feat: enable swift/packageresolved plugin to detect SwiftURL vulnerabilities

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -5591,12 +5591,32 @@ Total 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medi
 
 ---
 
-[TestCommand_MoreLockfiles/Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned - 1]
-
----
-
-[TestCommand_MoreLockfiles/Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned - 2]
-could not determine extractor suitable to this file: "<rootdir>/testdata/locks-scalibr/Package.resolved"
+[TestCommand_MoreLockfiles/Package.resolved_-_SwiftURL_ecosystem_vulnerabilities_detected - 1]
+Scanned <rootdir>/testdata/locks-scalibr/Package.resolved file and found 2 packages
+
+Total 2 packages affected by 12 known vulnerabilities (5 Critical, 5 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
+12 vulnerabilities can be fixed.
+
++-------------------------------------+------+-----------+----------------------------------+---------+---------------+-----------------------------------------+
+| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                          | VERSION | FIXED VERSION | SOURCE                                  |
++-------------------------------------+------+-----------+----------------------------------+---------+---------------+-----------------------------------------+
+| https://osv.dev/GHSA-ccw9-q5h2-8c2w | 7.5  | SwiftURL  | github.com/apple/swift-nio-http2 | 1.19.1  | 1.19.2        | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-pgfx-g6rc-8cjv | 7.5  | SwiftURL  | github.com/apple/swift-nio-http2 | 1.19.1  | 1.19.2        | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-q36x-r5x4-h4q6 | 7.5  | SwiftURL  | github.com/apple/swift-nio-http2 | 1.19.1  | 1.20          | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-qppj-fm5r-hxr3 | 6.9  | SwiftURL  | github.com/apple/swift-nio-http2 | 1.19.1  | 1.28.0        | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-w3f6-pc54-gfw7 | 7.5  | SwiftURL  | github.com/apple/swift-nio-http2 | 1.19.1  | 1.19.2        | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-xvr7-p2c6-j83w | 6.3  | SwiftURL  | github.com/apple/swift-nio-http2 | 1.19.1  | 1.38.0        | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-84m3-f99p-cqx5 | 9.8  | SwiftURL  | github.com/pytorch/executorch    | 0.6.0   | 0.7.0         | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-9m39-3mf3-xwch | 9.8  | SwiftURL  | github.com/pytorch/executorch    | 0.6.0   | 0.7.0         | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-f9hx-c6jf-3qxm | 9.8  | SwiftURL  | github.com/pytorch/executorch    | 0.6.0   | 0.7.0         | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-h952-963h-rv99 | 8.1  | SwiftURL  | github.com/pytorch/executorch    | 0.6.0   | 0.7.0-rc1     | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-hj95-mhgf-jxc4 | 9.8  | SwiftURL  | github.com/pytorch/executorch    | 0.6.0   | 0.7.0         | testdata/locks-scalibr/Package.resolved |
+| https://osv.dev/GHSA-xc7w-r669-48pf | 9.8  | SwiftURL  | github.com/pytorch/executorch    | 0.6.0   | 0.7.0         | testdata/locks-scalibr/Package.resolved |
++-------------------------------------+------+-----------+----------------------------------+---------+---------------+-----------------------------------------+
+
+---
+
+[TestCommand_MoreLockfiles/Package.resolved_-_SwiftURL_ecosystem_vulnerabilities_detected - 2]
 
 ---
 

cmd/osv-scanner/scan/source/command_test.go

@@ -1448,9 +1448,9 @@ func TestCommand_MoreLockfiles(t *testing.T) {
 			Exit: 127,
 		},
 		{
-			Name: "Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned",
+			Name: "Package.resolved_-_SwiftURL_ecosystem_vulnerabilities_detected",
 			Args: []string{"", "source", "-L", "./testdata/locks-scalibr/Package.resolved"},
-			Exit: 127,
+			Exit: 1,
 		},
 	}
 

cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml

@@ -1,6 +1,112 @@
 ---
 version: 2
 interactions:
+  - request:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 320
+      host: api.osv.dev
+      body: |
+        {
+          "queries": [
+            {
+              "package": {
+                "ecosystem": "SwiftURL",
+                "name": "github.com/apple/swift-nio-http2"
+              },
+              "version": "1.19.1"
+            },
+            {
+              "package": {
+                "ecosystem": "SwiftURL",
+                "name": "github.com/pytorch/executorch"
+              },
+              "version": "0.6.0"
+            }
+          ]
+        }
+      headers:
+        Content-Type:
+          - application/json
+        X-Test-Name:
+          - TestCommand_MoreLockfiles/Package.resolved_-_SwiftURL_ecosystem_vulnerabilities_detected
+      url: https://api.osv.dev/v1/querybatch
+      method: POST
+    response:
+      proto: HTTP/2.0
+      proto_major: 2
+      proto_minor: 0
+      content_length: 870
+      body: |
+        {
+          "results": [
+            {
+              "vulns": [
+                {
+                  "id": "GHSA-ccw9-q5h2-8c2w",
+                  "modified": "2026-03-13T22:16:05.730538Z"
+                },
+                {
+                  "id": "GHSA-pgfx-g6rc-8cjv",
+                  "modified": "2026-03-13T22:15:43.660704Z"
+                },
+                {
+                  "id": "GHSA-q36x-r5x4-h4q6",
+                  "modified": "2026-03-13T22:00:55.841732Z"
+                },
+                {
+                  "id": "GHSA-qppj-fm5r-hxr3",
+                  "modified": "2026-02-04T04:29:21.661957Z"
+                },
+                {
+                  "id": "GHSA-w3f6-pc54-gfw7",
+                  "modified": "2026-03-13T22:00:49.815336Z"
+                },
+                {
+                  "id": "GHSA-xvr7-p2c6-j83w",
+                  "modified": "2025-08-13T23:54:02Z"
+                }
+              ]
+            },
+            {
+              "vulns": [
+                {
+                  "id": "GHSA-84m3-f99p-cqx5",
+                  "modified": "2026-05-07T13:32:58.196893Z"
+                },
+                {
+                  "id": "GHSA-9m39-3mf3-xwch",
+                  "modified": "2026-05-07T13:33:50.860315Z"
+                },
+                {
+                  "id": "GHSA-f9hx-c6jf-3qxm",
+                  "modified": "2026-05-07T13:36:00.634274Z"
+                },
+                {
+                  "id": "GHSA-h952-963h-rv99",
+                  "modified": "2026-05-07T13:33:30.863102Z"
+                },
+                {
+                  "id": "GHSA-hj95-mhgf-jxc4",
+                  "modified": "2026-05-07T13:47:26.126428Z"
+                },
+                {
+                  "id": "GHSA-xc7w-r669-48pf",
+                  "modified": "2026-05-07T13:48:33.005089Z"
+                }
+              ]
+            }
+          ]
+        }
+      headers:
+        Content-Length:
+          - "870"
+        Content-Type:
+          - application/json
+      status: 200 OK
+      code: 200
+      duration: 0s
   - request:
       proto: HTTP/1.1
       proto_major: 1

cmd/osv-scanner/scan/source/testdata/go-project/main.go

@@ -0,0 +1,4 @@
+// Package main is a minimal Go package for govulncheck testdata.
+package main
+
+func main() {}

cmd/osv-scanner/scan/source/testdata/go-project/nested/main.go

@@ -0,0 +1,4 @@
+// Package main is a minimal Go package for govulncheck testdata.
+package main
+
+func main() {}