Updating docs branch for the release. #689
Conversation
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://github.com/github/codeql-action) | action | patch | `v2.22.3` -> `v2.22.4` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | action | patch | `v2.3.0` -> `v2.3.1` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.22.4`](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

[Compare Source](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

### [`v2.3.1`](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

[Compare Source](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [jekyll-feed](https://github.com/jekyll/jekyll-feed) | `0.15.1` -> `0.17.0` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>jekyll/jekyll-feed (jekyll-feed)</summary>

### [`v0.17.0`](https://github.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0170--2022-10-14)

[Compare Source](https://github.com/jekyll/jekyll-feed/compare/v0.16.0...v0.17.0)

##### Documentation

- Update CI status badge ([#​363](https://github.com/jekyll/jekyll-feed/issues/363))

##### Development Fixes

- Add Ruby 3.1 to the CI matrix ([#​365](https://github.com/jekyll/jekyll-feed/issues/365))

##### Minor Enhancements

- Allow disabling of jekyll-feed while in development ([#​370](https://github.com/jekyll/jekyll-feed/issues/370))

### [`v0.16.0`](https://github.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0160--2022-01-03)

[Compare Source](https://github.com/jekyll/jekyll-feed/compare/v0.15.1...v0.16.0)

##### Minor Enhancements

- Add support for `page.description` in front matter to become entry `<summary>` ([#​297](https://github.com/jekyll/jekyll-feed/issues/297))

##### Bug Fixes

- Fold private methods into the `:render` method as local variables ([#​327](https://github.com/jekyll/jekyll-feed/issues/327))
- Check `post.categories` instead of `post.category` ([#​357](https://github.com/jekyll/jekyll-feed/issues/357))
- Switched xml_escape for `<![CDATA[]]>` for post content ([#​332](https://github.com/jekyll/jekyll-feed/issues/332))

##### Development Fixes

- Add Ruby 3.0 to CI ([#​337](https://github.com/jekyll/jekyll-feed/issues/337))
- Lock RuboCop to v1.18.x ([#​348](https://github.com/jekyll/jekyll-feed/issues/348))
- Add workflow to release gem via GH Action ([#​355](https://github.com/jekyll/jekyll-feed/issues/355))

##### Documentation

- Use `.atom` extension in documented examples since we write an Atom feed ([#​359](https://github.com/jekyll/jekyll-feed/issues/359))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://github.com/github/codeql-action) | action | patch | `v2.22.4` -> `v2.22.5` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.22.5`](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

[Compare Source](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | require | minor | `v5.9.0` -> `v5.10.0` |
| [github.com/ianlancetaylor/demangle](https://github.com/ianlancetaylor/demangle) | require | digest | `eabc099` -> `e2daf7b` |
| [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) | require | patch | `v6.4.8` -> `v6.4.9` |

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

### [`v5.10.0`](https://github.com/go-git/go-git/releases/tag/v5.10.0)

[Compare Source](https://github.com/go-git/go-git/compare/v5.9.0...v5.10.0)

#### What's Changed

- PlainInitOptions.Bare and allow using InitOptions with PlainInitWithOptions by [@​ThinkChaos](https://github.com/ThinkChaos) in [https://github.com/go-git/go-git/pull/782](https://github.com/go-git/go-git/pull/782)
- Worktree, apply ProxyOption on Pull by [@​nodivbyzero](https://github.com/nodivbyzero) in [https://github.com/go-git/go-git/pull/840](https://github.com/go-git/go-git/pull/840)
- Repository: add clone --shared feature by [@​enverbisevac](https://github.com/enverbisevac) in [https://github.com/go-git/go-git/pull/860](https://github.com/go-git/go-git/pull/860)
- build: Add github workflow to check commit message format by [@​pjbgf](https://github.com/pjbgf) in [https://github.com/go-git/go-git/pull/867](https://github.com/go-git/go-git/pull/867)
- Improve handling of remote errors by [@​makkes](https://github.com/makkes) in [https://github.com/go-git/go-git/pull/866](https://github.com/go-git/go-git/pull/866)
- build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/873](https://github.com/go-git/go-git/pull/873)
- plumbing: commitgraph, Add generation v2 support by [@​zeripath](https://github.com/zeripath) in [https://github.com/go-git/go-git/pull/869](https://github.com/go-git/go-git/pull/869)
- plumbing: protocol/packp, Add validation for decodeLine by [@​pjbgf](https://github.com/pjbgf) in [https://github.com/go-git/go-git/pull/868](https://github.com/go-git/go-git/pull/868)
- plumbing: parse the encoding header of the commit object by [@​liwenqiu](https://github.com/liwenqiu) in [https://github.com/go-git/go-git/pull/761](https://github.com/go-git/go-git/pull/761)
- plumbing: commitgraph, allow SHA256 commit-graphs by [@​zeripath](https://github.com/zeripath) in [https://github.com/go-git/go-git/pull/853](https://github.com/go-git/go-git/pull/853)
- plumbing: commitgraph, Allow reading commit-graph chains by [@​zeripath](https://github.com/zeripath) in [https://github.com/go-git/go-git/pull/854](https://github.com/go-git/go-git/pull/854)
- plumbing/object: Support mergetag in merge commits by [@​adityasaky](https://github.com/adityasaky) in [https://github.com/go-git/go-git/pull/847](https://github.com/go-git/go-git/pull/847)

#### New Contributors

- [@​nodivbyzero](https://github.com/nodivbyzero) made their first contribution in [https://github.com/go-git/go-git/pull/840](https://github.com/go-git/go-git/pull/840)
- [@​adityasaky](https://github.com/adityasaky) made their first contribution in [https://github.com/go-git/go-git/pull/847](https://github.com/go-git/go-git/pull/847)
- [@​hezhizhen](https://github.com/hezhizhen) made their first contribution in [https://github.com/go-git/go-git/pull/836](https://github.com/go-git/go-git/pull/836)
- [@​0x34d](https://github.com/0x34d) made their first contribution in [https://github.com/go-git/go-git/pull/855](https://github.com/go-git/go-git/pull/855)
- [@​liwenqiu](https://github.com/liwenqiu) made their first contribution in [https://github.com/go-git/go-git/pull/761](https://github.com/go-git/go-git/pull/761)
- [@​enverbisevac](https://github.com/enverbisevac) made their first contribution in [https://github.com/go-git/go-git/pull/860](https://github.com/go-git/go-git/pull/860)
- [@​makkes](https://github.com/makkes) made their first contribution in [https://github.com/go-git/go-git/pull/866](https://github.com/go-git/go-git/pull/866)

**Full Changelog**: go-git/go-git@v5.9.0...v5.10.0

</details>

<details>
<summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary>

### [`v6.4.9`](https://github.com/jedib0t/go-pretty/releases/tag/v6.4.9)

[Compare Source](https://github.com/jedib0t/go-pretty/compare/v6.4.8...v6.4.9)

### Bug-Fixes

- **table** - do not merge content cells with empty ones ([#​280](https://github.com/jedib0t/go-pretty/issues/280))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).

Using https://github.com/charlesneimog/pd-server (at cf3f15a) as the example:

With submodules not initialized:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬──────────────────────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼──────────────────────────────┤
│ https://osv.dev/CVE-2023-26130 │ 8.8 │ GIT │ 227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴──────────────────────────────╯
exit status 1
```

With submodules initialized:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
Scanned /home/apollock/pd-server/src/json/docs/mkdocs/requirements.txt file and found 49 packages
Scanned /home/apollock/pd-server/src/json/tools/serve_header/requirements.txt file and found 2 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬────────────────────────────────────────────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼────────────────────────────────────────────────────┤
│ https://osv.dev/CVE-2023-26130 │ 8.8 │ GIT │ 227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │
│ https://osv.dev/GHSA-xqr8-7jwr-rhp7 │ 7.5 │ PyPI │ certifi │ 2022.12.7 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-135 │ │ │ │ │ │
│ https://osv.dev/GHSA-v3c5-jqr6-7qm8 │ 7.5 │ PyPI │ future │ 0.18.2 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2022-42991 │ │ │ │ │ │
│ https://osv.dev/GHSA-cwvm-v4w8-q58c │ 6.5 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-165 │ │ │ │ │ │
│ https://osv.dev/GHSA-hcpj-qp55-gfph │ 8.1 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2022-42992 │ │ │ │ │ │
│ https://osv.dev/GHSA-pr76-5cm5-w9cj │ 9.8 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-137 │ │ │ │ │ │
│ https://osv.dev/GHSA-wfm5-v35h-vwf4 │ 7.8 │ PyPI │ gitpython │ 3.1.29 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-161 │ │ │ │ │ │
│ https://osv.dev/GHSA-mrwq-x4v8-fh7p │ 5.5 │ PyPI │ pygments │ 2.13.0 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-117 │ │ │ │ │ │
│ https://osv.dev/GHSA-jh85-wwv9-24hv │ 7.5 │ PyPI │ pymdown-extensions │ 9.9 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/GHSA-j8r2-6x86-q33q │ 6.1 │ PyPI │ requests │ 2.28.1 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-74 │ │ │ │ │ │
│ https://osv.dev/GHSA-hj3f-6gcp-jg8j │ 6.1 │ PyPI │ tornado │ 6.2 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-75 │ │ │ │ │ │
│ https://osv.dev/GHSA-qppv-j76h-2rpx │ │ PyPI │ tornado │ 6.2 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/GHSA-g4mx-q9vg-27p4 │ 4.2 │ PyPI │ urllib3 │ 1.26.13 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-212 │ │ │ │ │ │
│ https://osv.dev/GHSA-v845-jxx5-vc9f │ 8.1 │ PyPI │ urllib3 │ 1.26.13 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-192 │ │ │ │ │ │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────────┴─────────────────────┴────────────────────────────────────────────────────╯
exit status 1
```
as it's very likely to be found in a lot of circumstances (e.g. running in CI). See #620 for more context.
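The scan above reads each submodule's pinned commit from the parent repository's tree rather than from an initialised checkout, which is what makes the uninitialised case work in CI. As an added illustration (my own example, not osv-scanner's code), the Go program below extracts those pins from `git ls-tree -r` output, where a submodule appears as a gitlink entry of mode `160000`, and joins them with the `.gitmodules` file so each entry carries its upstream URL. The ls-tree text and `.gitmodules` content are constructed inline; the two `160000` commit ids are the cpp-httplib and json pins from the output above, while the blob id and the `https://example.com/...` URL are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Submodule is one gitlink entry in the parent tree: where it is mounted, the
// commit the parent pins it to, and the URL .gitmodules lists for it (if any).
type Submodule struct {
	Path   string
	Commit string
	URL    string
}

var objectIDRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// parseGitlinks extracts mode-160000 ("commit") entries from the output of
// `git ls-tree -r <rev>`, whose lines are "<mode> <type> <object>\t<path>".
// Blobs and trees are skipped; a malformed line or a non-hex object id is an
// error rather than a silently dropped pin.
func parseGitlinks(lsTree string) ([]Submodule, error) {
	var subs []Submodule
	sc := bufio.NewScanner(strings.NewReader(lsTree))
	for sc.Scan() {
		line := sc.Text()
		meta, path, ok := strings.Cut(line, "\t")
		fields := strings.Fields(meta)
		if !ok || path == "" || len(fields) != 3 {
			return nil, fmt.Errorf("malformed ls-tree line: %q", line)
		}
		if fields[0] != "160000" || fields[1] != "commit" {
			continue
		}
		if !objectIDRe.MatchString(fields[2]) {
			return nil, fmt.Errorf("bad object id in line: %q", line)
		}
		subs = append(subs, Submodule{Path: path, Commit: fields[2]})
	}
	return subs, sc.Err()
}

// parseGitmodules maps submodule path -> url from a .gitmodules file. Only the
// "path" and "url" keys of each [submodule "..."] section are understood.
func parseGitmodules(content string) map[string]string {
	urls := map[string]string{}
	var path, url string
	flush := func() {
		if path != "" && url != "" {
			urls[path] = url
		}
		path, url = "", ""
	}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[submodule ") {
			flush() // a new section starts; record the previous one
			continue
		}
		key, value, _ := strings.Cut(line, "=")
		switch strings.TrimSpace(key) {
		case "path":
			path = strings.TrimSpace(value)
		case "url":
			url = strings.TrimSpace(value)
		}
	}
	flush()
	return urls
}

// resolveSubmodules joins gitlinks with .gitmodules. Entries without a URL are
// kept: the pinned commit alone is what a vulnerability lookup needs, which is
// why an uninitialised submodule can still be scanned.
func resolveSubmodules(lsTree, gitmodules string) ([]Submodule, error) {
	subs, err := parseGitlinks(lsTree)
	if err != nil {
		return nil, err
	}
	urls := parseGitmodules(gitmodules)
	for i := range subs {
		subs[i].URL = urls[subs[i].Path]
	}
	return subs, nil
}

// Constructed sample input: the two commit ids are the cpp-httplib and json
// pins shown in the scan output above; the blob id and URL are made up.
const sampleLsTree = "100644 blob 3b18e512dba79e4c8300dd08aeb37f8e728b8dad\tREADME.md\n" +
	"160000 commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2\tsrc/cpp-httplib\n" +
	"160000 commit 4c6cde72e533158e044252718c013a48bcff346c\tsrc/json\n"

const sampleGitmodules = `[submodule "src/cpp-httplib"]
	path = src/cpp-httplib
	url = https://example.com/cpp-httplib.git
`

func main() {
	subs, err := resolveSubmodules(sampleLsTree, sampleGitmodules)
	if err != nil {
		panic(err)
	}
	for _, s := range subs {
		fmt.Printf("Scanning submodule %s at commit %s (url %q)\n", s.Path, s.Commit, s.URL)
	}
}
```

Note that `src/json` has no entry in the constructed `.gitmodules` and is still returned: the commit id is the key a vulnerability database is queried by, so a missing or unreachable URL must not cause the submodule to be skipped.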
Was representing the relative root of the repo as `./.` which, if the .gitignore file matched `.*`, caused the whole directory to be ignored.
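To make that failure mode concrete, here is an added Go example (my own, not the project's code) that contrasts the `./.` root representation with one produced by `filepath.Rel`, applying a single gitignore-style pattern component by component the way a slash-less pattern is matched. The file list is constructed, and `path.Match` is a deliberately minimal stand-in for a real gitignore matcher; the point is that the extra `.` components, not the user's rule, are what swallow the whole tree, which a scanner then reports as a clean repository.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ignoredByPattern applies one gitignore-style glob without a slash, which git
// matches against every path component (so ".*" ignores dotfiles and dot
// directories at any depth). path.Match stands in for a full gitignore matcher.
func ignoredByPattern(rel, pattern string) bool {
	for _, comp := range strings.Split(filepath.ToSlash(rel), "/") {
		if comp == "" {
			continue
		}
		if ok, _ := path.Match(pattern, comp); ok {
			return true
		}
	}
	return false
}

// relativeToRootBuggy reproduces the faulty representation: the root is spelt
// "./." and children are glued onto it, so every path carries "." components.
func relativeToRootBuggy(root, abs string) string {
	if abs == root {
		return "./."
	}
	return "./." + "/" + strings.TrimPrefix(abs, root+"/")
}

// relativeToRootFixed uses filepath.Rel, which yields "." for the root itself
// and clean, dot-free relative paths for everything beneath it.
func relativeToRootFixed(root, abs string) string {
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return abs
	}
	return rel
}

// shouldScan applies the ignore rule. The root directory itself is never
// subject to ignore patterns; anything else is checked component-wise.
func shouldScan(rel, pattern string) bool {
	return rel == "." || !ignoredByPattern(rel, pattern)
}

// countScanned returns how many of files survive the pattern when relative
// paths are produced by relFn.
func countScanned(root string, files []string, pattern string, relFn func(root, abs string) string) int {
	n := 0
	for _, f := range files {
		if shouldScan(relFn(root, f), pattern) {
			n++
		}
	}
	return n
}

// Constructed file list for a repository rooted at /repo.
var sampleFiles = []string{
	"/repo",
	"/repo/go.mod",
	"/repo/src/main.go",
	"/repo/.git/config",
	"/repo/.github/workflows/ci.yml",
}

func main() {
	const pattern = ".*" // the .gitignore rule from the commit message
	fmt.Println("buggy root representation scans:", countScanned("/repo", sampleFiles, pattern, relativeToRootBuggy))
	fmt.Println("filepath.Rel representation scans:", countScanned("/repo", sampleFiles, pattern, relativeToRootFixed))
}
```

With the `./.` root every path is ignored, so nothing at all is scanned; with `filepath.Rel` the `.git` and `.github` entries are still ignored, as the rule intends, while `go.mod` and `src/main.go` are scanned.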
Fix permissions in Github actions PR example.
This is in preparation for the license scanning feature. The queries are structured around making requests to the OSV API; we also will want to make requests to the deps.dev API. #501
Fixes #612. Tested on https://github.com/opencv/opencv

We need to set up an e2e test for this as well (maybe add some submodules + vendored libs to https://github.com/ossf-tests/scorecard-check-osv-e2e).

```
Scanning dir /tmp/opencv
Scanning /tmp/opencv/ at commit e9e6b1e22c1a966a81aca1217b16a51fe7311b3b
Scanning directory for vendored libs: /tmp/opencv/3rdparty
Scanning potential vendored dir: /tmp/opencv/3rdparty/carotene
Scanning potential vendored dir: /tmp/opencv/3rdparty/cpufeatures
Scanning potential vendored dir: /tmp/opencv/3rdparty/ffmpeg
Scanning potential vendored dir: /tmp/opencv/3rdparty/flatbuffers
Scanning potential vendored dir: /tmp/opencv/3rdparty/include
Scanning potential vendored dir: /tmp/opencv/3rdparty/ippicv
Scanning potential vendored dir: /tmp/opencv/3rdparty/ittnotify
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjasper
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg
Identified /tmp/opencv/3rdparty/libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg-turbo
Identified /tmp/opencv/3rdparty/libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libpng
Identified /tmp/opencv/3rdparty/libpng as https://github.com/gemini-testing/png-img at 4a9d62598d369566680300c96ec0a22f1dec48c3.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libspng
Scanning potential vendored dir: /tmp/opencv/3rdparty/libtiff
Identified /tmp/opencv/3rdparty/libtiff as https://gitlab.com/libtiff/libtiff at 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99.
Scanning potential vendored dir: /tmp/opencv/3rdparty/libtim-vx
Scanning potential vendored dir: /tmp/opencv/3rdparty/libwebp
Identified /tmp/opencv/3rdparty/libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openexr
Identified /tmp/opencv/3rdparty/openexr as https://github.com/AcademySoftwareFoundation/openexr at 0ac2ea34c8f3134148a5df4052e40f155b76f6fb.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openjpeg
Identified /tmp/opencv/3rdparty/openjpeg as https://github.com/uclouvain/openjpeg at a5891555eb49ed7cc26b2901ea680acda136d811.
Scanning potential vendored dir: /tmp/opencv/3rdparty/openvx
Scanning potential vendored dir: /tmp/opencv/3rdparty/protobuf
Identified /tmp/opencv/3rdparty/protobuf as https://github.com/protocolbuffers/protobuf at 7c40b2df1fdf6f414c1c18c789715a9c948a0725.
Scanning potential vendored dir: /tmp/opencv/3rdparty/quirc
Scanning potential vendored dir: /tmp/opencv/3rdparty/tbb
Scanning potential vendored dir: /tmp/opencv/3rdparty/zlib
Identified /tmp/opencv/3rdparty/zlib as https://github.com/madler/zlib at 04f42ceca40f73e2978b50e93806c2a18c1281fc.
Scanning directory for vendored libs: /tmp/opencv/modules/core/3rdparty
Scanning potential vendored dir: /tmp/opencv/modules/core/3rdparty/SoftFloat
Scanning directory for vendored libs: /tmp/opencv/modules/features2d/3rdparty
Scanning potential vendored dir: /tmp/opencv/modules/features2d/3rdparty/mscr
Scanned /tmp/opencv/platforms/maven/opencv/pom.xml file and found 0 packages
Failed to resolve version of org.ops4j.pax.exam:pax-exam-container-karaf: property "pax.exam.version" could not be found for "org.opencv:opencv-it"
Failed to resolve version of org.ops4j.pax.exam:pax-exam-junit4: property "pax.exam.version" could not be found for "org.opencv:opencv-it"
Failed to resolve version of ${project.groupId}:opencv: property "project.version" could not be found for "org.opencv:opencv-it"
Scanned /tmp/opencv/platforms/maven/opencv-it/pom.xml file and found 12 packages
Scanned /tmp/opencv/platforms/maven/pom.xml file and found 0 packages
Scanned /tmp/opencv/samples/dnn/dnn_model_runner/dnn_conversion/requirements.txt file and found 11 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────────────────────────────────────────────────────────────────────── ≈
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈
├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────────────────────────────────────────────────────────────────────── ≈
│ https://osv.dev/OSV-2022-394 │ │ GIT │ e9e6b1e22c1a966a81aca1217b16a51fe7311b3b │ ../../../../../../tmp/opencv ≈
│ https://osv.dev/OSV-2023-444 │ │ GIT │ e9e6b1e22c1a966a81aca1217b16a51fe7311b3b │ ../../../../../../tmp/opencv ≈
│ https://osv.dev/CVE-2021-29390 │ 7.1 │ GIT │ 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ ../../../../../../tmp/opencv/3rdparty/libjpeg ≈
│ https://osv.dev/CVE-2021-46822 │ 5.5 │ GIT │ 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ ../../../../../../tmp/opencv/3rdparty/libjpeg ≈
│ https://osv.dev/CVE-2022-1056 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-1210 │ 6.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-1354 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-1355 │ 6.1 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-1622 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-1623 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-3970 │ 8.8 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2022-40090 │ 6.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-1916 │ 6.1 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-25433 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-25434 │ 8.8 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-25435 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-26965 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-26966 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-2731 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-2908 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-30775 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-3576 │ 5.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-3618 │ 6.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-40745 │ 6.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-41175 │ 6.5 │ GIT │ 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff ≈
│ https://osv.dev/CVE-2023-4863 │ 8.8 │ GIT │ fd7bb21c0cb56e8a82e9bfa376164b842f433f3b │ ../../../../../../tmp/opencv/3rdparty/libwebp ≈
│ https://osv.dev/CVE-2018-18443 │ 4.3 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2018-18444 │ 8.8 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11758 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11759 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11760 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11761 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11762 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11763 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11764 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-11765 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-15304 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-15305 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-15306 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-16587 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-16588 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2020-16589 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-20298 │ 7.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-20299 │ 7.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-20300 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-20302 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-20303 │ 6.1 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-20304 │ 7.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-23169 │ 8.8 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-23215 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-26260 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-26945 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-3598 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-3605 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-3933 │ 5.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/CVE-2021-3941 │ 6.5 │ GIT │ 0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr ≈
│ https://osv.dev/OSV-2022-416 │ │ GIT │ a5891555eb49ed7cc26b2901ea680acda136d811 │ ../../../../../../tmp/opencv/3rdparty/openjpeg ≈
│ https://osv.dev/CVE-2021-22569 │ 5.5 │ GIT │ 7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf ≈
│ https://osv.dev/CVE-2022-3509 │ 7.5 │ GIT │ 7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf ≈
│ https://osv.dev/CVE-2022-3510 │ 7.5 │ GIT │ 7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf ≈
│ https://osv.dev/CVE-2023-45853 │ 9.8 │ GIT │ 04f42ceca40f73e2978b50e93806c2a18c1281fc │ ../../../../../../tmp/opencv/3rdparty/zlib
```

---------

Co-authored-by: Rex P <[email protected]>
Cherry-picked from #553

---

It's required for testing against Windows because it has a different error message, but it's also just a good overall change and landing it separately removes ~25 files from the main PR 😅
I want to use errors.Join in the following PR:

- License checker feature #501

It is a method added in Go 1.20.
This experimental feature calls the deps.dev API for licenses on each package. If an allowlist is specified, it reports on packages with violating licenses. An `--all-packages` flag is also added, which causes all packages to be included in the JSON even if they don't have any issues (vulns or license violations).
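The two decisions that message describes, which licenses count as violations and which packages make it into the report, are small but easy to get subtly wrong. The Go program below is an added example of my own, not osv-scanner's implementation and not the exact shape of a deps.dev response: it assumes each package carries zero or more flat SPDX-style license expressions (`" OR "` passes if any alternative is allowed, `" AND "` only if all parts are, no parentheses), treats an undetermined license as a violation rather than letting it pass silently, and applies the `--all-packages` rule when selecting rows. The package data is constructed; the vulnerability counts are illustrative.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is one scanned dependency with the licenses reported for it and the
// number of known vulnerabilities from a separate lookup. An empty Licenses
// slice means the license could not be determined.
type Package struct {
	Name     string
	Version  string
	Licenses []string
	Vulns    int
}

// Result is one row of the report.
type Result struct {
	Name       string
	Version    string
	Vulns      int
	Violations []string
}

// licenseAllowed evaluates one license expression against the allowlist.
// Assumption for this example: flat SPDX-style expressions without
// parentheses, where " OR " passes if any alternative is allowed and " AND "
// only if every part is. An empty expression is never allowed.
func licenseAllowed(expr string, allow map[string]bool) bool {
	expr = strings.TrimSpace(expr)
	if expr == "" {
		return false
	}
	if parts := strings.Split(expr, " OR "); len(parts) > 1 {
		for _, p := range parts {
			if licenseAllowed(p, allow) {
				return true
			}
		}
		return false
	}
	if parts := strings.Split(expr, " AND "); len(parts) > 1 {
		for _, p := range parts {
			if !licenseAllowed(p, allow) {
				return false
			}
		}
		return true
	}
	return allow[expr]
}

// licenseViolations returns the license strings of pkg that the allowlist does
// not cover. An undetermined license is reported as "UNKNOWN" so that it shows
// up as a violation instead of passing silently.
func licenseViolations(pkg Package, allow map[string]bool) []string {
	if len(pkg.Licenses) == 0 {
		return []string{"UNKNOWN"}
	}
	var bad []string
	for _, l := range pkg.Licenses {
		if !licenseAllowed(l, allow) {
			bad = append(bad, l)
		}
	}
	return bad
}

// report selects the rows to emit. With allPackages false only packages that
// have a vulnerability or a license violation are listed; with allPackages
// true every package is listed. An empty allowlist disables license checks.
func report(pkgs []Package, allowlist []string, allPackages bool) []Result {
	allow := make(map[string]bool, len(allowlist))
	for _, l := range allowlist {
		allow[l] = true
	}
	var out []Result
	for _, p := range pkgs {
		var viol []string
		if len(allowlist) > 0 {
			viol = licenseViolations(p, allow)
		}
		if !allPackages && p.Vulns == 0 && len(viol) == 0 {
			continue
		}
		out = append(out, Result{p.Name, p.Version, p.Vulns, viol})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// samplePackages is constructed data; licenses and vulnerability counts are
// illustrative, not looked up.
var samplePackages = []Package{
	{"certifi", "2022.12.7", []string{"MPL-2.0"}, 1},
	{"requests", "2.28.1", []string{"Apache-2.0"}, 1},
	{"pygments", "2.13.0", []string{"BSD-2-Clause"}, 0},
	{"example-copyleft", "1.0.0", []string{"GPL-3.0-only"}, 0},
	{"example-dual", "2.0.0", []string{"MIT OR GPL-3.0-only"}, 0},
	{"example-unknown", "0.1.0", nil, 0},
}

func main() {
	allow := []string{"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
	for _, r := range report(samplePackages, allow, false) {
		fmt.Printf("%s@%s vulns=%d license violations=%v\n", r.Name, r.Version, r.Vulns, r.Violations)
	}
}
```

With the allowlist above the default report contains four rows (the two packages with vulnerabilities plus the copyleft and unknown-license packages); `example-dual` is absent because one side of its `OR` is allowed, and passing `allPackages=true` lists all six.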
Filter local packages from scanning, and report that the filtering happened. Fixes #639

Also added a test for this case in main_test.go.

Added another Rust test of a package on a local path; we currently have no way to differentiate local Rust packages from ones from the repository. Perhaps something to consider in the future.
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [deps.dev/api/v3alpha](https://github.com/google/deps.dev) | require | digest | `667b62c` -> `a2ccd03` |
| golang.org/x/mod | require | minor | `v0.13.0` -> `v0.14.0` |
| golang.org/x/sync | require | minor | `v0.4.0` -> `v0.5.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | require | minor | `v1.58.3` -> `v1.59.0` |

---

### Release Notes

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.59.0`](https://github.com/grpc/grpc-go/releases/tag/v1.59.0): Release 1.59.0

[Compare Source](https://github.com/grpc/grpc-go/compare/v1.58.3...v1.59.0)

### Behavior Changes

- balancer: grpc will switch to case-sensitive balancer names soon; log a warning if a capital letter is encountered in an LB policy name ([#​6647](https://github.com/grpc/grpc-go/issues/6647))
- server: allow applications to send arbitrary data in the `grpc-status-details-bin` trailer ([#​6662](https://github.com/grpc/grpc-go/issues/6662))
- client: validate `grpc-status-details-bin` trailer and pass through the trailer to the application directly ([#​6662](https://github.com/grpc/grpc-go/issues/6662))

### New Features

- tap (experimental): Add Header metadata to tap handler ([#​6652](https://github.com/grpc/grpc-go/issues/6652))
  - Special Thanks: [@​pstibrany](https://github.com/pstibrany)
- grpc: channel idleness enabled by default with an `idle_timeout` of `30m` ([#​6585](https://github.com/grpc/grpc-go/issues/6585))

### Documentation

- examples: add an example of flow control behavior ([#​6648](https://github.com/grpc/grpc-go/issues/6648))

### Bug Fixes

- xds: fix hash policy header to skip "-bin" headers and read content-type header as expected ([#​6609](https://github.com/grpc/grpc-go/issues/6609))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).

I'm honestly sure CodeCov isn't bugged (or that somehow we're uploading results from a branch...), but removing this file/ignore increases coverage a little so why not 🤷
Turns out that file -> url translation on Windows is busted, and that this is a hard problem that Go has an internal util for which has not yet been made public - I've done what apparently a number of other packages have done, which is copying that helper into here and hoping one day it actually becomes public 😢

Note that until #646 is landed, there is no way to actually verify this is fixing the problem - #553 shows the result of both PRs being merged.
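The file-path-to-URL translation the message refers to, as an added example that is neither the project's code nor the Go-internal helper it copies: a hypothetical `fileURLFromPath` that takes an explicit `windows` flag so the drive-letter and UNC branches (the cases that differ from POSIX) can be exercised on any host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// isDriveLetter reports whether c can start a Windows drive spec such as "C:".
func isDriveLetter(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// fileURLFromPath converts an absolute filesystem path into a file:// URL.
// Hypothetical helper written for this example (not the Go-internal utility
// the commit message mentions). The windows flag selects Windows semantics
// explicitly so both branches can be tested on any host.
func fileURLFromPath(path string, windows bool) (*url.URL, error) {
	if !windows {
		// POSIX: the absolute path is the URL path as-is; url.URL percent-encodes
		// spaces and other reserved characters when serialised.
		if !strings.HasPrefix(path, "/") {
			return nil, errors.New("path is not absolute: " + path)
		}
		return &url.URL{Scheme: "file", Path: path}, nil
	}

	// Windows accepts both separators, so normalise to forward slashes first.
	p := strings.ReplaceAll(path, `\`, "/")
	switch {
	case strings.HasPrefix(p, "//"):
		// UNC path \\host\share\dir: the host becomes the URL authority.
		host, tail, found := strings.Cut(strings.TrimPrefix(p, "//"), "/")
		if !found || host == "" {
			return nil, errors.New("malformed UNC path: " + path)
		}
		return &url.URL{Scheme: "file", Host: host, Path: "/" + tail}, nil
	case len(p) >= 3 && isDriveLetter(p[0]) && p[1] == ':' && p[2] == '/':
		// Drive path C:\dir: no authority, and the drive spec must follow a
		// leading slash (file:///C:/dir). Reusing the POSIX branch here is the
		// easy way to get this wrong, since "C:/dir" has no leading slash.
		return &url.URL{Scheme: "file", Path: "/" + p}, nil
	default:
		return nil, errors.New("path is not absolute: " + path)
	}
}

func main() {
	// Constructed sample paths covering each branch, including a relative
	// path that must be rejected rather than silently turned into a URL.
	samples := []struct {
		path    string
		windows bool
	}{
		{`C:\Users\me\project\go.mod`, true},
		{`\\fileserver\share\project\go.mod`, true},
		{`project\go.mod`, true},
		{"/home/me/my project/go.mod", false},
	}
	for _, s := range samples {
		u, err := fileURLFromPath(s.path, s.windows)
		if err != nil {
			fmt.Println(s.path, "->", err)
			continue
		}
		fmt.Println(s.path, "->", u.String())
	}
}
```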
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `926f7f7` -> `110b07a` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
Upgrading `jekyll-feed` broke the ability to preview the docs locally. I rolled back the version of `jekyll-feed` and updated the Gemfile.lock. [Preview](https://hayleycd.github.io/osv-scanner/) Signed-off-by: Hayley Denbraver <[email protected]>
Both vulnerabilities have aliases and this should be reflected in the test output.
I am open to feedback!

Updated pages preview:

- [Supported languages and lockfiles](https://hayleycd.github.io/osv-scanner/supported-languages-and-lockfiles/)
- [Usage](https://hayleycd.github.io/osv-scanner/usage/)

---------

Signed-off-by: Hayley Denbraver <[email protected]>
Co-authored-by: Andrew Pollock <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
Co-authored-by: Oliver Chang <[email protected]>
) I did this as a bit of an exercise in how to configure linting a bit more - while not critical, might as well have it and should help with external contributors e.g. it'll flag #658
We've previously agreed that in these situations we should be erroring since the native package manager does not support them, but we cannot make that change until v2 as it's technically breaking. In the meantime we've currently got tests that cover these situations, but unlike panics we cannot suppress the warnings because of how Go works, resulting in a very noisy time when _any_ test fails; it's gotten to the point that I've decided to actually make this PR 😅

Since in theory these could actually still be useful, especially for folks like Scorecard as part of helping confirm the parsers are handling edge-cases, I'm happy to alternatively gate these behind an env variable that is disabled by default, but I don't have strong opinions on this.
I'm going to update to v1.55 shortly but this can be landed as-is - I was initially on the fence about `tagalign` mainly because it has to be done manually, but it wasn't that much work and I think might actually be nice so I vote we live with it for a while and revisit if it ends up being too annoying.
Part of #642 See G-Rath/osv-detector#235 for the journey I went on with R for this
Unsurprisingly this has required a bunch of tests to be updated to handle slightly different variations in file path handling - this eventually resulted in me implementing an actual internal snapshot testing package, but I've not included that in here since it's sizable on its own; so please keep that in mind when reviewing. (see https://github.com/G-Rath/osv-scanner/commit/1273da79e2e26a18d663da482dc5f09258e15c51 for a sneak peek of what the snapshot-based testing looks like)

~Note that this is failing because file -> url path translation is actually busted; I've opened #645 to fix this and you can see the passing CI when both of these changes are merged in #553~

Resolves #603
Resolves #553
this just makes it easier for our users to use.
Note that the `SBOMReader` refactor wasn't required for this, but my IDE flagged it so I just included it here 🤷
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [deps.dev/api/v3alpha](https://github.com/google/deps.dev) | require | digest | `a2ccd03` -> `e40c4d5` |
| golang.org/x/exp | require | digest | `7918f67` -> `9a3e603` |
| golang.org/x/term | require | minor | `v0.13.0` -> `v0.14.0` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
Fixes #634 The actual change is just adding an `Aliases` field to the Group output, that combines all the IDs and aliases together. A lot of fixtures had to be updated though. Added an additional test for this in `main_test`, and also modified a test in `osvscanner_internal_tests.go` Also added `omitempty` tag to `PackageInfo.commit` which it should have contained in the first place.
Fix issue #513

- Replace `experimental-call-analysis` with `call-analysis`. (`--call-analysis=all`, `--call-analysis=rust`)
- Adding a `--no-call-analysis` to disable call analysis. (`--no-call-analysis=all`, `--no-call-analysis=go`). This overrides `call-analysis`.
- Delete `call-analysis` from `experimental-config` in result report.
- Call analysis for non-experimental languages (e.g. go) is auto enabled.
Set up a manual release pipeline and convert the old pipeline back to listening on tag pushes. Fixes #632. This pipeline allows us to manually run all the pre-release checks before we manually push the tags.
Previous PR #665 updated '--experimental-call-analysis' to '--call-analysis' and '--no-call-analysis'. Updating docs to reflect the changes. --------- Co-authored-by: Hayley Denbraver <[email protected]>
[Preview here](https://hayleycd.github.io/osv-scanner/experimental/) --------- Signed-off-by: Hayley Denbraver <[email protected]>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gaurav-nelson/github-action-markdown-link-check | action | digest | `a996638` -> `0f074c8` |
| [github/codeql-action](https://github.com/github/codeql-action) | action | patch | `v2.22.5` -> `v2.22.8` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.22.8`](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

[Compare Source](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

### [`v2.22.7`](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

[Compare Source](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

### [`v2.22.6`](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

[Compare Source](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
…h the specifications (#651)

## Why this PR

[CVSS v4.0](https://www.first.org/cvss/v4-0/) has been released lately, and the OSV will most probably add its support (the first CVSS v4.0 vector known to the FIRST.ORG SIG CVSS has been published [by Palo Alto Networks for the CVE-2023-3282](https://security.paloaltonetworks.com/CVE-2023-3282)). As a FIRST.ORG SIG CVSS member and [Go CVSS implementation](https://github.com/pandatix/go-cvss) maintainer, I'm looking forward to improving its adoption and understanding in the Open-Source Ecosystem.

Moreover, there exist issues with the currently used CVSS implementation, such as [invalid scoring computation](goark/go-cvss#33), and [CVSS v4.0 is currently not planned for support](goark/go-cvss#37 (comment)).

## What it brings

With the current PR, I provide multiple direct improvements:

- proper CVSS v2.0 scoring computation (only affects the environmental score computation, but has been an unresolved issue for months)
- add support of CVSS v4.0 in the OSV schema
- performance improvements according to [benchmarks](https://github.com/pandatix/go-cvss#comparison)

Given ossf/osv-schema#166 the CVSS v4.0 key will most likely be `CVSS_V4` to align with the previous CVSS versions support.

## Is it breaking?

For the code, no, but for the Go version, yes 🎉
Now that there are multiple files under `cmd/osv-scanner/` in addition to `main.go` we need to specify the entire package rather than just the main.go file when releasing.
This change exposes a pre-commit hook for people to use that would run osv-scanner when committing code to their codebase. Resolves #60.

I manually tested this change by modifying the `.pre-commit-config.yaml` file from the [pipdeptree](https://github.com/tox-dev/pipdeptree) project to the following:

```yml
repos:
  - repo: https://github.com/kemzeb/osv-scanner
    rev: 321d06b
    hooks:
      - id: osv-scanner
        args: ["-r", "."]
```

...where I ran pre-commit locally by doing the following:

Install the pre-commit script:

```console
pre-commit install
```

Run while using all the files in the pipdeptree repo, while also providing verbose output produced by osv-scanner (I truncated the output but wanted to make aware that the `-v` option is available):

```console
pre-commit run -av
osv-scanner..............................................................Passed
- hook id: osv-scanner
- duration: 0.47s
.... // verbose output here
```

Let me know if there is an interest in using any of the other pre-commit hook [configurations](https://pre-commit.com/#creating-new-hooks)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | require | patch | `v5.10.0` -> `v5.10.1` |
| [github.com/urfave/cli/v2](https://github.com/urfave/cli) | require | minor | `v2.25.7` -> `v2.26.0` |
| golang.org/x/exp | require | digest | `9a3e603` -> `6522937` |
| golang.org/x/term | require | minor | `v0.14.0` -> `v0.15.0` |

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

### [`v5.10.1`](https://github.com/go-git/go-git/releases/tag/v5.10.1)

[Compare Source](https://github.com/go-git/go-git/compare/v5.10.0...v5.10.1)

#### What's Changed

- Worktree, ignore ModeSocket files by [@steiler](https://github.com/steiler) in [https://github.com/go-git/go-git/pull/930](https://github.com/go-git/go-git/pull/930)
- git: add tracer package by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/916](https://github.com/go-git/go-git/pull/916)
- remote: Flip clause for fast-forward only check by [@adityasaky](https://github.com/adityasaky) in [https://github.com/go-git/go-git/pull/875](https://github.com/go-git/go-git/pull/875)
- plumbing: transport/ssh, Fix nil pointer dereference caused when an unreachable proxy server is set. Fixes [#900](https://github.com/go-git/go-git/issues/900) by [@anandf](https://github.com/anandf) in [https://github.com/go-git/go-git/pull/901](https://github.com/go-git/go-git/pull/901)
- plumbing: uppload-server-info, implement upload-server-info by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/896](https://github.com/go-git/go-git/pull/896)
- plumbing: optimise memory consumption for filesystem storage by [@pjbgf](https://github.com/pjbgf) in [https://github.com/go-git/go-git/pull/799](https://github.com/go-git/go-git/pull/799)
- plumbing: format/packfile, Refactor patch delta by [@pjbgf](https://github.com/pjbgf) in [https://github.com/go-git/go-git/pull/908](https://github.com/go-git/go-git/pull/908)
- plumbing: fix empty uploadpack request error by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/932](https://github.com/go-git/go-git/pull/932)
- plumbing: transport/git, Improve tests error message by [@pjbgf](https://github.com/pjbgf) in [https://github.com/go-git/go-git/pull/752](https://github.com/go-git/go-git/pull/752)
- plumbing: format/pktline, Respect pktline error-line errors by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/936](https://github.com/go-git/go-git/pull/936)
- utils: remove ioutil.Pipe and use std library io.Pipe by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/922](https://github.com/go-git/go-git/pull/922)
- utils: move trace to utils by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/931](https://github.com/go-git/go-git/pull/931)
- cli: separate go module for cli by [@aymanbagabas](https://github.com/aymanbagabas) in [https://github.com/go-git/go-git/pull/914](https://github.com/go-git/go-git/pull/914)
- build: bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/887](https://github.com/go-git/go-git/pull/887)
- build: bump actions/setup-go from 3 to 4 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/891](https://github.com/go-git/go-git/pull/891)
- build: bump github.com/skeema/knownhosts from 1.2.0 to 1.2.1 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/888](https://github.com/go-git/go-git/pull/888)
- build: bump actions/checkout from 3 to 4 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/890](https://github.com/go-git/go-git/pull/890)
- build: bump golang.org/x/sys from 0.13.0 to 0.14.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/907](https://github.com/go-git/go-git/pull/907)
- build: bump golang.org/x/text from 0.13.0 to 0.14.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/906](https://github.com/go-git/go-git/pull/906)
- build: bump golang.org/x/crypto from 0.14.0 to 0.15.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/917](https://github.com/go-git/go-git/pull/917)
- build: bump golang.org/x/net from 0.17.0 to 0.18.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/go-git/go-git/pull/918](https://github.com/go-git/go-git/pull/918)

#### New Contributors

- [@anandf](https://github.com/anandf) made their first contribution in [https://github.com/go-git/go-git/pull/901](https://github.com/go-git/go-git/pull/901)
- [@steiler](https://github.com/steiler) made their first contribution in [https://github.com/go-git/go-git/pull/930](https://github.com/go-git/go-git/pull/930)

**Full Changelog**: go-git/go-git@v5.10.0...v5.10.1

</details>

<details>
<summary>urfave/cli (github.com/urfave/cli/v2)</summary>

### [`v2.26.0`](https://github.com/urfave/cli/releases/tag/v2.26.0)

[Compare Source](https://github.com/urfave/cli/compare/v2.25.7...v2.26.0)

#### What's Changed

- Bash completion nits by [@meatballhat](https://github.com/meatballhat) in [https://github.com/urfave/cli/pull/1762](https://github.com/urfave/cli/pull/1762)
- Chore: Rename mkdocs requirements file name by [@dearchap](https://github.com/dearchap) in [https://github.com/urfave/cli/pull/1776](https://github.com/urfave/cli/pull/1776)
- Fix:(issue\_1787) Add fix for commands not listed when hide help comma… by [@dearchap](https://github.com/dearchap) in [https://github.com/urfave/cli/pull/1788](https://github.com/urfave/cli/pull/1788)
- Fix nil HelpFlag panic (v2) by [@wxiaoguang](https://github.com/wxiaoguang) in [https://github.com/urfave/cli/pull/1795](https://github.com/urfave/cli/pull/1795)
- Always get 0 for a nested int64 value in v2.25.7 by [@stephenfire](https://github.com/stephenfire) in [https://github.com/urfave/cli/pull/1799](https://github.com/urfave/cli/pull/1799)
- Helper messages for documenting build process by [@abitrolly](https://github.com/abitrolly) in [https://github.com/urfave/cli/pull/1800](https://github.com/urfave/cli/pull/1800)
- fix: check duplicated sub command name and alias by [@linrl3](https://github.com/linrl3) in [https://github.com/urfave/cli/pull/1805](https://github.com/urfave/cli/pull/1805)
- Fix:(issue\_1689) Have consistent behavior for default text in man and… by [@dearchap](https://github.com/dearchap) in [https://github.com/urfave/cli/pull/1825](https://github.com/urfave/cli/pull/1825)
- Fix linting issues by [@skelouse](https://github.com/skelouse) in [https://github.com/urfave/cli/pull/1696](https://github.com/urfave/cli/pull/1696)

#### New Contributors

- [@stephenfire](https://github.com/stephenfire) made their first contribution in [https://github.com/urfave/cli/pull/1799](https://github.com/urfave/cli/pull/1799)
- [@linrl3](https://github.com/linrl3) made their first contribution in [https://github.com/urfave/cli/pull/1805](https://github.com/urfave/cli/pull/1805)

**Full Changelog**: urfave/cli@v2.25.7...v2.26.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| alpine | final | digest | `eece025` -> `34871e7` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `110b07a` -> `70afe55` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
Works towards #570.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
```yaml
permissions:
  contents: read # to fetch code (actions/checkout)
  # Require writing security events to upload SARIF file to security tab
  security-events: write
```
Check failure
Code scanning / Scorecard
Token-Permissions High
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
updating our docs branch for the 1.5.0 release.