From 0c3031d0b5d2994b50e95215d50f22c7130f3b3c Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Tue, 5 May 2026 23:34:52 +0200
Subject: [PATCH 1/9] feat: add chisel in scalibrplugin
---
 go.mod | 3 ++-
 go.sum | 6 ++++--
 internal/scalibrplugin/__snapshots__/resolve_test.snap | 4 ++++
 internal/scalibrplugin/presets.go | 3 +++
 internal/scalibrplugin/resolve_test.go | 5 +++++
 5 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index e52518e3a4a..2fb53e15e5f 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/go-git/go-git/v5 v5.18.0
 github.com/gobwas/glob v0.2.3
 github.com/google/go-cmp v0.7.0
- github.com/google/osv-scalibr v0.4.6-0.20260504042738-9293bfa4f86f
+ github.com/google/osv-scalibr v0.4.6-0.20260505000029-f381f2ced35a
 github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f
 github.com/jedib0t/go-pretty/v6 v6.7.9
 github.com/modelcontextprotocol/go-sdk v1.5.0
@@ -60,6 +60,7 @@ require (
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 github.com/aymerick/douceur v0.2.0 // indirect
 github.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694 // indirect
+ github.com/canonical/chisel-manifest v1.2.0 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/charmbracelet/bubbles v0.21.0 // indirect
 github.com/charmbracelet/bubbletea v1.3.5 // indirect
diff --git a/go.sum b/go.sum
index 868bfe4a5f9..a9ea2070935 100644
--- a/go.sum
+++ b/go.sum
@@ -77,6 +77,8 @@ github.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694 h1:LiKs9FsSf github.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= +github.com/canonical/chisel-manifest v1.2.0 h1:kFB9fBP33CvH+RLbTYLuKtFFICpq2JmH4xtYvBqpj3I= +github.com/canonical/chisel-manifest v1.2.0/go.mod h1:dWUCpU2uSJFbC+p3wEAjZ8uvQdjnHzenJQ1EszkKG4U= github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -271,8 +273,8 @@ github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEE github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y= github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8= github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE= -github.com/google/osv-scalibr v0.4.6-0.20260504042738-9293bfa4f86f h1:O5Yj0pu6bi5rWMh/yCqSWsCSpOZ5lR9nDpdsDuvZ7p4= -github.com/google/osv-scalibr v0.4.6-0.20260504042738-9293bfa4f86f/go.mod h1:IYS9akeCLN2b0PjclYosQ7Gn68LXt6rLjRnh9WsJFpE= +github.com/google/osv-scalibr v0.4.6-0.20260505000029-f381f2ced35a h1:mEoC9GuDGQ7EHwNxirydGrNqfIkx0z35MZ343Unu3wg= +github.com/google/osv-scalibr v0.4.6-0.20260505000029-f381f2ced35a/go.mod h1:IYS9akeCLN2b0PjclYosQ7Gn68LXt6rLjRnh9WsJFpE= github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY= github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= diff --git a/internal/scalibrplugin/__snapshots__/resolve_test.snap b/internal/scalibrplugin/__snapshots__/resolve_test.snap index 78775b5c3d1..956b9fd877b 100755 --- a/internal/scalibrplugin/__snapshots__/resolve_test.snap +++ b/internal/scalibrplugin/__snapshots__/resolve_test.snap @@ -32,6 +32,7 @@ javascript/yarnlock license/depsdev misc/brew-source os/apk +os/chisel os/dpkg os/homebrew osv/osvscannerjson @@ -69,6 +70,7 @@ java/archive javascript/nodemodules misc/brew-source os/apk +os/chisel os/dpkg os/homebrew python/wheelegg @@ -108,6 +110,7 @@ java/archive javascript/nodemodules misc/brew-source os/apk +os/chisel os/dpkg os/homebrew python/wheelegg @@ -136,6 +139,7 @@ java/archive javascript/nodemodules misc/brew-source os/apk +os/chisel os/dpkg os/homebrew python/wheelegg 
diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
index 26fbbbd6049..ede37c4f1d6 100644
--- a/internal/scalibrplugin/presets.go
+++ b/internal/scalibrplugin/presets.go
@@ -46,6 +46,7 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock"
 extractors "github.com/google/osv-scalibr/extractor/filesystem/list"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/chisel"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
@@ -153,6 +154,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
 apk.Name: {apk.New},
 // Debian
 dpkg.Name: {dpkg.New},
+ // Chisel
+ chisel.Name: {chisel.New},
 // Homebrew
 homebrew.Name: {homebrew.New},
 },
diff --git a/internal/scalibrplugin/resolve_test.go b/internal/scalibrplugin/resolve_test.go
index 169b9b83150..78e276e80b6 100644
--- a/internal/scalibrplugin/resolve_test.go
+++ b/internal/scalibrplugin/resolve_test.go
@@ -29,6 +29,7 @@ import (
 "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable"
 chromeextensions "github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions"
 "github.com/google/osv-scalibr/extractor/filesystem/os/apk"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/chisel"
 "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
 "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
 "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
@@ -518,6 +519,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ chisel.Name,
 homebrew.Name,
 gobinary.Name,
 nodemodules.Name,
@@ -539,6 +541,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ chisel.Name,
 homebrew.Name,
 gobinary.Name,
 nodemodules.Name,
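Review bot: The new `// Chisel` label in the ExtractorPresets entry names the tool rather than what it extracts, unlike the neighbouring `// Debian` and `// Homebrew` labels, so a reader does not learn that this entry yields Ubuntu packages read from a chisel manifest; I would write `// Ubuntu chiseled rootfs (/var/lib/chisel/manifest.wall)` above `chisel.Name: {chisel.New},`, which is the path the docs change in this series documents. The map literal this entry sits in begins outside the hunk, so which preset it lands in is not visible here, though the refreshed resolve_test snapshot shows `os/chisel` added to four expected extractor lists, each next to `os/dpkg`. One thing worth confirming before merging: the refreshed scan snapshot later in this series reports the chiseled coreutils as `9.5-1ubuntu2+0.0.0~ubuntu25` with "No fix available", and if that `+0.0.0~ubuntu25` suffix comes from the manifest rather than from the Ubuntu package version, the Ubuntu version comparison would be running against the wrong string.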
@@ -566,6 +569,7 @@ func TestResolve_Extractors(t *testing.T) {
 apk.Name,
 baseimage.Name,
 dpkg.Name,
+ chisel.Name,
 gobinary.Name,
 homebrew.Name,
 nodemodules.Name,
@@ -587,6 +591,7 @@ func TestResolve_Extractors(t *testing.T) {
 baseimage.Name,
 cargoauditable.Name,
 dpkg.Name,
+ chisel.Name,
 homebrew.Name,
 gitrepo.Name,
 gobinary.Name,
From b29f68ca877233ecab5656bc632c37674fec10f5 Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Wed, 6 May 2026 00:03:31 +0200
Subject: [PATCH 2/9] doc: add ubuntu chiseled in supported
---
 docs/supported_languages_and_lockfiles.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/supported_languages_and_lockfiles.md b/docs/supported_languages_and_lockfiles.md
index bf6ef3ca36a..f543c3f6e80 100644
--- a/docs/supported_languages_and_lockfiles.md
+++ b/docs/supported_languages_and_lockfiles.md
@@ -33,6 +33,7 @@ When scanning container images (`osv-scanner scan image ...`), OSV-Scanner autom
 | ------------------------------------ | ---------------------------------- |
 | Alpine APK packages | `/lib/apk/db/installed` |
 | Debian/Ubuntu dpkg/apt packages | `/var/lib/dpkg/status` |
+| Ubuntu chiseled packages | `/var/lib/chisel/manifest.wall` |
 | | |
 | Go Binaries | `main-go` |
 | Rust Binaries (with cargo-auditable) | `main-rust-built-with-auditable` |
From a30aa1de8606bba2990177d406850521d43d85ec Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Thu, 7 May 2026 21:12:28 +0200
Subject: [PATCH 3/9] test: add e2e os/chisel test
---
 cmd/osv-scanner/scan/image/command_test.go | 22 ++++++++++++++++++
 .../image/testdata/test-chisel.Dockerfile | 23 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile
diff --git a/cmd/osv-scanner/scan/image/command_test.go b/cmd/osv-scanner/scan/image/command_test.go
index 1a75a044c0c..07b8c895ddb 100644
--- a/cmd/osv-scanner/scan/image/command_test.go
+++ b/cmd/osv-scanner/scan/image/command_test.go
@@ -363,6 +363,14 @@ func TestCommand_OCIImage(t *testing.T) {
 },
 Exit: 1,
 },
+ {
+ Name: "scanning_insecure_chiseled_ubuntu_image",
+ Args: []string{
+ "", "image",
+ "--archive", "./testdata/test-chisel.tar",
+ },
+ Exit: 1,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.Name, func(t *testing.T) {
@@ -499,6 +507,20 @@ func TestCommand_OCIImage_JSONFormat(t *testing.T) {
 testutility.AnyDiffID,
 },
 },
+ {
+ Name: "scanning_insecure_chiseled_ubuntu_image",
+ Args: []string{
+ "", "image", "--format=json",
+ "--archive", "./testdata/test-chisel.tar",
+ },
+ Exit: 1,
+ ReplaceRules: []testutility.JSONReplaceRule{
+ testutility.GroupsAsArrayLen,
+ testutility.OnlyIDVulnsRule,
+ testutility.OnlyFirstBaseImage,
+ testutility.AnyDiffID,
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.Name, func(t *testing.T) {
diff --git a/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile b/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile
new file mode 100644
index 00000000000..dd4db727a4d
--- /dev/null
+++ b/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile
@@ -0,0 +1,23 @@
+FROM ubuntu:26.04@sha256:f3d28607ddd78734bb7f71f117f3c6706c666b8b76cbff7c9ff6e5718d46ff64 AS builder
+
+RUN apt install --update -y curl wget
+
+# Deb arch to GOARCH
+RUN arch="$(dpkg --print-architecture | sed -e 's/armhf/arm/g' -e 's/ppc64el/ppc64le/g')" && \
+ curl -s https://api.github.com/repos/canonical/chisel/releases/latest \
+ | awk "/browser_download_url/ && /chisel_v/ && /_$arch\./" \
+ | cut -d : -f 2,3 \
+ | tr -d \" \
+ | xargs wget
+
+RUN sha384sum -c chisel_v*sha384
+RUN tar -xf chisel_v*tar.gz -C /usr/local/bin
+RUN mkdir /rootfs && \
+ chisel cut --root /rootfs \
+ base-files_base \
+ base-files_chisel \
+ base-files_release-info \
+ golang_core
+
+FROM scratch
+COPY --from=builder /rootfs/ /
From 9168fb5f77da574389fb412adbcdca427498b1ea Mon Sep 17 00:00:00 2001
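Review bot: The `curl -s https://api.github.com/repos/canonical/chisel/releases/latest | ... | xargs wget` step in test-chisel.Dockerfile downloads whatever the newest chisel release happens to be, and the following `RUN sha384sum -c chisel_v*sha384` checks it against a `.sha384` file fetched from that same release, so the check only detects a corrupted transfer, not a substituted tarball, and the fixture behind the two new `scanning_insecure_chiseled_ubuntu_image` cases changes shape whenever chisel publishes a release. Since the base image is already pinned by digest, I would pin chisel the same way: put the release tag in an `ARG`, download that tag's tarball by URL instead of querying the API, and compare it with `sha384sum -c` against a digest written into the Dockerfile, which also removes the unauthenticated GitHub API rate limit from the build. If the API lookup stays, `curl -s` should at least become `curl -sSf` so that an HTTP error page is not piped into `awk`. The slices cut by `chisel cut --root /rootfs ... golang_core` appear to come from the live Ubuntu archive, so the scan snapshot will still drift with package updates like the other image fixtures in this series; a comment at the top of the file saying the tarball must be rebuilt and the snapshots refreshed together would help the next person who touches it.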
From: Rex P Date: Fri, 8 May 2026 10:22:21 +1000 Subject: [PATCH 4/9] chore: refresh test snapshots --- .../mcp/__snapshots__/integration_test.snap | 2 +- .../image/__snapshots__/command_test.snap | 431 +++++- .../cassettes/TestCommand_OCIImage.yaml | 1162 ++++++++++++++-- .../TestCommand_OCIImage_JSONFormat.yaml | 1203 ++++++++++++++--- .../source/__snapshots__/command_test.snap | 21 +- .../testdata/cassettes/TestCommand.yaml | 236 +++- .../cassettes/TestCommand_CallAnalysis.yaml | 2 +- .../cassettes/TestCommand_CommitSupport.yaml | 12 +- .../TestCommand_Config_UnusedIgnores.yaml | 4 +- .../cassettes/TestCommand_GithubActions.yaml | 4 +- .../TestCommand_JavareachArchive.yaml | 6 +- .../cassettes/TestCommand_MoreLockfiles.yaml | 16 +- 12 files changed, 2723 insertions(+), 376 deletions(-) diff --git a/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap b/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap index a86e636eb93..e7328c2f0ff 100755 --- a/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap +++ b/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap @@ -24,6 +24,6 @@ lockfile:/testdata/go-project/go.mod: found 1 package with issues Severity: '5.9'; Minimal Fix Version: '1.1.0'; 1 known vulnerability found in lockfile:/testdata/go-project/go.mod -Hiding 15 number of vulnerabilities deemed unimportant, use --all-vulns to show them. +Hiding 23 number of vulnerabilities deemed unimportant, use --all-vulns to show them. --- diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap index a3975d89cb7..9d05f664fcf 100755 --- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap 
@@ -444,7 +444,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image): -Total 25 packages affected by 84 known vulnerabilities (6 Critical, 21 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem. +Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem. 28 vulnerabilities can be fixed. @@ -455,7 +455,7 @@ Ubuntu:22.04 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu | -| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu | +| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu | | gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu | | glibc | 2.35-0ubuntu3.8 | Partial fixes Available | 11 | libc-bin, libc6 | # 4 Layer | ubuntu | | gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 4 | gpgv | # 4 Layer | ubuntu | @@ -496,7 +496,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image): -Total 25 packages affected by 84 known vulnerabilities (6 Critical, 21 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem. +Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem. 28 vulnerabilities can be fixed. 
@@ -507,7 +507,7 @@ Ubuntu:22.04 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu | -| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu | +| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu | | gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu | | glibc | 2.35-0ubuntu3.8 | Partial fixes Available | 11 | libc-bin, libc6 | # 4 Layer | ubuntu | | gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 4 | gpgv | # 4 Layer | ubuntu | @@ -567,7 +567,7 @@ Scanning local image tarball "./testdata/test-ubuntu-with-packages.tar" Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image): -Total 25 packages affected by 84 known vulnerabilities (6 Critical, 21 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem. +Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem. 28 vulnerabilities can be fixed. 
@@ -578,7 +578,7 @@ Ubuntu:22.04 | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu | -| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu | +| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu | | gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu | | glibc | 2.35-0ubuntu3.8 | Partial fixes Available | 11 | libc-bin, libc6 | # 4 Layer | ubuntu | | gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 4 | gpgv | # 4 Layer | ubuntu | @@ -619,8 +619,8 @@ Scanning local image tarball "./testdata/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21) (Based on "eclipse-temurin" image): -Total 26 packages affected by 96 known vulnerabilities (5 Critical, 44 High, 41 Medium, 5 Low, 1 Unknown) from 2 ecosystems. -96 vulnerabilities can be fixed. +Total 31 packages affected by 108 known vulnerabilities (5 Critical, 50 High, 46 Medium, 5 Low, 2 Unknown) from 2 ecosystems. +108 vulnerabilities can be fixed. Maven 
@@ -634,12 +634,17 @@ Maven | com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 2 | # 12 Layer | -- | | commons-beanutils:commons-beanutils | 1.9.4 | Fix Available | 1 | # 12 Layer | -- | | dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 12 Layer | -- | -| io.netty:netty-codec | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | -| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 5 | # 12 Layer | -- | -| io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- | +| io.netty:netty-codec | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- | +| io.netty:netty-codec-dns | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | +| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 10 | # 12 Layer | -- | +| io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 3 | # 12 Layer | -- | +| io.netty:netty-codec-mqtt | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | +| io.netty:netty-codec-redis | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-codec-smtp | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-common | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- | | io.netty:netty-handler | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | +| io.netty:netty-handler-proxy | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | +| io.netty:netty-transport-native-epoll | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 12 Layer | -- | | org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 12 Layer | -- | | org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 12 Layer | -- | 
@@ -864,8 +869,8 @@ Scanning local image tarball "./testdata/test-package-tracing.tar" Container Scanning Result (Alpine Linux v3.20) (Based on "alpine" image): -Total 10 packages affected by 265 known vulnerabilities (2 Critical, 14 High, 13 Medium, 2 Low, 234 Unknown) from 2 ecosystems. -265 vulnerabilities can be fixed. +Total 10 packages affected by 313 known vulnerabilities (2 Critical, 14 High, 13 Medium, 2 Low, 282 Unknown) from 2 ecosystems. +313 vulnerabilities can be fixed. Go 
@@ -874,42 +879,42 @@ Go +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 39 | # 9 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 47 | # 9 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.2.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 39 | # 2 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 47 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.3.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 39 | # 4 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 47 | # 4 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.3.0-moved | 
+---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 39 | # 3 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 47 | # 3 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.4.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 39 | # 2 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 47 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-vulnerable | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| stdlib | 1.22.4 | Fix Available | 39 | # 7 Layer | -- | +| stdlib | 1.22.4 | Fix Available | 47 | # 7 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ Alpine:v3.20 +------------------------------------------------------------------------------------------------------------------------------+ 
@@ -1040,6 +1045,76 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne --- +[TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image - 1] +Scanning local image tarball "./testdata/test-chisel.tar" + + +Container Scanning Result (Ubuntu 26.04 LTS): +Total 7 packages affected by 103 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 102 Unknown) from 2 ecosystems. +102 vulnerabilities can be fixed. + + +Go ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/bin/go | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/bin/gofmt | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/asm | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | 
++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/compile | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/link | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/vet | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | 
++---------+-------------------+---------------+------------+------------------+---------------+ +Ubuntu:26.04 ++-------------------------------------------------------------------------------------------------------------------------------------------+ +| Source:os:/var/lib/chisel/manifest.wall | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ +| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ +| coreutils | 9.5-1ubuntu2+0.0.0~ubuntu25 | No fix available | 1 | coreutils | # 0 Layer | -- | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image - 2] + +--- + [TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] Scanning local image tarball "./testdata/test-node_modules-npm-empty.tar" @@ -2329,7 +2404,7 @@ Scanning local image tarball "./testdata/test-image-with-deprecated.tar" "index": 2 } }, - "groups": 39, + "groups": 47, "vulnerabilities": [ "GO-2024-2963", "GO-2024-3105", @@ -2368,8 +2443,16 @@ Scanning local image tarball "./testdata/test-image-with-deprecated.tar" "GO-2026-4865", "GO-2026-4869", "GO-2026-4870", + "GO-2026-4918", "GO-2026-4946", - "GO-2026-4947" + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" ] }, { 
@@ -2904,6 +2987,290 @@ Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" --- +[TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image - 1] +{ + "results": [ + { + "source": { + "path": "/usr/lib/go-1.25/bin/go", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/bin/gofmt", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/asm", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + 
"source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/compile", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/link", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/vet", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/var/lib/chisel/manifest.wall", + "type": "os" + }, + "packages": [ + { + "package": { + "name": "coreutils", + "os_package_name": "coreutils", 
+ "version": "9.5-1ubuntu2+0.0.0~ubuntu25", + "ecosystem": "Ubuntu:26.04", + "image_origin_details": { + "index": 0 + } + }, + "groups": 1, + "vulnerabilities": [ + "UBUNTU-CVE-2025-5278" + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + }, + "image_metadata": { + "os": "Ubuntu 26.04 LTS", + "layer_metadata": [ + { + "diff_id": "sha256:...", + "command": "COPY /rootfs/ / # buildkit", + "is_empty": false, + "base_image_index": 0 + } + ], + "base_images": [ + {} + ] + } +} + +--- + +[TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image - 2] +Scanning local image tarball "./testdata/test-chisel.tar" + +--- + [TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 1] { "results": [ @@ -3249,11 +3616,10 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" "index": 4 } }, - "groups": 2, + "groups": 1, "vulnerabilities": [ "USN-7768-1", - "UBUNTU-CVE-2025-6297", - "UBUNTU-CVE-2026-2219" + "UBUNTU-CVE-2025-6297" ] }, { @@ -4190,7 +4556,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" "index": 7 } }, - "groups": 91, + "groups": 99, "vulnerabilities": [ "GO-2022-0477", "GO-2022-0493", @@ -4281,8 +4647,16 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" "GO-2026-4865", "GO-2026-4869", "GO-2026-4870", + "GO-2026-4918", "GO-2026-4946", - "GO-2026-4947" + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" ] } ] @@ -4334,11 +4708,10 @@ Scanning local image tarball "./testdata/test-ubuntu.tar" "index": 4 } }, - "groups": 2, + "groups": 1, "vulnerabilities": [ "USN-7768-1", - "UBUNTU-CVE-2025-6297", - "UBUNTU-CVE-2026-2219" + "UBUNTU-CVE-2025-6297" ] }, { 
diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index f07c1990d8a..5d76bf374c7 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml @@ -2324,7 +2324,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 17441 + content_length: 17370 body: | { "results": [ @@ -2363,10 +2363,6 @@ interactions: "id": "UBUNTU-CVE-2025-6297", "modified": "2026-04-22T16:08:20.375647Z" }, - { - "id": "UBUNTU-CVE-2026-2219", - "modified": "2026-04-22T16:19:25.951290Z" - }, { "id": "USN-7768-1", "modified": "2026-04-27T18:17:26.257929Z" @@ -2693,11 +2689,11 @@ interactions: }, { "id": "UBUNTU-CVE-2026-33845", - "modified": "2026-05-04T10:51:06.069739Z" + "modified": "2026-05-07T14:01:37.973959Z" }, { "id": "UBUNTU-CVE-2026-33846", - "modified": "2026-05-04T10:50:48.214766Z" + "modified": "2026-05-07T14:02:39.915946Z" }, { "id": "UBUNTU-CVE-2026-3832", @@ -3131,7 +3127,7 @@ interactions: }, { "id": "UBUNTU-CVE-2025-15467", - "modified": "2026-05-04T10:20:57.843169Z" + "modified": "2026-05-07T13:33:59.315945Z" }, { "id": "UBUNTU-CVE-2025-27587", @@ -3203,7 +3199,7 @@ interactions: }, { "id": "USN-7980-1", - "modified": "2026-05-04T09:48:08.312378Z" + "modified": "2026-05-07T13:22:13.480432Z" }, { "id": "USN-8155-1", @@ -3539,7 +3535,7 @@ interactions: } headers: Content-Length: - - "17441" + - "17370" Content-Type: - application/json status: 200 OK @@ -4274,7 +4270,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 17441 + content_length: 17370 body: | { "results": [ 
@@ -4313,10 +4309,6 @@ interactions: "id": "UBUNTU-CVE-2025-6297", "modified": "2026-04-22T16:08:20.375647Z" }, - { - "id": "UBUNTU-CVE-2026-2219", - "modified": "2026-04-22T16:19:25.951290Z" - }, { "id": "USN-7768-1", "modified": "2026-04-27T18:17:26.257929Z" @@ -4643,11 +4635,11 @@ interactions: }, { "id": "UBUNTU-CVE-2026-33845", - "modified": "2026-05-04T10:51:06.069739Z" + "modified": "2026-05-07T14:01:37.973959Z" }, { "id": "UBUNTU-CVE-2026-33846", - "modified": "2026-05-04T10:50:48.214766Z" + "modified": "2026-05-07T14:02:39.915946Z" }, { "id": "UBUNTU-CVE-2026-3832", @@ -5081,7 +5073,7 @@ interactions: }, { "id": "UBUNTU-CVE-2025-15467", - "modified": "2026-05-04T10:20:57.843169Z" + "modified": "2026-05-07T13:33:59.315945Z" }, { "id": "UBUNTU-CVE-2025-27587", @@ -5153,7 +5145,7 @@ interactions: }, { "id": "USN-7980-1", - "modified": "2026-05-04T09:48:08.312378Z" + "modified": "2026-05-07T13:22:13.480432Z" }, { "id": "USN-8155-1", @@ -5489,7 +5481,7 @@ interactions: } headers: Content-Length: - - "17441" + - "17370" Content-Type: - application/json status: 200 OK @@ -6238,7 +6230,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 23070 + content_length: 23503 body: | { "results": [ @@ -6277,10 +6269,6 @@ interactions: "id": "UBUNTU-CVE-2025-6297", "modified": "2026-04-22T16:08:20.375647Z" }, - { - "id": "UBUNTU-CVE-2026-2219", - "modified": "2026-04-22T16:19:25.951290Z" - }, { "id": "USN-7768-1", "modified": "2026-04-27T18:17:26.257929Z" @@ -6638,7 +6626,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -6650,7 +6638,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", 
@@ -6662,7 +6650,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", @@ -6670,7 +6662,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -6976,11 +6996,11 @@ interactions: }, { "id": "UBUNTU-CVE-2026-33845", - "modified": "2026-05-04T10:51:06.069739Z" + "modified": "2026-05-07T14:01:37.973959Z" }, { "id": "UBUNTU-CVE-2026-33846", - "modified": "2026-05-04T10:50:48.214766Z" + "modified": "2026-05-07T14:02:39.915946Z" }, { "id": "UBUNTU-CVE-2026-3832", @@ -7414,7 +7434,7 @@ interactions: }, { "id": "UBUNTU-CVE-2025-15467", - "modified": "2026-05-04T10:20:57.843169Z" + "modified": "2026-05-07T13:33:59.315945Z" }, { "id": "UBUNTU-CVE-2025-27587", @@ -7486,7 +7506,7 @@ interactions: }, { "id": "USN-7980-1", - "modified": "2026-05-04T09:48:08.312378Z" + "modified": "2026-05-07T13:22:13.480432Z" }, { "id": "USN-8155-1", @@ -7822,7 +7842,7 @@ interactions: } headers: Content-Length: - - "23070" + - "23503" Content-Type: - application/json status: 200 OK @@ -9278,7 +9298,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 12795 + content_length: 13680 body: | { "results": [ 
@@ -9522,7 +9542,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-3833", - "modified": "2026-05-02T08:31:01.233307Z" + "modified": "2026-05-07T09:32:02.594124Z" } ] }, @@ -9594,13 +9614,32 @@ interactions: { "id": "GHSA-3p8m-j85q-pgmj", "modified": "2026-02-04T02:23:33.973208Z" + }, + { + "id": "GHSA-mj4r-2hfc-f8p6", + "modified": "2026-05-07T15:59:20.172901Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-cm33-6792-r9fm", + "modified": "2026-05-07T20:14:23.779431Z" } ] }, - {}, {}, { "vulns": [ + { + "id": "GHSA-38f8-5428-x5cv", + "modified": "2026-05-07T16:59:13.659660Z" + }, + { + "id": "GHSA-57rv-r2g8-2cj3", + "modified": "2026-05-07T15:59:19.355780Z" + }, { "id": "GHSA-5jpm-x58v-624v", "modified": "2026-02-04T02:17:39.757688Z" @@ -9609,22 +9648,38 @@ interactions: "id": "GHSA-84h7-rjj3-6jx4", "modified": "2026-02-04T03:25:14.697311Z" }, + { + "id": "GHSA-f6hv-jmp6-3vwv", + "modified": "2026-05-07T15:59:19.251821Z" + }, { "id": "GHSA-fghv-69vj-qj49", "modified": "2026-02-04T03:04:04.888405Z" }, + { + "id": "GHSA-m4cv-j2px-7723", + "modified": "2026-05-07T15:59:19.977569Z" + }, { "id": "GHSA-pwqr-wmgm-9rr8", "modified": "2026-03-27T22:04:14.372867Z" }, { "id": "GHSA-v8h7-rr48-vmmv", - "modified": "2026-05-05T18:49:42.270754Z" + "modified": "2026-05-06T23:59:12.636141Z" + }, + { + "id": "GHSA-xxqh-mfjm-7mv9", + "modified": "2026-05-07T18:29:22.297578Z" } ] }, { "vulns": [ + { + "id": "GHSA-f6hv-jmp6-3vwv", + "modified": "2026-05-07T15:59:19.251821Z" + }, { "id": "GHSA-prj3-ccx8-p6x4", "modified": "2026-02-04T02:26:22.855609Z" @@ -9636,8 +9691,22 @@ interactions: ] }, {}, - {}, - {}, + { + "vulns": [ + { + "id": "GHSA-jfg9-48mv-9qgx", + "modified": "2026-05-07T05:34:15.798761Z" + } + ] + }, + { + "vulns": [ + { + "id": "GHSA-rgrr-p7gp-5xj7", + "modified": "2026-05-07T00:35:18.585973Z" + } + ] + }, { "vulns": [ { 
@@ -9669,6 +9738,14 @@ interactions: } ] }, + { + "vulns": [ + { + "id": "GHSA-45q3-82m4-75jr", + "modified": "2026-05-07T21:14:17.100550Z" + } + ] + }, {}, {}, {}, @@ -9677,8 +9754,14 @@ interactions: {}, {}, {}, - {}, - {}, + { + "vulns": [ + { + "id": "GHSA-rwm7-x88c-3g2p", + "modified": "2026-05-07T16:59:13.894118Z" + } + ] + }, {}, {}, {}, @@ -10273,7 +10356,7 @@ interactions: } headers: Content-Length: - - "12795" + - "13680" Content-Type: - application/json status: 200 OK @@ -11261,7 +11344,7 @@ interactions: }, { "id": "GHSA-jp4c-xjxw-mgf9", - "modified": "2026-05-05T22:36:40.408846Z" + "modified": "2026-05-07T16:59:14.079020Z" }, { "id": "GHSA-mq26-g339-26xf", @@ -11289,7 +11372,7 @@ interactions: }, { "id": "GHSA-jp4c-xjxw-mgf9", - "modified": "2026-05-05T22:36:40.408846Z" + "modified": "2026-05-07T16:59:14.079020Z" }, { "id": "GHSA-mq26-g339-26xf", @@ -11307,7 +11390,7 @@ interactions: "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", - "modified": "2026-02-05T09:18:37.263234Z" + "modified": "2026-05-07T12:11:19.939111Z" }, { "id": "GHSA-cx63-2mw6-8hw5", @@ -11323,7 +11406,7 @@ interactions: }, { "id": "PYSEC-2025-49", - "modified": "2025-06-13T06:59:23.470501Z" + "modified": "2026-05-07T12:11:19.939111Z" } ] }, @@ -11331,7 +11414,7 @@ interactions: "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", - "modified": "2026-02-05T09:18:37.263234Z" + "modified": "2026-05-07T12:11:19.939111Z" }, { "id": "GHSA-cx63-2mw6-8hw5", @@ -11347,7 +11430,7 @@ interactions: }, { "id": "PYSEC-2025-49", - "modified": "2025-06-13T06:59:23.470501Z" + "modified": "2026-05-07T12:11:19.939111Z" } ] }, @@ -12570,7 +12653,7 @@ interactions: }, { "id": "GHSA-jp4c-xjxw-mgf9", - "modified": "2026-05-05T22:36:40.408846Z" + "modified": "2026-05-07T16:59:14.079020Z" }, { "id": "GHSA-mq26-g339-26xf", @@ -12598,7 +12681,7 @@ interactions: }, { "id": "GHSA-jp4c-xjxw-mgf9", - "modified": "2026-05-05T22:36:40.408846Z" + "modified": "2026-05-07T16:59:14.079020Z" }, { "id": "GHSA-mq26-g339-26xf", 
@@ -12641,7 +12724,7 @@ interactions: "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", - "modified": "2026-02-05T09:18:37.263234Z" + "modified": "2026-05-07T12:11:19.939111Z" }, { "id": "GHSA-cx63-2mw6-8hw5", @@ -12657,7 +12740,7 @@ interactions: }, { "id": "PYSEC-2025-49", - "modified": "2025-06-13T06:59:23.470501Z" + "modified": "2026-05-07T12:11:19.939111Z" } ] }, @@ -12665,7 +12748,7 @@ interactions: "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", - "modified": "2026-02-05T09:18:37.263234Z" + "modified": "2026-05-07T12:11:19.939111Z" }, { "id": "GHSA-cx63-2mw6-8hw5", @@ -12681,7 +12764,7 @@ interactions: }, { "id": "PYSEC-2025-49", - "modified": "2025-06-13T06:59:23.470501Z" + "modified": "2026-05-07T12:11:19.939111Z" } ] }, @@ -13031,7 +13114,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 19427 + content_length: 22451 body: | { "results": [ @@ -13194,7 +13277,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -13206,7 +13289,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -13218,7 +13301,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -13226,7 +13313,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -13354,7 +13469,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -13366,7 +13481,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -13378,7 +13493,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -13386,7 +13505,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -13514,7 +13661,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -13526,7 +13673,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -13538,7 +13685,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -13546,7 +13697,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -13674,7 +13853,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -13686,7 +13865,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -13698,7 +13877,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -13706,7 +13889,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -13834,7 +14045,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -13846,7 +14057,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -13858,7 +14069,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -13866,7 +14081,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -13994,7 +14237,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -14006,7 +14249,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -14018,7 +14261,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -14026,7 +14273,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -14297,7 +14572,7 @@ interactions: } headers: Content-Length: - - "19427" + - "22451" Content-Type: - application/json status: 200 OK 
@@ -14923,6 +15198,731 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 4381 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "base-files" + }, + "version": "14ubuntu6" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "bash" + }, + "version": "5.3-2ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils" + }, + "version": "9.5-1ubuntu2+0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils-from-gnu" + }, + "version": "0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gcc-14-base" + }, + "version": "14.3.0-14ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gnu-coreutils" + }, + "version": "9.7-3ubuntu2" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-go" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-src" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-go" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-src" + }, + "version": "2:1.26~1" + }, + { + 
"package": { + "ecosystem": "Ubuntu:26.04", + "name": "libacl1" + }, + "version": "2.3.2-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libattr1" + }, + "version": "1:2.5.2-4" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libc6" + }, + "version": "2.43-2ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libcap2" + }, + "version": "1:2.75-10ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgcc-s1" + }, + "version": "16-20260322-1ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgmp10" + }, + "version": "2:6.3.0+dfsg-5ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libpcre2-8-0" + }, + "version": "10.46-1build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libselinux1" + }, + "version": "3.9-4build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libssl3t64" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libsystemd0" + }, + "version": "259.5-0ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libtinfo6" + }, + "version": "6.6+20251231-1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libzstd1" + }, + "version": "1.5.7+dfsg-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "make" + }, + "version": "4.4.1-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "openssl-provider-legacy" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "zlib1g" + }, + "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 6669 + body: | + { + "results": [ + {}, + 
{}, + { + "vulns": [ + { + "id": "UBUNTU-CVE-2025-5278", + "modified": "2026-04-27T18:53:24.878093Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": 
"2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": 
"GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + 
"modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + 
{ + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "6669" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml index 0fdd9fc0111..a29c88424b0 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml @@ -1172,7 +1172,7 @@ interactions: }, { "id": "GHSA-jp4c-xjxw-mgf9", - "modified": "2026-05-05T22:36:40.408846Z" + "modified": "2026-05-07T16:59:14.079020Z" }, { "id": "GHSA-mq26-g339-26xf", @@ -1200,7 +1200,7 @@ interactions: }, { "id": "GHSA-jp4c-xjxw-mgf9", - "modified": "2026-05-05T22:36:40.408846Z" + "modified": "2026-05-07T16:59:14.079020Z" }, { "id": "GHSA-mq26-g339-26xf", @@ -1243,7 +1243,7 @@ interactions: "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", - "modified": "2026-02-05T09:18:37.263234Z" + "modified": "2026-05-07T12:11:19.939111Z" }, { "id": "GHSA-cx63-2mw6-8hw5", @@ -1259,7 +1259,7 @@ interactions: }, { "id": "PYSEC-2025-49", - "modified": "2025-06-13T06:59:23.470501Z" + "modified": "2026-05-07T12:11:19.939111Z" } ] }, @@ -1267,7 +1267,7 @@ interactions: "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", - "modified": "2026-02-05T09:18:37.263234Z" + "modified": "2026-05-07T12:11:19.939111Z" }, { "id": "GHSA-cx63-2mw6-8hw5", @@ -1283,7 +1283,7 @@ interactions: }, { "id": "PYSEC-2025-49", - "modified": "2025-06-13T06:59:23.470501Z" + "modified": "2026-05-07T12:11:19.939111Z" } ] }, 
@@ -2180,7 +2180,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 7052 + content_length: 7556 body: | { "results": [ @@ -2338,7 +2338,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -2350,7 +2350,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -2362,7 +2362,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", @@ -2370,7 +2374,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, 
@@ -2636,7 +2668,162 @@ interactions: } headers: Content-Length: - - "7052" + - "7556" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 1907 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "alpine-baselayout" + }, + "version": "3.1.2-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "alpine-keys" + }, + "version": "2.1-r2" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "apk-tools" + }, + "version": "2.10.6-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "busybox" + }, + "version": "1.30.1-r5" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "ca-certificates" + }, + "version": "20191127-r2" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "libc-dev" + }, + "version": "0.7.1-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "openssl" + }, + "version": "1.1.1k-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "openssl" + }, + "version": "1.1.1k-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "libtls-standalone" + }, + "version": "2.9.1-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "musl" + }, + "version": "1.1.22-r4" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "musl" + }, + "version": "1.1.22-r4" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "pax-utils" + }, + "version": "1.2.3-r0" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "busybox" + }, + "version": "1.30.1-r5" + }, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "zlib" + }, + "version": "1.2.11-r1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset + url: https://api.osv.dev/v1/querybatch + 
method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 136 + body: | + { + "results": [ + {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2021-36159", + "modified": "2025-12-03T22:50:23.251262Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "136" Content-Type: - application/json status: 200 OK 
@@ -2742,37 +2929,753 @@ interactions: }, "version": "1.30.1-r5" }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "zlib" - }, - "version": "1.2.11-r1" - } - ] - } - headers: - Content-Type: - - application/json - X-Test-Name: - - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset - url: https://api.osv.dev/v1/querybatch - method: POST - response: - proto: HTTP/2.0 - proto_major: 2 - proto_minor: 0 - content_length: 136 - body: | - { - "results": [ - {}, - {}, + { + "package": { + "ecosystem": "Alpine:v3.10", + "name": "zlib" + }, + "version": "1.2.11-r1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 136 + body: | + { + "results": [ + {}, + {}, + { + "vulns": [ + { + "id": "ALPINE-CVE-2021-36159", + "modified": "2025-12-03T22:50:23.251262Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "136" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 4381 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "base-files" + }, + "version": "14ubuntu6" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "bash" + }, + "version": "5.3-2ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils" + }, + "version": "9.5-1ubuntu2+0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils-from-gnu" + }, + "version": "0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gcc-14-base" + }, + "version": "14.3.0-14ubuntu1" + }, + { + "package": { 
+ "ecosystem": "Ubuntu:26.04", + "name": "gnu-coreutils" + }, + "version": "9.7-3ubuntu2" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-go" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-src" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-go" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-src" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libacl1" + }, + "version": "2.3.2-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libattr1" + }, + "version": "1:2.5.2-4" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libc6" + }, + "version": "2.43-2ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libcap2" + }, + "version": "1:2.75-10ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgcc-s1" + }, + "version": "16-20260322-1ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgmp10" + }, + "version": "2:6.3.0+dfsg-5ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libpcre2-8-0" + }, + "version": "10.46-1build1" + }, + { + "package": { + "ecosystem": 
"Ubuntu:26.04", + "name": "libselinux1" + }, + "version": "3.9-4build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libssl3t64" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libsystemd0" + }, + "version": "259.5-0ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libtinfo6" + }, + "version": "6.6+20251231-1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libzstd1" + }, + "version": "1.5.7+dfsg-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "make" + }, + "version": "4.4.1-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "openssl-provider-legacy" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "zlib1g" + }, + "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 6669 + body: | + { + "results": [ + {}, + {}, + { + "vulns": [ + { + "id": "UBUNTU-CVE-2025-5278", + "modified": "2026-04-27T18:53:24.878093Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + 
"modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] 
+ }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", 
+ "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" + } + 
] + }, { "vulns": [ { - "id": "ALPINE-CVE-2021-36159", - "modified": "2025-12-03T22:50:23.251262Z" + "id": "GO-2026-4601", + "modified": "2026-05-06T10:29:20.668884Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-03-10T10:43:54.463365Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-03-21T10:57:35.167856Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-07T10:29:24.131289Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-04-13T08:27:21.310377Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-04-13T08:27:14.491210Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-04-13T08:27:23.037509Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, 
@@ -2786,152 +3689,6 @@ interactions: {}, {}, {}, - {} - ] - } - headers: - Content-Length: - - "136" - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: 0s - - request: - proto: HTTP/1.1 - proto_major: 1 - proto_minor: 1 - content_length: 1907 - host: api.osv.dev - body: | - { - "queries": [ - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "alpine-baselayout" - }, - "version": "3.1.2-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "alpine-keys" - }, - "version": "2.1-r2" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "apk-tools" - }, - "version": "2.10.6-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "busybox" - }, - "version": "1.30.1-r5" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "ca-certificates" - }, - "version": "20191127-r2" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "libc-dev" - }, - "version": "0.7.1-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "openssl" - }, - "version": "1.1.1k-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "openssl" - }, - "version": "1.1.1k-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "libtls-standalone" - }, - "version": "2.9.1-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "musl" - }, - "version": "1.1.22-r4" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "musl" - }, - "version": "1.1.22-r4" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "pax-utils" - }, - "version": "1.2.3-r0" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "busybox" - }, - "version": "1.30.1-r5" - }, - { - "package": { - "ecosystem": "Alpine:v3.10", - "name": "zlib" - }, - "version": "1.2.11-r1" - } - ] - } - headers: - Content-Type: - - application/json - X-Test-Name: - - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled - url: 
https://api.osv.dev/v1/querybatch - method: POST - response: - proto: HTTP/2.0 - proto_major: 2 - proto_minor: 0 - content_length: 136 - body: | - { - "results": [ - {}, - {}, - { - "vulns": [ - { - "id": "ALPINE-CVE-2021-36159", - "modified": "2025-12-03T22:50:23.251262Z" - } - ] - }, - {}, {}, {}, {}, @@ -2946,7 +3703,7 @@ interactions: } headers: Content-Length: - - "136" + - "6669" Content-Type: - application/json status: 200 OK @@ -4054,7 +4811,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 17441 + content_length: 17370 body: | { "results": [ @@ -4093,10 +4850,6 @@ interactions: "id": "UBUNTU-CVE-2025-6297", "modified": "2026-04-22T16:08:20.375647Z" }, - { - "id": "UBUNTU-CVE-2026-2219", - "modified": "2026-04-22T16:19:25.951290Z" - }, { "id": "USN-7768-1", "modified": "2026-04-27T18:17:26.257929Z" @@ -4423,11 +5176,11 @@ interactions: }, { "id": "UBUNTU-CVE-2026-33845", - "modified": "2026-05-04T10:51:06.069739Z" + "modified": "2026-05-07T14:01:37.973959Z" }, { "id": "UBUNTU-CVE-2026-33846", - "modified": "2026-05-04T10:50:48.214766Z" + "modified": "2026-05-07T14:02:39.915946Z" }, { "id": "UBUNTU-CVE-2026-3832", @@ -4861,7 +5614,7 @@ interactions: }, { "id": "UBUNTU-CVE-2025-15467", - "modified": "2026-05-04T10:20:57.843169Z" + "modified": "2026-05-07T13:33:59.315945Z" }, { "id": "UBUNTU-CVE-2025-27587", @@ -4933,7 +5686,7 @@ interactions: }, { "id": "USN-7980-1", - "modified": "2026-05-04T09:48:08.312378Z" + "modified": "2026-05-07T13:22:13.480432Z" }, { "id": "USN-8155-1", @@ -5269,7 +6022,7 @@ interactions: } headers: Content-Length: - - "17441" + - "17370" Content-Type: - application/json status: 200 OK @@ -6018,7 +6771,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 23070 + content_length: 23503 body: | { "results": [ 
@@ -6057,10 +6810,6 @@ interactions: "id": "UBUNTU-CVE-2025-6297", "modified": "2026-04-22T16:08:20.375647Z" }, - { - "id": "UBUNTU-CVE-2026-2219", - "modified": "2026-04-22T16:19:25.951290Z" - }, { "id": "USN-7768-1", "modified": "2026-04-27T18:17:26.257929Z" @@ -6418,7 +7167,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -6430,7 +7179,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -6442,7 +7191,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", @@ -6450,7 +7203,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -6756,11 +7537,11 @@ interactions: }, { "id": "UBUNTU-CVE-2026-33845", - "modified": "2026-05-04T10:51:06.069739Z" + "modified": "2026-05-07T14:01:37.973959Z" }, { "id": "UBUNTU-CVE-2026-33846", - "modified": "2026-05-04T10:50:48.214766Z" + "modified": "2026-05-07T14:02:39.915946Z" }, { "id": "UBUNTU-CVE-2026-3832", 
@@ -7194,7 +7975,7 @@ interactions: }, { "id": "UBUNTU-CVE-2025-15467", - "modified": "2026-05-04T10:20:57.843169Z" + "modified": "2026-05-07T13:33:59.315945Z" }, { "id": "UBUNTU-CVE-2025-27587", @@ -7266,7 +8047,7 @@ interactions: }, { "id": "USN-7980-1", - "modified": "2026-05-04T09:48:08.312378Z" + "modified": "2026-05-07T13:22:13.480432Z" }, { "id": "USN-8155-1", @@ -7602,7 +8383,7 @@ interactions: } headers: Content-Length: - - "23070" + - "23503" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index da182f444c7..d7980bbb41c 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -1146,8 +1146,8 @@ Scanned /testdata/locks-many-with-insecure/package-lock.json file and f [TestCommand/go_packages_in_osv-scanner.json_format - 1] Scanned /testdata/locks-insecure/osv-scanner.json file and found 2 packages -Total 2 packages affected by 33 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 33 Unknown) from 1 ecosystem. -33 vulnerabilities can be fixed. +Total 2 packages affected by 44 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 44 Unknown) from 1 ecosystem. +44 vulnerabilities can be fixed. +------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | 
@@ -1177,14 +1177,25 @@ Total 2 packages affected by 33 known vulnerabilities (0 Critical, 0 High, 0 Med | https://osv.dev/GO-2026-4865 | | Go | stdlib | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4869 | | Go | stdlib | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4870 | | Go | stdlib | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4918 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4946 | | Go | stdlib | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4947 | | Go | stdlib | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4971 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4976 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4977 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4980 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4981 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4982 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4986 | | Go | stdlib | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-3828 | | Go | toolchain | 1.24.4 | 1.24.5 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4339 | | Go | toolchain | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4433 | | Go | toolchain | 1.24.4 | 1.24.13 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4867 | | Go | toolchain | 1.24.4 | 1.25.9 | 
testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4868 | | Go | toolchain | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4871 | | Go | toolchain | 1.24.4 | 1.25.9 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4978 | | Go | toolchain | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4979 | | Go | toolchain | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +| https://osv.dev/GO-2026-4984 | | Go | toolchain | 1.24.4 | 1.25.10 | testdata/locks-insecure/osv-scanner.json | +------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+ --- @@ -5557,8 +5568,8 @@ Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, [TestCommand_MoreLockfiles/gems.locked - 1] Scanned /testdata/locks-scalibr/gems.locked file and found 26 packages -Total 2 packages affected by 6 known vulnerabilities (0 Critical, 2 High, 1 Medium, 0 Low, 3 Unknown) from 1 ecosystem. -6 vulnerabilities can be fixed. +Total 2 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 2 Medium, 0 Low, 3 Unknown) from 1 ecosystem. +8 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | 
@@ -5566,7 +5577,9 @@ Total 2 packages affected by 6 known vulnerabilities (0 Critical, 2 High, 1 Medi | https://osv.dev/GHSA-9m3q-rhmv-5q44 | 7.5 | RubyGems | json | 2.10.1 | 2.10.2 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-353f-x4gh-cqq8 | | RubyGems | nokogiri | 1.18.2 | 1.18.9 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-5w6v-399v-w3cc | | RubyGems | nokogiri | 1.18.2 | 1.18.8 | testdata/locks-scalibr/gems.locked | +| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5 | RubyGems | nokogiri | 1.18.2 | 1.19.3 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-mrxw-mxhj-p664 | 7.8 | RubyGems | nokogiri | 1.18.2 | 1.18.4 | testdata/locks-scalibr/gems.locked | +| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3 | RubyGems | nokogiri | 1.18.2 | 1.19.3 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-vvfq-8hwr-qm4m | | RubyGems | nokogiri | 1.18.2 | 1.18.3 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-wx95-c6cv-8532 | 5.3 | RubyGems | nokogiri | 1.18.2 | 1.19.1 | testdata/locks-scalibr/gems.locked | +-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+ diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index 9a6797dad7d..b14af279d07 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -302,7 +302,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2986 + content_length: 3490 body: | { "results": [ @@ -462,7 +462,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", 
@@ -474,7 +474,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -486,7 +486,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", @@ -494,7 +498,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] } @@ -502,7 +534,7 @@ interactions: } headers: Content-Length: - - "2986" + - "3490" Content-Type: - application/json status: 200 OK @@ -544,7 +576,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 5959 + content_length: 6967 body: | { "results": [ @@ -704,7 +736,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -716,7 +748,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", 
@@ -728,7 +760,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", @@ -736,7 +772,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -896,7 +960,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -908,7 +972,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -920,7 +984,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -928,7 +996,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] } @@ -936,7 +1032,7 @@ interactions: } headers: Content-Length: - - "5959" + - "6967" Content-Type: - application/json status: 200 OK @@ -971,7 +1067,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2986 + content_length: 3490 body: | { "results": [ @@ -1131,7 +1227,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -1143,7 +1239,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -1155,7 +1251,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -1163,7 +1263,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] } @@ -1171,7 +1299,7 @@ interactions: } headers: Content-Length: - - "2986" + - "3490" Content-Type: - application/json status: 200 OK @@ -4441,7 +4569,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-6732", - "modified": "2026-04-28T20:31:48.028187Z" + "modified": "2026-05-06T09:19:59.111962Z" }, { "id": "DLA-3012-1", @@ -5426,7 +5554,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2116 + content_length: 2809 body: | { "results": [ @@ -5506,7 +5634,7 @@ interactions: }, { "id": "GO-2026-4601", - "modified": "2026-05-05T10:59:19.142380Z" + "modified": "2026-05-06T10:29:20.668884Z" }, { "id": "GO-2026-4602", @@ -5518,7 +5646,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-04-13T08:27:21.641293Z" + "modified": "2026-05-07T10:29:24.131289Z" }, { "id": "GO-2026-4865", @@ -5530,7 +5658,11 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-04-13T08:27:12.657016Z" + "modified": "2026-05-07T10:29:24.251118Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-07T19:48:30.304907Z" }, { "id": "GO-2026-4946", 
@@ -5538,7 +5670,35 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-04-13T08:27:18.817379Z" + "modified": "2026-05-07T10:29:23.938623Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-07T19:46:46.353468Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-07T19:48:39.650770Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-07T19:48:33.928206Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-07T19:47:48.961884Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-07T19:48:48.608632Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-07T19:48:37.099912Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-07T19:48:26.153681Z" } ] }, @@ -5558,15 +5718,27 @@ interactions: }, { "id": "GO-2026-4867", - "modified": "2026-04-18T09:26:05.382350Z" + "modified": "2026-05-06T10:29:20.419872Z" }, { "id": "GO-2026-4868", - "modified": "2026-04-18T09:26:01.523258Z" + "modified": "2026-05-06T10:29:21.042020Z" }, { "id": "GO-2026-4871", - "modified": "2026-04-13T08:27:25.964585Z" + "modified": "2026-05-06T10:29:20.740630Z" + }, + { + "id": "GO-2026-4978", + "modified": "2026-05-07T19:48:45.574896Z" + }, + { + "id": "GO-2026-4979", + "modified": "2026-05-07T19:48:51.744963Z" + }, + { + "id": "GO-2026-4984", + "modified": "2026-05-07T19:48:43.011638Z" } ] } @@ -5574,7 +5746,7 @@ interactions: } headers: Content-Length: - - "2116" + - "2809" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml index 9c9a277acf8..9432bd47be4 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml @@ -116,7 +116,7 @@ interactions: }, { "id": "GO-2026-4961", - "modified": "2026-04-21T19:15:09.979537Z" + "modified": "2026-05-06T10:29:21.479671Z" }, { "id": "GO-2026-4962", 
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml index 6aa4a598305..6409a7d09b5 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml @@ -132,7 +132,7 @@ interactions: }, { "id": "OSV-2024-340", - "modified": "2026-05-05T14:17:12.600457Z" + "modified": "2026-05-07T14:09:36.724586Z" } ] }, @@ -181,7 +181,7 @@ interactions: }, { "id": "CVE-2025-9230", - "modified": "2026-04-16T04:40:07.876695Z" + "modified": "2026-05-07T18:29:19.531271Z" }, { "id": "CVE-2025-9231", @@ -197,15 +197,15 @@ interactions: "vulns": [ { "id": "CVE-2025-11187", - "modified": "2026-04-12T17:35:47.236202Z" + "modified": "2026-05-07T18:29:21.756996Z" }, { "id": "CVE-2025-15467", - "modified": "2026-04-16T04:39:55.464242Z" + "modified": "2026-05-07T18:29:22.159755Z" }, { "id": "CVE-2025-15468", - "modified": "2026-04-12T17:59:06.013579Z" + "modified": "2026-05-07T18:29:20.997946Z" }, { "id": "CVE-2025-15469", @@ -241,7 +241,7 @@ interactions: }, { "id": "CVE-2025-9230", - "modified": "2026-04-16T04:40:07.876695Z" + "modified": "2026-05-07T18:29:19.531271Z" }, { "id": "CVE-2025-9231", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml index c475fc38b3f..8042c34a95a 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml @@ -2121,7 +2121,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-6732", - "modified": "2026-04-28T20:31:48.028187Z" + "modified": "2026-05-06T09:19:59.111962Z" }, { "id": "DLA-3012-1", 
@@ -4757,7 +4757,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-6732", - "modified": "2026-04-28T20:31:48.028187Z" + "modified": "2026-05-06T09:19:59.111962Z" }, { "id": "DLA-3012-1", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml index c6d66c941e6..8f53bf3acb4 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml @@ -296,7 +296,7 @@ interactions: }, { "id": "CVE-2025-15467", - "modified": "2026-04-16T04:39:55.464242Z" + "modified": "2026-05-07T18:29:22.159755Z" }, { "id": "CVE-2025-68160", @@ -320,7 +320,7 @@ interactions: }, { "id": "CVE-2025-9230", - "modified": "2026-04-16T04:40:07.876695Z" + "modified": "2026-05-07T18:29:19.531271Z" }, { "id": "CVE-2025-9232", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml index 9a0b14941f9..8c889437013 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml @@ -259,7 +259,7 @@ interactions: }, { "id": "GHSA-9m6f-7xcq-8vf8", - "modified": "2024-02-18T05:32:25.400029Z" + "modified": "2026-05-06T18:48:47.299219Z" }, { "id": "GHSA-c8hm-7hpq-7jhg", @@ -735,7 +735,7 @@ interactions: }, { "id": "GHSA-9m6f-7xcq-8vf8", - "modified": "2024-02-18T05:32:25.400029Z" + "modified": "2026-05-06T18:48:47.299219Z" }, { "id": "GHSA-c8hm-7hpq-7jhg", @@ -1211,7 +1211,7 @@ interactions: }, { "id": "GHSA-9m6f-7xcq-8vf8", - "modified": "2024-02-18T05:32:25.400029Z" + "modified": "2026-05-06T18:48:47.299219Z" }, { "id": "GHSA-c8hm-7hpq-7jhg", 
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml index f516414b0fc..e9280d7e352 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml @@ -364,7 +364,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 526 + content_length: 666 body: | { "results": [ @@ -399,10 +399,18 @@ interactions: "id": "GHSA-5w6v-399v-w3cc", "modified": "2026-02-04T02:49:28.572138Z" }, + { + "id": "GHSA-c4rq-3m3g-8wgx", + "modified": "2026-05-07T15:59:19.908097Z" + }, { "id": "GHSA-mrxw-mxhj-p664", "modified": "2026-02-04T04:34:58.905946Z" }, + { + "id": "GHSA-v2fc-qm4h-8hqv", + "modified": "2026-05-07T15:59:19.133488Z" + }, { "id": "GHSA-vvfq-8hwr-qm4m", "modified": "2026-02-04T03:58:31.466756Z" @@ -427,7 +435,7 @@ interactions: } headers: Content-Length: - - "526" + - "666" Content-Type: - application/json status: 200 OK @@ -642,11 +650,11 @@ interactions: "vulns": [ { "id": "GHSA-7gcm-g887-7qv7", - "modified": "2026-02-05T16:35:34.839005Z" + "modified": "2026-05-07T15:11:10.704825Z" }, { "id": "GHSA-8qvm-5x2c-j2w7", - "modified": "2026-02-04T03:00:07.684118Z" + "modified": "2026-05-07T15:11:16.613726Z" } ] } From 57e9f1b494a4e99a1a54f778ff4c68a7a6923c13 Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 18 May 2026 12:16:58 +1000 Subject: [PATCH 5/9] chore: refresh test snapshots after merge --- .../image/__snapshots__/command_test.snap | 354 +++++++++ .../cassettes/TestCommand_OCIImage.yaml | 725 ++++++++++++++++++ .../TestCommand_OCIImage_JSONFormat.yaml | 725 ++++++++++++++++++ .../cassettes/TestCommand_Transitive.yaml | 52 ++ go.mod | 4 +- go.sum | 48 +- 6 files changed, 1882 insertions(+), 26 deletions(-) 
diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
index b21702c53d3..3a4bc9f0a16 100755
--- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
@@ -1044,6 +1044,76 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne --- +[TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image - 1] +Scanning local image tarball "./testdata/test-chisel.tar" + + +Container Scanning Result (Ubuntu 26.04 LTS): +Total 7 packages affected by 103 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 102 Unknown) from 2 ecosystems. +102 vulnerabilities can be fixed. + + +Go ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/bin/go | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/bin/gofmt | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/asm | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | 
++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/compile | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/link | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | ++---------+-------------------+---------------+------------+------------------+---------------+ ++---------------------------------------------------------------------------------------------+ +| Source:artifact:/usr/lib/go-1.25/pkg/tool/linux_amd64/vet | ++---------+-------------------+---------------+------------+------------------+---------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | ++---------+-------------------+---------------+------------+------------------+---------------+ +| stdlib | 1.25.7 | Fix Available | 17 | # 0 Layer | -- | 
++---------+-------------------+---------------+------------+------------------+---------------+ +Ubuntu:26.04 ++-------------------------------------------------------------------------------------------------------------------------------------------+ +| Source:os:/var/lib/chisel/manifest.wall | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ +| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ +| coreutils | 9.5-1ubuntu2+0.0.0~ubuntu25 | No fix available | 1 | coreutils | # 0 Layer | -- | ++----------------+-----------------------------+------------------+------------+-------------------------+------------------+---------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. +You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. + +--- + +[TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image - 2] + +--- + [TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] Scanning local image tarball "./testdata/test-node_modules-npm-empty.tar" 
@@ -2917,6 +2987,290 @@ Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" --- +[TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image - 1] +{ + "results": [ + { + "source": { + "path": "/usr/lib/go-1.25/bin/go", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/bin/gofmt", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/asm", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + 
"source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/compile", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/link", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/usr/lib/go-1.25/pkg/tool/linux_amd64/vet", + "type": "artifact" + }, + "packages": [ + { + "package": { + "name": "stdlib", + "version": "1.25.7", + "ecosystem": "Go", + "image_origin_details": { + "index": 0 + } + }, + "groups": 17, + "vulnerabilities": [ + "GO-2026-4601", + "GO-2026-4602", + "GO-2026-4603", + "GO-2026-4864", + "GO-2026-4865", + "GO-2026-4869", + "GO-2026-4870", + "GO-2026-4918", + "GO-2026-4946", + "GO-2026-4947", + "GO-2026-4971", + "GO-2026-4976", + "GO-2026-4977", + "GO-2026-4980", + "GO-2026-4981", + "GO-2026-4982", + "GO-2026-4986" + ] + } + ] + }, + { + "source": { + "path": "/var/lib/chisel/manifest.wall", + "type": "os" + }, + "packages": [ + { + "package": { + "name": "coreutils", + "os_package_name": "coreutils", 
+ "version": "9.5-1ubuntu2+0.0.0~ubuntu25", + "ecosystem": "Ubuntu:26.04", + "image_origin_details": { + "index": 0 + } + }, + "groups": 1, + "vulnerabilities": [ + "UBUNTU-CVE-2025-5278" + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + }, + "image_metadata": { + "os": "Ubuntu 26.04 LTS", + "layer_metadata": [ + { + "diff_id": "sha256:...", + "command": "COPY /rootfs/ / # buildkit", + "is_empty": false, + "base_image_index": 0 + } + ], + "base_images": [ + {} + ] + } +} + +--- + +[TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image - 2] +Scanning local image tarball "./testdata/test-chisel.tar" + +--- + [TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 1] { "results": [ diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index 3fab67cedfd..874b5e7355c 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml 
@@ -15203,6 +15203,731 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 4381 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "base-files" + }, + "version": "14ubuntu6" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "bash" + }, + "version": "5.3-2ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils" + }, + "version": "9.5-1ubuntu2+0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils-from-gnu" + }, + "version": "0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gcc-14-base" + }, + "version": "14.3.0-14ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gnu-coreutils" + }, + "version": "9.7-3ubuntu2" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-go" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-src" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-go" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-src" + }, + "version": "2:1.26~1" + }, + { + 
"package": { + "ecosystem": "Ubuntu:26.04", + "name": "libacl1" + }, + "version": "2.3.2-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libattr1" + }, + "version": "1:2.5.2-4" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libc6" + }, + "version": "2.43-2ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libcap2" + }, + "version": "1:2.75-10ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgcc-s1" + }, + "version": "16-20260322-1ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgmp10" + }, + "version": "2:6.3.0+dfsg-5ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libpcre2-8-0" + }, + "version": "10.46-1build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libselinux1" + }, + "version": "3.9-4build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libssl3t64" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libsystemd0" + }, + "version": "259.5-0ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libtinfo6" + }, + "version": "6.6+20251231-1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libzstd1" + }, + "version": "1.5.7+dfsg-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "make" + }, + "version": "4.4.1-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "openssl-provider-legacy" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "zlib1g" + }, + "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage/scanning_insecure_chiseled_ubuntu_image + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 6669 + body: | + { + "results": [ + {}, + 
{}, + { + "vulns": [ + { + "id": "UBUNTU-CVE-2025-5278", + "modified": "2026-04-27T18:53:24.878093Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": 
"2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": 
"GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + 
"modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + 
{ + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "6669" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml index cdcea4672e7..6c31c614c6f 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml 
@@ -2988,6 +2988,731 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 4381 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "base-files" + }, + "version": "14ubuntu6" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "bash" + }, + "version": "5.3-2ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils" + }, + "version": "9.5-1ubuntu2+0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "coreutils-from-gnu" + }, + "version": "0.0.0~ubuntu25" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gcc-14-base" + }, + "version": "14.3.0-14ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "gnu-coreutils" + }, + "version": "9.7-3ubuntu2" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Go", + "name": "stdlib" + }, + "version": "1.25.7" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-go" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-1.25-src" + }, + "version": "1.25.7-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-go" + }, + "version": "2:1.26~1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "golang-src" + }, + "version": "2:1.26~1" + }, + { + 
"package": { + "ecosystem": "Ubuntu:26.04", + "name": "libacl1" + }, + "version": "2.3.2-2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libattr1" + }, + "version": "1:2.5.2-4" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libc6" + }, + "version": "2.43-2ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libcap2" + }, + "version": "1:2.75-10ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgcc-s1" + }, + "version": "16-20260322-1ubuntu1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libgmp10" + }, + "version": "2:6.3.0+dfsg-5ubuntu2" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libpcre2-8-0" + }, + "version": "10.46-1build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libselinux1" + }, + "version": "3.9-4build1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libssl3t64" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libsystemd0" + }, + "version": "259.5-0ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libtinfo6" + }, + "version": "6.6+20251231-1" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "libzstd1" + }, + "version": "1.5.7+dfsg-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "make" + }, + "version": "4.4.1-3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "openssl-provider-legacy" + }, + "version": "3.5.5-1ubuntu3" + }, + { + "package": { + "ecosystem": "Ubuntu:26.04", + "name": "zlib1g" + }, + "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_OCIImage_JSONFormat/scanning_insecure_chiseled_ubuntu_image + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 6669 + body: | + { + "results": 
[ + {}, + {}, + { + "vulns": [ + { + "id": "UBUNTU-CVE-2025-5278", + "modified": "2026-04-27T18:53:24.878093Z" + } + ] + }, + {}, + {}, + {}, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": 
"2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": 
"GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + 
"modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + { + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + { + "vulns": [ + { + "id": "GO-2026-4601", + "modified": "2026-05-15T10:59:22.531449Z" + }, + { + "id": "GO-2026-4602", + "modified": "2026-05-15T10:59:23.640277Z" + }, + { + "id": "GO-2026-4603", + "modified": "2026-05-15T10:59:23.946663Z" + }, + { + "id": "GO-2026-4864", + "modified": "2026-05-15T10:59:21.996030Z" + }, + { + "id": "GO-2026-4865", + "modified": "2026-05-15T10:59:24.648972Z" + }, + { + "id": "GO-2026-4869", + "modified": "2026-05-15T10:59:23.054049Z" + }, + { + "id": "GO-2026-4870", + "modified": "2026-05-15T10:59:22.297557Z" + }, + { + "id": "GO-2026-4918", + "modified": "2026-05-11T08:11:05.383192Z" + }, + { + "id": "GO-2026-4946", + "modified": "2026-05-15T10:59:22.987884Z" + }, + { + "id": "GO-2026-4947", + "modified": "2026-05-14T10:29:23.774115Z" + }, + { + "id": "GO-2026-4971", + "modified": "2026-05-11T08:11:03.964539Z" + }, + { + "id": "GO-2026-4976", + "modified": "2026-05-11T08:11:26.883618Z" + }, + { + "id": "GO-2026-4977", + "modified": "2026-05-11T08:11:25.012229Z" + }, + { + "id": "GO-2026-4980", + "modified": "2026-05-11T08:11:24.291670Z" + }, + { + "id": "GO-2026-4981", + "modified": "2026-05-11T08:11:09.084571Z" + }, + 
{ + "id": "GO-2026-4982", + "modified": "2026-05-11T08:11:21.041304Z" + }, + { + "id": "GO-2026-4986", + "modified": "2026-05-11T08:11:18.687307Z" + } + ] + }, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {}, + {} + ] + } + headers: + Content-Length: + - "6669" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml index baf94fb0feb..7b7d01ab893 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml @@ -1378,6 +1378,58 @@ interactions: status: 200 OK code: 200 duration: 0s + - request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 324 + host: api.osv.dev + body: | + { + "queries": [ + { + "package": { + "ecosystem": "Maven", + "name": "com.google.android.gms:play-services" + }, + "version": "10.0.0" + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.logging.log4j:log4j-web" + }, + "version": "2.14.1" + } + ] + } + headers: + Content-Type: + - application/json + X-Test-Name: + - TestCommand_Transitive/pom.xml_transitive_native_source + url: https://api.osv.dev/v1/querybatch + method: POST + response: + proto: HTTP/2.0 + proto_major: 2 + proto_minor: 0 + content_length: 19 + body: | + { + "results": [ + {}, + {} + ] + } + headers: + Content-Length: + - "19" + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 0s - request: proto: HTTP/1.1 proto_major: 1 diff --git a/go.mod b/go.mod index f4697470fce..7dbc0f31b83 100644 --- a/go.mod +++ b/go.mod 
@@ -86,7 +86,7 @@ require (
 github.com/distribution/reference v0.6.0 // indirect
 github.com/djherbis/times v1.6.0 // indirect
 github.com/dlclark/regexp2 v1.11.5 // indirect
- github.com/docker/cli v29.2.1+incompatible // indirect
+ github.com/docker/cli v29.4.3+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker v28.5.2+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.9.5 // indirect
@@ -136,7 +136,7 @@ require (
 github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 github.com/micromdm/plist v0.2.2 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
- github.com/moby/buildkit v0.26.3 // indirect
+ github.com/moby/buildkit v0.30.0 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 github.com/muesli/cancelreader v0.2.2 // indirect
diff --git a/go.sum b/go.sum
index 94866d299aa..364037375fb 100644
--- a/go.sum
+++ b/go.sum
@@ -111,13 +111,13 @@ github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg
 github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/compose-spec/compose-go/v2 v2.10.2 h1:USa1NUbDcl/cjb8T9iwnuFsnO79H+2ho2L5SjFKz3uI=
 github.com/compose-spec/compose-go/v2 v2.10.2/go.mod h1:ZU6zlcweCZKyiB7BVfCizQT9XmkEIMFE+PRZydVcsZg=
-github.com/containerd/cgroups/v3 v3.1.0 h1:azxYVj+91ZgSnIBp2eI3k9y2iYQSR/ZQIgh9vKO+HSY=
-github.com/containerd/cgroups/v3 v3.1.0/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
+github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6dyLYXQ=
+github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
 github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=
 github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o=
 github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
-github.com/containerd/containerd/v2 v2.2.0 h1:K7TqcXy+LnFmZaui2DgHsnp2gAHhVNWYaHlx7HXfys8=
-github.com/containerd/containerd/v2 v2.2.0/go.mod h1:YCMjKjA4ZA7egdHNi3/93bJR1+2oniYlnS+c0N62HdE=
+github.com/containerd/containerd/v2 v2.2.3 h1:mOBRLaHGvmgy0bRo1Sg6OD8ugMKZIvCoWWMeMMygliA=
+github.com/containerd/containerd/v2 v2.2.3/go.mod h1:ns24cwt+p36mRnuKE3hLRxVBpuSP+a/Y25AMki1t/RY=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -134,8 +134,8 @@ github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex48
 github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
 github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=
 github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
-github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
-github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/ttrpc v1.2.8 h1:xbVu6D4qF2jihdh9rDVOKqUMiFBQk6YctTdo1zk087Y=
+github.com/containerd/ttrpc v1.2.8/go.mod h1:wyZW2K79t4Hfcxl+GUvkZqRBzJlqFFvgEeeWXa42tyE=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
 github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -155,8 +155,8 @@ github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg=
-github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.4.3+incompatible h1:u+UliYm2J/rYrIh2FqHQg32neRG8GjbvNuwQRTzGspU=
+github.com/docker/cli v29.4.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
@@ -256,8 +256,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -313,8 +313,8 @@ github.com/micromdm/plist v0.2.2 h1:a5Yt/coion6hwVEW0da8a5P8IyAchXZ6eC+oBA0uJW8=
 github.com/micromdm/plist v0.2.2/go.mod h1:flkfm0od6GzyXBqI28h5sgEyi3iPO28W2t1Zm9LpwWs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/moby/buildkit v0.26.3 h1:D+ruZVAk/3ipRq5XRxBH9/DIFpRjSlTtMbghT5gQP9g=
-github.com/moby/buildkit v0.26.3/go.mod h1:4T4wJzQS4kYWIfFRjsbJry4QoxDBjK+UGOEOs1izL7w=
+github.com/moby/buildkit v0.30.0 h1:OsK8T3BaYH52UNStpKd7gytDtHWWt2Fawak/lAPWatU=
+github.com/moby/buildkit v0.30.0/go.mod h1:k2wuw5ddaOqzh58RLt+mBn2XhK34gi6+gd0faONQ1xU=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
@@ -337,8 +337,8 @@ github.com/modelcontextprotocol/go-sdk v1.5.0 h1:CHU0FIX9kpueNkxuYtfYQn1Z0slhFzB
 github.com/modelcontextprotocol/go-sdk v1.5.0/go.mod h1:gggDIhoemhWs3BGkGwd1umzEXCEMMvAnhTrnbXJKKKA=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/morikuni/aec v1.1.0 h1:vBBl0pUnvi/Je71dsRrhMBtreIqNMYErSAbEeb8jrXQ=
+github.com/morikuni/aec v1.1.0/go.mod h1:xDRgiq/iw5l+zkao76YTKzKttOp2cwPEne25HDkJnBw=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
@@ -355,8 +355,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
-github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
+github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.14.1 h1:a7XlXV/nN/l5zFP1FWZYoExpClu1QOPMfWUV2CZ8kEQ=
 github.com/opencontainers/selinux v1.14.1/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
 github.com/ossf/osv-schema/bindings/go v0.0.0-20260424063704-83285ce2a866 h1:Los+Hnv3nFlNkIES9bca+PrGSau8MDzC9pRC/WWMmfE=
@@ -494,10 +494,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8V
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
 go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
 go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak=
 go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
 go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
 go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
@@ -506,8 +506,8 @@ go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfC
 go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
 go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
-go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
-go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -623,8 +623,8 @@ golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
 golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
From 6aa55e7d3845f24f334fe1d3e4f4c016fea88d0f Mon Sep 17 00:00:00 2001 From: Rex P Date: Mon, 18 May 2026 13:58:52 +1000 Subject: [PATCH 6/9] More refresh --- .../cassettes/TestCommand_Transitive.yaml | 52 ------------------- 1 file changed, 52 deletions(-) diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml index 7b7d01ab893..baf94fb0feb 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml @@ -1378,58 +1378,6 @@ interactions: status: 200 OK code: 200 duration: 0s - - request: - proto: HTTP/1.1 - proto_major: 1 - proto_minor: 1 - content_length: 324 - host: api.osv.dev - body: | - { - "queries": [ - { - "package": { - "ecosystem": "Maven", - "name": "com.google.android.gms:play-services" - }, - "version": "10.0.0" - }, - { - "package": { - "ecosystem": "Maven", - "name": "org.apache.logging.log4j:log4j-web" - }, - "version": "2.14.1" - } - ] - } - headers: - Content-Type: - - application/json - X-Test-Name: - - TestCommand_Transitive/pom.xml_transitive_native_source - url: https://api.osv.dev/v1/querybatch - method: POST - response: - proto: HTTP/2.0 - proto_major: 2 - proto_minor: 0 - content_length: 19 - body: | - { - "results": [ - {}, - {} - ] - } - headers: - Content-Length: - - "19" - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: 0s - request: proto: HTTP/1.1 proto_major: 1 From 3e04a380b2b7381ff6e5b4787e08ffbbfa9be32b Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Tue, 19 May 2026 22:14:35 +0200 Subject: [PATCH 7/9] test: force chisel pull from frozen pocket --- cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile b/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile index dd4db727a4d..bc51c043a54 100644 --- a/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile +++ b/cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile @@ -1,6 +1,6 @@ FROM ubuntu:26.04@sha256:f3d28607ddd78734bb7f71f117f3c6706c666b8b76cbff7c9ff6e5718d46ff64 AS builder -RUN apt install --update -y curl wget +RUN apt install --update -y curl wget git # Deb arch to GOARCH RUN arch="$(dpkg --print-architecture | sed -e 's/armhf/arm/g' -e 's/ppc64el/ppc64le/g')" && \ @@ -12,8 +12,11 @@ RUN arch="$(dpkg --print-architecture | sed -e 's/armhf/arm/g' -e 's/ppc64el/ppc RUN sha384sum -c chisel_v*sha384 RUN tar -xf chisel_v*tar.gz -C /usr/local/bin +RUN git clone --depth 1 --branch ubuntu-26.04 https://github.com/canonical/chisel-releases.git chisel-releases +# Remove the `resolute-security` and `resolute-updates` suites from `chisel.yaml` to force pull from a frozen pocket +RUN sed -i 's/suites: \[resolute, resolute-security, resolute-updates\]/suites: \[resolute\]/g' chisel-releases/chisel.yaml RUN mkdir /rootfs && \ - chisel cut --root /rootfs \ + chisel cut --release ./chisel-releases --root /rootfs \ base-files_base \ base-files_chisel \ base-files_release-info \ From 2bb423a022a1eeffcec3da0eedc0902593b2c055 Mon Sep 17 00:00:00 2001 
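Review bot: The added `git clone --depth 1 --branch ubuntu-26.04 https://github.com/canonical/chisel-releases.git` tracks a moving branch head, so the slice definitions and `chisel.yaml` that `chisel cut --release ./chisel-releases` consumes can still change from build to build even though the sed edit freezes the apt pocket; that undercuts the "frozen" intent of this commit and the reproducibility the `FROM ubuntu:26.04@sha256:...` digest already gives the base layer. Pinning the checkout to a commit, e.g. `RUN git -C chisel-releases checkout <PINNED_COMMIT_PLACEHOLDER>` after a clone without `--depth 1`, would make the test rootfs deterministic. Separately, the `sed -i 's/suites: \[resolute, resolute-security, resolute-updates\]/suites: \[resolute\]/g'` line exits 0 even when its pattern matches nothing, so a reformatted `suites:` entry upstream would silently leave `resolute-updates` in place and the image would drift again; a guard such as `RUN ! grep -q 'resolute-updates' chisel-releases/chisel.yaml` right after the sed makes that failure loud at build time. The `chisel cut` slice list continues past the end of the hunk.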
From: Zhijie Yang Date: Tue, 19 May 2026 22:14:41 +0200 Subject: [PATCH 8/9] chore: udpate tests --- .../image/__snapshots__/command_test.snap | 15 +-- .../cassettes/TestCommand_OCIImage.yaml | 94 ++++++++++--------- .../TestCommand_OCIImage_JSONFormat.yaml | 60 ++++++------ .../source/__snapshots__/command_test.snap | 35 ++++--- .../testdata/cassettes/TestCommand.yaml | 38 ++++---- .../cassettes/TestCommand_CommitSupport.yaml | 2 +- .../TestCommand_Config_UnusedIgnores.yaml | 8 +- .../cassettes/TestCommand_Transitive.yaml | 20 ++-- .../update/__snapshots__/command_test.snap | 16 +++- 9 files changed, 162 insertions(+), 126 deletions(-) diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap index 3a4bc9f0a16..d5c8491a160 100755 --- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap @@ -619,8 +619,8 @@ Scanning local image tarball "./testdata/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21) (Based on "eclipse-temurin" image): -Total 30 packages affected by 109 known vulnerabilities (6 Critical, 50 High, 46 Medium, 6 Low, 1 Unknown) from 2 ecosystems. -109 vulnerabilities can be fixed. +Total 30 packages affected by 110 known vulnerabilities (6 Critical, 51 High, 46 Medium, 6 Low, 1 Unknown) from 2 ecosystems. +110 vulnerabilities can be fixed. Maven 
@@ -659,7 +659,7 @@ Alpine:v3.21 | busybox | 1.37.0-r9 | Fix Available | 2 | busybox... (3) | # 0 Layer | alpine | | expat | 2.6.4-r0 | Fix Available | 7 | libexpat | # 5 Layer | eclipse-temurin | | gnupg | 2.4.7-r0 | Fix Available | 2 | gnupg... (11) | # 5 Layer | eclipse-temurin | -| gnutls | 3.8.8-r0 | Fix Available | 14 | gnutls | # 5 Layer | eclipse-temurin | +| gnutls | 3.8.8-r0 | Fix Available | 15 | gnutls | # 5 Layer | eclipse-temurin | | libpng | 1.6.44-r0 | Fix Available | 11 | libpng | # 5 Layer | eclipse-temurin | | libtasn1 | 4.19.0-r2 | Fix Available | 2 | libtasn1 | # 5 Layer | eclipse-temurin | | musl | 1.2.5-r8 | Fix Available | 3 | musl, musl-utils | # 0 Layer | alpine | @@ -754,8 +754,8 @@ Scanning local image tarball "./testdata/test-python-full.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)) (Based on "python" image): -Total 21 packages affected by 59 known vulnerabilities (1 Critical, 19 High, 21 Medium, 3 Low, 15 Unknown) from 2 ecosystems. -57 vulnerabilities can be fixed. +Total 21 packages affected by 60 known vulnerabilities (1 Critical, 19 High, 22 Medium, 3 Low, 15 Unknown) from 2 ecosystems. +58 vulnerabilities can be fixed. PyPI @@ -792,7 +792,7 @@ PyPI +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ -| idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | +| idna | 2.7 | Fix Available | 2 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +-------------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | 
@@ -1447,9 +1447,10 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne "index": 17 } }, - "groups": 1, + "groups": 2, "vulnerabilities": [ "PYSEC-2024-60", + "GHSA-65pc-fj4g-8rjx", "GHSA-jjg7-2v4v-x38h" ] } diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index 874b5e7355c..2b954b6377b 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml @@ -6638,7 +6638,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -6650,7 +6650,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -6662,7 +6662,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -9298,7 +9298,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 13745 + content_length: 13817 body: | { "results": [ @@ -9544,6 +9544,10 @@ interactions: "id": "ALPINE-CVE-2026-3833", "modified": "2026-05-11T15:31:04.173991Z" }, + { + "id": "ALPINE-CVE-2026-42009", + "modified": "2026-05-19T09:30:34.884543Z" + }, { "id": "ALPINE-CVE-2026-42010", "modified": "2026-05-14T09:31:40.053539Z" @@ -10357,7 +10361,7 @@ interactions: } headers: Content-Length: - - "13745" + - "13817" Content-Type: - application/json status: 200 OK @@ -12282,7 +12286,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 6660 + content_length: 6730 body: | { "results": [ 
@@ -12409,6 +12413,10 @@ interactions: {}, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -12867,7 +12875,7 @@ interactions: } headers: Content-Length: - - "6660" + - "6730" Content-Type: - application/json status: 200 OK @@ -13294,7 +13302,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13306,7 +13314,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13318,7 +13326,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -13486,7 +13494,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13498,7 +13506,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13510,7 +13518,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -13678,7 +13686,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13690,7 +13698,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13702,7 +13710,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", 
@@ -13870,7 +13878,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -13882,7 +13890,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -13894,7 +13902,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -14062,7 +14070,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -14074,7 +14082,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -14086,7 +14094,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -14254,7 +14262,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -14266,7 +14274,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -14278,7 +14286,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -15482,7 +15490,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -15494,7 +15502,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", 
@@ -15506,7 +15514,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -15554,7 +15562,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -15566,7 +15574,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -15578,7 +15586,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -15626,7 +15634,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -15638,7 +15646,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -15650,7 +15658,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -15698,7 +15706,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -15710,7 +15718,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -15722,7 +15730,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -15770,7 +15778,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -15782,7 +15790,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -15794,7 +15802,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -15842,7 +15850,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -15854,7 +15862,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -15866,7 +15874,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml index 6c31c614c6f..3b9fc8197a4 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml @@ -800,7 +800,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 6660 + content_length: 6730 body: | { "results": [ @@ -927,6 +927,10 @@ interactions: {}, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -1385,7 +1389,7 @@ interactions: } headers: Content-Length: - - "6660" + - "6730" Content-Type: - application/json status: 200 OK @@ -1854,7 +1858,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-2673", - "modified": "2026-05-14T09:30:41.007180Z" + "modified": "2026-05-19T09:30:35.023887Z" }, { "id": "ALPINE-CVE-2026-28387", 
@@ -1934,7 +1938,7 @@ interactions: }, { "id": "ALPINE-CVE-2026-2673", - "modified": "2026-05-14T09:30:41.007180Z" + "modified": "2026-05-19T09:30:35.023887Z" }, { "id": "ALPINE-CVE-2026-28387", @@ -2354,7 +2358,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -2366,7 +2370,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -2378,7 +2382,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -3267,7 +3271,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -3279,7 +3283,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -3291,7 +3295,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -3339,7 +3343,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -3351,7 +3355,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -3363,7 +3367,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -3411,7 +3415,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -3423,7 +3427,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -3435,7 +3439,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -3483,7 +3487,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -3495,7 +3499,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -3507,7 +3511,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -3555,7 +3559,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -3567,7 +3571,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -3579,7 +3583,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -3627,7 +3631,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -3639,7 +3643,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -3651,7 +3655,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", 
@@ -7183,7 +7187,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -7195,7 +7199,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -7207,7 +7211,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 4c7d587fcad..3061e3ef7a6 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap @@ -911,7 +911,7 @@ Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Filtered 10 local/unscannable package/s from the scan. -Total 27 packages affected by 200 known vulnerabilities (22 Critical, 87 High, 64 Medium, 4 Low, 23 Unknown) from 4 ecosystems. +Total 27 packages affected by 200 known vulnerabilities (22 Critical, 86 High, 65 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ 
@@ -1082,7 +1082,7 @@ Total 27 packages affected by 200 known vulnerabilities (22 Critical, 87 High, 6 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2168,7 +2168,7 @@ Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 27 packages affected by 194 known vulnerabilities (22 Critical, 82 High, 63 Medium, 4 Low, 23 Unknown) from 4 ecosystems. +Total 27 packages affected by 194 known vulnerabilities (22 Critical, 81 High, 64 Medium, 4 Low, 23 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ 
@@ -2331,7 +2331,7 @@ Total 27 packages affected by 194 known vulnerabilities (22 Critical, 82 High, 6 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -2417,7 +2417,7 @@ Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 -Total 24 packages affected by 186 known vulnerabilities (20 Critical, 79 High, 60 Medium, 4 Low, 23 Unknown) from 3 ecosystems. +Total 24 packages affected by 186 known vulnerabilities (20 Critical, 78 High, 61 Medium, 4 Low, 23 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ 
@@ -2572,7 +2572,7 @@ Total 24 packages affected by 186 known vulnerabilities (20 Critical, 79 High, 6 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4749,7 +4749,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 59 Medium, 4 Low, 23 Unknown) from 2 ecosystems. +Total 22 packages affected by 183 known vulnerabilities (19 Critical, 77 High, 60 Medium, 4 Low, 23 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ 
@@ -4903,7 +4903,7 @@ Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 5 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | @@ -4982,7 +4982,7 @@ Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 59 Medium, 4 Low, 23 Unknown) from 2 ecosystems. +Total 22 packages affected by 183 known vulnerabilities (19 Critical, 77 High, 60 Medium, 4 Low, 23 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ 
@@ -5136,7 +5136,7 @@ Total 22 packages affected by 183 known vulnerabilities (19 Critical, 78 High, 5 | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DEBIAN-CVE-2026-2673 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28386 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28387 | 8.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-28388 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -5956,6 +5956,11 @@ Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Med Scanning dir ./testdata/locks-requirements/requirements.txt Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Loaded PyPI local db from /osv-scanner/PyPI/all.zip +PYSEC-2011-28 does not have any ranges or versions - this is probably a mistake! +PYSEC-2011-29 does not have any ranges or versions - this is probably a mistake! +PYSEC-2011-30 does not have any ranges or versions - this is probably a mistake! +PYSEC-2011-31 does not have any ranges or versions - this is probably a mistake! +PYSEC-2020-345 does not have any ranges or versions - this is probably a mistake! Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Medium, 1 Low, 0 Unknown) from 1 ecosystem. 13 vulnerabilities can be fixed. @@ -6019,8 +6024,8 @@ Total 3 packages affected by 9 known vulnerabilities (0 Critical, 3 High, 4 Medi [TestCommand_Transitive/requirements.txt_transitive_default - 1] Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages -Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem. -24 vulnerabilities can be fixed. +Total 5 packages affected by 25 known vulnerabilities (1 Critical, 10 High, 12 Medium, 1 Low, 1 Unknown) from 1 ecosystem. +25 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | 
@@ -6043,6 +6048,7 @@ Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 M | https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7.0 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | +| https://osv.dev/GHSA-65pc-fj4g-8rjx | 6.9 | PyPI | idna | 2.7.0 | 3.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | | | https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt | @@ -6067,8 +6073,8 @@ Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 M [TestCommand_Transitive/requirements.txt_transitive_native_source - 1] Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages -Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem. -24 vulnerabilities can be fixed. +Total 5 packages affected by 25 known vulnerabilities (1 Critical, 10 High, 12 Medium, 1 Low, 1 Unknown) from 1 ecosystem. +25 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | 
@@ -6091,6 +6097,7 @@ Total 5 packages affected by 24 known vulnerabilities (1 Critical, 10 High, 11 M | https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | +| https://osv.dev/GHSA-65pc-fj4g-8rjx | 6.9 | PyPI | idna | 2.7 | 3.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | | | https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt | diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index f81ca5af1df..b5e804616e3 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -474,7 +474,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -486,7 +486,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -498,7 +498,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -748,7 +748,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -760,7 +760,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -772,7 +772,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -972,7 +972,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -984,7 +984,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -996,7 +996,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -1239,7 +1239,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", @@ -1251,7 +1251,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -1263,7 +1263,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -4317,7 +4317,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-28T20:31:52.784484Z" + "modified": "2026-05-18T21:00:35.644624Z" }, { "id": "DEBIAN-CVE-2026-41990", @@ -4998,7 +4998,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-2673", - "modified": "2026-05-14T09:00:11.435092Z" + "modified": "2026-05-19T09:00:10.116381Z" }, { "id": "DEBIAN-CVE-2026-28386", @@ -5712,7 +5712,7 @@ interactions: }, { "id": "GO-2026-4864", - "modified": "2026-05-15T10:59:21.996030Z" + "modified": "2026-05-19T10:29:18.989085Z" }, { "id": "GO-2026-4865", 
@@ -5724,7 +5724,7 @@ interactions: }, { "id": "GO-2026-4870", - "modified": "2026-05-15T10:59:22.297557Z" + "modified": "2026-05-19T10:29:19.060466Z" }, { "id": "GO-2026-4918", @@ -5736,7 +5736,7 @@ interactions: }, { "id": "GO-2026-4947", - "modified": "2026-05-14T10:29:23.774115Z" + "modified": "2026-05-19T10:29:18.889608Z" }, { "id": "GO-2026-4971", @@ -7745,7 +7745,7 @@ interactions: }, { "id": "GHSA-hxwh-jpp2-84pm", - "modified": "2026-02-04T02:15:39.891834Z" + "modified": "2026-05-19T05:26:16.591908Z" }, { "id": "GHSA-xc3p-ff3m-f46v", @@ -7757,7 +7757,7 @@ interactions: }, { "id": "PYSEC-2024-71", - "modified": "2025-10-09T08:27:44.186589Z" + "modified": "2026-05-19T05:26:16.591908Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml index 2ecd54a3e33..349f9b0fe29 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml @@ -132,7 +132,7 @@ interactions: }, { "id": "OSV-2024-340", - "modified": "2026-05-17T14:28:07.764086Z" + "modified": "2026-05-19T14:28:33.772959Z" } ] }, diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml index bb40655067f..012b3eabe6f 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml @@ -1803,7 +1803,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-28T20:31:52.784484Z" + "modified": "2026-05-18T21:00:35.644624Z" }, { "id": "DEBIAN-CVE-2026-41990", 
@@ -2484,7 +2484,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-2673", - "modified": "2026-05-14T09:00:11.435092Z" + "modified": "2026-05-19T09:00:10.116381Z" }, { "id": "DEBIAN-CVE-2026-28386", @@ -4439,7 +4439,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-41989", - "modified": "2026-04-28T20:31:52.784484Z" + "modified": "2026-05-18T21:00:35.644624Z" }, { "id": "DEBIAN-CVE-2026-41990", @@ -5120,7 +5120,7 @@ interactions: }, { "id": "DEBIAN-CVE-2026-2673", - "modified": "2026-05-14T09:00:11.435092Z" + "modified": "2026-05-19T09:00:10.116381Z" }, { "id": "DEBIAN-CVE-2026-28386", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml index baf94fb0feb..51fb3015971 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml @@ -1630,7 +1630,7 @@ interactions: }, { "id": "GHSA-hxwh-jpp2-84pm", - "modified": "2026-02-04T02:15:39.891834Z" + "modified": "2026-05-19T05:26:16.591908Z" }, { "id": "GHSA-xc3p-ff3m-f46v", @@ -1642,7 +1642,7 @@ interactions: }, { "id": "PYSEC-2024-71", - "modified": "2025-10-09T08:27:44.186589Z" + "modified": "2026-05-19T05:26:16.591908Z" } ] }, @@ -1781,7 +1781,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2223 + content_length: 2293 body: | { "results": [ @@ -1842,6 +1842,10 @@ interactions: }, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -1941,7 +1945,7 @@ interactions: } headers: Content-Length: - - "2223" + - "2293" Content-Type: - application/json status: 200 OK @@ -2060,7 +2064,7 @@ interactions: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 - content_length: 2223 + content_length: 2293 body: | { "results": [ 
@@ -2121,6 +2125,10 @@ interactions: }, { "vulns": [ + { + "id": "GHSA-65pc-fj4g-8rjx", + "modified": "2026-05-19T14:45:16.378872Z" + }, { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" @@ -2220,7 +2228,7 @@ interactions: } headers: Content-Length: - - "2223" + - "2293" Content-Type: - application/json status: 200 OK diff --git a/cmd/osv-scanner/update/__snapshots__/command_test.snap b/cmd/osv-scanner/update/__snapshots__/command_test.snap index 64ee1509b04..5537d97edeb 100755 --- a/cmd/osv-scanner/update/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/update/__snapshots__/command_test.snap 
@@ -227,6 +227,14 @@ Version updates (the update command) can be risky when run on untrusted projects [TestCommand/update_pom_with_in_place_changes_using_native_data_source - 1] Version updates (the update command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. +failed to get response from https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/maven-metadata.xml query status: 429 +failed to suggest Maven version for package "com.fasterxml.jackson.core:jackson-core": no versions found for Maven package com.fasterxml.jackson.core:jackson-core +failed to get response from https://repo.maven.apache.org/maven2/junit/junit/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/junit/junit/maven-metadata.xml query status: 429 +failed to suggest Maven version for package "junit:junit": no versions found for Maven package junit:junit +failed to get response from https://repo.maven.apache.org/maven2/org/slf4j/slf4j-migrator/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/org/slf4j/slf4j-migrator/maven-metadata.xml query status: 429 +failed to suggest Maven version for package "org.slf4j:slf4j-migrator": no versions found for Maven package org.slf4j:slf4j-migrator +failed to get response from https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/maven-metadata.xml query status: 429 +failed to suggest Maven version for package "org.apache.logging.log4j:log4j-api": no versions found for Maven package org.apache.logging.log4j:log4j-api 
--- @@ -253,14 +261,14 @@ Version updates (the update command) can be risky when run on untrusted projects UTF-8 1.7 1.7 - 4.13.2 + 4.12 com.fasterxml.jackson.core jackson-core - 2.21.3 + 2.14.0 junit @@ -275,7 +283,7 @@ Version updates (the update command) can be risky when run on untrusted projects org.slf4j slf4j-migrator - 2.0.18 + 2.0.0 @@ -287,7 +295,7 @@ Version updates (the update command) can be risky when run on untrusted projects org.apache.logging.log4j log4j-api - 2.26.0 + 2.0 From 4e6f75adf0caa7c8c2eccca0515ccdf3fcfdeb0a Mon Sep 17 00:00:00 2001 From: Rex P Date: Wed, 20 May 2026 14:47:04 +1000 Subject: [PATCH 9/9] Update chisel --- .../testdata/cassettes/TestCommand_OCIImage.yaml | 2 +- .../scan/source/__snapshots__/command_test.snap | 6 +++--- .../source/testdata/cassettes/TestCommand.yaml | 2 +- .../cassettes/TestCommand_JavareachArchive.yaml | 6 +++--- .../cassettes/TestCommand_Transitive.yaml | 2 +- .../update/__snapshots__/command_test.snap | 16 ++++------------ 6 files changed, 13 insertions(+), 21 deletions(-) diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml index 2b954b6377b..8f5246c1872 100644 --- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml +++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml @@ -10274,7 +10274,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-qh8g-58pp-2wxh", diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap index 3061e3ef7a6..a6cf4e6cb7e 100755 --- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap 
@@ -3644,7 +3644,7 @@ Total 4 packages affected by 56 known vulnerabilities (18 Critical, 30 High, 6 M | https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | -| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.60 | testdata/artifact/javareach_test.jar | +| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.33 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | 
@@ -3729,7 +3729,7 @@ Total 8 packages affected by 62 known vulnerabilities (18 Critical, 32 High, 9 M | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | -| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.60 | testdata/artifact/javareach_test.jar | +| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.33 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | 
@@ -3809,7 +3809,7 @@ Total 8 packages affected by 62 known vulnerabilities (18 Critical, 32 High, 9 M | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | -| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.60 | testdata/artifact/javareach_test.jar | +| https://osv.dev/GHSA-355h-qmc2-wpwf | 7.4 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.33 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml index b5e804616e3..1dbddeb3795 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml @@ -7745,7 +7745,7 @@ interactions: }, { "id": "GHSA-hxwh-jpp2-84pm", - "modified": "2026-05-19T05:26:16.591908Z" + "modified": "2026-05-19T20:30:23.753027Z" }, { "id": "GHSA-xc3p-ff3m-f46v", 
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml index 8c889437013..fa63f26e631 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml @@ -421,7 +421,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-cj7v-27pg-wf7q", @@ -897,7 +897,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-cj7v-27pg-wf7q", @@ -1373,7 +1373,7 @@ interactions: "vulns": [ { "id": "GHSA-355h-qmc2-wpwf", - "modified": "2026-04-17T00:30:15.516948Z" + "modified": "2026-05-20T00:45:32.367357Z" }, { "id": "GHSA-cj7v-27pg-wf7q", diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml index 51fb3015971..fb25ec6de43 100644 --- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml +++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml @@ -1630,7 +1630,7 @@ interactions: }, { "id": "GHSA-hxwh-jpp2-84pm", - "modified": "2026-05-19T05:26:16.591908Z" + "modified": "2026-05-19T20:30:23.753027Z" }, { "id": "GHSA-xc3p-ff3m-f46v", diff --git a/cmd/osv-scanner/update/__snapshots__/command_test.snap b/cmd/osv-scanner/update/__snapshots__/command_test.snap index 5537d97edeb..64ee1509b04 100755 --- a/cmd/osv-scanner/update/__snapshots__/command_test.snap +++ b/cmd/osv-scanner/update/__snapshots__/command_test.snap 
@@ -227,14 +227,6 @@ Version updates (the update command) can be risky when run on untrusted projects [TestCommand/update_pom_with_in_place_changes_using_native_data_source - 1] Version updates (the update command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding. -failed to get response from https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/maven-metadata.xml query status: 429 -failed to suggest Maven version for package "com.fasterxml.jackson.core:jackson-core": no versions found for Maven package com.fasterxml.jackson.core:jackson-core -failed to get response from https://repo.maven.apache.org/maven2/junit/junit/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/junit/junit/maven-metadata.xml query status: 429 -failed to suggest Maven version for package "junit:junit": no versions found for Maven package junit:junit -failed to get response from https://repo.maven.apache.org/maven2/org/slf4j/slf4j-migrator/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/org/slf4j/slf4j-migrator/maven-metadata.xml query status: 429 -failed to suggest Maven version for package "org.slf4j:slf4j-migrator": no versions found for Maven package org.slf4j:slf4j-migrator -failed to get response from https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/maven-metadata.xml: API query failed: Maven registry https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/maven-metadata.xml query status: 429 -failed to suggest Maven version for package "org.apache.logging.log4j:log4j-api": no versions found for Maven package org.apache.logging.log4j:log4j-api 
--- @@ -261,14 +253,14 @@ failed to suggest Maven version for package "org.apache.logging.log4j:log4j-api" UTF-8 1.7 1.7 - 4.12 + 4.13.2 com.fasterxml.jackson.core jackson-core - 2.14.0 + 2.21.3 junit @@ -283,7 +275,7 @@ failed to suggest Maven version for package "org.apache.logging.log4j:log4j-api" org.slf4j slf4j-migrator - 2.0.0 + 2.0.18 @@ -295,7 +287,7 @@ failed to suggest Maven version for package "org.apache.logging.log4j:log4j-api" org.apache.logging.log4j log4j-api - 2.0 + 2.26.0