From c2bd45ef971a48d186526d609146d572cc5ec07c Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Fri, 3 May 2024 15:15:36 +1200
Subject: [PATCH] fix: ensure the sarif output has a stable order (#938)

This stabilizes the order in the SARIF output so that it is deterministic, as #937 proved it was not.
---
 internal/output/__snapshots__/sarif_test.snap | 1214 +++++++++++++++++
 internal/output/result.go | 24 +
 internal/output/sarif.go | 12 +-
 3 files changed, 1241 insertions(+), 9 deletions(-)

diff --git a/internal/output/__snapshots__/sarif_test.snap b/internal/output/__snapshots__/sarif_test.snap
index 2a70e024726..0a3e141c826 100755
--- a/internal/output/__snapshots__/sarif_test.snap
+++ b/internal/output/__snapshots__/sarif_test.snap
@@ -137,3 +137,1217 @@ } --- + +[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_no_packages - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/no_sources - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/one_source_with_no_packages - 1] +{ + "version": "2.1.0", + "$schema": 
"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + 
"name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to 
[OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/third/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/third/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this 
vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.2 |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the 
following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the 
same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-3", + "name": "OSV-3", + "shortDescription": { + "text": "OSV-3: Something mildly scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-3" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/list?q=OSV-3)**.\n\n## [OSV-3](https://osv.dev/vulnerability/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| 
:path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-5", + "name": "OSV-5", + "shortDescription": { + "text": "OSV-5: Something scarier!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-5" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = 
\"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/list?q=OSV-5)**.\n\n## [OSV-5](https://osv.dev/vulnerability/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-3", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-3'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-5", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-5'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-5", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-5'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n| :path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the 
format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2: Something less scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | 
Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/third/lockfile" + }, + "length": -1 + }, + { + "location": { + "uri": "path/to/my/second/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/third/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/second/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_no_packages - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/no_sources - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_no_packages - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [], + "version": "1.7.2" + } + }, + "results": [] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] +{ + "version": "2.1.0", + "$schema": 
"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in 
an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" 
+ }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1", + "GHSA-123" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/vulnerability/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/vulnerability/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/vulnerability/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/vulnerability/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## 
Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1" + }, + "fullDescription": { + "text": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", + "markdown": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this 
vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + }, + { + "id": "OSV-2", + "name": "OSV-2", + "shortDescription": { + "text": "OSV-2" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-2" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine3 | 0.10.2-rc |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more 
options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/list?q=OSV-2)**.\n\n## [OSV-2](https://osv.dev/vulnerability/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine3 | 0.10.2-rc |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + }, + { + "ruleId": "OSV-2", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package 'mine3@0.10.2-rc' is vulnerable to 'OSV-2'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- + +[TestPrintSARIFReport_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://github.com/google/osv-scanner", + "name": "osv-scanner", + "rules": [ + { + "id": "OSV-1", + "name": "OSV-1", + "shortDescription": { + "text": "OSV-1: Something scary!" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "deprecatedIds": [ + "OSV-1" + ], + "help": { + "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", + "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/list?q=OSV-1)**.\n\n## [OSV-1](https://osv.dev/vulnerability/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### 
Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| :path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" + } + } + ], + "version": "1.7.2" + } + }, + "artifacts": [ + { + "location": { + "uri": "path/to/my/first/lockfile" + }, + "length": -1 + } + ], + "results": [ + { + "ruleId": "OSV-1", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "path/to/my/first/lockfile" + } + } + } + ] + } + ] + } + ] +} + +--- diff --git a/internal/output/result.go b/internal/output/result.go index 080a3422813..eb361815731 100644 --- a/internal/output/result.go +++ b/internal/output/result.go @@ -3,8 +3,10 @@ package output import ( "encoding/json" "slices" + "strings" "github.com/google/osv-scanner/pkg/models" + "golang.org/x/exp/maps" ) type pkgWithSource struct { 
@@ -15,6 +17,28 @@ type pkgWithSource struct { // Custom implementation of this unique set map to allow it to serialize to JSON type pkgSourceSet map[pkgWithSource]struct{} +// StableKeys returns the pkgWithSource keys in a deterministic order +func (pss *pkgSourceSet) StableKeys() []pkgWithSource { + pkgWithSrcKeys := maps.Keys(*pss) + + slices.SortFunc(pkgWithSrcKeys, func(a, b pkgWithSource) int { + // compare based on each field in descending priority + for _, fn := range []func() int{ + func() int { return strings.Compare(a.Source.Path, b.Source.Path) }, + func() int { return strings.Compare(a.Package.Name, b.Package.Name) }, + func() int { return strings.Compare(a.Package.Version, b.Package.Version) }, + } { + if r := fn(); r != 0 { + return r + } + } + + return 0 + }) + + return pkgWithSrcKeys +} + func (pss *pkgSourceSet) MarshalJSON() ([]byte, error) { res := []pkgWithSource{} diff --git a/internal/output/sarif.go b/internal/output/sarif.go index ef63ddd407e..c3a069f8e57 100644 --- a/internal/output/sarif.go +++ b/internal/output/sarif.go @@ -15,7 +15,6 @@ import ( "github.com/google/osv-scanner/pkg/models" "github.com/jedib0t/go-pretty/v6/table" "github.com/owenrumney/go-sarif/v2/sarif" - "golang.org/x/exp/maps" ) type HelpTemplateData struct { @@ -196,13 +195,7 @@ func createSARIFHelpText(gv *groupedSARIFFinding) string { helpText := strings.Builder{} - pkgWithSrcKeys := maps.Keys(gv.PkgSource) - slices.SortFunc(pkgWithSrcKeys, func(a, b pkgWithSource) int { - // This doesn't take into account multiple packages within the same source file - // which will still be non deterministic. But since that is a rare edge case, - // no need to add significant extra logic here to make it deterministic. - return strings.Compare(a.Source.Path, b.Source.Path) - }) + pkgWithSrcKeys := gv.PkgSource.StableKeys() affectedPackagePaths := []string{} for _, pws := range pkgWithSrcKeys { 
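Review bot: The comparator in StableKeys builds a three-element slice of closures on every comparison the sort performs, which is a surprising amount of allocation for a plain lexicographic compare on three string fields; a straight chain of `if r := strings.Compare(a.Source.Path, b.Source.Path); r != 0 { return r }` checks (or `cmp.Or(...)` if the module's Go version is 1.22 or later) says the same thing with no allocation, as in the excerpt below. The order is also only as stable as those three fields: `pkgWithSource` is declared on the line above this hunk but its fields are not visible, and two keys that differ only in a field not compared here would keep their map-iteration order, so if the Package type carries an ecosystem or commit field it belongs at the end of the chain. A value receiver (`func (pss pkgSourceSet) StableKeys() []pkgWithSource`) would avoid the `*pss` dereference and the nil-pointer panic it invites, though the pointer receiver does match the existing MarshalJSON. MarshalJSON's body starts inside this hunk but ends outside it; if it ranges over the map directly it has the same non-determinism this commit fixes elsewhere, and `res = append(res, pss.StableKeys()...)` would settle it in one line.
```go
	slices.SortFunc(pkgWithSrcKeys, func(a, b pkgWithSource) int {
		// compare based on each field in descending priority
		if r := strings.Compare(a.Source.Path, b.Source.Path); r != 0 {
			return r
		}
		if r := strings.Compare(a.Package.Name, b.Package.Name); r != 0 {
			return r
		}
		return strings.Compare(a.Package.Version, b.Package.Version)
	})
	// … unchanged: return pkgWithSrcKeys …
```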
@@ -282,7 +275,8 @@ func PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.W WithTextHelp(helpText) rule.DeprecatedIds = gv.AliasedIDList - for pws := range gv.PkgSource { + + for _, pws := range gv.PkgSource.StableKeys() { artifactPath := stripGitHubWorkspace(pws.Source.Path) if filepath.IsAbs(artifactPath) { // this only errors if the file path is not absolute,
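Review bot: The artifact and result entries are now emitted in StableKeys order within one finding, but the loop over `gv` that encloses this `for` starts outside the hunk, and the `artifacts` array is appended to across findings; if that outer loop ranges over a map, the order of `artifacts` and `results` is still not deterministic, and the snapshot earlier in this patch (first, third, second lockfile) shows artifacts follow finding order rather than path order. Worth confirming that the grouped findings are themselves sorted, or sorting the artifacts slice once before it is attached to the run, since a reproducible SARIF file is what lets CI diff or attest to the report. The added blank line before the `for` reads as a section break; a one-line comment such as `// one artifact and result per affected package, in a stable order so the report is reproducible` would explain the StableKeys call to the next reader. PrintSARIFReport continues past the end of the hunk.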