Merge pull request #48 from sonukapoor/codex/bug-osv-cache-query-results

sonukapoor · web-flow · commit 4512009e09d5 · 2026-04-02T17:29:55.000-04:00
fix: cache OSV package query results
diff --git a/src/osv/cache.ts b/src/osv/cache.ts
@@ -3,6 +3,10 @@ import path from "node:path";
 import os from "node:os";
 import type { CacheFile } from "../types.js";
 
+function createEmptyCache(): CacheFile {
+  return { version: 2, createdAt: new Date().toISOString(), entries: {}, queryEntries: {} };
+}
+
 export function getCacheFilePath(cacheDirOverride?: string): string {
   const baseDir = cacheDirOverride
     ? path.resolve(cacheDirOverride)
@@ -15,19 +19,30 @@ export function getCacheFilePath(cacheDirOverride?: string): string {
 export function loadCache(cacheDirOverride?: string): CacheFile {
   const filePath = getCacheFilePath(cacheDirOverride);
   if (!fs.existsSync(filePath)) {
-    return { version: 1, createdAt: new Date().toISOString(), entries: {} };
+    return createEmptyCache();
   }
 
   try {
-    const parsed = JSON.parse(fs.readFileSync(filePath, "utf8")) as CacheFile;
-    if (parsed.version === 1 && parsed.entries) {
-      return parsed;
+    const parsed = JSON.parse(fs.readFileSync(filePath, "utf8")) as Partial<CacheFile> & {
+      version?: number;
+      entries?: Record<string, CacheFile["entries"][string]>;
+      queryEntries?: Record<string, string[]>;
+      createdAt?: string;
+    };
+
+    if (parsed.entries && typeof parsed.entries === "object") {
+      return {
+        version: 2,
+        createdAt: parsed.createdAt ?? new Date().toISOString(),
+        entries: parsed.entries,
+        queryEntries: parsed.queryEntries && typeof parsed.queryEntries === "object" ? parsed.queryEntries : {},
+      };
     }
   } catch (_error) {
     // ignore corrupt cache
   }
 
-  return { version: 1, createdAt: new Date().toISOString(), entries: {} };
+  return createEmptyCache();
 }
 
 export function saveCache(cache: CacheFile, cacheDirOverride?: string) {
diff --git a/src/output/formatters.ts b/src/output/formatters.ts
@@ -116,12 +116,13 @@ export function printCacheSummary(cacheDirOverride?: string, options?: { json?:
   const cache = loadCache(cacheDirOverride);
   const advisoryCount = Object.entries(cache.entries).filter(([, value]) => Boolean(value)).length;
   const emptyCount = Object.entries(cache.entries).filter(([, value]) => value === null).length;
+  const packageQueryCount = Object.keys(cache.queryEntries).length;
   const totalCount = advisoryCount + emptyCount;
 
-  if (totalCount === 0) return;
+  if (totalCount === 0 && packageQueryCount === 0) return;
 
   console.log(
-    chalk.gray(`Cache: ${advisoryCount} advisory detail record${advisoryCount === 1 ? "" : "s"}`) +
+    chalk.gray(`Cache: ${packageQueryCount} package match record${packageQueryCount === 1 ? "" : "s"}, ${advisoryCount} advisory detail record${advisoryCount === 1 ? "" : "s"}`) +
       (emptyCount > 0
         ? chalk.gray(`, ${emptyCount} empty lookup${emptyCount === 1 ? "" : "s"}`)
         : ""),
@@ -144,4 +145,4 @@ export function sortFindingsForOutput(findings: Finding[]): Finding[] {
     if (sevDelta !== 0) return sevDelta;
     return a.pkg.name.localeCompare(b.pkg.name);
   });
-}
+}
diff --git a/src/scanner.ts b/src/scanner.ts
@@ -12,6 +12,10 @@ export function createAdvisorySource(options?: { osvUrl?: string }): AdvisorySou
   return new OsvAdvisorySource(options?.osvUrl);
 }
 
+function getPackageCacheKey(pkg: PackageRef): string {
+  return `${pkg.ecosystem}:${pkg.name}@${pkg.version}`;
+}
+
 export async function scanPackages(
   packages: PackageRef[],
   batchSize: number,
@@ -22,12 +26,27 @@ export async function scanPackages(
 
   const spinner = createSpinner("Scanning dependencies against OSV...", options);
   const advisorySource = createAdvisorySource({ osvUrl: options.osvUrl });
+  const cache = loadCache(cacheDirOverride);
 
   try {
-    const chunks = chunk(packages, batchSize);
     const results: Array<{ pkg: PackageRef; vulnIds: string[] }> = [];
+    const uncachedPackages: PackageRef[] = [];
 
     if (!offline) {
+      for (const pkg of packages) {
+        const cacheKey = getPackageCacheKey(pkg);
+        if (cacheKey in cache.queryEntries) {
+          const vulnIds = cache.queryEntries[cacheKey] ?? [];
+          if (vulnIds.length > 0) {
+            results.push({ pkg, vulnIds });
+          }
+          continue;
+        }
+
+        uncachedPackages.push(pkg);
+      }
+
+      const chunks = chunk(uncachedPackages, batchSize);
       for (let i = 0; i < chunks.length; i++) {
         spinner.update(`Scanning OSV batch ${i + 1}/${chunks.length}...`);
         const chunkItems = chunks[i];
@@ -38,18 +57,22 @@ export async function scanPackages(
           const pkg = chunkItems[j];
           const row = rows[j];
           const vulnIds = (row?.vulnerabilities ?? []).map(v => v.id).filter(Boolean);
+          cache.queryEntries[getPackageCacheKey(pkg)] = vulnIds;
           if (vulnIds.length > 0) {
             results.push({ pkg, vulnIds });
           }
         }
       }
 
-      spinner.succeed(`Queried OSV in ${chunks.length} batch${chunks.length === 1 ? "" : "es"}`);
+      if (chunks.length === 0) {
+        spinner.succeed("Loaded package matches from cache");
+      } else {
+        spinner.succeed(`Queried OSV in ${chunks.length} batch${chunks.length === 1 ? "" : "es"}`);
+      }
     } else {
       spinner.succeed("Offline mode enabled; package matching was skipped");
     }
 
-    const cache = loadCache(cacheDirOverride);
     const idSet = new Set(results.flatMap(r => r.vulnIds));
     const vulnMap = new Map<string, OsvVuln>();
 
@@ -60,9 +83,11 @@ export async function scanPackages(
         for (let i = 0; i < ids.length; i++) {
           const id = ids[i];
           detailSpinner.update(`Fetching vulnerability details ${i + 1}/${ids.length}...`);
-          const cached = cache.entries[id];
-          if (cached) {
-            vulnMap.set(id, cached);
+          if (id in cache.entries) {
+            const cached = cache.entries[id];
+            if (cached) {
+              vulnMap.set(id, cached);
+            }
             continue;
           }
 
diff --git a/src/types.ts b/src/types.ts
@@ -72,9 +72,10 @@ export type Finding = {
 };
 
 export type CacheFile = {
-  version: 1;
+  version: 2;
   createdAt: string;
   entries: Record<string, OsvVuln | null>;
+  queryEntries: Record<string, string[]>;
 };
 
 export type Spinner = {
@@ -97,4 +98,4 @@ export type ParsedOptions = {
   minSeverity?: string;
   help?: boolean;
   osvUrl?: string;
-};
+};
