google · another-rex · Dec 8, 2025 · Dec 6, 2025
diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
@@ -592,8 +592,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 Scanning local image tarball "./testdata/test-python-full.tar"
 
 Container Scanning Result (Debian GNU/Linux 10 (buster)):
-Total 19 packages affected by 44 known vulnerabilities (1 Critical, 14 High, 14 Medium, 0 Low, 15 Unknown) from 2 ecosystems.
-44 vulnerabilities can be fixed.
+Total 19 packages affected by 46 known vulnerabilities (1 Critical, 16 High, 14 Medium, 0 Low, 15 Unknown) from 2 ecosystems.
+46 vulnerabilities can be fixed.
 
 
 PyPI
@@ -658,7 +658,7 @@ PyPI
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| urllib3 | 1.24.3            | Fix Available |          6 | # 17 Layer       | --            |
+| urllib3 | 1.24.3            | Fix Available |          8 | # 17 Layer       | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 Debian:10
 +-----------------------------------------------------------------------------------------------------------------------------------------------+
@@ -691,8 +691,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 Scanning local image tarball "./testdata/test-package-tracing.tar"
 
 Container Scanning Result (Alpine Linux v3.20):
-Total 9 packages affected by 143 known vulnerabilities (1 Critical, 3 High, 5 Medium, 2 Low, 132 Unknown) from 2 ecosystems.
-143 vulnerabilities can be fixed.
+Total 9 packages affected by 155 known vulnerabilities (1 Critical, 3 High, 5 Medium, 2 Low, 144 Unknown) from 2 ecosystems.
+155 vulnerabilities can be fixed.
 
 
 Go
@@ -701,42 +701,42 @@ Go
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| stdlib  | 1.22.4            | Fix Available |         22 | # 9 Layer        | --            |
+| stdlib  | 1.22.4            | Fix Available |         24 | # 9 Layer        | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 +---------------------------------------------------------------------------------------------+
 | Source:artifact:/go/bin/ptf-1.2.0                                                           |
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| stdlib  | 1.22.4            | Fix Available |         22 | # 2 Layer        | --            |
+| stdlib  | 1.22.4            | Fix Available |         24 | # 2 Layer        | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 +---------------------------------------------------------------------------------------------+
 | Source:artifact:/go/bin/ptf-1.3.0                                                           |
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| stdlib  | 1.22.4            | Fix Available |         22 | # 4 Layer        | --            |
+| stdlib  | 1.22.4            | Fix Available |         24 | # 4 Layer        | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 +---------------------------------------------------------------------------------------------+
 | Source:artifact:/go/bin/ptf-1.3.0-moved                                                     |
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| stdlib  | 1.22.4            | Fix Available |         22 | # 3 Layer        | --            |
+| stdlib  | 1.22.4            | Fix Available |         24 | # 3 Layer        | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 +---------------------------------------------------------------------------------------------+
 | Source:artifact:/go/bin/ptf-1.4.0                                                           |
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| stdlib  | 1.22.4            | Fix Available |         22 | # 2 Layer        | --            |
+| stdlib  | 1.22.4            | Fix Available |         24 | # 2 Layer        | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 +---------------------------------------------------------------------------------------------+
 | Source:artifact:/go/bin/ptf-vulnerable                                                      |
 +---------+-------------------+---------------+------------+------------------+---------------+
 | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
 +---------+-------------------+---------------+------------+------------------+---------------+
-| stdlib  | 1.22.4            | Fix Available |         22 | # 7 Layer        | --            |
+| stdlib  | 1.22.4            | Fix Available |         24 | # 7 Layer        | --            |
 +---------+-------------------+---------------+------------+------------------+---------------+
 Alpine:v3.20
 +------------------------------------------------------------------------------------------------------------------------------+
@@ -1255,14 +1255,16 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
               "index": 17
             }
           },
-          "groups": 6,
+          "groups": 8,
           "vulnerabilities": [
             "PYSEC-2020-148",
             "PYSEC-2021-108",
             "PYSEC-2023-192",
             "PYSEC-2023-212",
+            "GHSA-2xpw-w6gg-jr37",
             "GHSA-34jh-p97f-mpxf",
             "GHSA-g4mx-q9vg-27p4",
+            "GHSA-gm62-xv2j-4w53",
             "GHSA-pq67-6m6q-mj2v",
             "GHSA-v845-jxx5-vc9f",
             "GHSA-wqvq-5m8c-6g24"
@@ -1938,7 +1940,7 @@ Scanning local image tarball "./testdata/test-image-with-deprecated.tar"
               "index": 2
             }
           },
-          "groups": 22,
+          "groups": 24,
           "vulnerabilities": [
             "GO-2024-2963",
             "GO-2024-3105",
@@ -1961,7 +1963,9 @@ Scanning local image tarball "./testdata/test-image-with-deprecated.tar"
             "GO-2025-4012",
             "GO-2025-4013",
             "GO-2025-4014",
-            "GO-2025-4015"
+            "GO-2025-4015",
+            "GO-2025-4155",
+            "GO-2025-4175"
           ]
         },
         {
@@ -3486,7 +3490,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
               "index": 7
             }
           },
-          "groups": 74,
+          "groups": 76,
           "vulnerabilities": [
             "GO-2022-0477",
             "GO-2022-0493",
@@ -3561,7 +3565,9 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
             "GO-2025-4012",
             "GO-2025-4013",
             "GO-2025-4014",
-            "GO-2025-4015"
+            "GO-2025-4015",
+            "GO-2025-4155",
+            "GO-2025-4175"
           ]
         }
       ]

diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_Docker.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_Docker.yaml
@@ -12,109 +12,109 @@ interactions:
         {
           "queries": [
             {
+              "version": "3.4.3-r1",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "alpine-baselayout"
-              },
-              "version": "3.4.3-r1"
+                "name": "alpine-baselayout",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "3.4.3-r1",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "alpine-baselayout"
-              },
-              "version": "3.4.3-r1"
+                "name": "alpine-baselayout",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "2.4-r1",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "alpine-keys"
-              },
-              "version": "2.4-r1"
+                "name": "alpine-keys",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "2.14.4-r0",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "apk-tools"
-              },
-              "version": "2.14.4-r0"
+                "name": "apk-tools",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.36.1-r7",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "busybox"
-              },
-              "version": "1.36.1-r7"
+                "name": "busybox",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.36.1-r7",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "busybox"
-              },
-              "version": "1.36.1-r7"
+                "name": "busybox",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "20240226-r0",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "ca-certificates"
-              },
-              "version": "20240226-r0"
+                "name": "ca-certificates",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "0.7.2-r5",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "libc-dev"
-              },
-              "version": "0.7.2-r5"
+                "name": "libc-dev",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "3.1.7-r0",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "openssl"
-              },
-              "version": "3.1.7-r0"
+                "name": "openssl",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "3.1.7-r0",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "openssl"
-              },
-              "version": "3.1.7-r0"
+                "name": "openssl",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.2.4-r2",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "musl"
-              },
-              "version": "1.2.4-r2"
+                "name": "musl",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.2.4-r2",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "musl"
-              },
-              "version": "1.2.4-r2"
+                "name": "musl",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.3.7-r1",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "pax-utils"
-              },
-              "version": "1.3.7-r1"
+                "name": "pax-utils",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.36.1-r7",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "busybox"
-              },
-              "version": "1.36.1-r7"
+                "name": "busybox",
+                "ecosystem": "Alpine:v3.18"
+              }
             },
             {
+              "version": "1.2.13-r1",
               "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "zlib"
-              },
-              "version": "1.2.13-r1"
+                "name": "zlib",
+                "ecosystem": "Alpine:v3.18"
+              }
             }
           ]
         }
@@ -145,39 +145,39 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2024-13176",
-                  "modified": "2025-11-19T06:11:21.935709Z"
+                  "modified": "2025-12-03T22:55:07.817006Z"
                 },
                 {
                   "id": "ALPINE-CVE-2024-9143",
-                  "modified": "2025-11-19T06:21:15.538783Z"
+                  "modified": "2025-12-03T22:57:50.413061Z"
                 }
               ]
             },
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2024-13176",
-                  "modified": "2025-11-19T06:11:21.935709Z"
+                  "modified": "2025-12-03T22:55:07.817006Z"
                 },
                 {
                   "id": "ALPINE-CVE-2024-9143",
-                  "modified": "2025-11-19T06:21:15.538783Z"
+                  "modified": "2025-12-03T22:57:50.413061Z"
                 }
               ]
             },
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2025-26519",
-                  "modified": "2025-11-19T06:21:21.194626Z"
+                  "modified": "2025-12-03T22:58:36.705692Z"
                 }
               ]
             },
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2025-26519",
-                  "modified": "2025-11-19T06:21:21.194626Z"
+                  "modified": "2025-12-03T22:58:36.705692Z"
                 }
               ]
             },