fix: Support osv-scanner-custom.json as a scannable file type (#2174) (#2177)

Added support for recognizing osv-scanner-custom.json with the -r
option. I wasn’t sure if `"osv-scanner-custom.json":
{osvscannerjson.Name},`
also needs to be added to lockfile.go, since it seems to work without
it. Please review and advise on any improvements. I will update the
snapshots after.
Do I also need to update the webpage that lists supported files?

---------

Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
Co-authored-by: Rex P <rexpan@google.com>

Author: kuscar

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -0,0 +1,28 @@
+{
+  "results": [
+    {
+      "source": {},
+      "packages": [
+        {
+          "package": {
+            "name": "stdlib",
+            "version": "1.99.9",
+            "ecosystem": "Go"
+          }
+        }
+      ]
+    },
+    {
+      "source": {},
+      "packages": [
+        {
+          "package": {
+            "name": "toolchain",
+            "version": "1.99.9",
+            "ecosystem": "Go"
+          }
+        }
+      ]
+    }
+  ]
+}

cmd/osv-scanner/scan/source/fixtures/locks-insecure/osv-scanner-custom.json

@@ -135,3 +135,10 @@ Then pass this to `osv-scanner` with this:
 ```
 osv-scanner --lockfile osv-scanner:/path/to/osv-scanner.json
 ```
+
+For automatic scan detection, you can create an `osv-scanner-custom.json` file using the same procedure described above for `osv-scanner.json`.
+Run the command below for detection:
+
+```
+./osv-scanner scan source -r /path/to/folder/you/want/to/scan
+```

docs/supported_languages_and_lockfiles.md

@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"path/filepath"
 
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/extractor/filesystem"
@@ -32,9 +33,14 @@ func (e Extractor) Requirements() *plugin.Capabilities {
 	return &plugin.Capabilities{}
 }
 
-// FileRequired never returns true, as this is for the osv-scanner json output.
-func (e Extractor) FileRequired(_ filesystem.FileAPI) bool {
-	return false
+func New() filesystem.Extractor {
+	return Extractor{}
+}
+
+// FileRequired returns true only for osv-scanner-custom.json files,
+// since this is specific to the osv-scanner JSON output
+func (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {
+	return filepath.Base(fapi.Path()) == "osv-scanner-custom.json"
 }
 
 // Extract extracts packages from yarn.lock files passed through the scan input.
@@ -56,6 +62,7 @@ func (e Extractor) Extract(_ context.Context, input *filesystem.ScanInput) (inve
 					Ecosystem:  pkg.Package.Ecosystem,
 					SourceInfo: res.Source,
 				},
+				PURLType:  "placeholder",
 				Locations: []string{input.Path},
 				Plugins:   []string{"osv/osvscannerjson"},
 			}

internal/scalibrextract/language/osv/osvscannerjson/extractor.go

@@ -39,6 +39,7 @@ func TestExtractor_Extract(t *testing.T) {
 					Name:      "activesupport",
 					Version:   "7.0.7",
 					Locations: []string{"testdata/one-package.json"},
+					PURLType:  "placeholder",
 					Plugins:   []string{"osv/osvscannerjson"},
 					Metadata: &osvscannerjson.Metadata{
 						Ecosystem: "RubyGems",
@@ -58,6 +59,7 @@ func TestExtractor_Extract(t *testing.T) {
 			WantPackages: []*extractor.Package{
 				{
 					Locations: []string{"testdata/one-package-commit.json"},
+					PURLType:  "placeholder",
 					Plugins:   []string{"osv/osvscannerjson"},
 					SourceCode: &extractor.SourceCodeIdentifier{
 						Commit: "9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52",
@@ -81,6 +83,7 @@ func TestExtractor_Extract(t *testing.T) {
 					Name:      "crossbeam-utils",
 					Version:   "0.6.6",
 					Locations: []string{"testdata/multiple-packages-with-vulns.json"},
+					PURLType:  "placeholder",
 					Plugins:   []string{"osv/osvscannerjson"},
 					Metadata: &osvscannerjson.Metadata{
 						Ecosystem: "crates.io",
@@ -94,6 +97,7 @@ func TestExtractor_Extract(t *testing.T) {
 					Name:      "memoffset",
 					Version:   "0.5.6",
 					Locations: []string{"testdata/multiple-packages-with-vulns.json"},
+					PURLType:  "placeholder",
 					Plugins:   []string{"osv/osvscannerjson"},
 					Metadata: &osvscannerjson.Metadata{
 						Ecosystem: "crates.io",
@@ -107,6 +111,7 @@ func TestExtractor_Extract(t *testing.T) {
 					Name:      "smallvec",
 					Version:   "1.6.0",
 					Locations: []string{"testdata/multiple-packages-with-vulns.json"},
+					PURLType:  "placeholder",
 					Plugins:   []string{"osv/osvscannerjson"},
 					Metadata: &osvscannerjson.Metadata{
 						Ecosystem: "crates.io",

internal/scalibrextract/language/osv/osvscannerjson/extractor_test.go

@@ -55,6 +55,7 @@ javascript/bunlock
 javascript/packagelockjson
 javascript/pnpmlock
 javascript/yarnlock
+osv/osvscannerjson
 php/composerlock
 python/pdmlock
 python/pipfilelock

internal/scalibrplugin/__snapshots__/resolve_test.snap

@@ -37,6 +37,7 @@ import (
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/java/pomxmlenhanceable"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules"
+	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/python/requirementsenhancable"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo"
 )
@@ -104,6 +105,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
 		// Haskell
 		cabal.Name:     {cabal.NewDefault},
 		stacklock.Name: {stacklock.NewDefault},
+
+		osvscannerjson.Name: {osvscannerjson.New},
 	},
 	"directory": {
 		gitrepo.Name:  {gitrepo.New},

internal/scalibrplugin/presets.go

@@ -10,6 +10,7 @@ import (
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/java/pomxmlenhanceable"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules"
+	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/python/requirementsenhancable"
 	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo"
 )
@@ -36,6 +37,8 @@ func resolveFromName(name string) (plugin.Plugin, error) {
 		return vendored.New(), nil
 	case gitrepo.Name:
 		return gitrepo.New(), nil
+	case osvscannerjson.Name:
+		return osvscannerjson.New(), nil
 	default:
 		return nil, fmt.Errorf("not an exact name for a plugin: %q", name)
 	}