diff --git a/internal/output/__snapshots__/githubannotation_test.snap b/internal/output/__snapshots__/githubannotation_test.snap index 591ce3d5725..bd1f9dd480a 100755 --- a/internal/output/__snapshots__/githubannotation_test.snap +++ b/internal/output/__snapshots__/githubannotation_test.snap 
@@ -59,10 +59,22 @@ ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+------------------+------+-----------------+---------------+%0A+---------+------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+------------------+------+-----------------+---------------+%0A+---------+------------------+------+-----------------+---------------+ --- +[TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION 
|%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ +--- + [TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- +[TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION 
|%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ +--- + +[TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ +--- + [TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- 
@@ -91,6 +103,10 @@ ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- +[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION 
|%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------+-----------------------+------+-----------------+---------------+ +--- + [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_no_packages - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+------------------+------+-----------------+---------------+%0A+---------+------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+------------------+------+-----------------+---------------+%0A+---------+------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+------------------+------+-----------------+---------------+%0A+---------+------------------+------+-----------------+---------------+ --- 
@@ -107,6 +123,18 @@ ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+------------------+------+-----------------+---------------+%0A+---------+------------------+------+-----------------+---------------+ --- +[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/GHSA-123 | | 1.2.3 | |%0A+---------+--------------------------+------+-----------------+---------------+ +--- + +[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ +--- + +[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | 
https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ +--- + [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- 
@@ -115,6 +143,10 @@ ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- +[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] +::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+ +--- + [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+ --- diff --git a/internal/output/__snapshots__/machinejson_test.snap b/internal/output/__snapshots__/machinejson_test.snap index ff1db9f942c..c3f0c7f4df8 100755 --- a/internal/output/__snapshots__/machinejson_test.snap +++ b/internal/output/__snapshots__/machinejson_test.snap 
@@ -843,7 +843,7 @@ --- -[TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] +[TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "results": [ { @@ -877,6 +877,11 @@ "OSV-1" ], "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": false + } + }, "max_severity": "" } ], @@ -920,6 +925,11 @@ "OSV-2" ], "aliases": null, + "experimentalAnalysis": { + "OSV-2": { + "called": true + } + }, "max_severity": "" } ], @@ -983,6 +993,11 @@ "OSV-1" ], "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": false + } + }, "max_severity": "" } ], @@ -1008,7 +1023,7 @@ --- -[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] +[TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "results": [ { @@ -1053,43 +1068,27 @@ ] } ] - } - ], - "experimental_config": { - "licenses": { - "summary": false, - "allowlist": [ - "ISC" - ] - } - } -} - ---- - -[TestPrintJSONResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] -{ - "results": [ + }, { "source": { - "path": "path/to/my/first/lockfile", + "path": "path/to/my/second/lockfile", "type": "" }, "packages": [ { "package": { - "name": "mine1", - "version": "1.2.3", + "name": "mine2", + "version": "3.2.5", "ecosystem": "npm" }, "vulnerabilities": [ { "modified": "0001-01-01T00:00:00Z", - "id": "OSV-1", - "summary": "Something scary!", + "id": "OSV-2", + "summary": "Something less scary!", "severity": [ { - "type": "high", + "type": "low", "score": "1" } ] @@ -1098,7 +1097,7 @@ "groups": [ { "ids": [ - "OSV-1" + "OSV-2" ], "aliases": null, "max_severity": "" 
@@ -1107,19 +1106,29 @@ "licenses": [ "ISC" ] + }, + { + "package": { + "name": "mine3", + "version": "0.4.1", + "ecosystem": "npm" + }, + "licenses": [ + "ISC" + ] } ] }, { "source": { - "path": "path/to/my/second/lockfile", + "path": "path/to/my/third/lockfile", "type": "" }, "packages": [ { "package": { - "name": "mine2", - "version": "5.9.0", + "name": "mine1", + "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ @@ -1128,6 +1137,41 @@ "license_violations": [ "MIT" ] + }, + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + } + ], + "licenses": [ + "Apache-2.0" + ], + "license_violations": [ + "Apache-2.0" + ] } ] } @@ -1144,7 +1188,7 @@ --- -[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] +[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "results": [ { @@ -1159,10 +1203,6 @@ "version": "1.2.3", "ecosystem": "npm" }, - "dependency_groups": [ - "dev", - "optional" - ], "vulnerabilities": [ { "modified": "0001-01-01T00:00:00Z", @@ -1174,17 +1214,6 @@ "score": "1" } ] - }, - { - "modified": "0001-01-01T00:00:00Z", - "id": "OSV-5", - "summary": "Something scarier!", - "severity": [ - { - "type": "extreme", - "score": "1" - } - ] } ], "groups": [ 
@@ -1193,21 +1222,49 @@ "OSV-1" ], "aliases": null, - "max_severity": "" - }, - { - "ids": [ - "OSV-5" - ], - "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": true + } + }, "max_severity": "" } + ], + "licenses": [ + "MIT" + ], + "license_violations": [ + "MIT" ] - }, + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": [ + "ISC" + ] + } + } +} + +--- + +[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ { "package": { "name": "mine1", - "version": "1.2.2", + "version": "1.2.3", "ecosystem": "npm" }, "vulnerabilities": [ @@ -1229,35 +1286,59 @@ "OSV-1" ], "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": false + } + }, "max_severity": "" } + ], + "licenses": [ + "MIT" + ], + "license_violations": [ + "MIT" ] } ] - }, + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": [ + "ISC" + ] + } + } +} + +--- + +[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] +{ + "results": [ { "source": { - "path": "path/to/my/second/lockfile", + "path": "path/to/my/first/lockfile", "type": "" }, "packages": [ { "package": { - "name": "mine2", - "version": "3.2.5", + "name": "mine1", + "version": "1.2.3", "ecosystem": "npm" }, - "dependency_groups": [ - "dev" - ], "vulnerabilities": [ { "modified": "0001-01-01T00:00:00Z", - "id": "OSV-2", - "summary": "Something less scary!", + "id": "OSV-1", + "summary": "Something scary!", "severity": [ { - "type": "low", + "type": "high", "score": "1" } ] 
@@ -1266,61 +1347,17 @@ "groups": [ { "ids": [ - "OSV-2" + "OSV-1" ], "aliases": null, "max_severity": "" } - ] - }, - { - "package": { - "name": "mine3", - "version": "0.4.1", - "ecosystem": "npm" - }, - "dependency_groups": [ - "build" ], - "vulnerabilities": [ - { - "modified": "0001-01-01T00:00:00Z", - "id": "OSV-3", - "summary": "Something mildly scary!", - "severity": [ - { - "type": "medium", - "score": "1" - } - ] - }, - { - "modified": "0001-01-01T00:00:00Z", - "id": "OSV-5", - "summary": "Something scarier!", - "severity": [ - { - "type": "extreme", - "score": "1" - } - ] - } + "licenses": [ + "MIT" ], - "groups": [ - { - "ids": [ - "OSV-3" - ], - "aliases": null, - "max_severity": "" - }, - { - "ids": [ - "OSV-5" - ], - "aliases": null, - "max_severity": "" - } + "license_violations": [ + "MIT" ] } ] @@ -1329,14 +1366,16 @@ "experimental_config": { "licenses": { "summary": false, - "allowlist": null + "allowlist": [ + "ISC" + ] } } } --- -[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] +[TestPrintJSONResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "results": [ { 
@@ -1362,14 +1401,283 @@ "score": "1" } ] - }, + } + ], + "groups": [ { - "modified": "0001-01-01T00:00:00Z", - "id": "OSV-5", - "summary": "Something scarier!", - "severity": [ - { - "type": "extreme", + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + } + ], + "licenses": [ + "ISC" + ] + } + ] + }, + { + "source": { + "path": "path/to/my/second/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine2", + "version": "5.9.0", + "ecosystem": "npm" + }, + "licenses": [ + "MIT" + ], + "license_violations": [ + "MIT" + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": [ + "ISC" + ] + } + } +} + +--- + +[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "dependency_groups": [ + "dev", + "optional" + ], + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-5", + "summary": "Something scarier!", + "severity": [ + { + "type": "extreme", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + }, + { + "ids": [ + "OSV-5" + ], + "aliases": null, + "max_severity": "" + } + ] + }, + { + "package": { + "name": "mine1", + "version": "1.2.2", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + } + ] + } + ] + }, + { + "source": { + "path": 
"path/to/my/second/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine2", + "version": "3.2.5", + "ecosystem": "npm" + }, + "dependency_groups": [ + "dev" + ], + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-2", + "summary": "Something less scary!", + "severity": [ + { + "type": "low", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-2" + ], + "aliases": null, + "max_severity": "" + } + ] + }, + { + "package": { + "name": "mine3", + "version": "0.4.1", + "ecosystem": "npm" + }, + "dependency_groups": [ + "build" + ], + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-3", + "summary": "Something mildly scary!", + "severity": [ + { + "type": "medium", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-5", + "summary": "Something scarier!", + "severity": [ + { + "type": "extreme", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-3" + ], + "aliases": null, + "max_severity": "" + }, + { + "ids": [ + "OSV-5" + ], + "aliases": null, + "max_severity": "" + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } +} + +--- + +[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-5", + "summary": "Something scarier!", + "severity": [ + { + "type": "extreme", "score": "1" } ] 
@@ -1701,7 +2009,188 @@ "summary": "Something scary!", "severity": [ { - "type": "high", + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } +} + +--- + +[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "Packagist" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-5", + "summary": "Something scarier!", + "severity": [ + { + "type": "extreme", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + }, + { + "ids": [ + "OSV-5" + ], + "aliases": null, + "max_severity": "" + } + ] + }, + { + "package": { + "name": "mine1", + "version": "1.2.2", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "max_severity": "" + } + ] + } + ] + }, + { + "source": { + "path": "path/to/my/second/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine2", + "version": "3.2.5", + "ecosystem": "NuGet" + }, + "dependency_groups": [ + "dev" + ], + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-2", + "summary": "Something less scary!", + "severity": [ + { + "type": "low", + "score": "1" + } + ] + } + ], 
+ "groups": [ + { + "ids": [ + "OSV-2" + ], + "aliases": null, + "max_severity": "" + } + ] + }, + { + "package": { + "name": "mine3", + "version": "0.4.1", + "ecosystem": "Packagist" + }, + "dependency_groups": [ + "build" + ], + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-3", + "summary": "Something mildly scary!", + "severity": [ + { + "type": "medium", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-5", + "summary": "Something scarier!", + "severity": [ + { + "type": "extreme", "score": "1" } ] @@ -1710,7 +2199,14 @@ "groups": [ { "ids": [ - "OSV-1" + "OSV-3" + ], + "aliases": null, + "max_severity": "" + }, + { + "ids": [ + "OSV-5" ], "aliases": null, "max_severity": "" @@ -1730,7 +2226,7 @@ --- -[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] +[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "results": [ { @@ -1775,6 +2271,11 @@ "OSV-1" ], "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": false + } + }, "max_severity": "" }, { @@ -1782,6 +2283,11 @@ "OSV-5" ], "aliases": null, + "experimentalAnalysis": { + "OSV-5": { + "called": true + } + }, "max_severity": "" } ] @@ -1894,6 +2400,11 @@ "OSV-3" ], "aliases": null, + "experimentalAnalysis": { + "OSV-3": { + "called": true + } + }, "max_severity": "" }, { 
@@ -2016,6 +2527,197 @@ --- +[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "GHSA-123", + "summary": "Something scarier!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": true + } + }, + "max_severity": "" + }, + { + "ids": [ + "GHSA-123" + ], + "aliases": null, + "experimentalAnalysis": { + "GHSA-123": { + "called": false + } + }, + "max_severity": "" + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } +} + +--- + +[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": true + } + }, + "max_severity": "" + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } +} + +--- + +[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability 
- 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1" + ], + "aliases": null, + "experimentalAnalysis": { + "OSV-1": { + "called": false + } + }, + "max_severity": "" + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } +} + +--- + [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "results": [ @@ -2121,6 +2823,80 @@ --- +[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] +{ + "results": [ + { + "source": { + "path": "path/to/my/first/lockfile", + "type": "" + }, + "packages": [ + { + "package": { + "name": "mine1", + "version": "1.2.3", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "0001-01-01T00:00:00Z", + "id": "OSV-1", + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + }, + { + "modified": "0001-01-01T00:00:00Z", + "id": "GHSA-123", + "aliases": [ + "OSV-1" + ], + "summary": "Something scary!", + "severity": [ + { + "type": "high", + "score": "1" + } + ] + } + ], + "groups": [ + { + "ids": [ + "OSV-1", + "GHSA-123" + ], + "aliases": [ + "OSV-1", + "GHSA-123" + ], + "experimentalAnalysis": { + "OSV-1": { + "called": false + } + }, + "max_severity": "" + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } +} + +--- + [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] { "results": [ 
diff --git a/internal/output/__snapshots__/markdowntable_test.snap b/internal/output/__snapshots__/markdowntable_test.snap index 423fbb45fc0..04d245bd9f7 100755 --- a/internal/output/__snapshots__/markdowntable_test.snap +++ b/internal/output/__snapshots__/markdowntable_test.snap @@ -86,6 +86,21 @@ --- +[TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | +| Uncalled vulnerabilities | | | | | | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | +| License Violation | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | +| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | +| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | + +--- + [TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] | OSV URL | CVSS | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | --- | 
@@ -100,6 +115,27 @@ --- +[TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| License Violation | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | +| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + +[TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| Uncalled vulnerabilities | | | | | | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| License Violation | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | +| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + [TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] | OSV URL | CVSS | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | --- | 
@@ -169,6 +205,19 @@ --- +[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| https://osv.dev/OSV-5 | | Packagist | mine1 | 1.2.3 | path/to/my/first/lockfile | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | path/to/my/first/lockfile | +| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | path/to/my/second/lockfile | +| https://osv.dev/OSV-3 | | Packagist | mine3 | 0.4.1 | path/to/my/second/lockfile | +| https://osv.dev/OSV-5 | | Packagist | mine3 | 0.4.1 | path/to/my/second/lockfile | +| Uncalled vulnerabilities | | | | | | +| https://osv.dev/OSV-1 | | Packagist | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] --- 
@@ -185,6 +234,30 @@ --- +[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| Uncalled vulnerabilities | | | | | | +| https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + +[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + +[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| Uncalled vulnerabilities | | | | | | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] | OSV URL | CVSS | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | --- | @@ -199,6 +272,14 @@ --- +[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] +| OSV URL | CVSS | Ecosystem | Package | Version | Source | +| --- | --- | --- | --- | --- | --- | +| Uncalled vulnerabilities | | | | | | +| https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | + +--- + [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] | OSV URL | CVSS | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | --- | diff --git a/internal/output/__snapshots__/sarif_test.snap b/internal/output/__snapshots__/sarif_test.snap index f652d81d403..2bb5e39755a 100755 --- a/internal/output/__snapshots__/sarif_test.snap +++ b/internal/output/__snapshots__/sarif_test.snap @@ -453,7 +453,7 @@ --- -[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] +[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", @@ -583,7 +583,7 @@ --- -[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] +[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -608,8 +608,26 @@ "OSV-1" ], "help": { - "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for 
ignoring this vulnerability\"\n```\n" + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: 
https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- 
|\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" } } ], @@ -622,6 +640,18 @@ "uri": "path/to/my/first/lockfile" }, "length": -1 + }, + { + "location": { + "uri": "path/to/my/third/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 } ], "results": [ @@ -641,6 +671,40 @@ } } ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/third/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] } ] } @@ -649,7 +713,7 @@ --- -[TestPrintSARIFReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] +[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -715,7 +779,7 @@ --- -[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] +[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -740,62 +804,8 @@ "OSV-1" ], "help": { - "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" - } - }, - { - "id": "OSV-2", - "name": "OSV-2", - "shortDescription": { - "text": "OSV-2: Something less scary!" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "deprecatedIds": [ - "OSV-2" - ], - "help": { - "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile 
containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" - } - }, - { - "id": "OSV-3", - "name": "OSV-3", - "shortDescription": { - "text": "OSV-3: Something mildly scary!" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "deprecatedIds": [ - "OSV-3" - ], - "help": { - "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine3 
| 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" - } - }, - { - "id": "OSV-5", - "name": "OSV-5", - "shortDescription": { - "text": "OSV-5: Something scarier!" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "deprecatedIds": [ - "OSV-5" - ], - "help": { - "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this 
vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values 
to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" } } ], @@ -808,32 +818,9 @@ "uri": "path/to/my/first/lockfile" }, "length": -1 - }, - { - "location": { - "uri": "path/to/my/second/lockfile" - }, - "length": -1 } ], "results": [ - { - "ruleId": "OSV-1", - "ruleIndex": 0, - "level": "warning", - "message": { - "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/first/lockfile" - } - } - } - ] - }, { "ruleId": "OSV-1", "ruleIndex": 0, 
@@ -850,47 +837,62 @@ } } ] - }, - { - "ruleId": "OSV-2", - "ruleIndex": 1, - "level": "warning", - "message": { - "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." - }, - "locations": [ + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/second/lockfile" - } + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to 
[OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" } } - ] - }, + ], + "version": "1.8.1" + } + }, + "artifacts": [ { - "ruleId": "OSV-3", - "ruleIndex": 2, - "level": "warning", - "message": { - "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-3'." + "location": { + "uri": "path/to/my/first/lockfile" }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/second/lockfile" - } - } - } - ] - }, + "length": -1 + } + ], + "results": [ { - "ruleId": "OSV-5", - "ruleIndex": 3, + "ruleId": "OSV-1", + "ruleIndex": 0, "level": "warning", "message": { - "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-5'." + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "locations": [ { @@ -901,23 +903,6 @@ } } ] - }, - { - "ruleId": "OSV-5", - "ruleIndex": 3, - "level": "warning", - "message": { - "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-5'." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/second/lockfile" - } - } - } - ] } ] } 
@@ -926,7 +911,7 @@ --- -[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] +[TestPrintSARIFReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -951,8 +936,74 @@ "OSV-1" ], "help": { - "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the 
following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" } }, { 
@@ -1137,158 +1188,7 @@ --- -[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] -{ - "version": "2.1.0", - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "informationUri": "https://github.com/google/osv-scanner", - "name": "osv-scanner", - "rules": [], - "version": "1.8.1" - } - }, - "results": [] - } - ] -} - ---- - -[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] -{ - "version": "2.1.0", - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "informationUri": "https://github.com/google/osv-scanner", - "name": "osv-scanner", - "rules": [ - { - "id": "OSV-1", - "name": "OSV-1", - "shortDescription": { - "text": "OSV-1: Something scary!" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "deprecatedIds": [ - "OSV-1" - ], - "help": { - "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" - } - }, - { - "id": "OSV-2", - "name": "OSV-2", - "shortDescription": { - "text": "OSV-2: Something less scary!" 
- }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "deprecatedIds": [ - "OSV-2" - ], - "help": { - "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", - "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" - } - } - ], - "version": "1.8.1" - } - }, - "artifacts": [ - { - "location": { - "uri": "path/to/my/first/lockfile" - }, - "length": -1 - }, - { - "location": { - "uri": "path/to/my/third/lockfile" - }, - "length": -1 - }, - { - "location": { - "uri": "path/to/my/second/lockfile" - }, - "length": -1 - } - ], - "results": [ - { - "ruleId": "OSV-1", - "ruleIndex": 0, - "level": "warning", - "message": { - "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/first/lockfile" - } - } - } - ] - }, - { - "ruleId": "OSV-1", - "ruleIndex": 0, - "level": "warning", - "message": { - "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/third/lockfile" - } - } - } - ] - }, - { - "ruleId": "OSV-2", - "ruleIndex": 1, - "level": "warning", - "message": { - "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "path/to/my/second/lockfile" - } - } - } - ] - } - ] - } - ] -} - ---- - -[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -1499,28 +1399,7 @@ --- -[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_no_packages - 1] -{ - "version": "2.1.0", - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "informationUri": "https://github.com/google/osv-scanner", - "name": "osv-scanner", - "rules": [], - "version": "1.8.1" - } - }, - "results": [] - } - ] -} - ---- - -[TestPrintSARIFReport_WithVulnerabilities/no_sources - 1] +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", @@ -1541,7 +1420,7 @@ --- -[TestPrintSARIFReport_WithVulnerabilities/one_source_with_no_packages - 1] +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -1551,18 +1430,734 @@ "driver": { "informationUri": "https://github.com/google/osv-scanner", "name": "osv-scanner", - "rules": [], - "version": "1.8.1" - } - }, - "results": [] - } - ] -} - ---- + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 
|\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this 
vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/third/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/third/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-3", + "name": "OSV-3", + "shortDescription": { + "text": "OSV-3: Something mildly scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-3" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile 
containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-5", + "name": "OSV-5", + "shortDescription": { + "text": "OSV-5: Something scarier!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-5" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## 
[OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-3", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-3'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-5", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-5'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-5", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-5'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the 
following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the 
same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-3", + "name": "OSV-3", + "shortDescription": { + "text": "OSV-3: Something mildly scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-3" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| 
:path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-5", + "name": "OSV-5", + "shortDescription": { + "text": "OSV-5: Something scarier!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-5" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = 
\"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-3", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-3'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-5", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-5'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-5", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-5'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_no_packages - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.8.1" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/no_sources - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.8.1" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_no_packages - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.8.1" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.8.1" + } + }, + "results": [] + } + ] +} + +--- + 
+[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "GHSA-123", + "name": "GHSA-123", + "shortDescription": { + "text": "GHSA-123: Something scarier!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "GHSA-123" + ], + "help": { + "text": "**Your dependency is vulnerable to [GHSA-123](https://osv.dev/list?q=GHSA-123)**.\n\n## [GHSA-123](https://osv.dev/vulnerability/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"GHSA-123\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [GHSA-123](https://osv.dev/list?q=GHSA-123)**.\n\n## [GHSA-123](https://osv.dev/vulnerability/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | 
--- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"GHSA-123\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## 
[OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "GHSA-123", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'GHSA-123'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} -[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "version": "2.1.0", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", 
@@ -1572,11 +2167,122 @@ "driver": { "informationUri": "https://github.com/google/osv-scanner", "name": "osv-scanner", - "rules": [], + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable 
dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], "version": "1.8.1" } }, - "results": [] + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] } ] } 
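Review bot: The `one_source_with_one_package_and_one_uncalled_vulnerability` snapshot added in this hunk is byte-for-byte the same SARIF as the `..._one_called_vulnerability` snapshot just above it: the result is emitted at `"level": "warning"` with nothing on the rule or the result recording that call analysis found the vulnerable code unreachable. The table snapshots in this same change do separate the two cases (an `Uncalled vulnerabilities` section), so a SARIF consumer such as code scanning gets less information than a terminal user and cannot triage or suppress uncalled findings differently. If that is intentional it deserves a comment in the SARIF writer; otherwise consider carrying the flag on the result, for example in a `properties` bag or as a suffix in `message.text` such as `(uncalled)`, and regenerating these snapshots. The writer that produces this output is not part of this diff, so the fix would land there rather than in the snapshot.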
@@ -1715,6 +2421,90 @@ --- +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1", + "GHSA-123" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/vulnerability/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/vulnerability/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**\n(Also 
published as: [GHSA-123](https://osv.dev/vulnerability/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/vulnerability/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.8.1" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] { "version": "2.1.0", diff --git a/internal/output/__snapshots__/table_test.snap b/internal/output/__snapshots__/table_test.snap index cc77791a0c2..2bec0d8124c 100755 --- a/internal/output/__snapshots__/table_test.snap +++ b/internal/output/__snapshots__/table_test.snap 
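Review bot: The new `two_aliases_of_a_single_uncalled_vulnerability` snapshot records two identical results — same `ruleId` `OSV-1`, same message `Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').`, same `artifactLocation` — so a consumer that fingerprints results will still show the finding twice, apparently once per alias even though the aliases were already folded into a single rule via `deprecatedIds`. The same hunk's `help.text`/`help.markdown` also closes the alias sentence as `, ).`, i.e. the alias list is joined with a trailing separator before the closing parenthesis; the expected form is `(Also published as: [GHSA-123](https://osv.dev/vulnerability/GHSA-123)).`. Both look pre-existing rather than introduced here (the existing `two_aliases_of_a_single_vulnerability` snapshot follows as context), but since this change pins the expected output it is the moment to fix the emitter and regenerate rather than lock the duplicate result and the stray separator in. The emitting code is not part of this diff.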
@@ -100,6 +100,27 @@ --- +[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬────────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────────────────────┤ +│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────────────────────┤ +│ Uncalled vulnerabilities │ │ │ │ │ │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴────────────────────────────╯ +╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │ +│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ +╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ 
@@ -118,6 +139,36 @@ --- +[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] +╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────────────╯ +╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + +[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ Uncalled vulnerabilities │ │ │ │ │ │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────────────╯ +╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ 
+╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ @@ -203,6 +254,23 @@ --- +[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬────────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────────────────────┤ +│ https://osv.dev/OSV-5 │ │ Packagist │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ path/to/my/first/lockfile │ +│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │ +│ https://osv.dev/OSV-3 │ │ Packagist │ mine3 │ 0.4.1 │ path/to/my/second/lockfile │ +│ https://osv.dev/OSV-5 │ │ Packagist │ mine3 │ 0.4.1 │ path/to/my/second/lockfile │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────────────────────┤ +│ Uncalled vulnerabilities │ │ │ │ │ │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ Packagist │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴────────────────────────────╯ + +--- + [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1] --- 
@@ -219,6 +287,39 @@ --- +[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ Uncalled vulnerabilities │ │ │ │ │ │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/GHSA-123 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + +[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] +╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + +[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ Uncalled vulnerabilities │ │ │ │ │ │ 
+├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ @@ -237,6 +338,18 @@ --- +[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ Uncalled vulnerabilities │ │ │ │ │ │ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────────────────┤ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ +│ https://osv.dev/GHSA-123 │ │ │ │ │ │ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────────────────╯ + +--- + [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ 
@@ -377,6 +490,27 @@ --- +[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] ++--------------------------+------+-----------+---------+---------+----------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------+------+-----------+---------+---------+----------------------------+ +| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | ++--------------------------+------+-----------+---------+---------+----------------------------+ +| Uncalled vulnerabilities | | | | | | ++--------------------------+------+-----------+---------+---------+----------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | ++--------------------------+------+-----------+---------+---------+----------------------------+ ++-------------------+-----------+---------+---------+---------------------------+ +| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------+-----------+---------+---------+---------------------------+ +| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | +| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | ++-------------------+-----------+---------+---------+---------------------------+ + +--- + [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] +-----------------------+------+-----------+---------+---------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | 
@@ -395,6 +529,36 @@ --- +[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] ++-----------------------+------+-----------+---------+---------+---------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-----------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++-----------------------+------+-----------+---------+---------+---------------------------+ ++-------------------+-----------+---------+---------+---------------------------+ +| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------+-----------+---------+---------+---------------------------+ +| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++-------------------+-----------+---------+---------+---------------------------+ + +--- + +[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] ++--------------------------+------+-----------+---------+---------+---------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| Uncalled vulnerabilities | | | | | | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++--------------------------+------+-----------+---------+---------+---------------------------+ ++-------------------+-----------+---------+---------+---------------------------+ +| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-------------------+-----------+---------+---------+---------------------------+ +| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | 
++-------------------+-----------+---------+---------+---------------------------+ + +--- + [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] +-----------------------+------+-----------+---------+---------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | @@ -480,6 +644,23 @@ --- +[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] ++--------------------------+------+-----------+---------+---------+----------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------+------+-----------+---------+---------+----------------------------+ +| https://osv.dev/OSV-5 | | Packagist | mine1 | 1.2.3 | path/to/my/first/lockfile | +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | path/to/my/first/lockfile | +| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | path/to/my/second/lockfile | +| https://osv.dev/OSV-3 | | Packagist | mine3 | 0.4.1 | path/to/my/second/lockfile | +| https://osv.dev/OSV-5 | | Packagist | mine3 | 0.4.1 | path/to/my/second/lockfile | ++--------------------------+------+-----------+---------+---------+----------------------------+ +| Uncalled vulnerabilities | | | | | | ++--------------------------+------+-----------+---------+---------+----------------------------+ +| https://osv.dev/OSV-1 | | Packagist | mine1 | 1.2.3 | path/to/my/first/lockfile | ++--------------------------+------+-----------+---------+---------+----------------------------+ + +--- + [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1] --- 
@@ -496,6 +677,39 @@ --- +[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] ++--------------------------+------+-----------+---------+---------+---------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| Uncalled vulnerabilities | | | | | | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++--------------------------+------+-----------+---------+---------+---------------------------+ + +--- + +[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] ++-----------------------+------+-----------+---------+---------+---------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++-----------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++-----------------------+------+-----------+---------+---------+---------------------------+ + +--- + +[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] ++--------------------------+------+-----------+---------+---------+---------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| Uncalled vulnerabilities | | | | | | 
++--------------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | ++--------------------------+------+-----------+---------+---------+---------------------------+ + +--- + [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] +-----------------------+------+-----------+---------+---------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | @@ -514,6 +728,18 @@ --- +[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] ++--------------------------+------+-----------+---------+---------+---------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| Uncalled vulnerabilities | | | | | | ++--------------------------+------+-----------+---------+---------+---------------------------+ +| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +| https://osv.dev/GHSA-123 | | | | | | ++--------------------------+------+-----------+---------+---------+---------------------------+ + +--- + [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] +--------------------------+------+-----------+---------+---------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | 
@@ -654,6 +880,27 @@ --- +[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ path/to/my ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ Uncalled vulnerabilities │ │ │ │ │ ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ +╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ +│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ +│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ +│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈ +│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈ +╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ + +--- + [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ 
@@ -672,6 +919,36 @@ --- +[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] +╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/fi ≈ +╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ +╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ +│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ +│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ +╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ + +--- + +[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ Uncalled vulnerabilities │ │ │ │ │ ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ +╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ +│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ +│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ +╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ + +--- + 
[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ @@ -757,6 +1034,23 @@ --- +[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-5 │ │ Packagist │ mine1 │ 1.2.3 │ path/to/my ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ path/to/my ≈ +│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ path/to/my ≈ +│ https://osv.dev/OSV-3 │ │ Packagist │ mine3 │ 0.4.1 │ path/to/my ≈ +│ https://osv.dev/OSV-5 │ │ Packagist │ mine3 │ 0.4.1 │ path/to/my ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ Uncalled vulnerabilities │ │ │ │ │ ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-1 │ │ Packagist │ mine1 │ 1.2.3 │ path/to/my ≈ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ + +--- + [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1] --- 
@@ -773,6 +1067,39 @@ --- +[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ Uncalled vulnerabilities │ │ │ │ │ ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/GHSA-123 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ + +--- + +[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] +╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my/fi ≈ +╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ + +--- + +[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ Uncalled vulnerabilities │ │ │ │ │ ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ + +--- + 
[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ @@ -791,6 +1118,18 @@ --- +[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] +╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ +│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ Uncalled vulnerabilities │ │ │ │ │ ≈ +├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ +│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ path/to/my ≈ +│ https://osv.dev/GHSA-123 │ │ │ │ │ ≈ +╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ + +--- + [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ diff --git a/internal/output/helpers_test.go b/internal/output/helpers_test.go index 5f570eca8b4..aee289e8d52 100644 --- a/internal/output/helpers_test.go +++ b/internal/output/helpers_test.go 
@@ -178,6 +178,121 @@ func testOutputWithVulnerabilities(t *testing.T, run outputTestRunner) { }, }, }, + { + name: "one source with one package and one called vulnerability", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: true}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + { + name: "one source with one package and one uncalled vulnerability", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: false}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + { + name: "one source with one package, one uncalled vulnerability, and one called vulnerability", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{ 
+ { + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: true}, + }, + }, + { + IDs: []string{"GHSA-123"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "GHSA-123": {Called: false}, + }, + }, + }, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + { + ID: "GHSA-123", + Summary: "Something scarier!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, { name: "one source with one package and one vulnerability (dev)", args: outputTestCaseArgs{ @@ -296,6 +411,47 @@ func testOutputWithVulnerabilities(t *testing.T, run outputTestRunner) { }, }, }, + { + name: "one source with one package and two aliases of a single uncalled vulnerability", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1", "GHSA-123"}, + Aliases: []string{"OSV-1", "GHSA-123"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: false}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + { + ID: "GHSA-123", + Summary: "Something scary!", + Aliases: []string{"OSV-1"}, + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, { name: "two sources with packages, one vulnerability", args: outputTestCaseArgs{ 
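Review bot: The three new WithVulnerabilities cases mark their groups `Called: true` / `Called: false` but never set `ExperimentalAnalysisConfig` on the `VulnerabilityResults`, whereas the new WithMixedIssues cases in this same file pass `ExperimentalAnalysisConfig: experimentalAnalysisConfig`. The table snapshots in this diff show the group demoted to "Uncalled vulnerabilities" either way, so the per-group `ExperimentalAnalysis` map alone is what drives the classification; that looks deliberate and is worth pinning, otherwise someone may later "align" the fixtures by adding the config and would drop coverage of the config-less path without noticing. I'd add above the first new case: `// No ExperimentalAnalysisConfig here on purpose: the per-group ExperimentalAnalysis map alone must be enough to demote a finding to "Uncalled vulnerabilities".` The enclosing `testOutputWithVulnerabilities` and its `tests` slice literal start and end outside this hunk.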
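Review bot: The new aliases case gives the group `IDs: {"OSV-1", "GHSA-123"}` but an `ExperimentalAnalysis` entry only for `"OSV-1"` (`Called: false`), and the table snapshots in this diff list the whole group under "Uncalled vulnerabilities", so an alias with no entry evidently does not keep the group in the main table. What is not covered is the real conflict — one alias reported `Called: true` and the other `Called: false` or absent — which is exactly the case where a wrong precedence would hide a reachable vulnerability behind its unreached alias, a silent false negative. I'd add a sibling case with `"OSV-1": {Called: false}, "GHSA-123": {Called: true}` and snapshot it; I would expect the group to stay in the main table, and if the output code instead takes the first ID's verdict that should be a documented decision. A one-line comment on the existing case would also help a reader: `// Only OSV-1 carries an analysis entry; GHSA-123 has none, and the group is still classified as uncalled.`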
@@ -713,6 +869,118 @@ func testOutputWithVulnerabilities(t *testing.T, run outputTestRunner) { }, }, }, + { + name: "multiple sources with a mixed count of packages across ecosystems, and multiple vulnerabilities, but some uncalled", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "Packagist", + }, + Groups: []models.GroupInfo{ + { + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: false}, + }, + }, + { + IDs: []string{"OSV-5"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-5": {Called: true}, + }, + }, + }, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + { + ID: "OSV-5", + Summary: "Something scarier!", + Severity: []models.Severity{{Type: "extreme", Score: "1"}}, + }, + }, + }, + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.2", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + }, + }, + }, + { + Source: models.SourceInfo{Path: "path/to/my/second/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine2", + Version: "3.2.5", + Ecosystem: "NuGet", + }, + DepGroups: []string{"dev"}, + Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-2", + Summary: "Something less scary!", + Severity: []models.Severity{{Type: "low", Score: "1"}}, + }, + }, + }, + { + Package: models.PackageInfo{ + Name: "mine3", + Version: "0.4.1", + Ecosystem: 
"Packagist", + }, + DepGroups: []string{"build"}, + Groups: []models.GroupInfo{ + { + IDs: []string{"OSV-3"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-3": {Called: true}, + }, + }, + {IDs: []string{"OSV-5"}}, + }, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-3", + Summary: "Something mildly scary!", + Severity: []models.Severity{{Type: "medium", Score: "1"}}, + }, + { + ID: "OSV-5", + Summary: "Something scarier!", + Severity: []models.Severity{{Type: "extreme", Score: "1"}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, { name: "one source with vulnerabilities, some missing content", args: outputTestCaseArgs{ 
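Review bot: This fixture folds three distinct signals into one case — `Called: false` on Packagist mine1/OSV-1, groups with no `ExperimentalAnalysis` at all (npm mine1@1.2.2/OSV-1 and mine3/OSV-5), and `DepGroups` of `dev` and `build` on the second source — so when its snapshot changes it will not be obvious which of them moved. The snapshots in this diff show the analysis-less groups in the main table, which is the property that matters most here (absent call data must never demote a finding), and it deserves to be stated in the fixture rather than reverse-engineered from the snapshot. I'd put `// mine1@1.2.2 (npm) and mine3/OSV-5 deliberately carry no ExperimentalAnalysis: absent call data must keep a finding in the main table, not demote it.` above the second package of the first source, and consider moving the DepGroups aspect into its own case. The `tests` slice this case is appended to starts and ends outside the hunk.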
@@ -1400,6 +1668,80 @@ func testOutputWithMixedIssues(t *testing.T, run outputTestRunner) { }, }, }, + { + name: "one source with one package, one called vulnerability, and one license violation", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + ExperimentalAnalysisConfig: experimentalAnalysisConfig, + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: true}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + Licenses: []models.License{"MIT"}, + LicenseViolations: []models.License{"MIT"}, + }, + }, + }, + }, + }, + }, + }, + { + name: "one source with one package, one uncalled vulnerability, and one license violation", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + ExperimentalAnalysisConfig: experimentalAnalysisConfig, + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: false}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + Licenses: []models.License{"MIT"}, + LicenseViolations: []models.License{"MIT"}, + }, + }, + }, + }, + }, + }, + }, { name: "two sources with packages, one vulnerability, one license violation", args: outputTestCaseArgs{ 
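Review bot: The two new mixed cases are identical except for `Called`, and the snapshots in this diff print the MIT violation row in both, i.e. an uncalled vulnerability does not suppress the license violation of the same package. That invariant is the whole reason for the second case and should be spelled out, because a future refactor that filters entire packages by call status would break it while the vulnerability table still looks right. I'd add above the uncalled case: `// Call analysis applies to vulnerabilities only; the package's license violation must still be reported when its sole vulnerability is uncalled.` Both cases reference `experimentalAnalysisConfig`, which is declared outside this hunk.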
@@ -1544,6 +1886,117 @@ func testOutputWithMixedIssues(t *testing.T, run outputTestRunner) { }, }, }, + { + name: "multiple sources with a mixed count of packages, some called vulnerabilities and license violations", + args: outputTestCaseArgs{ + vulnResult: &models.VulnerabilityResults{ + ExperimentalAnalysisConfig: experimentalAnalysisConfig, + Results: []models.PackageSource{ + { + Source: models.SourceInfo{Path: "path/to/my/first/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: false}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + Licenses: []models.License{"MIT"}, + LicenseViolations: []models.License{"MIT"}, + }, + }, + }, + { + Source: models.SourceInfo{Path: "path/to/my/second/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine2", + Version: "3.2.5", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-2"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-2": {Called: true}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-2", + Summary: "Something less scary!", + Severity: []models.Severity{{Type: "low", Score: "1"}}, + }, + }, + Licenses: []models.License{"ISC"}, + LicenseViolations: []models.License{}, + }, + { + Package: models.PackageInfo{ + Name: "mine3", + Version: "0.4.1", + Ecosystem: "npm", + }, + Vulnerabilities: models.Vulnerabilities{}, + Licenses: []models.License{"ISC"}, + LicenseViolations: []models.License{}, + }, + }, + }, + { + Source: models.SourceInfo{Path: "path/to/my/third/lockfile"}, + Packages: []models.PackageVulns{ + { + Package: models.PackageInfo{ + Name: "mine1", + Version: 
"1.3.5", + Ecosystem: "npm", + }, + Vulnerabilities: models.Vulnerabilities{}, + Licenses: []models.License{"MIT"}, + LicenseViolations: []models.License{"MIT"}, + }, + { + Package: models.PackageInfo{ + Name: "mine1", + Version: "1.2.3", + Ecosystem: "npm", + }, + Groups: []models.GroupInfo{{ + IDs: []string{"OSV-1"}, + ExperimentalAnalysis: map[string]models.AnalysisInfo{ + "OSV-1": {Called: false}, + }, + }}, + Vulnerabilities: models.Vulnerabilities{ + { + ID: "OSV-1", + Summary: "Something scary!", + Severity: []models.Severity{{Type: "high", Score: "1"}}, + }, + }, + Licenses: []models.License{"Apache-2.0"}, + LicenseViolations: []models.License{"Apache-2.0"}, + }, + }, + }, + }, + }, + }, + }, } for _, tt := range tests { tt := tt
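Review bot: The third lockfile lists `mine1@1.2.3` with `Licenses: {"Apache-2.0"}` while the first lockfile lists the same package and version with `Licenses: {"MIT"}`; if that divergence is deliberate (per-source license data) it deserves a one-line comment such as `// same package/version as the first lockfile but with a different license, to check per-source license reporting`, otherwise it looks like a copy-paste slip. The case also never includes a group whose `ExperimentalAnalysis` map is missing an entry for one of its `IDs` (the zero-value `Called: false` path) nor a package that carries both a called and an uncalled vulnerability, which are the inputs most likely to expose filtering or grouping mistakes in the renderers; adding one such package to the second lockfile would make the "mixed" name accurate. The enclosing `testOutputWithMixedIssues` starts outside this hunk.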
