test: Add test for homebrew scanning

Author: Avgor46

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -3256,6 +3256,64 @@ Total 1 package affected by 45 known vulnerabilities (5 Critical, 17 High, 23 Me
 
 ---
 
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator - 1]
+Scanning dir ./testdata/homebrew/Cellar/
+Scanned <rootdir>/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json file and found 1 package
+
+Scanning Result (package view):
+Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++----------------------------------------------------------------------------------------------+
+| Source:os:<rootdir>/testdata/homebrew/Cell |
+| ar/libssh2/1.11.1/INSTALL_RECEIPT.json                                                       |
++----------------+-------------------+------------------+------------+-------------------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT | BINARY PACKAGES (COUNT) |
++----------------+-------------------+------------------+------------+-------------------------+
+| libssh2        | 1.11.1            | No fix available |          5 |                         |
++----------------+-------------------+------------------+------------+-------------------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
+
+---
+
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator - 2]
+
+---
+
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin - 1]
+Scanning dir ./testdata/homebrew/Cellar/
+Scanned <rootdir>/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages
+Scanned <rootdir>/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages
+Scanned <rootdir>/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json file and found 1 package
+
+Scanning Result (package view):
+Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++----------------------------------------------------------------------------------------------+
+| Source:os:<rootdir>/testdata/homebrew/Cell |
+| ar/libssh2/1.11.1/INSTALL_RECEIPT.json                                                       |
++----------------+-------------------+------------------+------------+-------------------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT | BINARY PACKAGES (COUNT) |
++----------------+-------------------+------------------+------------+-------------------------+
+| libssh2        | 1.11.1            | No fix available |          5 |                         |
++----------------+-------------------+------------------+------------+-------------------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
+
+---
+
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin - 2]
+
+---
+
 [TestCommand_HtmlFile - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package

cmd/osv-scanner/scan/source/command_test.go

@@ -445,6 +445,38 @@ func TestCommand_JavareachArchive(t *testing.T) {
 	}
 }
 
+func TestCommand_HomebrewWithAnnotators(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS != "darwin" {
+		testutility.Skip(t, "The detector in this test only works on Darwin")
+	}
+
+	client := testcmd.InsertCassette(t)
+
+	tests := []testcmd.Case{
+		{
+			Name: "homebrew_extractor_via_artifact_plugin",
+			Args: []string{"", "source", "-r", "--no-ignore", "--experimental-plugins=artifact", "./testdata/homebrew/Cellar/"},
+			Exit: 1,
+		},
+		{
+			Name: "homebrew_extractor_explicitly_enabled_with_annotator",
+			Args: []string{"", "source", "-r", "--no-ignore", "--experimental-plugins=os/homebrew", "--experimental-plugins=misc/brew-source", "./testdata/homebrew/Cellar/"},
+			Exit: 1,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			tt.HTTPClient = testcmd.WithTestNameHeader(t, *client)
+
+			testcmd.RunAndMatchSnapshots(t, tt)
+		})
+	}
+}
+
 func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
 	t.Parallel()
 

cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml

@@ -0,0 +1,139 @@
+---
+version: 2
+interactions:
+  - id: 0
+    request:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 170
+      host: api.osv.dev
+      body: |
+        {
+          "queries": [
+            {
+              "package": {
+                "ecosystem": "GIT",
+                "name": "https://github.com/libssh2/libssh2"
+              },
+              "version": "1.11.1"
+            }
+          ]
+        }
+      headers:
+        Content-Type:
+          - application/json
+        X-Test-Name:
+          - TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator
+      url: https://api.osv.dev/v1/querybatch
+      method: POST
+    response:
+      proto: HTTP/2.0
+      proto_major: 2
+      proto_minor: 0
+      content_length: 337
+      body: |
+        {
+          "results": [
+            {
+              "vulns": [
+                {
+                  "id": "OSV-2022-24",
+                  "modified": "2025-02-01T14:16:58.476563Z"
+                },
+                {
+                  "id": "OSV-2024-847",
+                  "modified": "2025-02-01T14:27:03.602163Z"
+                },
+                {
+                  "id": "OSV-2025-433",
+                  "modified": "2025-06-05T00:02:57.200566Z"
+                },
+                {
+                  "id": "OSV-2025-90",
+                  "modified": "2025-12-20T14:15:39.033263Z"
+                },
+                {
+                  "id": "OSV-2025-92",
+                  "modified": "2025-12-20T14:25:09.128654Z"
+                }
+              ]
+            }
+          ]
+        }
+      headers:
+        Content-Length:
+          - "337"
+        Content-Type:
+          - application/json
+      status: 200 OK
+      code: 200
+      duration: 0s
+  - id: 1
+    request:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 170
+      host: api.osv.dev
+      body: |
+        {
+          "queries": [
+            {
+              "package": {
+                "ecosystem": "GIT",
+                "name": "https://github.com/libssh2/libssh2"
+              },
+              "version": "1.11.1"
+            }
+          ]
+        }
+      headers:
+        Content-Type:
+          - application/json
+        X-Test-Name:
+          - TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin
+      url: https://api.osv.dev/v1/querybatch
+      method: POST
+    response:
+      proto: HTTP/2.0
+      proto_major: 2
+      proto_minor: 0
+      content_length: 337
+      body: |
+        {
+          "results": [
+            {
+              "vulns": [
+                {
+                  "id": "OSV-2022-24",
+                  "modified": "2025-02-01T14:16:58.476563Z"
+                },
+                {
+                  "id": "OSV-2024-847",
+                  "modified": "2025-02-01T14:27:03.602163Z"
+                },
+                {
+                  "id": "OSV-2025-433",
+                  "modified": "2025-06-05T00:02:57.200566Z"
+                },
+                {
+                  "id": "OSV-2025-90",
+                  "modified": "2025-12-20T14:15:39.033263Z"
+                },
+                {
+                  "id": "OSV-2025-92",
+                  "modified": "2025-12-20T14:25:09.128654Z"
+                }
+              ]
+            }
+          ]
+        }
+      headers:
+        Content-Length:
+          - "337"
+        Content-Type:
+          - application/json
+      status: 200 OK
+      code: 200
+      duration: 0s

cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb

@@ -0,0 +1,55 @@
+class Libssh2 < Formula
+  desc "C library implementing the SSH2 protocol"
+  homepage "https://libssh2.org/"
+  url "https://libssh2.org/download/libssh2-1.11.1.tar.gz"
+  mirror "https://github.com/libssh2/libssh2/releases/download/libssh2-1.11.1/libssh2-1.11.1.tar.gz"
+  mirror "http://download.openpkg.org/components/cache/libssh2/libssh2-1.11.1.tar.gz"
+  sha256 "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
+  license "BSD-3-Clause"
+
+  livecheck do
+    url "https://libssh2.org/download/"
+    regex(/href=.*?libssh2[._-]v?(\d+(?:\.\d+)+)\./i)
+  end
+
+  head do
+    url "https://github.com/libssh2/libssh2.git", branch: "master"
+
+    depends_on "autoconf" => :build
+    depends_on "automake" => :build
+    depends_on "libtool" => :build
+  end
+
+  depends_on "openssl@3"
+
+  uses_from_macos "zlib"
+
+  def install
+    args = %W[
+      --disable-silent-rules
+      --disable-examples-build
+      --with-openssl
+      --with-libz
+      --with-libssl-prefix=#{Formula["openssl@3"].opt_prefix}
+    ]
+
+    system "./buildconf" if build.head?
+    system "./configure", *std_configure_args, *args
+    system "make", "install"
+  end
+
+  test do
+    (testpath/"test.c").write <<~EOS
+      #include <libssh2.h>
+
+      int main(void)
+      {
+      libssh2_exit();
+      return 0;
+      }
+    EOS
+
+    system ENV.cc, "test.c", "-L#{lib}", "-lssh2", "-o", "test"
+    system "./test"
+  end
+end

cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json

@@ -0,0 +1,57 @@
+{
+  "homebrew_version": "4.4.1-34-gaf958b2",
+  "used_options": [],
+  "unused_options": [],
+  "built_as_bottle": true,
+  "poured_from_bottle": true,
+  "loaded_from_api": true,
+  "installed_as_dependency": true,
+  "installed_on_request": false,
+  "changed_files": [
+    "NEWS",
+    "lib/pkgconfig/libssh2.pc"
+  ],
+  "time": 1765466145,
+  "source_modified_time": 1729065801,
+  "compiler": "clang",
+  "aliases": [],
+  "runtime_dependencies": [
+    {
+      "full_name": "ca-certificates",
+      "version": "2025-12-02",
+      "revision": 0,
+      "bottle_rebuild": 0,
+      "pkg_version": "2025-12-02",
+      "declared_directly": false
+    },
+    {
+      "full_name": "openssl@3",
+      "version": "3.6.0",
+      "revision": 0,
+      "bottle_rebuild": 0,
+      "pkg_version": "3.6.0",
+      "declared_directly": true
+    }
+  ],
+  "source": {
+    "spec": "stable",
+    "versions": {
+      "stable": "1.11.1",
+      "head": null,
+      "version_scheme": 0,
+      "compatibility_version": null
+    },
+    "path": "/Users/user/Library/Caches/Homebrew/api/formula.jws.json",
+    "tap_git_head": null,
+    "tap": "homebrew/core"
+  },
+  "arch": "arm64",
+  "built_on": {
+    "os": "Macintosh",
+    "os_version": "macOS 15",
+    "cpu_family": "dunno",
+    "xcode": "16.0",
+    "clt": "16.0.0.0.1.1724870825",
+    "preferred_perl": "5.34"
+  }
+}

internal/scalibrplugin/__snapshots__/resolve_test.snap

@@ -28,8 +28,10 @@ baseimage
 go/binary
 java/archive
 javascript/nodemodules
+misc/brew-source
 os/apk
 os/dpkg
+os/homebrew
 python/wheelegg
 rust/cargoauditable
 vex/os-duplicate/apk