feat: import chisel in scalibrplugin #2772

Merged: another-rex merged 12 commits into google:main from zhijie-yang:ROCKS-2010/add-chisel-scalibr-plugin on May 20, 2026

@zhijie-yang
Contributor

Description

This PR imports the os/chisel extractor from osv-scalibr in scalibrplugin/presets.go to enable the scanning of container images built with Chisel.

The description of Ubuntu chiseled packages is added to docs/supported_languages_and_lockfiles.md, which corresponds to the changes of this PR.

This PR expects no breaking changes nor regressive UX to be introduced to the OSV-Scanner.

Related pull requests

google/osv-scalibr#764
google/osv-scalibr#2018

P.S. I've run make refresh-all REBUILD_IMAGES=true to update the snapshots.

FYI: @cjdcordeiro

@another-rex another-rex force-pushed the ROCKS-2010/add-chisel-scalibr-plugin branch from 64e6842 to 8b9aa1d Compare May 7, 2026 03:58
@codecov-commenter

codecov-commenter commented May 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.23%. Comparing base (4e36a74) to head (4e6f75a).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2772      +/-   ##
==========================================
+ Coverage   79.19%   79.23%   +0.03%     
==========================================
  Files         121      121              
  Lines        8185     8185              
==========================================
+ Hits         6482     6485       +3     
+ Misses       1322     1320       -2     
+ Partials      381      380       -1     


Collaborator

@another-rex another-rex left a comment

Can you add an e2e test by adding a Dockerfile that can build a chisel image, which can be scanned by the scanner?

@zhijie-yang
Contributor Author

Added as cmd/osv-scanner/scan/image/testdata/test-chisel.Dockerfile.

@zhijie-yang zhijie-yang requested a review from another-rex May 7, 2026 19:27
@another-rex another-rex force-pushed the ROCKS-2010/add-chisel-scalibr-plugin branch from 8a3f52e to 9168fb5 Compare May 8, 2026 00:29
another-rex and others added 5 commits May 18, 2026 12:11
…el-scalibr-plugin

# Conflicts:
#	cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
#	cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml
#	cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml
#	cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
#	cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml
#	cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml
#	cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml
#	cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml
#	go.mod
#	go.sum
@another-rex
Collaborator

another-rex commented May 19, 2026

@zhijie-yang Hmm, been trying to make this test pass for a while. The issue seems to be that because the image is not pinned, the test container image that's being scanned is constantly changing. Is there a way we can pin the versions that chisel is adding?

@zhijie-yang
Contributor Author

Hey @another-rex, I've modified the Dockerfile and let Chisel pull the packages from a frozen pocket of the Ubuntu archive. Please see if the tests can pass stably.

@another-rex another-rex merged commit 57b8b78 into google:main May 20, 2026
18 checks passed