Github action

.github/workflows/osv-scanner-pr.yml

@@ -0,0 +1,58 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: OSV-Scanner PR scanning
+
+# env:
+#   # Generator
+#   BUILDER_BINARY: slsa-generator-generic-linux-amd64 # Name of the binary in the release assets.
+#   BUILDER_DIR: internal/builders/generic # Source directory if we compile the builder.
+
+# defaults:
+#   run:
+#     shell: bash
+
+on:
+  workflow_call:
+
+jobs:
+  scan-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v37
+
+          # To compare changes between the current commit and the last pushed remote commit set `since_last_remote_commit: true`. e.g
+          # with:
+          #   since_last_remote_commit: true 
+
+      - name: List all changed files
+        run: |
+          echo ${{ steps.changed-files.outputs.all_changed_files }}
+          echo ------------
+          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+            echo "$file was changed"
+          done
+      - name: "Run scanner"
+        uses: ./ # Uses ./action.yaml
+        with:
+          results-format: sarif
+          results-file: results.sarif
+          to-scan: ${{ steps.changed-files.outputs.all_changed_files }}
+

.github/workflows/osv-scanner.yml

@@ -0,0 +1,75 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: osv-scanner
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  merge_group:
+    branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scan-pr-attempt:
+    uses: "./.github/workflows/osv-scanner-pr.yml"
+  # scan:
+  #   name: OSV-Scanner scan
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     # Needed to upload the results to code-scanning dashboard.
+  #     security-events: write
+  #     # Needed to publish results and get a badge (see publish_results below).
+  #     id-token: write
+  #     # Uncomment the permissions below if installing in a private repository.
+  #     # contents: read
+  #     # actions: read
+
+  #   steps:
+  #     - name: "Checkout code"
+  #       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+  #       with:
+  #         persist-credentials: false
+
+  #     - name: "Run scanner"
+  #       uses: ./ # Uses ./action.yaml
+  #       with:
+  #         results-format: sarif
+  #         results-file: results.sarif
+  #         to-scan: |-
+  #           ./
+  #           ./cmd/osv-scanner/fixtures/locks-many/
+
+
+  #     # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+  #     # format to the repository Actions tab.
+  #     - name: "Upload artifact"
+  #       if: '!cancelled()'
+  #       uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+  #       with:
+  #         name: SARIF file
+  #         path: results.sarif
+  #         retention-days: 5
+
+  #     # Upload the results to GitHub's code scanning dashboard.
+  #     - name: "Upload to code-scanning"
+  #       if: '!cancelled()'
+  #       uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
+  #       with:
+  #         sarif_file: results.sarif

action.dockerfile

@@ -0,0 +1,42 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:alpine@sha256:fd9d9d7194ec40a9a6ae89fcaef3e47c47de7746dd5848ab5343695dbbd09f8c
+
+RUN mkdir /src
+WORKDIR /src
+
+COPY ./go.mod /src/go.mod
+COPY ./go.sum /src/go.sum
+RUN go mod download
+
+COPY ./ /src/
+RUN go build -o osv-scanner ./cmd/osv-scanner/
+
+FROM alpine:3.17@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
+RUN apk --no-cache add \
+    ca-certificates \
+    git \
+    bash
+
+# Allow git to run on mounted directories
+RUN git config --global --add safe.directory '*'
+
+WORKDIR /root/
+COPY --from=0 /src/osv-scanner ./
+COPY ./exit_code_redirect.sh ./
+
+ENV PATH="${PATH}:/root"
+
+ENTRYPOINT ["bash", "/root/exit_code_redirect.sh"]

action.yml

@@ -3,19 +3,26 @@ name: 'osv-scanner'
 description: 'Scans your directory against the OSV database (Experimental)'
 inputs:
   to-scan:
-    description: 'Directory to scan'
-    required: true
-    default: '/github/workspace'
-  version:
-    description: 'osv-scanner version to use'
+    description: 'Directories to scan'
+    required: false
+    default: "./"
+  results-file:
+    description: 'OUTPUT: Path to file to store results'
     required: true
-  arch:
-    description: 'osv-scanner architecture'
+  results-format:
+    description: 'Output result format'
+    required: false
+    default: 'sarif'
+  recursive-search:
+    description: 'Recursively scan though subdirectories'
     required: false
-    default: 'amd64'
+    default: false
 runs:
   using: 'docker'
-  image: 'ghcr.io/google/osv-scanner:${{ inputs.version }}-${{ inputs.arch }}'
+  image: 'action.dockerfile'
   args:
     - '--skip-git'
+    - '--output=${{ inputs.results-file }}'
+    - '--format=${{ inputs.results-format }}'
+    - '--recursive=${{ inputs.recursive-search}}'
     - ${{ inputs.to-scan }}

cmd/osv-scanner/fixtures/locks-many/osv-scanner.toml

@@ -0,0 +1,4 @@
+[[IgnoredVulns]]
+id = "GHSA-whgm-jr23-g3j9"
+# ignore_until = 2022-11-09
+reason = "Test manifest file"

cmd/osv-scanner/fixtures/osv-scanner-empty-config.toml

@@ -0,0 +1 @@
+# An empty config file to override the ignore config

cmd/osv-scanner/main.go

@@ -1,14 +1,17 @@
 package main
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"os"
+	"strings"
 
 	"github.com/google/osv-scanner/pkg/osv"
 	"github.com/google/osv-scanner/pkg/osvscanner"
 	"github.com/google/osv-scanner/pkg/reporter"
+	"golang.org/x/exp/slices"
 
 	"github.com/urfave/cli/v2"
 )
@@ -25,7 +28,7 @@ func run(args []string, stdout, stderr io.Writer) int {
 
 	cli.VersionPrinter = func(ctx *cli.Context) {
 		// Use the app Writer and ErrWriter since they will be the writers to keep parallel tests consistent
-		r = reporter.NewTableReporter(ctx.App.Writer, ctx.App.ErrWriter, false)
+		r = reporter.NewTableReporter(ctx.App.Writer, ctx.App.ErrWriter, false, 0)
 		r.PrintText(fmt.Sprintf("osv-scanner version: %s\ncommit: %s\nbuilt at: %s\n", ctx.App.Version, commit, date))
 	}
 
@@ -68,21 +71,22 @@ func run(args []string, stdout, stderr io.Writer) int {
 				Usage:   "sets the output format",
 				Value:   "table",
 				Action: func(context *cli.Context, s string) error {
-					switch s {
-					case
-						"table",
-						"json", //nolint:goconst
-						"markdown":
+					if slices.Contains(reporter.Format(), s) {
 						return nil
 					}
 
-					return fmt.Errorf("unsupported output format \"%s\" - must be one of: \"table\", \"json\", \"markdown\"", s)
+					return fmt.Errorf("unsupported output format \"%s\" - must be one of: %s", s, strings.Join(reporter.Format(), ", "))
 				},
 			},
 			&cli.BoolFlag{
 				Name:  "json",
 				Usage: "sets output to json (deprecated, use --format json instead)",
 			},
+			&cli.StringFlag{
+				Name:      "output",
+				Usage:     "saves the result to the given file path",
+				TakesFile: true,
+			},
 			&cli.BoolFlag{
 				Name:  "skip-git",
 				Usage: "skip scanning git repositories",
@@ -113,15 +117,15 @@ func run(args []string, stdout, stderr io.Writer) int {
 				format = "json"
 			}
 
-			switch format {
-			case "json":
-				r = reporter.NewJSONReporter(stdout, stderr)
-			case "table":
-				r = reporter.NewTableReporter(stdout, stderr, false)
-			case "markdown":
-				r = reporter.NewTableReporter(stdout, stderr, true)
-			default:
-				return fmt.Errorf("%v is not a valid format", format)
+			outputPath := context.String("output")
+			outputBuffer := &bytes.Buffer{}
+			if outputPath != "" {
+				stdout = outputBuffer
+			}
+
+			var err error
+			if r, err = reporter.GetReporter(format, stdout, stderr, outputPath != ""); err != nil {
+				return err
 			}
 
 			vulnResult, err := osvscanner.DoScan(osvscanner.ScannerActions{
@@ -147,13 +151,26 @@ func run(args []string, stdout, stderr io.Writer) int {
 				return fmt.Errorf("failed to write output: %w", errPrint)
 			}
 
+			if outputPath != "" {
+				file, err := os.Create(outputPath)
+				if err != nil {
+					return fmt.Errorf("failed to create output file: %w", err)
+				}
+
+				_, err = file.Write(outputBuffer.Bytes())
+				if err != nil {
+					return fmt.Errorf("failed to write to output file: %w", err)
+				}
+			}
+
+			// Could be nil, VulnerabilitiesFoundErr, or OnlyUncalledVulnerabilitiesFoundErr
 			return err
 		},
 	}
 
 	if err := app.Run(args); err != nil {
 		if r == nil {
-			r = reporter.NewTableReporter(stdout, stderr, false)
+			r = reporter.NewTableReporter(stdout, stderr, false, 0)
 		}
 		if errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
 			return 1