refactor: Switch to use public osvdev client (#1804)

And delete the osvdev package in this repository.

Author: another-rex

cmd/osv-scanner/fix/command.go

@@ -16,7 +16,6 @@ import (
 	"github.com/google/osv-scanner/v2/internal/cmdlogger"
 	"github.com/google/osv-scanner/v2/internal/depsdev"
 	"github.com/google/osv-scanner/v2/internal/imodels/ecosystem"
-	"github.com/google/osv-scanner/v2/internal/osvdev"
 	"github.com/google/osv-scanner/v2/internal/remediation"
 	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
 	"github.com/google/osv-scanner/v2/internal/resolution"
@@ -27,6 +26,7 @@ import (
 	"github.com/google/osv-scanner/v2/internal/version"
 	"github.com/urfave/cli/v2"
 	"golang.org/x/term"
+	"osv.dev/bindings/go/osvdev"
 )
 
 type strategy string

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/jedib0t/go-pretty/v6 v6.6.7
 	github.com/muesli/reflow v0.3.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/ossf/osv-schema/bindings/go v0.0.0-20250318011049-e4c58d9a4a9e
+	github.com/ossf/osv-schema/bindings/go v0.0.0-20250401015358-964c89294a70
 	github.com/owenrumney/go-sarif/v2 v2.3.3
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/pandatix/go-cvss v0.6.2
@@ -31,13 +31,14 @@ require (
 	github.com/tidwall/sjson v1.2.5
 	github.com/urfave/cli/v2 v2.27.6
 	golang.org/x/net v0.38.0
-	golang.org/x/sync v0.12.0
+	golang.org/x/sync v0.13.0
 	golang.org/x/term v0.30.0
 	golang.org/x/vuln v1.1.3
 	google.golang.org/grpc v1.71.0
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v3 v3.0.1
+	osv.dev/bindings/go v0.0.0-20250411041304-d50b498021fc
 )
 
 require (

go.sum

@@ -276,8 +276,8 @@ github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bl
 github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/ossf/osv-schema/bindings/go v0.0.0-20250318011049-e4c58d9a4a9e h1:v/bSQI7UNOcg2i6iEtVKSQNSckOxutSrt8aYEHQobLU=
-github.com/ossf/osv-schema/bindings/go v0.0.0-20250318011049-e4c58d9a4a9e/go.mod h1:lILztSxHU7VsdlYqCnwgxSDBhbXMf7iEQWtldJCDXPo=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20250401015358-964c89294a70 h1:uIRWzcJre+A+QgI7YWPsHraSD77LXVHUnsYZawjhqas=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20250401015358-964c89294a70/go.mod h1:lILztSxHU7VsdlYqCnwgxSDBhbXMf7iEQWtldJCDXPo=
 github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
 github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU=
 github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
@@ -442,8 +442,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -554,6 +554,8 @@ modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
 modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
 modernc.org/sqlite v1.20.3 h1:SqGJMMxjj1PHusLxdYxeQSodg7Jxn9WWkaAQjKrntZs=
 modernc.org/sqlite v1.20.3/go.mod h1:zKcGyrICaxNTMEHSr1HQ2GUraP0j+845GYw37+EyT6A=
+osv.dev/bindings/go v0.0.0-20250411041304-d50b498021fc h1:Gu06XS+AvIwpePuOhkZ2Wgbd23M45k1JrtNtNXFf9YQ=
+osv.dev/bindings/go v0.0.0-20250411041304-d50b498021fc/go.mod h1:svwlXlXiK7mfdhDO0SXkM36wgXxT+0d71ncYc2oBlQ8=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09 h1:G1RWYBXP2lSzxKcrAU1YhiUlBetZ7hGIzIiWuuazvfo=

internal/clients/clientimpl/osvmatcher/cachedosvmatcher.go

@@ -11,9 +11,10 @@ import (
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher"
 	"github.com/google/osv-scanner/v2/internal/imodels"
-	"github.com/google/osv-scanner/v2/internal/osvdev"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
 	"golang.org/x/sync/errgroup"
+	"osv.dev/bindings/go/osvdev"
+	"osv.dev/bindings/go/osvdevexperimental"
 )
 
 // CachedOSVMatcher implements the VulnerabilityMatcher interface with a osv.dev client.
@@ -94,10 +95,10 @@ func (matcher *CachedOSVMatcher) doQueries(ctx context.Context, invs []*extracto
 	// If there is a timeout for the initial query, set an additional context deadline here.
 	if matcher.InitialQueryTimeout > 0 {
 		batchQueryCtx, cancelFunc := context.WithDeadline(ctx, time.Now().Add(matcher.InitialQueryTimeout))
-		batchResp, err = queryForBatchWithPaging(batchQueryCtx, &matcher.Client, queries)
+		batchResp, err = osvdevexperimental.BatchQueryPaging(batchQueryCtx, &matcher.Client, queries)
 		cancelFunc()
 	} else {
-		batchResp, err = queryForBatchWithPaging(ctx, &matcher.Client, queries)
+		batchResp, err = osvdevexperimental.BatchQueryPaging(ctx, &matcher.Client, queries)
 	}
 
 	if err != nil {

internal/clients/clientimpl/osvmatcher/errors.go

@@ -8,9 +8,10 @@ import (
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/log"
 	"github.com/google/osv-scanner/v2/internal/imodels"
-	"github.com/google/osv-scanner/v2/internal/osvdev"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
 	"golang.org/x/sync/errgroup"
+	"osv.dev/bindings/go/osvdev"
+	"osv.dev/bindings/go/osvdevexperimental"
 )
 
 const (
@@ -39,10 +40,10 @@ func (matcher *OSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*ext
 		// If there is a timeout for the initial query, set an additional context deadline here.
 		if matcher.InitialQueryTimeout > 0 {
 			batchQueryCtx, cancelFunc := context.WithDeadline(ctx, time.Now().Add(matcher.InitialQueryTimeout))
-			batchResp, err = queryForBatchWithPaging(batchQueryCtx, &matcher.Client, queries)
+			batchResp, err = osvdevexperimental.BatchQueryPaging(batchQueryCtx, &matcher.Client, queries)
 			cancelFunc()
 		} else {
-			batchResp, err = queryForBatchWithPaging(ctx, &matcher.Client, queries)
+			batchResp, err = osvdevexperimental.BatchQueryPaging(ctx, &matcher.Client, queries)
 		}
 
 		if err != nil {
@@ -92,65 +93,6 @@ func (matcher *OSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*ext
 	return vulnerabilities, nil
 }
 
-func queryForBatchWithPaging(ctx context.Context, c *osvdev.OSVClient, queries []*osvdev.Query) (*osvdev.BatchedResponse, error) {
-	batchResp, err := c.QueryBatch(ctx, queries)
-
-	if err != nil {
-		return nil, err
-	}
-	// --- Paging logic ---
-	var errToReturn error
-	nextPageQueries := []*osvdev.Query{}
-	nextPageIndexMap := []int{}
-	for i, res := range batchResp.Results {
-		if res.NextPageToken == "" {
-			continue
-		}
-
-		query := *queries[i]
-		query.PageToken = res.NextPageToken
-		nextPageQueries = append(nextPageQueries, &query)
-		nextPageIndexMap = append(nextPageIndexMap, i)
-	}
-
-	if len(nextPageQueries) > 0 {
-		// If context is cancelled or deadline exceeded, return now
-		if ctx.Err() != nil {
-			return batchResp, &DuringPagingError{
-				PageDepth: 1,
-				Inner:     ctx.Err(),
-			}
-		}
-
-		nextPageResp, err := queryForBatchWithPaging(ctx, c, nextPageQueries)
-		if err != nil {
-			var dpr *DuringPagingError
-			if ok := errors.As(err, &dpr); ok {
-				dpr.PageDepth += 1
-				errToReturn = dpr
-			} else {
-				errToReturn = &DuringPagingError{
-					PageDepth: 1,
-					Inner:     err,
-				}
-			}
-		}
-
-		// Whether there is an error or not, if there is any data,
-		// we want to save and return what we got.
-		if nextPageResp != nil {
-			for i, res := range nextPageResp.Results {
-				batchResp.Results[nextPageIndexMap[i]].Vulns = append(batchResp.Results[nextPageIndexMap[i]].Vulns, res.Vulns...)
-				// Set next page token so caller knows whether this is all the results
-				// even if it is being cancelled.
-				batchResp.Results[nextPageIndexMap[i]].NextPageToken = res.NextPageToken
-			}
-		}
-	}
-
-	return batchResp, errToReturn
-}
-
 func pkgToQuery(pkg imodels.PackageInfo) *osvdev.Query {
 	if pkg.Name() != "" && !pkg.Ecosystem().IsEmpty() && pkg.Version() != "" {
 		return &osvdev.Query{