diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap index b21702c53d3..d5c8491a160 100755 --- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap @@ -619,8 +619,8 @@ Scanning local image tarball "./testdata/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21) (Based on "eclipse-temurin" image): -Total 30 packages affected by 109 known vulnerabilities (6 Critical, 50 High, 46 Medium, 6 Low, 1 Unknown) from 2 ecosystems. -109 vulnerabilities can be fixed. +Total 30 packages affected by 110 known vulnerabilities (6 Critical, 51 High, 46 Medium, 6 Low, 1 Unknown) from 2 ecosystems. +110 vulnerabilities can be fixed. Maven @@ -659,7 +659,7 @@ Alpine:v3.21 | busybox | 1.37.0-r9 | Fix Available | 2 | busybox... (3) | # 0 Layer | alpine | | expat | 2.6.4-r0 | Fix Available | 7 | libexpat | # 5 Layer | eclipse-temurin | | gnupg | 2.4.7-r0 | Fix Available | 2 | gnupg... (11) | # 5 Layer | eclipse-temurin | -| gnutls | 3.8.8-r0 | Fix Available | 14 | gnutls | # 5 Layer | eclipse-temurin | +| gnutls | 3.8.8-r0 | Fix Available | 15 | gnutls | # 5 Layer | eclipse-temurin | | libpng | 1.6.44-r0 | Fix Available | 11 | libpng | # 5 Layer | eclipse-temurin | | libtasn1 | 4.19.0-r2 | Fix Available | 2 | libtasn1 | # 5 Layer | eclipse-temurin | | musl | 1.2.5-r8 | Fix Available | 3 | musl, musl-utils | # 0 Layer | alpine | @@ -754,8 +754,8 @@ Scanning local image tarball "./testdata/test-python-full.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)) (Based on "python" image): -Total 21 packages affected by 59 known vulnerabilities (1 Critical, 19 High, 21 Medium, 3 Low, 15 Unknown) from 2 ecosystems. -57 vulnerabilities can be fixed. +Total 21 packages affected by 60 known vulnerabilities (1 Critical, 19 High, 22 Medium, 3 Low, 15 Unknown) from 2 ecosystems. +58 vulnerabilities can be fixed. PyPI 
@@ -792,7 +792,7 @@ PyPI +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | +| idna | 2.7 | Fix Available | 2 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +-------------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | 
@@ -1044,6 +1044,76 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne --- +[TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image - 1] +Scanning local image tarball "./testdata/test-chisel.tar" + + +Container Scanning Result (Ubuntu 26.04 LTS): +Total 7 packages affected by 103 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 102 Unknown) from 2 ecosystems. +102 vulnerabilities can be fixed. + + +Go ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/bin/go | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/bin/gofmt | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/asm | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | 
++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/compile | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/link | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/vet | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | 
++---------+-------------------+---------------+------------+------------------+---------------+ +Ubuntu:26.04 ++-------------------------------------------------------------------------------------------------------------------------------------------+ +| Source:os:/var/lib/chisel/manifest.wall | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ +| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ +| coreutils | 9.5-1ubuntu2+0.0.0~ubuntu25 | No fix available | 1 | coreutils | # 0 Layer | -- | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image - 2] + +--- + [TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] Scanning local image tarball "./testdata/test-node_modules-npm-empty.tar" @@ -1377,9 +1447,10 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne "index": 17 } }, - "groups": 1, + "groups": 2, "vulnerabilities": [ "PYSEC-2024-60", + "GHSA-65pc-fj4g-8rjx", "GHSA-jjg7-2v4v-x38h" ] } 
@@ -2917,6 +2988,290 @@ Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" --- +[TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image - 1] +{ + "results": [ + { + "source": { + "path": "/usr/lib/go-1.25/bin/go", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/bin/gofmt", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/asm", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + 
"source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/compile", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/link", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/vet", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/var/lib/chisel/manifest.wall", + "type": "os" + }, + "packages": [ + { + "package": { + "name": "coreutils", + "os_package_name": "coreutils", 
+ "version": "9.5-1ubuntu2+0.0.0~ubuntu25", + "ecosystem": "Ubuntu:26.04", + "image_origin_details": { + "index": 0 + } + }, + "groups": 1, + "vulnerabilities": [ + "UBUNTU-CVE-2025-5278" + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + }, + "image_metadata": { + "os": "Ubuntu 26.04 LTS", + "layer_metadata": [ + { + "diff_id": "sha256:...", + "command": "COPY /rootfs/ / # buildkit", + "is_empty": false, + "base_image_index": 0 + } + ], + "base_images": [ + {} + ] + } +} + +--- + +[TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image - 2] +Scanning local image tarball "./testdata/test-chisel.tar" + +--- + [TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 1] { "results": [
diff --git a/cmd/osv-scanner/scan/image/command_test.go b/cmd/osv-scanner/scan/image/command_test.go
index 1a75a044c0c..07b8c895ddb 100644
--- a/cmd/osv-scanner/scan/image/command_test.go
+++ b/cmd/osv-scanner/scan/image/command_test.go
@@ -363,6 +363,14 @@ func TestCommand_OCIImage(t *testing.T) {
 },
 Exit: 1,
 },
+ {
+ Name: "scanning_insecure_chiseled_ubuntu_image",
+ Args: []string{
+ "", "image",
+ "--archive", "./testdata/test-chisel.tar",
+ },
+ Exit: 1,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.Name, func(t *testing.T) {
@@ -499,6 +507,20 @@ func TestCommand_OCIImage_JSONFormat(t *testing.T) {
 testutility.AnyDiffID,
 },
 },
+ {
+ Name: "scanning_insecure_chiseled_ubuntu_image",
+ Args: []string{
+ "", "image", "--format=json",
+ "--archive", "./testdata/test-chisel.tar",
+ },
+ Exit: 1,
+ ReplaceRules: []testutility.JSONReplaceRule{
+ testutility.GroupsAsArrayLen,
+ testutility.OnlyIDVulnsRule,
+ testutility.OnlyFirstBaseImage,
+ testutility.AnyDiffID,
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.Name, func(t *testing.T) {
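Review bot: Neither new `scanning_insecure_chiseled_ubuntu_image` entry (the one in TestCommand_OCIImage and the one in TestCommand_OCIImage_JSONFormat) says what the fixture is meant to prove, so a later snapshot refresh cannot tell a regression in chisel manifest extraction apart from ordinary advisory churn. The snapshot added in this commit shows the only OS-level finding coming from `/var/lib/chisel/manifest.wall` (coreutils, UBUNTU-CVE-2025-5278), while the other 102 counted findings are the same 17 stdlib advisories reported once for each of six Go toolchain binaries. I would add a comment above each entry such as `// chiselled Ubuntu rootfs: OS packages are read from /var/lib/chisel/manifest.wall; the coreutils finding is the one that must not disappear`. Both table literals start and end outside the hunks, so whether neighbouring cases carry similar comments is not visible here.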
diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index 3fab67cedfd..8f5246c1872 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml @@ -6638,7 +6638,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -6650,7 +6650,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -6662,7 +6662,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -9298,7 +9298,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 13745 + content_length: 13817 body: | { "results": [ @@ -9544,6 +9544,10 @@ interactions: "id": "ALPINE-CVE-2026-3833", "modified": "2026-05-11T15:31:04.173991Z" }, + { + "id": "ALPINE-CVE-2026-42009", + "modified": "2026-05-19T09:30:34.884543Z" + }, { "id": "ALPINE-CVE-2026-42010", "modified": "2026-05-14T09:31:40.053539Z" @@ -10270,7 +10274,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-qh8g-58pp-2wxh", @@ -10357,7 +10361,7 @@ interactions: } headers: Content-Length: - - "13745" + - "13817" Content-Type: - application/json status: 200 OK @@ -12282,7 +12286,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 6660 + content_length: 6730 body: | { "results": [ 
@@ -12409,6 +12413,10 @@ interactions: {}, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -12867,7 +12875,7 @@ interactions: } headers: Content-Length: - - "6660" + - "6730" Content-Type: - application/json status: 200 OK @@ -13294,7 +13302,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13306,7 +13314,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13318,7 +13326,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -13486,7 +13494,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13498,7 +13506,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13510,7 +13518,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -13678,7 +13686,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13690,7 +13698,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13702,7 +13710,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", 
@@ -13870,7 +13878,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13882,7 +13890,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13894,7 +13902,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -14062,7 +14070,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -14074,7 +14082,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -14086,7 +14094,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -14254,7 +14262,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -14266,7 +14274,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -14278,7 +14286,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", 
@@ -15203,6 +15211,731 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 4381 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "base-files" + }, + "version": "14ubuntu6" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "bash" + }, + "version": "5.3-2ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils" + }, + "version": "9.5-1ubuntu2+0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils-from-gnu" + }, + "version": "0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gcc-14-base" + }, + "version": "14.3.0-14ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gnu-coreutils" + }, + "version": "9.7-3ubuntu2" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-go" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-src" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-go" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-src" + }, + "version": "2:1.26~1" + }, + { + 
"package": { + "ecosystem": "Ubuntu:26.04", + "name": "libacl1" + }, + "version": "2.3.2-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libattr1" + }, + "version": "1:2.5.2-4" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libc6" + }, + "version": "2.43-2ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libcap2" + }, + "version": "1:2.75-10ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgcc-s1" + }, + "version": "16-20260322-1ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgmp10" + }, + "version": "2:6.3.0+dfsg-5ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libpcre2-8-0" + }, + "version": "10.46-1build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libselinux1" + }, + "version": "3.9-4build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libssl3t64" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libsystemd0" + }, + "version": "259.5-0ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libtinfo6" + }, + "version": "6.6+20251231-1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libzstd1" + }, + "version": "1.5.7+dfsg-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "make" + }, + "version": "4.4.1-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "openssl-provider-legacy" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "zlib1g" + }, + "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 6669 + body: | + { + "results": [ + {}, + 
{}, + { + "vulns": [ + { + "id": "UBUNTU-CVE-2025-5278", + "modified": "2026-04-27T18:53:24.878093Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": 
"2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": 
"GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + 
"modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + 
{ + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "6669" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml index cdcea4672e7..3b9fc8197a4 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml @@ -800,7 +800,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 6660 + content_length: 6730 body: | { "results": [ @@ -927,6 +927,10 @@ interactions: {}, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -1385,7 +1389,7 @@ interactions: } headers: Content-Length: - - "6660" + - "6730" Content-Type: - application/json status: 200 OK @@ -1854,7 +1858,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-2673", - "modified": "2026-05-14T09:30:41.007180Z" + "modified": "2026-05-19T09:30:35.023887Z" }, { "id": "ALPINE-CVE-2026-28387", @@ -1934,7 +1938,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-2673", - "modified": "2026-05-14T09:30:41.007180Z" + "modified": "2026-05-19T09:30:35.023887Z" }, { "id": "ALPINE-CVE-2026-28387", @@ -2354,7 +2358,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -2366,7 +2370,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -2378,7 +2382,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", 
@@ -2988,6 +2992,731 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 4381 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "base-files" + }, + "version": "14ubuntu6" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "bash" + }, + "version": "5.3-2ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils" + }, + "version": "9.5-1ubuntu2+0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils-from-gnu" + }, + "version": "0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gcc-14-base" + }, + "version": "14.3.0-14ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gnu-coreutils" + }, + "version": "9.7-3ubuntu2" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-go" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-src" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-go" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-src" + }, + "version": "2:1.26~1" + }, + { + 
"package": { + "ecosystem": "Ubuntu:26.04", + "name": "libacl1" + }, + "version": "2.3.2-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libattr1" + }, + "version": "1:2.5.2-4" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libc6" + }, + "version": "2.43-2ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libcap2" + }, + "version": "1:2.75-10ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgcc-s1" + }, + "version": "16-20260322-1ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgmp10" + }, + "version": "2:6.3.0+dfsg-5ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libpcre2-8-0" + }, + "version": "10.46-1build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libselinux1" + }, + "version": "3.9-4build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libssl3t64" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libsystemd0" + }, + "version": "259.5-0ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libtinfo6" + }, + "version": "6.6+20251231-1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libzstd1" + }, + "version": "1.5.7+dfsg-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "make" + }, + "version": "4.4.1-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "openssl-provider-legacy" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "zlib1g" + }, + "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 6669 + body: | + { + "results": 
[ + {}, + {}, + { + "vulns": [ + { + "id": "UBUNTU-CVE-2025-5278", + "modified": "2026-04-27T18:53:24.878093Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": 
"2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": 
"GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + 
"modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-19T10:29:18.989085Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-19T10:29:19.060466Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-19T10:29:18.889608Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + 
{ + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "6669" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 @@ -6458,7 +7187,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -6470,7 +7199,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -6482,7 +7211,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", diff --git a/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile b/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile new file mode 100644 index 00000000000..bc51c043a54 --- /dev/null +++ b/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile 
@@ -0,0 +1,26 @@
+FROM ubuntu:26.04@sha256:f3d28607ddd78734bb7f71f117f3c6706c666b8b76cbff7c9ff6e5718d46ff64 AS builder
+
+RUN apt install --update -y curl wget git
+
+# Deb arch to GOARCH
+RUN arch="$(dpkg --print-architecture | sed -e 's/armhf/arm/g' -e 's/ppc64el/ppc64le/g')" && \
+ curl -s https://api.github.com/repos/canonical/chisel/releases/latest \
+ | awk "/browser_download_url/ && /chisel_v/ && /_$arch\./" \
+ | cut -d : -f 2,3 \
+ | tr -d \" \
+ | xargs wget
+
+RUN sha384sum -c chisel_v*sha384
+RUN tar -xf chisel_v*tar.gz -C /usr/local/bin
+RUN git clone --depth 1 --branch ubuntu-26.04 https://github.com/canonical/chisel-releases.git chisel-releases
+# Remove the `resolute-security` and `resolute-updates` suites from `chisel.yaml` to force pull from a frozen pocket
+RUN sed -i 's/suites: \[resolute, resolute-security, resolute-updates\]/suites: \[resolute\]/g' chisel-releases/chisel.yaml
+RUN mkdir /rootfs && \
+ chisel cut --release ./chisel-releases --root /rootfs \
+ base-files_base \
+ base-files_chisel \
+ base-files_release-info \
+ golang_core
+
+FROM scratch
+COPY --from=builder /rootfs/ /
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index 4c7d587fcad..a6cf4e6cb7e 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
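Review bot: The `sha384sum -c chisel_v*sha384` step in test-chisel.Dockerfile does not authenticate the chisel binary, because the checksum file appears to be fetched by the same `xargs wget` pipeline from the same `releases/latest` response as the tarball, so whatever can alter the release alters both. The base image is digest-pinned, but chisel itself and the `--branch ubuntu-26.04` clone of chisel-releases are moving targets, which also lets the built image drift away from the recorded cassette. Pin a specific release and compare against a digest committed in this file, e.g. `ARG CHISEL_VERSION=<pinned-release-tag>` and `RUN echo "<expected-sha384>  chisel.tar.gz" | sha384sum -c -`, and check out a fixed commit of chisel-releases after the clone. `curl -s` also hides HTTP errors such as API rate limiting; `curl -fsSL` would fail the build at the step that actually broke.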
@@ -911,7 +911,7 @@ Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Filtered 10 local/unscannable package/s from the scan. -Total 27 packages affected by 200 known vulnerabilities (22 Critical, 87 High, 64 Medium, 4 Low, 23 Unknown) from 4 ecosystems. +Total 27 packages affected by 200 known vulnerabilities (22 Critical, 86 High, 65 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -1082,7 +1082,7 @@ Total 27 packages affected by 200 known vulnerabilities (22 Critical, 87 High, 6 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2168,7 +2168,7 @@ Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 27 packages affected by 194 known vulnerabilities (22 Critical, 82 High, 63 Medium, 4 Low, 23 Unknown) from 4 ecosystems. +Total 27 packages affected by 194 known vulnerabilities (22 Critical, 81 High, 64 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ @@ -2331,7 +2331,7 @@ Total 27 packages affected by 194 known vulnerabilities (22 Critical, 82 High, 6 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2417,7 +2417,7 @@ Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 24 packages affected by 186 known vulnerabilities (20 Critical, 79 High, 60 Medium, 4 Low, 23 Unknown) from 3 ecosystems. +Total 24 packages affected by 186 known vulnerabilities (20 Critical, 78 High, 61 Medium, 4 Low, 23 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -2572,7 +2572,7 @@ Total 24 packages affected by 186 known vulnerabilities (20 Critical, 79 High, 6 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -3644,7 +3644,7 @@ Total 4 packages affected by 56 known vulnerabilities (18 Critical, 30 High, 6 M | https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | -| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.60 | testdata/artifact/javareach_test.jar | +| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.33 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | 
@@ -3729,7 +3729,7 @@ Total 8 packages affected by 62 known vulnerabilities (18 Critical, 32 High, 9 M | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | -| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.60 | testdata/artifact/javareach_test.jar | +| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.33 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | 
@@ -3809,7 +3809,7 @@ Total 8 packages affected by 62 known vulnerabilities (18 Critical, 32 High, 9 M | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | -| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.60 | testdata/artifact/javareach_test.jar | +| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.33 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | 
@@ -4749,7 +4749,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 59 Medium, 4 Low, 23 Unknown) from 2 ecosystems. +Total 22 packages affected by 183 known vulnerabilities (19 Critical, 77 High, 60 Medium, 4 Low, 23 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -4903,7 +4903,7 @@ Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 5 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -4982,7 +4982,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 59 Medium, 4 Low, 23 Unknown) from 2 ecosystems. +Total 22 packages affected by 183 known vulnerabilities (19 Critical, 77 High, 60 Medium, 4 Low, 23 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ @@ -5136,7 +5136,7 @@ Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 5 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -5956,6 +5956,11 @@ Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Med Scanning dir ./testdata/locks-requirements/requirements.txt Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Loaded PyPI local db from /osv-scanner/PyPI/all.zip +PYSEC-2011-28 does not have any ranges or versions - this is probably a mistake! +PYSEC-2011-29 does not have any ranges or versions - this is probably a mistake! +PYSEC-2011-30 does not have any ranges or versions - this is probably a mistake! +PYSEC-2011-31 does not have any ranges or versions - this is probably a mistake! +PYSEC-2020-345 does not have any ranges or versions - this is probably a mistake! Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Medium, 1 Low, 0 Unknown) from 1 ecosystem. 13 vulnerabilities can be fixed. @@ -6019,8 +6024,8 @@ Total 3 packages affected by 9 known vulnerabilities (0 Critical, 3 High, 4 Medi [TestCommand_Transitive/requirements.txt_transitive_default - 1] Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages -Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem. -24 vulnerabilities can be fixed. +Total 5 packages affected by 25 known vulnerabilities (1 Critical, 10 High, 12 Medium, 1 Low, 1 Unknown) from 1 ecosystem. +25 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | 
@@ -6043,6 +6048,7 @@ Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 M | https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7.0 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | +| https://osv.dev/GHSA-65pc-fj4g-8rjx | 6.9 | PyPI | idna | 2.7.0 | 3.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | | | https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt | @@ -6067,8 +6073,8 @@ Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 M [TestCommand_Transitive/requirements.txt_transitive_native_source - 1] Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages -Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem. -24 vulnerabilities can be fixed. +Total 5 packages affected by 25 known vulnerabilities (1 Critical, 10 High, 12 Medium, 1 Low, 1 Unknown) from 1 ecosystem. +25 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | 
@@ -6091,6 +6097,7 @@ Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 M | https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | +| https://osv.dev/GHSA-65pc-fj4g-8rjx | 6.9 | PyPI | idna | 2.7 | 3.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | | | https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt | diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index f81ca5af1df..1dbddeb3795 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -474,7 +474,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -486,7 +486,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -498,7 +498,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -748,7 +748,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -760,7 +760,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -772,7 +772,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -972,7 +972,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -984,7 +984,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -996,7 +996,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -1239,7 +1239,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -1251,7 +1251,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -1263,7 +1263,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -4317,7 +4317,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-28T20:31:52.784484Z" + "modified": "2026-05-18T21:00:35.644624Z" }, { "id": "DEBIAN-CVE-2026-41990", @@ -4998,7 +4998,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-2673", - "modified": "2026-05-14T09:00:11.435092Z" + "modified": "2026-05-19T09:00:10.116381Z" }, { "id": "DEBIAN-CVE-2026-28386", @@ -5712,7 +5712,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -5724,7 +5724,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -5736,7 +5736,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -7745,7 +7745,7 @@ interactions: }, { "id": "GHSA-hxwh-jpp2-84pm", - "modified": "2026-02-04T02:15:39.891834Z" + "modified": "2026-05-19T20:30:23.753027Z" }, { "id": "GHSA-xc3p-ff3m-f46v", @@ -7757,7 +7757,7 @@ interactions: }, { "id": "PYSEC-2024-71", - "modified": "2025-10-09T08:27:44.186589Z" + "modified": "2026-05-19T05:26:16.591908Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml index 2ecd54a3e33..349f9b0fe29 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml @@ -132,7 +132,7 @@ interactions: }, { "id": "OSV-2024-340", - "modified": "2026-05-17T14:28:07.764086Z" + "modified": "2026-05-19T14:28:33.772959Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml index bb40655067f..012b3eabe6f 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml @@ -1803,7 +1803,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-28T20:31:52.784484Z" + "modified": "2026-05-18T21:00:35.644624Z" }, { "id": "DEBIAN-CVE-2026-41990", 
@@ -2484,7 +2484,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-2673", - "modified": "2026-05-14T09:00:11.435092Z" + "modified": "2026-05-19T09:00:10.116381Z" }, { "id": "DEBIAN-CVE-2026-28386", @@ -4439,7 +4439,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-28T20:31:52.784484Z" + "modified": "2026-05-18T21:00:35.644624Z" }, { "id": "DEBIAN-CVE-2026-41990", @@ -5120,7 +5120,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-2673", - "modified": "2026-05-14T09:00:11.435092Z" + "modified": "2026-05-19T09:00:10.116381Z" }, { "id": "DEBIAN-CVE-2026-28386", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml index 8c889437013..fa63f26e631 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml @@ -421,7 +421,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-cj7v-27pg-wf7q", @@ -897,7 +897,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-cj7v-27pg-wf7q", @@ -1373,7 +1373,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-cj7v-27pg-wf7q", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml index baf94fb0feb..fb25ec6de43 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml 
@@ -1630,7 +1630,7 @@ interactions: }, { "id": "GHSA-hxwh-jpp2-84pm", - "modified": "2026-02-04T02:15:39.891834Z" + "modified": "2026-05-19T20:30:23.753027Z" }, { "id": "GHSA-xc3p-ff3m-f46v", @@ -1642,7 +1642,7 @@ interactions: }, { "id": "PYSEC-2024-71", - "modified": "2025-10-09T08:27:44.186589Z" + "modified": "2026-05-19T05:26:16.591908Z" } ] }, @@ -1781,7 +1781,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2223 + content_length: 2293 body: | { "results": [ @@ -1842,6 +1842,10 @@ interactions: }, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -1941,7 +1945,7 @@ interactions: } headers: Content-Length: - - "2223" + - "2293" Content-Type: - application/json status: 200 OK @@ -2060,7 +2064,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2223 + content_length: 2293 body: | { "results": [ @@ -2121,6 +2125,10 @@ interactions: }, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -2220,7 +2228,7 @@ interactions: } headers: Content-Length: - - "2223" + - "2293" Content-Type: - application/json status: 200 OK diff --git a/docs/supported_languages_and_lockfiles.md b/docs/supported_languages_and_lockfiles.md index bf6ef3ca36a..f543c3f6e80 100644 --- a/docs/supported_languages_and_lockfiles.md +++ b/docs/supported_languages_and_lockfiles.md 
@@ -33,6 +34,7 @@ When scanning container images (`osv-scanner scan image ...`), OSV-Scanner autom
 | ------------------------------------ | ---------------------------------- |
 | Alpine APK packages | `/lib/apk/db/installed` |
 | Debian/Ubuntu dpkg/apt packages | `/var/lib/dpkg/status` |
+| Ubuntu chiseled packages | `/var/lib/chisel/manifest.wall` |
 | | |
 | Go Binaries | `main-go` |
 | Rust Binaries (with cargo-auditable) | `main-rust-built-with-auditable` |
diff --git a/internal/scalibrplugin/__snapshots__/resolve_test.snap b/internal/scalibrplugin/__snapshots__/resolve_test.snap
index 298186fdbc8..fe2f748353b 100755
--- a/internal/scalibrplugin/__snapshots__/resolve_test.snap
+++ b/internal/scalibrplugin/__snapshots__/resolve_test.snap
@@ -34,6 +34,7 @@ javascript/yarnlock license/depsdev misc/brew-source os/apk +os/chisel os/dpkg os/homebrew osv/osvscannerjson
@@ -72,6 +73,7 @@ java/archive javascript/nodemodules misc/brew-source os/apk +os/chisel os/dpkg os/homebrew python/wheelegg
@@ -111,6 +113,7 @@ java/archive javascript/nodemodules misc/brew-source os/apk +os/chisel os/dpkg os/homebrew python/wheelegg
@@ -139,6 +142,7 @@ java/archive javascript/nodemodules misc/brew-source os/apk +os/chisel os/dpkg os/homebrew python/wheelegg
diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
index cdb21ecaa36..67c2b611603 100644
--- a/internal/scalibrplugin/presets.go
+++ b/internal/scalibrplugin/presets.go
@@ -49,6 +49,7 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/language/swift/packageresolved"
 extractors "github.com/google/osv-scalibr/extractor/filesystem/list"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/chisel"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
@@ -161,6 +162,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
 apk.Name: {apk.New},
 // Debian
 dpkg.Name: {dpkg.New},
+ // Chisel
+ chisel.Name: {chisel.New},
 // Homebrew
 homebrew.Name: {homebrew.New},
 },
diff --git a/internal/scalibrplugin/resolve_test.go b/internal/scalibrplugin/resolve_test.go
index 169b9b83150..78e276e80b6 100644
--- a/internal/scalibrplugin/resolve_test.go
+++ b/internal/scalibrplugin/resolve_test.go
@@ -29,6 +29,7 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable"
 chromeextensions "github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/chisel"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
@@ -518,6 +519,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ chisel.Name,
 homebrew.Name,
 gobinary.Name,
 nodemodules.Name,
@@ -539,6 +541,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ chisel.Name,
 homebrew.Name,
 gobinary.Name,
 nodemodules.Name,
@@ -566,6 +569,7 @@ func TestResolve_Extractors(t *testing.T) {
 apk.Name,
 baseimage.Name,
 dpkg.Name,
+ chisel.Name,
 gobinary.Name,
 homebrew.Name,
 nodemodules.Name,
@@ -587,6 +591,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ chisel.Name,
 homebrew.Name,
 gitrepo.Name,
 gobinary.Name,
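Review bot: The `// Chisel` comment on the new `chisel.Name: {chisel.New},` entry in ExtractorPresets says less than the docs row added in the same commit; I would write `// Ubuntu chiseled images (/var/lib/chisel/manifest.wall)` so a reader of the preset can see which package inventory this extractor covers and why it sits next to dpkg. That matters for coverage: a chiseled image presumably has no usable `/var/lib/dpkg/status`, so without this entry an image scan would report no OS packages at all instead of failing visibly. The resolve_test.go hunks visible here only assert that the plugin name resolves in each preset; a small fixture containing a manifest.wall, with an assertion that the extracted packages are matched against advisories, would confirm the end-to-end path, unless that is covered elsewhere in the change. The map literal and its enclosing preset key begin outside the hunk.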