Merge branch 'main' into verbosity-levels

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,11 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
+      # Update go to the latest version to support minor go versions is go.mod file
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8

.github/workflows/osv-scanner-reusable-pr.yml

@@ -37,6 +37,10 @@ on:
         type: boolean
         required: false
         default: true
+      fail-on-vuln:
+        description: "Whether to fail the action on vulnerability found"
+        type: boolean
+        default: true
 
 jobs:
   scan-pr:
@@ -74,6 +78,7 @@ jobs:
             --old=old-results.json
             --new=new-results.json
             --gh-annotations=true
+            --fail-on-vuln=${{ inputs.fail-on-vuln }}
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"

.github/workflows/osv-scanner-reusable.yml

@@ -42,6 +42,10 @@ on:
         type: boolean
         required: false
         default: true
+      fail-on-vuln:
+        description: "Whether to fail the action on vulnerability found"
+        type: boolean
+        default: true
 
 jobs:
   osv-scan:
@@ -71,6 +75,7 @@ jobs:
             --output=${{ inputs.results-file-name }}
             --new=results.json
             --gh-annotations=false
+            --fail-on-vuln=${{ inputs.fail-on-vuln }}
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"

cmd/osv-reporter/main.go

@@ -76,6 +76,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 				Name:  "gh-annotations",
 				Usage: "prints github action annotations",
 			},
+			&cli.BoolFlag{
+				Name:        "fail-on-vuln",
+				Usage:       "whether to return 1 when vulnerabilities are found",
+				DefaultText: "true",
+			},
 		},
 		Action: func(context *cli.Context) error {
 			var termWidth int
@@ -160,9 +165,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 				}
 			}
 
+			// Default to true, only false when explicitly set to false
+			failOnVuln := !context.IsSet("fail-on-vuln") || context.Bool("fail-on-vuln")
+
 			// if vulnerability exists it should return error
-			if len(diffVulns.Results) > 0 {
-				// Otherwise return OnlyUncalledVulnerabilitiesFoundErr
+			if len(diffVulns.Results) > 0 && failOnVuln {
 				return osvscanner.VulnerabilitiesFoundErr
 			}
 

cmd/osv-scanner/main_test.go

@@ -671,12 +671,13 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 			wantStdout: `
 				Scanned <rootdir>/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 package
 				Scanning dir ./fixtures/locks-insecure
-				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 0 packages
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | SOURCE                                       |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
+				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | SOURCE                                       |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8  | Packagist | league/flysystem | 1.0.8   | fixtures/locks-insecure/composer.lock        |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
 			`,
 			wantStderr: "",
 		},
@@ -694,13 +695,14 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 				Scanned <rootdir>/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 package
 				Scanned <rootdir>/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 package
 				Scanning dir ./fixtures/locks-insecure
-				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 0 packages
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | SOURCE                                       |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
+				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | SOURCE                                       |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8  | Packagist | league/flysystem | 1.0.8   | fixtures/locks-insecure/composer.lock        |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
 			`,
 			wantStderr: "",
 		},
@@ -717,13 +719,14 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 				Scanned <rootdir>/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 package
 				Scanned <rootdir>/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 package
 				Scanning dir ./fixtures/locks-insecure
-				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 0 packages
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | SOURCE                                       |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
+				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | SOURCE                                       |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8  | Packagist | league/flysystem | 1.0.8   | fixtures/locks-insecure/composer.lock        |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
 			`,
 			wantStderr: "",
 		},

docs/installation.md

@@ -61,7 +61,7 @@ Alternatively, you can install this from source by running:
 go install github.com/google/osv-scanner/cmd/osv-scanner@v1
 ```
 
-This requires Go 1.21+ to be installed.
+This requires Go 1.21.4+ to be installed.
 
 ## Build from source
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/google/osv-scanner
 
-go 1.21
+go 1.21.5
 
 require (
 	deps.dev/api/v3alpha v0.0.0-20231114023923-e40c4d5c34e5
@@ -32,7 +32,7 @@ require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -50,7 +50,7 @@ require (
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	golang.org/x/crypto v0.16.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -22,8 +22,9 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
@@ -144,8 +145,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=

pkg/osvscanner/vulnerability_result.go

@@ -29,25 +29,28 @@ func buildVulnerabilityResults(
 	for i, rawPkg := range packages {
 		includePackage := actions.ShowAllPackages
 		var pkg models.PackageVulns
+
 		if rawPkg.Commit != "" {
 			pkg.Package.Commit = rawPkg.Commit
 			pkg.Package.Name = rawPkg.Name
-			// pkg.Package.Ecosystem = "GIT"
 		} else if rawPkg.PURL != "" {
 			var err error
 			pkg.Package, err = models.PURLToPackage(rawPkg.PURL)
+
 			if err != nil {
 				r.Errorf("Failed to parse purl: %s, with error: %s", rawPkg.PURL, err)
-
 				continue
 			}
-		} else {
+		}
+
+		if rawPkg.Version != "" && rawPkg.Ecosystem != "" {
 			pkg.Package = models.PackageInfo{
 				Name:      rawPkg.Name,
 				Version:   rawPkg.Version,
 				Ecosystem: string(rawPkg.Ecosystem),
 			}
 		}
+
 		pkg.DepGroups = rawPkg.DepGroups
 
 		if len(vulnsResp.Results[i].Vulns) > 0 {