Commit 5f791d7

authored
fix: Update osv-scanner.json git queries (#2460)
Add a test after fixing the issue mentioned in #2403 (comment). The fix is done in osv-scalibr, and already updated in another PR.
1 parent e7c18a4 commit 5f791d7

6 files changed

+282
-6
lines changed

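--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -3024,6 +3024,61 @@ Scanned <rootdir>/testdata/locks-insecure/osv-scanner-flutter-deps.json file and
 
 ---
 
+[TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 1]
+Scanned <rootdir>/testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package
+Total 1 package affected by 38 known vulnerabilities (4 Critical, 14 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
++--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+
+| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
++--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+
+| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-2274 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-3358 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-3602 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-3786 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-3996 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-4203 | 4.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-4304 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2022-4450 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-0217 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-0464 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-0465 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-0466 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-1255 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-2650 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-2975 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-3817 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-4807 | 7.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-5363 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-5678 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
++--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+
+
+---
+
+[TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 2]
+
+---
+
 [TestCommand_HtmlFile - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package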

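--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -934,6 +934,11 @@ func TestCommand_GithubActions(t *testing.T) {
 Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"},
 Exit: 1,
 },
+{
+Name: "scanning osv-scanner custom format with git tag",
+Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-custom-git-tag.json"},
+Exit: 1,
+},
 {
 Name: "scanning osv-scanner custom format output json",
 Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},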
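Review bot: The new table entry (new-side lines 937–941) has no comment saying which regression it guards, and TestCommand_GithubActions starts and ends outside the hunk, so the intent cannot be recovered from the test alone. The fixture it loads is a GIT-ecosystem package identified only by a tag (`openssl-3.0.4`) with no commit hash, so a line such as `// regression for #2403: GIT package queried by version tag, no commit hash` above the entry would tell the next maintainer why it exists. The recorded snapshot pins 38 findings, including CVE-2016-2177 and CVE-2016-2182 against a 3.0.4 tag, which look like over-matches in the advisory data rather than true positives. It would help to say in the same comment that the case asserts the query path and exit code, not the accuracy of the match set, so a later correction upstream is read as a cassette refresh and not as a scanner regression.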

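--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
@@ -3875,7 +3875,7 @@ interactions:
 },
 {
 "id": "DEBIAN-CVE-2025-9714",
-"modified": "2025-11-20T10:18:28.938756Z"
+"modified": "2026-01-10T14:08:12.148171Z"
 },
 {
 "id": "DLA-3012-1",
@@ -4142,7 +4142,7 @@ interactions:
 },
 {
 "id": "DEBIAN-CVE-2024-13176",
-"modified": "2026-01-04T18:14:22.536487Z"
+"modified": "2026-01-10T14:06:53.941794Z"
 },
 {
 "id": "DEBIAN-CVE-2024-2511",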

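--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml
@@ -2055,7 +2055,7 @@ interactions:
 },
 {
 "id": "DEBIAN-CVE-2025-9714",
-"modified": "2025-11-20T10:18:28.938756Z"
+"modified": "2026-01-10T14:08:12.148171Z"
 },
 {
 "id": "DLA-3012-1",
@@ -2322,7 +2322,7 @@ interactions:
 },
 {
 "id": "DEBIAN-CVE-2024-13176",
-"modified": "2026-01-04T18:14:22.536487Z"
+"modified": "2026-01-10T14:06:53.941794Z"
 },
 {
 "id": "DEBIAN-CVE-2024-2511",
@@ -4517,7 +4517,7 @@ interactions:
 },
 {
 "id": "DEBIAN-CVE-2025-9714",
-"modified": "2025-11-20T10:18:28.938756Z"
+"modified": "2026-01-10T14:08:12.148171Z"
 },
 {
 "id": "DLA-3012-1",
@@ -4784,7 +4784,7 @@ interactions:
 },
 {
 "id": "DEBIAN-CVE-2024-13176",
-"modified": "2026-01-04T18:14:22.536487Z"
+"modified": "2026-01-10T14:06:53.941794Z"
 },
 {
 "id": "DEBIAN-CVE-2024-2511",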

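--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml
@@ -121,3 +121,203 @@ interactions:
 status: 200 OK
 code: 200
 duration: 0s
+- id: 2
+request:
+proto: HTTP/1.1
+proto_major: 1
+proto_minor: 1
+content_length: 169
+host: api.osv.dev
+body: |
+{
+"queries": [
+{
+"package": {
+"ecosystem": "GIT",
+"name": "github.com/openssl/openssl"
+},
+"version": "openssl-3.0.4"
+}
+]
+}
+headers:
+Content-Type:
+- application/json
+X-Test-Name:
+- TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag
+url: https://api.osv.dev/v1/querybatch
+method: POST
+response:
+proto: HTTP/2.0
+proto_major: 2
+proto_minor: 0
+content_length: 2458
+body: |
+{
+"results": [
+{
+"vulns": [
+{
+"id": "CVE-2016-2177",
+"modified": "2025-12-09T16:46:12.318619Z"
+},
+{
+"id": "CVE-2016-2182",
+"modified": "2025-12-09T16:46:26.631815Z"
+},
+{
+"id": "CVE-2021-3449",
+"modified": "2025-12-10T10:07:59.632202Z"
+},
+{
+"id": "CVE-2022-2097",
+"modified": "2025-11-20T11:58:52.675121Z"
+},
+{
+"id": "CVE-2022-2274",
+"modified": "2025-11-20T12:02:14.751377Z"
+},
+{
+"id": "CVE-2022-3358",
+"modified": "2025-11-20T12:07:23.511908Z"
+},
+{
+"id": "CVE-2022-3602",
+"modified": "2025-12-06T07:03:58.914583Z"
+},
+{
+"id": "CVE-2022-3786",
+"modified": "2025-12-10T10:09:17.892841Z"
+},
+{
+"id": "CVE-2022-3996",
+"modified": "2025-11-20T12:10:00.375284Z"
+},
+{
+"id": "CVE-2022-4203",
+"modified": "2025-11-20T12:11:14.835736Z"
+},
+{
+"id": "CVE-2022-4304",
+"modified": "2025-11-20T12:10:27.150998Z"
+},
+{
+"id": "CVE-2022-4450",
+"modified": "2025-11-20T12:10:56.411256Z"
+},
+{
+"id": "CVE-2023-0215",
+"modified": "2025-11-20T12:12:12.402377Z"
+},
+{
+"id": "CVE-2023-0217",
+"modified": "2025-11-20T12:12:13.492583Z"
+},
+{
+"id": "CVE-2023-0286",
+"modified": "2025-11-20T12:12:17.064221Z"
+},
+{
+"id": "CVE-2023-0464",
+"modified": "2025-11-20T12:12:18.734998Z"
+},
+{
+"id": "CVE-2023-0465",
+"modified": "2025-11-20T12:12:19.093875Z"
+},
+{
+"id": "CVE-2023-0466",
+"modified": "2025-11-20T12:12:19.957706Z"
+},
+{
+"id": "CVE-2023-1255",
+"modified": "2025-11-20T12:12:40.724347Z"
+},
+{
+"id": "CVE-2023-2650",
+"modified": "2025-11-20T12:16:52.866359Z"
+},
+{
+"id": "CVE-2023-2975",
+"modified": "2025-11-20T12:17:30.162527Z"
+},
+{
+"id": "CVE-2023-3446",
+"modified": "2025-11-20T12:18:13.491842Z"
+},
+{
+"id": "CVE-2023-3817",
+"modified": "2025-11-20T12:19:02.198369Z"
+},
+{
+"id": "CVE-2023-4807",
+"modified": "2025-11-20T12:22:30.032710Z"
+},
+{
+"id": "CVE-2023-5363",
+"modified": "2025-12-05T03:06:05.983850Z"
+},
+{
+"id": "CVE-2023-5678",
+"modified": "2025-12-05T03:10:25.366442Z"
+},
+{
+"id": "CVE-2023-6129",
+"modified": "2025-11-20T12:22:57.734531Z"
+},
+{
+"id": "CVE-2023-6237",
+"modified": "2025-11-20T12:23:07.333431Z"
+},
+{
+"id": "CVE-2024-0727",
+"modified": "2025-11-20T12:23:31.205630Z"
+},
+{
+"id": "CVE-2024-13176",
+"modified": "2025-11-20T12:24:35.236055Z"
+},
+{
+"id": "CVE-2024-2511",
+"modified": "2025-11-20T12:26:42.817521Z"
+},
+{
+"id": "CVE-2024-4603",
+"modified": "2025-11-20T12:28:59.998868Z"
+},
+{
+"id": "CVE-2024-4741",
+"modified": "2025-11-20T12:31:20.836244Z"
+},
+{
+"id": "CVE-2024-5535",
+"modified": "2025-11-20T12:32:28.603392Z"
+},
+{
+"id": "CVE-2024-6119",
+"modified": "2025-12-05T12:32:36.014822Z"
+},
+{
+"id": "CVE-2024-9143",
+"modified": "2025-11-20T12:29:52.602673Z"
+},
+{
+"id": "CVE-2025-9230",
+"modified": "2025-11-20T12:41:41.279262Z"
+},
+{
+"id": "CVE-2025-9232",
+"modified": "2025-11-20T12:41:41.107151Z"
+}
+]
+}
+]
+}
+headers:
+Content-Length:
+- "2458"
+Content-Type:
+- application/json
+status: 200 OK
+code: 200
+duration: 0s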
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
{
2+
"results": [
3+
{
4+
"source": {},
5+
"packages": [
6+
{
7+
"package": {
8+
"name": "github.com/openssl/openssl",
9+
"version": "openssl-3.0.4",
10+
"ecosystem": "GIT"
11+
}
12+
}
13+
]
14+
}
15+
]
16+
}
