chore: add osv-scanner.toml files to make Scorecard ignore vulnerab…

…ilities in our test fixtures (#1202)

Scorecard is currently giving us a 0 for our Vulnerabilities score,
because the lockfiles in our test fixtures are intentionally vulnerable.

I think currently to only way to ignore them in Scorecard is by [using
our own `osv-scanner.toml`
file](https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities)
for each lockfile. We have some of these already from #329, but they
seem to be a bit out of date, and I didn't make any new ones when I
added the tests for guided remediation.

There are a lot of vulnerabilities in these files and we'd want to make
sure newly discovered vulns are also ignored. #1155 would definitely
make this nicer.

CONTRIBUTING.md

@@ -94,6 +94,8 @@ You can regenerate snapshots by setting `UPDATE_SNAPS=true` when running tests:
 UPDATE_SNAPS=true ./scripts/run_tests.sh
 ```
 
+If adding a lockfile with known vulnerabilities for test data, also add an [`osv-scanner.toml`](https://google.github.io/osv-scanner/configuration/) config file to exclude those vulnerabilities from scans of the repository.
+
 ### Linting
 
 To lint your code, run

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -157,7 +157,6 @@ Scanned <rootdir>/fixtures/locks-many/composer.lock file and found 1 package
 [TestRun/Go_project_with_an_overridden_go_version - 1]
 Scanning dir ./fixtures/go-project
 Scanned <rootdir>/fixtures/go-project/go.mod file and found 1 package
-Loaded filter from: <rootdir>/fixtures/go-project/osv-scanner.toml
 +------------------------------+------+-----------+---------+---------+----------------------------+
 | OSV URL                      | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE                     |
 +------------------------------+------+-----------+---------+---------+----------------------------+
@@ -183,13 +182,11 @@ Loaded filter from: <rootdir>/fixtures/go-project/osv-scanner.toml
 [TestRun/PURL_SBOM_case_sensitivity_(api) - 1]
 Scanning dir ./fixtures/sbom-insecure/alpine.cdx.xml
 Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages
-Loaded filter from: <rootdir>/fixtures/sbom-insecure/osv-scanner.toml
-CVE-2022-37434 has been filtered out because: This is a intentionally vulnerable test sbom
-Filtered 1 vulnerability from output
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+
 | OSV URL                        | CVSS | ECOSYSTEM | PACKAGE | VERSION   | SOURCE                                |
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+
 | https://osv.dev/CVE-2018-25032 | 7.5  | Alpine    | zlib    | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
+| https://osv.dev/CVE-2022-37434 | 9.8  | Alpine    | zlib    | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+
 
 ---
@@ -202,9 +199,6 @@ Filtered 1 vulnerability from output
 Scanning dir ./fixtures/sbom-insecure/alpine.cdx.xml
 Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages
 Loaded Alpine local db from <tempdir>/osv-scanner/Alpine/all.zip
-Loaded filter from: <rootdir>/fixtures/sbom-insecure/osv-scanner.toml
-CVE-2022-37434 has been filtered out because: This is a intentionally vulnerable test sbom
-Filtered 1 vulnerability from output
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+
 | OSV URL                        | CVSS | ECOSYSTEM | PACKAGE | VERSION   | SOURCE                                |
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+
@@ -213,6 +207,7 @@ Filtered 1 vulnerability from output
 | https://osv.dev/CVE-2016-9842  | 8.8  | Alpine    | zlib    | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
 | https://osv.dev/CVE-2016-9843  | 9.8  | Alpine    | zlib    | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
 | https://osv.dev/CVE-2018-25032 | 7.5  | Alpine    | zlib    | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
+| https://osv.dev/CVE-2022-37434 | 9.8  | Alpine    | zlib    | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
 +--------------------------------+------+-----------+---------+-----------+---------------------------------------+
 
 ---

cmd/osv-scanner/fix/fixtures/in-place-npm/osv-scanner.toml

@@ -0,0 +1,35 @@
+[[PackageOverrides]]
+name = "chownr"
+ecosystem = "npm"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "concat-stream"
+ecosystem = "npm"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "hosted-git-info"
+ecosystem = "npm"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "request"
+ecosystem = "npm"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "semver"
+ecosystem = "npm"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "tough-cookie"
+ecosystem = "npm"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fix/fixtures/override-maven/osv-scanner.toml

@@ -0,0 +1,23 @@
+[[PackageOverrides]]
+name = "commons-io:commons-io"
+ecosystem = "Maven"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "org.apache.httpcomponents:httpclient"
+ecosystem = "Maven"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "org.codehaus.plexus:plexus-utils"
+ecosystem = "Maven"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
+
+[[PackageOverrides]]
+name = "org.jsoup:jsoup"
+ecosystem = "Maven"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fixtures/call-analysis-go-project/osv-scanner.toml

@@ -1,24 +1,23 @@
-[[IgnoredVulns]]
-id = "GO-2021-0053"
-# ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test project"
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
 
-[[IgnoredVulns]]
-id = "GO-2023-1558"
-# ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test project"
+[[PackageOverrides]]
+name = "golang.org/x/image"
+ecosystem = "Go"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
 
-[[IgnoredVulns]]
-id = "GO-2023-1572"
-# ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test project"
+[[PackageOverrides]]
+name = "github.com/ipfs/go-bitfield"
+ecosystem = "Go"
+ignore = true
+reason = "This is an intentionally vulnerable test project"
 
-[[IgnoredVulns]]
-id = "GO-2023-1989"
-# ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test project"
-
-[[IgnoredVulns]]
-id = "GO-2023-1990"
-# ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test project"
+[[PackageOverrides]]
+name = "github.com/gogo/protobuf"
+ecosystem = "Go"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fixtures/go-project/go-version-config.toml

@@ -0,0 +1 @@
+GoVersionOverride = "1.21.7"

cmd/osv-scanner/fixtures/go-project/osv-scanner.toml

@@ -1 +1,5 @@
-GoVersionOverride = "1.21.7"
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fixtures/locks-insecure/osv-scanner.toml

@@ -0,0 +1,5 @@
+[[PackageOverrides]]
+name = "league/flysystem"
+ecosystem = "Packagist"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fixtures/maven-transitive/osv-scanner.toml

@@ -0,0 +1,5 @@
+[[PackageOverrides]]
+name = "org.apache.logging.log4j:log4j-core"
+ecosystem = "Maven"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml

@@ -1,54 +1,64 @@
 [[IgnoredVulns]]
 id = "GO-2022-0274"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "GO-2022-0493"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "GHSA-vpvm-3wq2-2wvm"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "GHSA-m8cg-xc2p-r3fc"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "GHSA-g2j6-57v7-gm8c"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "GHSA-f3fp-gc8g-vw66"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "DLA-3008-1"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "DLA-3012-1"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "DLA-3022-1"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "DLA-3051-1"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
 
 [[IgnoredVulns]]
 id = "CVE-2022-37434"
 # ignoreUntil = n/a
-reason = "This is a intentionally vulnerable test sbom"
+reason = "This is an intentionally vulnerable test sbom"
+
+[[IgnoredVulns]]
+id = "CVE-2018-25032"
+# ignoreUntil = n/a
+reason = "This is an intentionally vulnerable test sbom"
+
+[[IgnoredVulns]]
+id = "GHSA-xr7r-f8xq-vfvv"
+# ignoreUntil = n/a
+reason = "This is an intentionally vulnerable test sbom"

cmd/osv-scanner/main_test.go

@@ -255,7 +255,7 @@ func TestRun(t *testing.T) {
 		},
 		{
 			name: "cyclonedx 1.4 output",
-			args: []string{"", "--format", "cyclonedx-1-4", "--experimental-all-packages", "./fixtures/locks-insecure"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-4", "--experimental-all-packages", "./fixtures/locks-insecure"},
 			exit: 1,
 		},
 		// output format: cyclonedx 1.5
@@ -266,7 +266,7 @@ func TestRun(t *testing.T) {
 		},
 		{
 			name: "cyclonedx 1.5 output",
-			args: []string{"", "--format", "cyclonedx-1-5", "--experimental-all-packages", "./fixtures/locks-insecure"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-5", "--experimental-all-packages", "./fixtures/locks-insecure"},
 			exit: 1,
 		},
 		// output format: unsupported
@@ -298,18 +298,18 @@ func TestRun(t *testing.T) {
 		},
 		{
 			name: "PURL SBOM case sensitivity (api)",
-			args: []string{"", "--format", "table", "./fixtures/sbom-insecure/alpine.cdx.xml"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--format", "table", "./fixtures/sbom-insecure/alpine.cdx.xml"},
 			exit: 1,
 		},
 		{
 			name: "PURL SBOM case sensitivity (local)",
-			args: []string{"", "--experimental-offline", "--experimental-download-offline-databases", "--format", "table", "./fixtures/sbom-insecure/alpine.cdx.xml"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--experimental-offline", "--experimental-download-offline-databases", "--format", "table", "./fixtures/sbom-insecure/alpine.cdx.xml"},
 			exit: 1,
 		},
 		// Go project with an overridden go version
 		{
 			name: "Go project with an overridden go version",
-			args: []string{"", "./fixtures/go-project"},
+			args: []string{"", "--config=./fixtures/go-project/go-version-config.toml", "./fixtures/go-project"},
 			exit: 0,
 		},
 	}
@@ -399,6 +399,7 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 			name: "",
 			args: []string{
 				"",
+				"--config=./fixtures/osv-scanner-empty-config.toml",
 				"-L",
 				"package-lock.json:" + filepath.FromSlash("./fixtures/locks-insecure/my-package-lock.json"),
 				filepath.FromSlash("./fixtures/locks-insecure"),
@@ -410,6 +411,7 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 			name: "",
 			args: []string{
 				"",
+				"--config=./fixtures/osv-scanner-empty-config.toml",
 				"-L", "package-lock.json:" + filepath.FromSlash("./fixtures/locks-insecure/my-package-lock.json"),
 				"-L", "yarn.lock:" + filepath.FromSlash("./fixtures/locks-insecure/my-yarn.lock"),
 				filepath.FromSlash("./fixtures/locks-insecure"),
@@ -420,6 +422,7 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 			name: "",
 			args: []string{
 				"",
+				"--config=./fixtures/osv-scanner-empty-config.toml",
 				"-L", "yarn.lock:" + filepath.FromSlash("./fixtures/locks-insecure/my-yarn.lock"),
 				"-L", "package-lock.json:" + filepath.FromSlash("./fixtures/locks-insecure/my-package-lock.json"),
 				filepath.FromSlash("./fixtures/locks-insecure"),
@@ -486,12 +489,12 @@ func TestRun_GithubActions(t *testing.T) {
 	tests := []cliTestCase{
 		{
 			name: "scanning osv-scanner custom format",
-			args: []string{"", "-L", "osv-scanner:./fixtures/locks-insecure/osv-scanner-flutter-deps.json"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "osv-scanner:./fixtures/locks-insecure/osv-scanner-flutter-deps.json"},
 			exit: 1,
 		},
 		{
 			name: "scanning osv-scanner custom format output json",
-			args: []string{"", "-L", "osv-scanner:./fixtures/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "osv-scanner:./fixtures/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},
 			exit: 1,
 		},
 	}
@@ -834,18 +837,18 @@ func TestRun_MavenTransitive(t *testing.T) {
 	tests := []cliTestCase{
 		{
 			name: "scans transitive dependencies for pom.xml by default",
-			args: []string{"", "./fixtures/maven-transitive/pom.xml"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "./fixtures/maven-transitive/pom.xml"},
 			exit: 1,
 		},
 		{
 			name: "scans transitive dependencies by specifying pom.xml",
-			args: []string{"", "-L", "pom.xml:./fixtures/maven-transitive/abc.xml"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "pom.xml:./fixtures/maven-transitive/abc.xml"},
 			exit: 1,
 		},
 		{
 			// Direct dependencies do not have any vulnerability.
 			name: "does not scan transitive dependencies for pom.xml with offline mode",
-			args: []string{"", "--experimental-offline", "--experimental-download-offline-databases", "./fixtures/maven-transitive/pom.xml"},
+			args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "--experimental-offline", "--experimental-download-offline-databases", "./fixtures/maven-transitive/pom.xml"},
 			exit: 0,
 		},
 	}

internal/image/fixtures/package-tracing-fixture/osv-scanner.toml

@@ -0,0 +1,5 @@
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+ignore = true
+reason = "This is an intentionally vulnerable test project"

internal/remediation/fixtures/maven-classifier/osv-scanner.toml

@@ -0,0 +1,5 @@
+[[PackageOverrides]]
+name = "org.yaml:snakeyaml"
+ecosystem = "Maven"
+ignore = true
+reason = "This is an intentionally vulnerable test project"