feat: update scalibr to the latest version (#2446)

This PR updates scalibr to the latests version which includes two major
changes:
- Plugin Configuration: adopting the new protobuf-based configuration
for plugins. The code has been refactored to use this new approach,
which simplifies how features like transitive dependency resolution are
managed.
- Error Handling: Plugin initialization functions in osv-scalibr now
return an error, allowing for more robust error handling during setup.

Author: cuixq

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -47,7 +47,7 @@ OPTIONS:
 
 [Test_run/version - 1]
 osv-scanner version: 2.3.1
-osv-scalibr version: 0.4.0
+osv-scalibr version: 0.4.1
 commit: n/a
 built at: n/a
 

cmd/osv-scanner/scan/source/command.go

@@ -110,7 +110,7 @@ func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, clien
 	experimentalScannerActions := helper.GetExperimentalScannerActions(cmd, client)
 	experimentalScannerActions.RequestUserAgent = "osv-scanner_scan-source/" + version.OSVVersion
 	// Add `source` specific experimental configs
-	experimentalScannerActions.TransitiveScanningActions = osvscanner.TransitiveScanningActions{
+	experimentalScannerActions.TransitiveScanning = osvscanner.TransitiveScanningActions{
 		Disabled:         cmd.Bool("no-resolve"),
 		NativeDataSource: cmd.String("data-source") == "native",
 		MavenRegistry:    cmd.String("maven-registry"),

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/go-git/go-git/v5 v5.16.4
 	github.com/goccy/go-yaml v1.19.1
 	github.com/google/go-cmp v0.7.0
-	github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036
+	github.com/google/osv-scalibr v0.4.2-0.20260109000604-557385a20603
 	github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f
 	github.com/jedib0t/go-pretty/v6 v6.7.8
 	github.com/modelcontextprotocol/go-sdk v1.2.0

go.sum

@@ -256,8 +256,8 @@ github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEE
 github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y=
 github.com/google/jsonschema-go v0.3.0 h1:6AH2TxVNtk3IlvkkhjrtbUc4S8AvO0Xii0DxIygDg+Q=
 github.com/google/jsonschema-go v0.3.0/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
-github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036 h1:a+w+8ZQYYybXPWI1yJD+mXri5fMLcThlP41rIB7XNns=
-github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036/go.mod h1:9Ze2W6nQmu1WX2s95ezOAVZhPDbcA6ZGuEHgFT/sQEU=
+github.com/google/osv-scalibr v0.4.2-0.20260109000604-557385a20603 h1:yiXRYOjrw8KOIaJXz1kR1L15D5TtX1lBNYnXlG4c7vU=
+github.com/google/osv-scalibr v0.4.2-0.20260109000604-557385a20603/go.mod h1:3O4zXBBTy4lbryN1YZXpt/8r+AUJJMnsi5s0+oRFwJo=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

internal/scalibrextract/language/java/pomxmlenhanceable/pomxmlenhanceable.go

@@ -4,6 +4,7 @@ package pomxmlenhanceable
 import (
 	"context"
 
+	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
 	"github.com/google/osv-scalibr/extractor/filesystem"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxmlnet"
@@ -77,23 +78,26 @@ func (e *Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (i
 var _ filesystem.Extractor = &Extractor{}
 
 type enhanceable interface {
-	Enhance(config pomxmlnet.Config)
+	Enhance(config *cpb.PluginConfig) error
 }
 
 // Enhance uses the given config to improve the abilities of this extractor,
 // at the cost of additional requirements such as networking and direct fs access
-func (e *Extractor) Enhance(config pomxmlnet.Config) {
-	e.online = pomxmlnet.New(config)
+func (e *Extractor) Enhance(config *cpb.PluginConfig) (err error) {
+	e.online, err = pomxmlnet.New(config)
+	return
 }
 
 var _ enhanceable = &Extractor{}
 
 // EnhanceIfPossible calls Extractor.Enhance with the given config if the
 // provided plug(in) is an Extractor
-func EnhanceIfPossible(plug plugin.Plugin, config pomxmlnet.Config) {
+func EnhanceIfPossible(plug plugin.Plugin, config *cpb.PluginConfig) error {
 	us, ok := plug.(enhanceable)
 
 	if ok {
-		us.Enhance(config)
+		return us.Enhance(config)
 	}
+
+	return nil
 }

internal/scalibrplugin/presets.go

@@ -192,16 +192,19 @@ func baseImageEnricher() enricher.Enricher {
 // TODO(b/400910349): Remove once all plugins take config values.
 // Copied from osv-scalibr
 func noCFG(f func() filesystem.Extractor) extractors.InitFn {
-	return func(_ *cpb.PluginConfig) filesystem.Extractor { return f() }
+	return func(_ *cpb.PluginConfig) (filesystem.Extractor, error) { return f(), nil }
 }
 
 // Wraps initer functions that don't take any config value to initer functions that do.
 // TODO(b/400910349): Remove once all plugins take config values.
 // Copied from osv-scalibr
 func noCFGEnricher(f func() enricher.Enricher) enricherlist.InitFn {
-	return func(_ *cpb.PluginConfig) enricher.Enricher { return f() }
+	return func(_ *cpb.PluginConfig) (enricher.Enricher, error) { return f(), nil }
 }
 
+// Wraps initer functions that don't take any config value to initer functions that do.
+// TODO(b/400910349): Remove once all plugins take config values.
+// Copied from osv-scalibr
 func noCFGAnnotator(f func() annotator.Annotator) annotatorlist.InitFn {
-	return func(_ *cpb.PluginConfig) annotator.Annotator { return f() }
+	return func(_ *cpb.PluginConfig) (annotator.Annotator, error) { return f(), nil }
 }

pkg/osvscanner/osvscanner.go

@@ -12,12 +12,11 @@ import (
 	"sort"
 	"time"
 
-	"deps.dev/util/resolve"
 	scalibr "github.com/google/osv-scalibr"
 	"github.com/google/osv-scalibr/artifact/image/layerscanning/image"
 	"github.com/google/osv-scalibr/binary/proto"
+	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
 	"github.com/google/osv-scalibr/clients/datasource"
-	"github.com/google/osv-scalibr/clients/resolution"
 	"github.com/google/osv-scalibr/enricher/packagedeprecation"
 	"github.com/google/osv-scalibr/enricher/reachability/java"
 	"github.com/google/osv-scalibr/extractor"
@@ -71,7 +70,7 @@ type ScannerActions struct {
 }
 
 type ExperimentalScannerActions struct {
-	TransitiveScanningActions
+	TransitiveScanning TransitiveScanningActions
 
 	PluginsEnabled    []string
 	PluginsDisabled   []string
@@ -101,15 +100,8 @@ type ExternalAccessors struct {
 	VulnMatcher    clientinterfaces.VulnerabilityMatcher
 	LicenseMatcher clientinterfaces.LicenseMatcher
 
-	// Required for pomxmlnet Extractor
-	MavenRegistryAPIClient *datasource.MavenRegistryAPIClient
 	// Required for vendored Extractor
 	OSVDevClient *osvdev.OSVClient
-
-	// DependencyClients is a map of implementations of DependencyClient
-	// for each ecosystem, the following is currently implemented:
-	// - [osvschema.EcosystemMaven] required for pomxmlnet Extractor
-	DependencyClients map[osvconstants.Ecosystem]resolve.Client
 }
 
 // ErrNoPackagesFound for when no packages are found during a scan.
@@ -124,10 +116,7 @@ var ErrVulnerabilitiesFound = errors.New("vulnerabilities found")
 var ErrAPIFailed = errors.New("API query failed")
 
 func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, error) {
-	ctx := context.Background()
-	externalAccessors := ExternalAccessors{
-		DependencyClients: map[osvconstants.Ecosystem]resolve.Client{},
-	}
+	externalAccessors := ExternalAccessors{}
 	var err error
 
 	userAgent := "osv-scanner-api"
@@ -171,34 +160,6 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err
 	externalAccessors.OSVDevClient = osvdev.DefaultClient()
 	externalAccessors.OSVDevClient.Config.UserAgent = userAgent
 
-	// --- No Transitive Scanning ---
-	if actions.Disabled {
-		return externalAccessors, nil
-	}
-
-	// --- Transitive Scanning Clients ---
-	externalAccessors.MavenRegistryAPIClient, err = datasource.NewMavenRegistryAPIClient(ctx, datasource.MavenRegistry{
-		URL:             actions.MavenRegistry,
-		ReleasesEnabled: true,
-	}, "", false)
-
-	if err != nil {
-		return ExternalAccessors{}, err
-	}
-
-	if !actions.NativeDataSource {
-		externalAccessors.DependencyClients[osvconstants.EcosystemMaven], err = resolution.NewDepsDevClient(depsdev.DepsdevAPI, userAgent)
-	} else {
-		externalAccessors.DependencyClients[osvconstants.EcosystemMaven], err = resolution.NewMavenRegistryClient(ctx, actions.MavenRegistry, "", false)
-	}
-
-	// We only support native registry client for PyPI.
-	externalAccessors.DependencyClients[osvconstants.EcosystemPyPI] = resolution.NewPyPIRegistryClient("", "")
-
-	if err != nil {
-		return ExternalAccessors{}, err
-	}
-
 	return externalAccessors, nil
 }
 
@@ -316,7 +277,14 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error
 	}
 
 	if actions.FlagDeprecatedPackages {
-		plugins = append(plugins, packagedeprecation.New())
+		p, err := packagedeprecation.New(&cpb.PluginConfig{
+			UserAgent: actions.RequestUserAgent,
+		})
+		if err != nil {
+			cmdlogger.Errorf("Failed to enable packagedeprecation enricher: %v", err)
+		} else {
+			plugins = append(plugins, p)
+		}
 	}
 
 	// --- Initialize Image To Scan ---'

pkg/osvscanner/scan.go

@@ -11,17 +11,18 @@ import (
 	"strings"
 
 	scalibr "github.com/google/osv-scalibr"
+	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
 	"github.com/google/osv-scalibr/enricher"
 	"github.com/google/osv-scalibr/enricher/packagedeprecation"
 	"github.com/google/osv-scalibr/enricher/reachability/java"
 	transitivedependencyrequirements "github.com/google/osv-scalibr/enricher/transitivedependency/requirements"
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/extractor/filesystem"
-	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxmlnet"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements"
 	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
 	"github.com/google/osv-scalibr/fs"
 	"github.com/google/osv-scalibr/inventory"
+	"github.com/google/osv-scalibr/log"
 	"github.com/google/osv-scalibr/plugin"
 	"github.com/google/osv-scanner/v2/internal/cmdlogger"
 	"github.com/google/osv-scanner/v2/internal/imodels"
@@ -32,18 +33,29 @@ import (
 	"github.com/google/osv-scanner/v2/internal/scalibrplugin"
 	"github.com/google/osv-scanner/v2/internal/testlogger"
 	"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/scanners"
-	"github.com/ossf/osv-schema/bindings/go/osvconstants"
 )
 
 var ErrExtractorNotFound = errors.New("could not determine extractor suitable to this file")
 
 func configurePlugins(plugins []plugin.Plugin, accessors ExternalAccessors, actions ScannerActions) {
 	for _, plug := range plugins {
-		if accessors.DependencyClients[osvconstants.EcosystemMaven] != nil && accessors.MavenRegistryAPIClient != nil {
-			pomxmlenhanceable.EnhanceIfPossible(plug, pomxmlnet.Config{
-				DependencyClient:       accessors.DependencyClients[osvconstants.EcosystemMaven],
-				MavenRegistryAPIClient: accessors.MavenRegistryAPIClient,
+		if !actions.TransitiveScanning.Disabled {
+			err := pomxmlenhanceable.EnhanceIfPossible(plug, &cpb.PluginConfig{
+				UserAgent: actions.RequestUserAgent,
+				PluginSpecific: []*cpb.PluginSpecificConfig{
+					{
+						Config: &cpb.PluginSpecificConfig_PomXmlNet{
+							PomXmlNet: &cpb.POMXMLNetConfig{
+								UpstreamRegistry:    actions.TransitiveScanning.MavenRegistry,
+								DepsDevRequirements: !actions.TransitiveScanning.NativeDataSource,
+							},
+						},
+					},
+				},
 			})
+			if err != nil {
+				log.Errorf("Failed to enhance pomxml extractor: %v", err)
+			}
 		}
 
 		vendored.Configure(plug, vendored.Config{
@@ -81,9 +93,16 @@ func getPlugins(defaultPlugins []string, accessors ExternalAccessors, actions Sc
 
 	plugins := scalibrplugin.Resolve(actions.PluginsEnabled, actions.PluginsDisabled)
 
-	// todo: use Enricher.RequiredPlugins to check this generically
-	if accessors.DependencyClients[osvconstants.EcosystemPyPI] != nil && isRequirementsExtractorEnabled(plugins) {
-		plugins = append(plugins, transitivedependencyrequirements.NewEnricher(accessors.DependencyClients[osvconstants.EcosystemPyPI]))
+	// TODO: Use Enricher.RequiredPlugins to check this generically
+	if !actions.TransitiveScanning.Disabled && isRequirementsExtractorEnabled(plugins) {
+		p, err := transitivedependencyrequirements.New(&cpb.PluginConfig{
+			UserAgent: actions.RequestUserAgent,
+		})
+		if err != nil {
+			log.Errorf("Failed to make transitivedependencyrequirements enricher: %v", err)
+		} else {
+			plugins = append(plugins, p)
+		}
 	}
 
 	configurePlugins(plugins, accessors, actions)
@@ -126,7 +145,14 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*imodels.ScanRes
 	}
 
 	if actions.FlagDeprecatedPackages {
-		plugins = append(plugins, packagedeprecation.New())
+		p, err := packagedeprecation.New(&cpb.PluginConfig{
+			UserAgent: actions.RequestUserAgent,
+		})
+		if err != nil {
+			log.Errorf("Failed to make packagedeprecation enricher: %v", err)
+		} else {
+			plugins = append(plugins, p)
+		}
 	}
 
 	scanner := scalibr.New()