chore: v1.9.2 Changelog (#1455)

fixes #1453 #1443
google · Dec 19, 2024 · 1e295ee · 1e295ee
1 parent 5e6828a
commit 1e295ee
Show file tree

Hide file tree

Showing 18 changed files with 629 additions and 645 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -16,10 +16,10 @@ name: Checks
 
 on:
   push:
-    branches: [main, v2]
+    branches: [main, v1]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main, v2]
+    branches: [main, v1]
 
 concurrency:
   # Pushing new changes to a branch will cancel any in-progress CI runs

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [main, v2]
+    branches: [main, v1]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main, v2]
+    branches: [main, v1]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

diff --git a/.github/workflows/osv-scanner-unified-action.yml b/.github/workflows/osv-scanner-unified-action.yml
@@ -16,11 +16,11 @@ name: OSV-Scanner Scheduled Scan
 
 on:
   pull_request:
-    branches: ["main", "v2"]
+    branches: ["main", "v1"]
   schedule:
     - cron: "12 12 * * 1"
   push:
-    branches: ["main", "v2"]
+    branches: ["main", "v1"]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -12,7 +12,7 @@ on:
   schedule:
     - cron: "32 22 * * 6"
   push:
-    branches: ["main", "v2"]
+    branches: ["main", "v1"]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,16 @@
+# v1.9.2
+
+### Fixes:
+
+- [Bug #1327](https://github.com/google/osv-scanner/pull/1327) Parsing crash on malformed pnpm lockfile.
+- [Bug #1377](https://github.com/google/osv-scanner/pull/1377) Warn if a vulnerability is ignored multiple times in the same config.
+- [Bug #1394](https://github.com/google/osv-scanner/pull/1394) Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
+- [Bug #1443](https://github.com/google/osv-scanner/issues/1443) Go call analysis now works with Go version up to v1.23.4.
+- [Bug #1436](https://github.com/google/osv-scanner/pull/1436) Only fetch Maven snapshots and releases when enabled.
+- [Bug #1456](https://github.com/google/osv-scanner/pull/1456) Remove redundant calls from PreFetch.
+
+# v1.9.1
+
 OSV-Scanner v2 is coming soon! The next release will start with version `v2.0.0-alpha1`.
 
 Here's a peek at some of the exciting upcoming features:
@@ -16,8 +29,6 @@ Most breaking changes will only be in the API. More details in the upcoming alph
 
 This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.
 
-# v1.9.1
-
 ### Features:
 
 - [Feature #1295](https://github.com/google/osv-scanner/pull/1295) Support offline database in fix subcommand.

diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -80,7 +80,7 @@ Loaded filter from: <rootdir>/fixtures/locks-many/osv-scanner.toml
           "informationUri": "https://github.com/google/osv-scanner",
           "name": "osv-scanner",
           "rules": [],
-          "version": "1.9.1"
+          "version": "1.9.2"
         }
       },
       "results": []
@@ -234,7 +234,7 @@ Loaded Alpine local db from <tempdir>/osv-scanner/Alpine/all.zip
               }
             }
           ],
-          "version": "1.9.1"
+          "version": "1.9.2"
         }
       },
       "artifacts": [
@@ -868,7 +868,7 @@ No issues found
 ---
 
 [TestRun/version - 1]
-osv-scanner version: 1.9.1
+osv-scanner version: 1.9.2
 commit: n/a
 built at: n/a
 
@@ -991,7 +991,7 @@ Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as
               }
             }
           ],
-          "version": "1.9.1"
+          "version": "1.9.2"
         }
       },
       "artifacts": [
@@ -2522,24 +2522,6 @@ No issues found
 
 ---
 
-[TestRun_MavenTransitive/resolve_transitive_dependencies_with_native_datda_source - 1]
-Scanned <rootdir>/fixtures/maven-transitive/registry.xml file as a pom.xml and found 59 packages
-+-------------------------------------+------+-----------+-----------------------------------------------+---------+----------------------------------------+
-| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                                       | VERSION | SOURCE                                 |
-+-------------------------------------+------+-----------+-----------------------------------------------+---------+----------------------------------------+
-| https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1  | Maven     | com.google.android.gms:play-services-basement | 10.0.0  | fixtures/maven-transitive/registry.xml |
-| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0  | Maven     | org.apache.logging.log4j:log4j-core           | 2.14.1  | fixtures/maven-transitive/registry.xml |
-| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6  | Maven     | org.apache.logging.log4j:log4j-core           | 2.14.1  | fixtures/maven-transitive/registry.xml |
-| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven     | org.apache.logging.log4j:log4j-core           | 2.14.1  | fixtures/maven-transitive/registry.xml |
-| https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6  | Maven     | org.apache.logging.log4j:log4j-core           | 2.14.1  | fixtures/maven-transitive/registry.xml |
-+-------------------------------------+------+-----------+-----------------------------------------------+---------+----------------------------------------+
-
----
-
-[TestRun_MavenTransitive/resolve_transitive_dependencies_with_native_datda_source - 2]
-
----
-
 [TestRun_MavenTransitive/scans_dependencies_from_multiple_registries - 1]
 Scanned <rootdir>/fixtures/maven-transitive/registry.xml file as a pom.xml and found 59 packages
 +-------------------------------------+------+-----------+-----------------------------------------------+---------+----------------------------------------+
@@ -2643,21 +2625,7 @@ failed to load image ./fixtures/oci-image/no-file-here.tar: open ./fixtures/oci-
 
 [TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1]
 Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-npm-empty.tar:/lib/apk/db/installed                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
+No issues found
 
 ---
 
@@ -2667,8 +2635,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 [TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1]
 Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar
-Total 3 packages affected by 6 vulnerabilities (2 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-5 vulnerabilities have fixes available.
+Total 2 packages affected by 2 vulnerabilities (2 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
+1 vulnerabilities have fixes available.
 
 npm
 +--------------------------------------------------------------+
@@ -2680,15 +2648,6 @@ npm
 | cryo     | 0.0.6             | No fix available |          1 |
 | minimist | 0.0.8             | Fix Available    |          1 |
 +----------+-------------------+------------------+------------+
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-npm-full.tar:/lib/apk/db/installed                 |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
 
 For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
 You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
@@ -2701,21 +2660,7 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1]
 Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-pnpm-empty.tar:/lib/apk/db/installed               |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
+No issues found
 
 ---
 
@@ -2725,21 +2670,7 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1]
 Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-pnpm-full.tar:/lib/apk/db/installed                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
+No issues found
 
 ---
 
@@ -2749,21 +2680,7 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 [TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1]
 Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-yarn-empty.tar:/lib/apk/db/installed               |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
+No issues found
 
 ---
 
@@ -2773,21 +2690,7 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 [TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1]
 Scanning image ../../internal/image/fixtures/test-node_modules-yarn-full.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-yarn-full.tar:/lib/apk/db/installed                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
+No issues found
 
 ---
 

diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
@@ -763,7 +763,7 @@ func TestRun_OCIImage(t *testing.T) {
 		{
 			name: "scanning node_modules using npm with no packages",
 			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-npm-empty.tar"},
-			exit: 1,
+			exit: 0,
 		},
 		{
 			name: "scanning node_modules using npm with some packages",
@@ -773,22 +773,22 @@ func TestRun_OCIImage(t *testing.T) {
 		{
 			name: "scanning node_modules using yarn with no packages",
 			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-yarn-empty.tar"},
-			exit: 1,
+			exit: 0,
 		},
 		{
 			name: "scanning node_modules using yarn with some packages",
 			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-yarn-full.tar"},
-			exit: 1,
+			exit: 0,
 		},
 		{
 			name: "scanning node_modules using pnpm with no packages",
 			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-pnpm-empty.tar"},
-			exit: 1,
+			exit: 0,
 		},
 		{
 			name: "scanning node_modules using pnpm with some packages",
 			args: []string{"", "--experimental-oci-image", "../../internal/image/fixtures/test-node_modules-pnpm-full.tar"},
-			exit: 1,
+			exit: 0,
 		},
 	}
 	for _, tt := range tests {

diff --git a/docs/github-action.md b/docs/github-action.md
@@ -55,7 +55,7 @@ permissions:
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
 ```
 
 ### View results
@@ -98,7 +98,7 @@ permissions:
 
 jobs:
   scan-scheduled:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
 ```
 
 As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
@@ -133,7 +133,7 @@ permissions:
 
 jobs:
   osv-scan:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
@@ -186,7 +186,7 @@ Examples
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       scan-args: |-
         --lockfile=./path/to/lockfile1
@@ -198,7 +198,7 @@ jobs:
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       scan-args: |-
         --recursive
@@ -225,7 +225,7 @@ jobs:
     name: Vulnerability scanning
     # makes sure the extraction step is completed before running the scanner
     needs: extract-deps
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       # Download the artifact uploaded in extract-deps step
       download-artifact: converted-OSV-Scanner-deps

diff --git a/docs/installation.md b/docs/installation.md
@@ -77,7 +77,7 @@ Alternatively, you can install this from source by running:
 go install github.com/google/osv-scanner/cmd/osv-scanner@v1
 ```
 
-This requires Go 1.22.7+ to be installed.
+This requires Go 1.22.10+ to be installed.
 
 ## Build from source