diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index a1bf9a28a4c..363f8cbd714 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -96,6 +96,7 @@ unsupported output format "unknown" - must be one of: table, vertical, json, mar [TestRun/Empty_cyclonedx_1.4_output - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml --- @@ -114,6 +115,7 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package [TestRun/Empty_cyclonedx_1.5_output - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml --- @@ -124,6 +126,7 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package [TestRun/Empty_gh-annotations_output - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml --- @@ -151,6 +154,7 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package [TestRun/Empty_sarif_output - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml --- @@ -515,6 +519,7 @@ invalid verbosity level "unknown" - must be one of: error, warn, info, verbose [TestRun/json_output_1 - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml --- 
@@ -534,6 +539,7 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package [TestRun/json_output_2 - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml --- @@ -552,6 +558,7 @@ No issues found [TestRun/one_specific_supported_lockfile - 1] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- @@ -612,6 +619,7 @@ No issues found [TestRun/verbosity_level_=_info - 1] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- @@ -1174,6 +1182,7 @@ Scanned /fixtures/locks-many/package-lock.json file and found 1 package [TestRun_LocalDatabases/#00 - 1] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found @@ -1186,6 +1195,7 @@ No issues found [TestRun_LocalDatabases/#00 - 3] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found 
@@ -1390,11 +1400,11 @@ Scanned /fixtures/locks-many/alpine.cdx.xml as CycloneDX SBOM and found Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip -Loaded filter from: /fixtures/locks-many/osv-scanner.toml GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file Filtered 1 vulnerability from output No issues found @@ -1412,11 +1422,11 @@ Scanned /fixtures/locks-many/alpine.cdx.xml as CycloneDX SBOM and found Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip -Loaded filter from: /fixtures/locks-many/osv-scanner.toml GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file Filtered 1 vulnerability from output No issues found @@ -1593,6 +1603,7 @@ No issues found [TestRun_LocalDatabases/#09 - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- 
@@ -1613,6 +1624,7 @@ Loaded Packagist local db from /osv-scanner/Packagist/all.zip [TestRun_LocalDatabases/#09 - 4] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- @@ -1633,6 +1645,7 @@ Loaded Packagist local db from /osv-scanner/Packagist/all.zip [TestRun_LocalDatabases/#10 - 2] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- @@ -1653,6 +1666,7 @@ Loaded Packagist local db from /osv-scanner/Packagist/all.zip [TestRun_LocalDatabases/#10 - 4] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- @@ -1660,6 +1674,7 @@ Loaded Packagist local db from /osv-scanner/Packagist/all.zip [TestRun_LocalDatabases/#11 - 1] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found @@ -1672,6 +1687,7 @@ No issues found [TestRun_LocalDatabases/#11 - 3] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found 
@@ -1710,6 +1726,7 @@ could not determine extractor, requested my-file [TestRun_LockfileWithExplicitParseAs/#01 - 1] Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- @@ -1811,6 +1828,7 @@ Scanned /fixtures/locks-insecure/composer.lock file and found 1 package [TestRun_LockfileWithExplicitParseAs/#09 - 1] Scanned /fixtures/locks-many/installed file as a apk-installed and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- @@ -1821,6 +1839,7 @@ No issues found [TestRun_LockfileWithExplicitParseAs/#10 - 1] Scanned /fixtures/locks-many/status file as a dpkg-status and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- @@ -2033,6 +2052,7 @@ Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the [TestRun_SubCommands/with_no_subcommand - 1] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- @@ -2044,6 +2064,7 @@ No issues found [TestRun_SubCommands/with_scan_subcommand - 1] Scanning dir ./fixtures/locks-many/composer.lock Scanned /fixtures/locks-many/composer.lock file and found 1 package +Loaded filter from: /fixtures/locks-many/osv-scanner.toml No issues found --- diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index b5b0aadb05f..d681912d2a9 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go 
@@ -683,19 +683,6 @@ func filterResults(r reporter.Reporter, results *models.VulnerabilityResults, co // Filters package-grouped vulnerabilities according to config, preserving ordering. Returns filtered package vulnerabilities. func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, configToUse config.Config, unimportantCount *int) models.PackageVulns { - if ignore, ignoreLine := configToUse.ShouldIgnorePackageVersion(pkgVulns.Package.Name, pkgVulns.Package.Version, pkgVulns.Package.Ecosystem); ignore { - pkgString := fmt.Sprintf("%s/%s/%s", pkgVulns.Package.Ecosystem, pkgVulns.Package.Name, pkgVulns.Package.Version) - switch len(pkgVulns.Vulnerabilities) { - case 1: - r.Infof("1 vulnerability for the package %s has been filtered out because: %s\n", pkgString, ignoreLine.Reason) - default: - r.Infof("%d vulnerabilities for the package %s have been filtered out because: %s\n", len(pkgVulns.Vulnerabilities), pkgString, ignoreLine.Reason) - } - pkgVulns.Groups = nil - pkgVulns.Vulnerabilities = nil - - return pkgVulns - } ignoredVulns := map[string]struct{}{} // Ignores all unimportant vulnerabilities. 
@@ -887,10 +874,16 @@ func DoScan(actions ScannerActions, r reporter.Reporter) (models.VulnerabilityRe return models.VulnerabilityResults{}, NoPackagesFoundErr } - filteredScannedPackages := filterUnscannablePackages(scannedPackages) + filteredScannedPackagesWithoutUnscannable := filterUnscannablePackages(scannedPackages) - if len(filteredScannedPackages) != len(scannedPackages) { - r.Infof("Filtered %d local package/s from the scan.\n", len(scannedPackages)-len(filteredScannedPackages)) + if len(filteredScannedPackagesWithoutUnscannable) != len(scannedPackages) { + r.Infof("Filtered %d local package/s from the scan.\n", len(scannedPackages)-len(filteredScannedPackagesWithoutUnscannable)) + } + + filteredScannedPackages := filterIgnoredPackages(r, filteredScannedPackagesWithoutUnscannable, &configManager) + + if len(filteredScannedPackages) != len(filteredScannedPackagesWithoutUnscannable) { + r.Infof("Filtered %d ignored package/s from the scan.\n", len(filteredScannedPackagesWithoutUnscannable)-len(filteredScannedPackages)) } overrideGoVersion(r, filteredScannedPackages, &configManager) 
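Review bot: The new filterIgnoredPackages call removes an ignored package from filteredScannedPackages before anything is queried, whereas the branch the earlier hunk deletes from filterPackageVulns kept the package in the results with only Groups and Vulnerabilities cleared; any output mode that lists scanned packages will now omit ignored packages instead of showing them as suppressed, and the per-package count of suppressed vulnerabilities that the old branch logged is gone. If that is intended, it should be stated wherever the ignore option is documented, since someone auditing suppressions can no longer see that the package was present at all. The call also runs before `overrideGoVersion(r, filteredScannedPackages, &configManager)`, so a ShouldIgnorePackageVersion rule is now matched against the pre-override version, while the removed check presumably saw results built from the overridden one; if that is not wanted, move the filterIgnoredPackages call and its log line below overrideGoVersion. DoScan starts and ends outside this hunk.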
@@ -969,6 +962,23 @@ func filterUnscannablePackages(packages []scannedPackage) []scannedPackage { return out } +// filterIgnoredPackages removes ignore scanned packages according to config. Returns filtered scanned packages. +func filterIgnoredPackages(r reporter.Reporter, packages []scannedPackage, configManager *config.ConfigManager) []scannedPackage { + out := make([]scannedPackage, 0, len(packages)) + for _, p := range packages { + configToUse := configManager.Get(r, p.Source.Path) + if ignore, ignoreLine := configToUse.ShouldIgnorePackageVersion(p.Name, p.Version, string(p.Ecosystem)); ignore { + pkgString := fmt.Sprintf("%s/%s/%s", p.Ecosystem, p.Name, p.Version) + r.Infof("Package %s has been filtered out because: %s\n", pkgString, ignoreLine.Reason) + + continue + } + out = append(out, p) + } + + return out +} + // patchPackageForRequest modifies packages before they are sent to osv.dev to // account for edge cases. func patchPackageForRequest(pkg scannedPackage) scannedPackage {
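Review bot: The doc comment on filterIgnoredPackages has a typo and understates the contract: `removes ignore scanned packages` should read `// filterIgnoredPackages drops every package whose per-source config (configManager.Get on p.Source.Path) reports ShouldIgnorePackageVersion, logging each drop with its reason; the remaining packages are returned in their original order.` configManager.Get is now invoked once per scanned package rather than only for packages with findings, which is presumably why the snapshot hunks above show `Loaded filter from:` on every run including ones that end in "No issues found"; if ConfigManager does not cache per path (not visible here), the lookup should be hoisted per distinct p.Source.Path. The new log line also cannot report how many vulnerabilities were suppressed, because the package is never queried; making that explicit, e.g. `r.Infof("Package %s has been excluded from the scan because: %s\n", pkgString, ignoreLine.Reason)`, avoids readers assuming zero findings were filtered.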