requirements.txt Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages -Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Medium, 1 Low, 0 Unknown) from 1 ecosystem. -13 vulnerabilities can be fixed. +Total 3 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 6 Medium, 1 Low, 0 Unknown) from 1 ecosystem. +12 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | @@ -5810,7 +5801,6 @@ Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Med | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | -| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ ---
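Review bot: The requests finding GHSA-gc5v-m9x4-r6x2 (fixed version 2.33.0) is removed from the expected output while requests remains pinned at 2.20.0 in the scanned file, so the snapshot now asserts that the scanner does not report an advisory whose fixed version is still above the installed one, with no rationale visible in the hunk. If the drop is due to upstream OSV data (withdrawal or a narrowed affected range) that is fine, but it should be recorded in the commit rather than appearing only as a regenerated snapshot, since a silently shrinking finding count is exactly what a matching regression in a scanner update would look like. If the tests replay recorded API responses, the re-recorded fixture should accompany this change; the second hunk here appears to end at the `---` snapshot separator, though trailing blank lines are not recoverable from this view.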