test: use a different name for the default config file and ensure all vulns are ignored (#2254)

This should make it a lot easier to author and maintain cmd tests
without disappointing tools like scorecard and dependabot, as it means
going forward we can just drop a `osv-scanner.toml` configured to ignore
everything into any `testdata` fixture that has actual vulns without it
impacting our tests.

This is even more useful in the context of
#2216 which has us report
ignored vulns that weren't found, which currently happens a lot in our
test suite due to how artificial everything is 😅

Previously we'd discussed making this read from an env variable which I
think could be useful for others, but this starts by just making our
currently-constant "config file name" string an internally public
variable so that we can change it as part of the setup of our tests

Author: G-Rath

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -50,7 +50,6 @@ Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the
 [Test_run_SubCommands/with_no_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
 No issues found
 
 ---
@@ -62,7 +61,6 @@ No issues found
 [Test_run_SubCommands/with_scan_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
 No issues found
 
 ---

cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml

@@ -1,35 +1,2 @@
 [[PackageOverrides]]
-name = "chownr"
-ecosystem = "npm"
 ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "concat-stream"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "hosted-git-info"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "request"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "semver"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "tough-cookie"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml

@@ -1,23 +1,2 @@
 [[PackageOverrides]]
-name = "commons-io:commons-io"
-ecosystem = "Maven"
 ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "org.apache.httpcomponents:httpclient"
-ecosystem = "Maven"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "org.codehaus.plexus:plexus-utils"
-ecosystem = "Maven"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "org.jsoup:jsoup"
-ecosystem = "Maven"
-ignore = true
-reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fix/testmain_test.go

@@ -7,11 +7,14 @@ import (
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd"
+	"github.com/google/osv-scanner/v2/internal/config"
 	"github.com/google/osv-scanner/v2/internal/testlogger"
 	"github.com/google/osv-scanner/v2/internal/testutility"
 )
 
 func TestMain(m *testing.M) {
+	config.OSVScannerConfigName = "osv-scanner-test.toml"
+
 	slog.SetDefault(slog.New(testlogger.New()))
 	testcmd.CommandsUnderTest = []cmd.CommandBuilder{fix.Command}
 	m.Run()

cmd/osv-scanner/scan/__snapshots__/command_test.snap

@@ -14,7 +14,6 @@ No issues found
 [TestCommand_SubCommands/with_no_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
 No issues found
 
 ---
@@ -26,7 +25,6 @@ No issues found
 [TestCommand_SubCommands/with_scan_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
 No issues found
 
 ---

cmd/osv-scanner/scan/image/testdata/java-fixture/app/osv-scanner.toml

@@ -0,0 +1,2 @@
+[[PackageOverrides]]
+ignore = true

cmd/osv-scanner/scan/image/testdata/python-fixture/osv-scanner.toml

@@ -0,0 +1,2 @@
+[[PackageOverrides]]
+ignore = true

cmd/osv-scanner/scan/image/testmain_test.go

@@ -7,11 +7,14 @@ import (
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/image"
+	"github.com/google/osv-scanner/v2/internal/config"
 	"github.com/google/osv-scanner/v2/internal/testlogger"
 	"github.com/google/osv-scanner/v2/internal/testutility"
 )
 
 func TestMain(m *testing.M) {
+	config.OSVScannerConfigName = "osv-scanner-test.toml"
+
 	slog.SetDefault(slog.New(testlogger.New()))
 	testcmd.CommandsUnderTest = []cmd.CommandBuilder{image.Command}
 	m.Run()

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -29,63 +29,63 @@ func TestCommand(t *testing.T) {
 		// one specific supported sbom with vulns
 		{
 			Name: "folder of supported sbom with vulns",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/sbom-insecure/"},
+			Args: []string{"", "source", "./testdata/sbom-insecure/"},
 			Exit: 1,
 		},
 		// one specific supported sbom with only unimportant
 		{
 			Name: "folder of supported sbom with only unimportant",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/sbom-insecure/only-unimportant.spdx.json"},
+			Args: []string{"", "source", "./testdata/sbom-insecure/only-unimportant.spdx.json"},
 			Exit: 0,
 		},
 		// one specific supported sbom with only unimportant but with --all-vulns
 		{
 			Name: "folder of supported sbom with only unimportant",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"},
+			Args: []string{"", "source", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"},
 			Exit: 1,
 		},
 		// one specific supported sbom with vulns
 		{
 			Name: "one specific supported sbom with vulns",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"},
+			Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "one specific supported sbom with vulns using -L flag",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"},
+			Args: []string{"", "source", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"},
 			Exit: 1,
 		},
 		// one specific supported sbom with vulns and invalid PURLs
 		{
 			Name: "one specific supported sbom with invalid PURLs",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/sbom-insecure/bad-purls.cdx.xml"},
+			Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/bad-purls.cdx.xml"},
 			Exit: 0,
 		},
 		{
 			Name: "one specific supported sbom with invalid PURLs using -L flag",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"},
+			Args: []string{"", "source", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"},
 			Exit: 0,
 		},
 		// one specific supported sbom with duplicate PURLs
 		{
 			Name: "one specific supported sbom with duplicate PURLs",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"},
+			Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "one specific supported sbom with duplicate PURLs using -L flag",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"},
+			Args: []string{"", "source", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"},
 			Exit: 1,
 		},
 		// one file that does not match the supported sbom file names
 		{
 			Name: "one file that does not match the supported sbom file names",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--sbom", "./testdata/locks-many/composer.lock"},
+			Args: []string{"", "source", "--sbom", "./testdata/locks-many/composer.lock"},
 			Exit: 127,
 		},
 		{
 			Name: "one file that does not match the supported sbom file names using -L flag",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "spdx:./testdata/locks-many/composer.lock"},
+			Args: []string{"", "source", "-L", "spdx:./testdata/locks-many/composer.lock"},
 			Exit: 127,
 		},
 		// one specific unsupported lockfile
@@ -257,12 +257,12 @@ func TestCommand(t *testing.T) {
 		},
 		{
 			Name: "PURL SBOM case sensitivity (api)",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"},
+			Args: []string{"", "source", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "PURL SBOM case sensitivity (local)",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "--download-offline-databases", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"},
+			Args: []string{"", "source", "--offline", "--download-offline-databases", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"},
 			Exit: 1,
 		},
 		// Go project with an overridden go version
@@ -310,12 +310,12 @@ func TestCommand(t *testing.T) {
 		// a bunch of requirements.txt files with different names
 		{
 			Name: "requirements.txt can have all kinds of names",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-requirements"},
+			Args: []string{"", "source", "./testdata/locks-requirements"},
 			Exit: 1,
 		},
 		{
 			Name: "go_packages_in_osv-scanner.json_format",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner.json"},
+			Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner.json"},
 			Exit: 1,
 		},
 	}
@@ -723,7 +723,6 @@ func TestCommand_LockfileWithExplicitParseAs(t *testing.T) {
 			Args: []string{
 				"",
 				"source",
-				"--config=./testdata/osv-scanner-empty-config.toml",
 				"-L",
 				"package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"),
 				filepath.FromSlash("./testdata/locks-insecure"),
@@ -735,7 +734,6 @@ func TestCommand_LockfileWithExplicitParseAs(t *testing.T) {
 			Args: []string{
 				"",
 				"source",
-				"--config=./testdata/osv-scanner-empty-config.toml",
 				"-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"),
 				"-L", "yarn.lock:" + filepath.FromSlash("./testdata/locks-insecure/my-yarn.lock"),
 				filepath.FromSlash("./testdata/locks-insecure"),
@@ -747,7 +745,6 @@ func TestCommand_LockfileWithExplicitParseAs(t *testing.T) {
 			Args: []string{
 				"",
 				"source",
-				"--config=./testdata/osv-scanner-empty-config.toml",
 				"-L", "yarn.lock:" + filepath.FromSlash("./testdata/locks-insecure/my-yarn.lock"),
 				"-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"),
 				filepath.FromSlash("./testdata/locks-insecure"),
@@ -844,12 +841,12 @@ func TestCommand_GithubActions(t *testing.T) {
 	tests := []testcmd.Case{
 		{
 			Name: "scanning osv-scanner custom format",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"},
+			Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"},
 			Exit: 1,
 		},
 		{
 			Name: "scanning osv-scanner custom format output json",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},
+			Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},
 			Exit: 1,
 		},
 	}
@@ -872,7 +869,7 @@ func TestCommand_LocalDatabases(t *testing.T) {
 		},
 		{
 			Name: "one specific supported sbom with vulns",
-			Args: []string{"", "source", "--offline", "--download-offline-databases", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/sbom-insecure/postgres-stretch.cdx.xml"},
+			Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/sbom-insecure/postgres-stretch.cdx.xml"},
 			Exit: 1,
 		},
 		{
@@ -951,7 +948,7 @@ func TestCommand_LocalDatabases_AlwaysOffline(t *testing.T) {
 	tests := []testcmd.Case{
 		{
 			Name: "a bunch of different lockfiles and ecosystem",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "./testdata/locks-requirements", "./testdata/locks-many"},
+			Args: []string{"", "source", "--offline", "./testdata/locks-requirements", "./testdata/locks-many"},
 			Exit: 127,
 		},
 	}
@@ -1078,12 +1075,12 @@ func TestCommand_Licenses(t *testing.T) {
 		},
 		{
 			Name: "When offline licenses summary cannot be printed",
-			Args: []string{"", "source", "--offline", "--licenses", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--offline", "--licenses", "./testdata/locks-many/package-lock.json"},
 			Exit: 127,
 		},
 		{
 			Name: "When offline licenses cannot be checked",
-			Args: []string{"", "source", "--offline", "--licenses=MIT", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/package-lock.json"},
+			Args: []string{"", "source", "--offline", "--licenses=MIT", "./testdata/locks-many/package-lock.json"},
 			Exit: 127,
 		},
 		{
@@ -1107,69 +1104,69 @@ func TestCommand_Transitive(t *testing.T) {
 	tests := []testcmd.Case{
 		{
 			Name: "scans transitive dependencies for pom.xml by default",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/maven-transitive/pom.xml"},
+			Args: []string{"", "source", "./testdata/maven-transitive/pom.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "scans transitive dependencies by specifying pom.xml",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "pom.xml:./testdata/maven-transitive/abc.xml"},
+			Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/abc.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "scans pom.xml with non UTF-8 encoding",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "pom.xml:./testdata/maven-transitive/encoding.xml"},
+			Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/encoding.xml"},
 			Exit: 1,
 		},
 		{
 			// Direct dependencies do not have any vulnerability.
 			Name: "does not scan transitive dependencies for pom.xml with offline mode",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "--download-offline-databases", "./testdata/maven-transitive/pom.xml"},
+			Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/maven-transitive/pom.xml"},
 			Exit: 0,
 		},
 		{
 			// Direct dependencies do not have any vulnerability.
 			Name: "does not scan transitive dependencies for pom.xml with no-resolve",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/maven-transitive/pom.xml"},
+			Args: []string{"", "source", "--no-resolve", "./testdata/maven-transitive/pom.xml"},
 			Exit: 0,
 		},
 		{
 			Name: "scans dependencies from multiple registries",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
+			Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "resolves transitive dependencies with native data source",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--data-source=native", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
+			Args: []string{"", "source", "--data-source=native", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
 			Exit: 1,
 		},
 		{
 			Name: "uses native data source for requirements.txt",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-requirements/requirements.txt"},
+			Args: []string{"", "source", "./testdata/locks-requirements/requirements.txt"},
 			Exit: 1,
 		},
 		{
 			Name: "fall back to the offline extractor if resolution failed",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-requirements/unresolvable-requirements.txt"},
+			Args: []string{"", "source", "./testdata/locks-requirements/unresolvable-requirements.txt"},
 			Exit: 1,
 		},
 		{
 			Name: "does not scan transitive dependencies for requirements.txt with no-resolve",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/locks-requirements/requirements.txt"},
+			Args: []string{"", "source", "--no-resolve", "./testdata/locks-requirements/requirements.txt"},
 			Exit: 1,
 		},
 		{
 			Name: "does not scan transitive dependencies for requirements.txt with offline mode",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--offline", "--download-offline-databases", "./testdata/locks-requirements/requirements.txt"},
+			Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-requirements/requirements.txt"},
 			Exit: 1,
 		},
 		{
 			Name: "errors_with_invalid_data_source",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--data-source=github", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
+			Args: []string{"", "source", "--data-source=github", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
 			Exit: 127,
 		},
 		{
 			Name: "scan local disk transitive dependencies",
-			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/locks-requirements/requirements-transitive.txt"},
+			Args: []string{"", "source", "--no-resolve", "./testdata/locks-requirements/requirements-transitive.txt"},
 			Exit: 1,
 		},
 	}