osv-scanner exit with 0 event with vulnerabilities

[iurisilvio]

$ ./osv-scanner package-lock.json; echo $?
Scanning dir package-lock.json
Scanned /[redacted]/package-lock.json file and found 2257 packages
╭─────────────────────────┬───────────┬──────────────────────┬─────────┬───────────────────────────────────────────────────╮
│ SOURCE                  │ ECOSYSTEM │ AFFECTED PACKAGE     │ VERSION │ OSV URL (ID IN BOLD)                              │
├─────────────────────────┼───────────┼──────────────────────┼─────────┼───────────────────────────────────────────────────┤
│ package-lock.json       │ npm       │ decode-uri-component │ 0.2.0   │ https://osv.dev/vulnerability/GHSA-w573-4hg7-7wgq │
╰─────────────────────────┴───────────┴──────────────────────┴─────────┴───────────────────────────────────────────────────╯
0

[thomasleplus]

I was just thinking the same thing but I think that what would be useful is to have a way to fail the scan on certain conditions, e.g. if there is a CVE with a CVSS score above a certain threshold. But even if the scanner failed for all CVEs to begin with, one could always ignore individual vulnerabilities. It's just less convenient than a rule-based approach.

[iurisilvio]

Based on #7, the expected behavior was to exit with 1 on vulnerabilities, but it is not properly tested.