test: introduce a locks-many-with-insecure collection of testdata (#2267)

Currently a lot of our tests use specific files from the
`testdata/locks-many` set for stuff that doesn't actually need
vulnerabilities meaning they'll trigger the warning about ignored vulns
that weren't found that is being introduced in #2216 since there are two
vulns in that set.

To make things cleaner I've copied the existing testdata set into a new
`locks-many-with-insecure`, removed the vulns from the original testdata
set, and updated any tests that do actually want vulnerabilities to use
the new set

Author: G-Rath

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -169,7 +169,7 @@ func TestCommand(t *testing.T) {
 		},
 		{
 			Name: "Sarif with vulns",
-			Args: []string{"", "source", "--format", "sarif", "--config", "./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--format", "sarif", "./testdata/locks-many-with-insecure/package-lock.json"},
 			Exit: 1,
 		},
 		// output format: gh-annotations
@@ -180,13 +180,13 @@ func TestCommand(t *testing.T) {
 		},
 		{
 			Name: "gh-annotations with vulns",
-			Args: []string{"", "source", "--format", "gh-annotations", "--config", "./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--format", "gh-annotations", "./testdata/locks-many-with-insecure/package-lock.json"},
 			Exit: 1,
 		},
 		// output format: markdown table
 		{
 			Name: "output format: markdown table",
-			Args: []string{"", "source", "--format", "markdown", "--config", "./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--format", "markdown", "./testdata/locks-many-with-insecure/package-lock.json"},
 			Exit: 1,
 		},
 		// output format: cyclonedx 1.4
@@ -280,13 +280,13 @@ func TestCommand(t *testing.T) {
 		// broad config file that overrides a whole ecosystem
 		{
 			Name: "config file can be broad",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-composite-config.toml", "--licenses=MIT", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "./testdata/locks-many", "./testdata/locks-insecure", "./testdata/maven-transitive"},
+			Args: []string{"", "source", "--config=./testdata/osv-scanner-composite-config.toml", "--licenses=MIT", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "./testdata/locks-many-with-insecure", "./testdata/locks-insecure", "./testdata/maven-transitive"},
 			Exit: 1,
 		},
 		// ignored vulnerabilities and packages without a reason should be called out
 		{
 			Name: "ignores without reason should be explicitly called out",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-reasonless-ignores-config.toml", "./testdata/locks-many/package-lock.json", "./testdata/locks-many/composer.lock"},
+			Args: []string{"", "source", "--config=./testdata/osv-scanner-reasonless-ignores-config.toml", "./testdata/locks-many-with-insecure/package-lock.json", "./testdata/locks-many/composer.lock"},
 			Exit: 0,
 		},
 		// invalid config file
@@ -879,8 +879,8 @@ func TestCommand_LocalDatabases(t *testing.T) {
 		},
 		{
 			Name: "all supported lockfiles in the directory should be checked",
-			Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many"},
-			Exit: 0,
+			Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many-with-insecure"},
+			Exit: 1,
 		},
 		{
 			Name: "all supported lockfiles in the directory should be checked",
@@ -948,7 +948,7 @@ func TestCommand_LocalDatabases_AlwaysOffline(t *testing.T) {
 	tests := []testcmd.Case{
 		{
 			Name: "a bunch of different lockfiles and ecosystem",
-			Args: []string{"", "source", "--offline", "./testdata/locks-requirements", "./testdata/locks-many"},
+			Args: []string{"", "source", "--offline", "./testdata/locks-requirements", "./testdata/locks-many-with-insecure"},
 			Exit: 127,
 		},
 	}
@@ -1010,12 +1010,12 @@ func TestCommand_Licenses(t *testing.T) {
 		},
 		{
 			Name: "Vulnerabilities and license summary",
-			Args: []string{"", "source", "--licenses", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--licenses", "./testdata/locks-many-with-insecure/package-lock.json"},
 			Exit: 1,
 		},
 		{
 			Name: "Vulnerabilities and license violations with allowlist",
-			Args: []string{"", "source", "--licenses=MIT", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--licenses=MIT", "./testdata/locks-many-with-insecure/package-lock.json"},
 			Exit: 1,
 		},
 		{
@@ -1025,7 +1025,7 @@ func TestCommand_Licenses(t *testing.T) {
 		},
 		{
 			Name: "Vulnerabilities and all license violations allowlisted",
-			Args: []string{"", "source", "--licenses=Apache-2.0", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--licenses=Apache-2.0", "./testdata/locks-many-with-insecure/package-lock.json"},
 			Exit: 1,
 		},
 		{

cmd/osv-scanner/scan/source/command_test.go

@@ -0,0 +1,16 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  ast
+
+RUBY VERSION
+   ruby 3.0.2p107
+
+BUNDLED WITH
+   2.2.28

cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/Gemfile.lock

@@ -0,0 +1,32 @@
+C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=
+P:apk-tools
+V:2.12.10-r1
+A:x86_64
+S:120973
+I:307200
+T:Alpine Package Keeper - package manager for alpine
+U:https://gitlab.alpinelinux.org/alpine/apk-tools
+L:GPL-2.0-only
+o:apk-tools
+m:Natanael Copa <[email protected]>
+t:1666552494
+c:0188f510baadbae393472103427b9c1875117136
+D:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1
+p:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1
+F:etc
+F:etc/apk
+F:etc/apk/keys
+F:etc/apk/protected_paths.d
+F:lib
+R:libapk.so.3.12.0
+a:0:0:755
+Z:Q1opjpYqXgzmOVo7EbNe8l5Xol08g=
+F:lib/apk
+F:lib/apk/exec
+F:sbin
+R:apk
+a:0:0:755
+Z:Q1/4bmOPe/H1YhHRzlrj27oufThMw=
+F:var
+F:var/lib
+F:var/lib/apk

cmd/osv-scanner/scan/source/testdata/locks-many/alpine.cdx.xml renamed to cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/alpine.cdx.xml

@@ -0,0 +1 @@
+_="whatever this is, it's not a lockfile!"

cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/composer.lock

@@ -0,0 +1,7 @@
+require (
+    golang.org/x/net v1.2.3
+)
+
+replace (
+    golang.org/x/net v1.2.3 => ./fork/net
+)