Comparing changes in google/osv-scanner: base v1.4.0 ... compare v1.4.1
Commits on Sep 14, 2023

  1. Update experimental.md (#536)

    There was a small formatting change. You can view the portion of the
    docs
    [here](https://hayleycd.github.io/osv-scanner/experimental/#specify-database-location)
    Hayley Denbraver authored Sep 14, 2023
    Commit 97e877a

Commits on Sep 19, 2023

  1. fix(deps): update osv-scanner minor (#539)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [github.com/go-git/go-billy/v5](https://togithub.com/go-git/go-billy) | require | minor | `v5.4.1` -> `v5.5.0` |
    | [github.com/go-git/go-git/v5](https://togithub.com/go-git/go-git) | require | minor | `v5.8.1` -> `v5.9.0` |
    | [github.com/owenrumney/go-sarif/v2](https://togithub.com/owenrumney/go-sarif) | require | patch | `v2.2.0` -> `v2.2.2` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>go-git/go-billy (github.com/go-git/go-billy/v5)</summary>
    
    ### [`v5.5.0`](https://togithub.com/go-git/go-billy/releases/tag/v5.5.0)
    
    [Compare Source](https://togithub.com/go-git/go-billy/compare/v5.4.1...v5.5.0)
    
    #### What's Changed
    
    - \*: Bump dependencies and go.mod to Go 1.18. Add codeQL workflow. by
    [@&#8203;pjbgf](https://togithub.com/pjbgf) in
    [https://github.com/go-git/go-billy/pull/30](https://togithub.com/go-git/go-billy/pull/30)
    - osfs: Add new BoundOS type by
    [@&#8203;pjbgf](https://togithub.com/pjbgf) in
    [https://github.com/go-git/go-billy/pull/31](https://togithub.com/go-git/go-billy/pull/31)
    - Re-introduce osfs.Default by
    [@&#8203;pjbgf](https://togithub.com/pjbgf) in
    [https://github.com/go-git/go-billy/pull/33](https://togithub.com/go-git/go-billy/pull/33)
    - Revert back to upstream github.com/cyphar/filepath-securejoin by
    [@&#8203;pjbgf](https://togithub.com/pjbgf) in
    [https://github.com/go-git/go-billy/pull/34](https://togithub.com/go-git/go-billy/pull/34)
    
    **Full Changelog**:
    go-git/go-billy@v5.4.1...v5.5.0
    
    </details>
    
    <details>
    <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>
    
    ### [`v5.9.0`](https://togithub.com/go-git/go-git/releases/tag/v5.9.0)
    
    [Compare Source](https://togithub.com/go-git/go-git/compare/v5.8.1...v5.9.0)
    
    #### What's Changed
    
    - git: worktree: add Amend option to CommitOptions by
    [@&#8203;john-cai](https://togithub.com/john-cai) in
    [https://github.com/go-git/go-git/pull/438](https://togithub.com/go-git/go-git/pull/438)
    - git: worktree, reset ignored files that are part of the worktree:
    Fixes [#&#8203;819](https://togithub.com/go-git/go-git/issues/819) by
    [@&#8203;daolis](https://togithub.com/daolis) in
    [https://github.com/go-git/go-git/pull/821](https://togithub.com/go-git/go-git/pull/821)
    - plumbing: Do not swallow http message coming from VCS providers by
    [@&#8203;matejrisek](https://togithub.com/matejrisek) in
    [https://github.com/go-git/go-git/pull/835](https://togithub.com/go-git/go-git/pull/835)
    - plumbing: transport, handle IPv6 while parsing endpoint. Fixes
    [#&#8203;740](https://togithub.com/go-git/go-git/issues/740) by
    [@&#8203;ninedraft](https://togithub.com/ninedraft) in
    [https://github.com/go-git/go-git/pull/820](https://togithub.com/go-git/go-git/pull/820)
    - \*: update goproxy dependency to fix CVE-2023-37788 vulnerability by
    [@&#8203;svghadi](https://togithub.com/svghadi) in
    [https://github.com/go-git/go-git/pull/832](https://togithub.com/go-git/go-git/pull/832)
    - \*: bump dependencies and Go to 1.19 by
    [@&#8203;pjbgf](https://togithub.com/pjbgf) in
    [https://github.com/go-git/go-git/pull/837](https://togithub.com/go-git/go-git/pull/837)
    
    #### New Contributors
    
    - [@&#8203;svghadi](https://togithub.com/svghadi) made their first
    contribution in
    [https://github.com/go-git/go-git/pull/832](https://togithub.com/go-git/go-git/pull/832)
    - [@&#8203;daolis](https://togithub.com/daolis) made their first
    contribution in
    [https://github.com/go-git/go-git/pull/821](https://togithub.com/go-git/go-git/pull/821)
    
    **Full Changelog**:
    go-git/go-git@v5.8.1...v5.9.0
    
    </details>
    
    <details>
    <summary>owenrumney/go-sarif (github.com/owenrumney/go-sarif/v2)</summary>
    
    ### [`v2.2.2`](https://togithub.com/owenrumney/go-sarif/releases/tag/v2.2.2)
    
    [Compare Source](https://togithub.com/owenrumney/go-sarif/compare/v2.2.1...v2.2.2)
    
    #### What's Changed
    
    - fix: add omitempty annotation to messageStrings by
    [@&#8203;owenrumney](https://togithub.com/owenrumney) in
    [https://github.com/owenrumney/go-sarif/pull/68](https://togithub.com/owenrumney/go-sarif/pull/68)
    
    **Full Changelog**:
    owenrumney/go-sarif@v2.2.1...v2.2.2
    
    ### [`v2.2.1`](https://togithub.com/owenrumney/go-sarif/releases/tag/v2.2.1)
    
    [Compare Source](https://togithub.com/owenrumney/go-sarif/compare/v2.2.0...v2.2.1)
    
    #### What's Changed
    
    - Bump github.com/stretchr/testify from 1.8.2 to 1.8.4 by
    [@&#8203;dependabot](https://togithub.com/dependabot) in
    [https://github.com/owenrumney/go-sarif/pull/62](https://togithub.com/owenrumney/go-sarif/pull/62)
    - Bump github.com/zclconf/go-cty from 1.13.1 to 1.13.2 by
    [@&#8203;dependabot](https://togithub.com/dependabot) in
    [https://github.com/owenrumney/go-sarif/pull/61](https://togithub.com/owenrumney/go-sarif/pull/61)
    - support messageStrings property by
    [@&#8203;masakura](https://togithub.com/masakura) in
    [https://github.com/owenrumney/go-sarif/pull/63](https://togithub.com/owenrumney/go-sarif/pull/63)
    - Bump github.com/zclconf/go-cty from 1.13.2 to 1.14.0 by
    [@&#8203;dependabot](https://togithub.com/dependabot) in
    [https://github.com/owenrumney/go-sarif/pull/65](https://togithub.com/owenrumney/go-sarif/pull/65)
    
    #### New Contributors
    
    - [@&#8203;masakura](https://togithub.com/masakura) made their first
    contribution in
    [https://github.com/owenrumney/go-sarif/pull/63](https://togithub.com/owenrumney/go-sarif/pull/63)
    
    **Full Changelog**:
    owenrumney/go-sarif@v2.2.0...v2.2.1
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi44My4wIiwidXBkYXRlZEluVmVyIjoiMzYuODMuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
    renovate-bot authored Sep 19, 2023
    Commit 0d0535c
  2. Attempt at multiline action (#542)

    Update the github actions to pass arguments in a multi line fashion to
    allow much more customisability.
    another-rex authored Sep 19, 2023
    Commit b3f6168
  3. chore(deps): update workflows (major) (#540)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [actions/checkout](https://togithub.com/actions/checkout) | action | major | `v3.6.0` -> `v4.0.0` |
    | [actions/checkout](https://togithub.com/actions/checkout) | action | major | `v3` -> `v4` |
    | [docker/login-action](https://togithub.com/docker/login-action) | action | major | `v2` -> `v3` |
    | [docker/setup-buildx-action](https://togithub.com/docker/setup-buildx-action) | action | major | `v2` -> `v3` |
    | [docker/setup-qemu-action](https://togithub.com/docker/setup-qemu-action) | action | major | `v2` -> `v3` |
    | [goreleaser/goreleaser-action](https://togithub.com/goreleaser/goreleaser-action) | action | major | `v4.6.0` -> `v5.0.0` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>actions/checkout (actions/checkout)</summary>
    
    ### [`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400)
    
    [Compare Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0)
    
    - [Support fetching without the --progress
    option](https://togithub.com/actions/checkout/pull/1067)
    - [Update to node20](https://togithub.com/actions/checkout/pull/1436)
    
    </details>
    
    <details>
    <summary>docker/login-action (docker/login-action)</summary>
    
    ### [`v3`](https://togithub.com/docker/login-action/compare/v2...v3)
    
    [Compare Source](https://togithub.com/docker/login-action/compare/v2...v3)
    
    </details>
    
    <details>
    <summary>docker/setup-buildx-action (docker/setup-buildx-action)</summary>
    
    ### [`v3`](https://togithub.com/docker/setup-buildx-action/compare/v2...v3)
    
    [Compare Source](https://togithub.com/docker/setup-buildx-action/compare/v2...v3)
    
    </details>
    
    <details>
    <summary>docker/setup-qemu-action (docker/setup-qemu-action)</summary>
    
    ### [`v3`](https://togithub.com/docker/setup-qemu-action/compare/v2...v3)
    
    [Compare Source](https://togithub.com/docker/setup-qemu-action/compare/v2...v3)
    
    </details>
    
    <details>
    <summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary>
    
    ### [`v5.0.0`](https://togithub.com/goreleaser/goreleaser-action/releases/tag/v5.0.0)
    
    [Compare Source](https://togithub.com/goreleaser/goreleaser-action/compare/v4.6.0...v5.0.0)
    
    ##### What's Changed
    
    - feat: node 20 as default runtime (requires [Actions Runner
    v2.308.0](https://togithub.com/actions/runner/releases/tag/v2.308.0) or
    later) by [@&#8203;crazy-max](https://togithub.com/crazy-max) in
    [https://github.com/goreleaser/goreleaser-action/pull/432](https://togithub.com/goreleaser/goreleaser-action/pull/432)
    - chore(deps): bump
    [@&#8203;actions/core](https://togithub.com/actions/core) from 1.10.0 to
    1.10.1 in
    [https://github.com/goreleaser/goreleaser-action/pull/434](https://togithub.com/goreleaser/goreleaser-action/pull/434)
    
    **Full Changelog**:
    goreleaser/goreleaser-action@v4.6.0...v5.0.0
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi44My4wIiwidXBkYXRlZEluVmVyIjoiMzYuODMuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
    renovate-bot authored Sep 19, 2023
    Commit 0c59a97
  4. Fix action naming and scheduled scan parameters (#543)

    - Fix missing the ./ in the scheduled scan.
    - Fix passing gh-annotations correctly
    - Update naming of the actions to be more clear
    another-rex authored Sep 19, 2023
    Commit a659b3b

Commits on Sep 20, 2023

  1. Update SARIF format (#534)

    Fixes #216 with a new format that separates out individual
    vulnerabilities.
    
    Each vulnerability is now its own rule violation. The aliased
    vulnerabilities are grouped together as one rule violation, with an ID
    picked in this priority (CVE -> [Eco Specific] -> GHSA).
    another-rex authored Sep 20, 2023
    Commit 26c9dfd

Commits on Sep 22, 2023

  1. Action docs (#541)

    GitHub Actions Docs
    
    [Preview](https://hayleycd.github.io/osv-scanner/github-action/)
    
    ---------
    
    Signed-off-by: Hayley Denbraver <denbraver@google.com>
    Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
    Hayley Denbraver and another-rex authored Sep 22, 2023
    Commit 5971841

Commits on Sep 25, 2023

  1. Minor readme update (#546)

    - Use a nicer looking star history graph,
    - Add a code cov badge.
    another-rex authored Sep 25, 2023
    Commit 4926e2f

Commits on Sep 26, 2023

  1. SARIF output fixes. (#547)

    - Use relative path for URIs.
    - Fix description/summary stability (due to map insertion order not
    being preserved), and sort by `<ECOSYSTEM> < <GHSA> < <CVE>` for
    extracting descriptions.
    - Remove an extraneous period.
    
    
    ![image](https://github.com/google/osv-scanner/assets/759062/74d12906-d790-4d03-9830-c47ebc5106f8)
    oliverchang authored Sep 26, 2023
    Commit 3791c92
  2. Add custom scan arguments (#552)

    Defaults are maintained.
    
    After this is merged we need to add more detailed documentation on how
    to use this as part of #516
    another-rex authored Sep 26, 2023
    Commit 580206a
  3. chore(deps): update workflows (#538)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v4.0.0` -> `v4.1.0` |
    | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.21.5` -> `v2.21.8` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>actions/checkout (actions/checkout)</summary>
    
    ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410)
    
    [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0)
    
    - [Add support for partial checkout
    filters](https://togithub.com/actions/checkout/pull/1396)
    
    </details>
    
    <details>
    <summary>github/codeql-action (github/codeql-action)</summary>
    
    ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)
    
    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)
    
    ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)
    
    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)
    
    ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)
    
    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi44My4wIiwidXBkYXRlZEluVmVyIjoiMzYuOTcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
    renovate-bot authored Sep 26, 2023
    Commit e1aac50
  4. chore(deps): lock file maintenance (#545)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Update | Change |
    |---|---|
    | lockFileMaintenance | All locks refreshed |
    
    🔧 This Pull Request updates lock files to use the latest dependency
    versions.
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 4am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45Ny4xIiwidXBkYXRlZEluVmVyIjoiMzYuOTcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
    
    Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
    renovate-bot and another-rex authored Sep 26, 2023
    Commit c92d083
  5. chore(deps): update dependency jekyll-feed to v0.17.0 (#544)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Change | Age | Adoption | Passing | Confidence |
    |---|---|---|---|---|---|
    | [jekyll-feed](https://togithub.com/jekyll/jekyll-feed) | `0.15.1` -> `0.17.0` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>jekyll/jekyll-feed (jekyll-feed)</summary>
    
    ### [`v0.17.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0170--2022-10-14)
    
    [Compare Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.16.0...v0.17.0)
    
    ##### Documentation
    
    - Update CI status badge
    ([#&#8203;363](https://togithub.com/jekyll/jekyll-feed/issues/363))
    
    ##### Development Fixes
    
    - Add Ruby 3.1 to the CI matrix
    ([#&#8203;365](https://togithub.com/jekyll/jekyll-feed/issues/365))
    
    ##### Minor Enhancements
    
    - Allow disabling of jekyll-feed while in development
    ([#&#8203;370](https://togithub.com/jekyll/jekyll-feed/issues/370))
    
    ### [`v0.16.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0160--2022-01-03)
    
    [Compare Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.15.1...v0.16.0)
    
    ##### Minor Enhancements
    
    - Add support for `page.description` in front matter to become entry
    `<summary>`
    ([#&#8203;297](https://togithub.com/jekyll/jekyll-feed/issues/297))
    
    ##### Bug Fixes
    
    - Fold private methods into the `:render` method as local variables
    ([#&#8203;327](https://togithub.com/jekyll/jekyll-feed/issues/327))
    - Check `post.categories` instead of `post.category`
    ([#&#8203;357](https://togithub.com/jekyll/jekyll-feed/issues/357))
    - Switched xml_escape for `<![CDATA[]]>` for post content
    ([#&#8203;332](https://togithub.com/jekyll/jekyll-feed/issues/332))
    
    ##### Development Fixes
    
    - Add Ruby 3.0 to CI
    ([#&#8203;337](https://togithub.com/jekyll/jekyll-feed/issues/337))
    - Lock RuboCop to v1.18.x
    ([#&#8203;348](https://togithub.com/jekyll/jekyll-feed/issues/348))
    - Add workflow to release gem via GH Action
    ([#&#8203;355](https://togithub.com/jekyll/jekyll-feed/issues/355))
    
    ##### Documentation
    
    - Use `.atom` extension in documented examples since we write an Atom
    feed ([#&#8203;359](https://togithub.com/jekyll/jekyll-feed/issues/359))
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45Ny4xIiwidXBkYXRlZEluVmVyIjoiMzYuOTcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
    renovate-bot authored Sep 26, 2023
    Commit 5862bfd

Commits on Sep 27, 2023

  1. Commit 04113a0
  2. ci: combine lint and test workflows (#554)

    While working on other stuff I noticed how spread out the workflows are
    - personally I find it's easier to maintain a small number of large
    workflows than a large number of smaller ones, because jobs are often
    shared; I guess an alternative way of framing it's about focusing on the
    actual _workflow_ rather than each action (i.e. you have a "checks"
    workflow which runs all jobs for checking PRs, a "release" workflow
    which has all the jobs you want to run for a release, etc).
    
    I think there are a few more improvements that could be made, but for
    now I've just merged the `test` and `lint` workflows as they feel the
    most superfluous.
    G-Rath authored Sep 27, 2023
    Commit 08b6fed
  3. chore: move scripts into the scripts directory (#555)

    We spoke about this a few weeks ago but I never got around to actioning
    it - overall I've tried to keep it light since this is more about
    keeping things tidy than committing to a long-term structure.
    G-Rath authored Sep 27, 2023
    Commit 3010645
  4. test: compare expected with actual rather than the other way around (#556)

    This isn't hiding anything, but it's semantically incorrect
    G-Rath authored Sep 27, 2023
    Commit 50832d6
  5. Add new ecosystems, and a slice containing all of them. (#557)

    Signed-off-by: Caleb Brown <calebbrown@google.com>
    calebbrown authored Sep 27, 2023
    Commit 195e57b
  6. test: use cmp.Diff for comparing output (#558)

    This makes it easier to determine what is wrong in CLI tests by showing
    an actual diff; while in most cases this is an improvement, I have found
    it's sometimes useful to have the raw output printed so I've included an
    env variable to allow switching easily with `cmp.Diff` being the
    default.
    
    In order to reduce the diff noise when a test does fail, this also
    switches to replacing occurrences of the current working directory in
    the _actual_ output with `<rootdir>`; this also means that the output
    will be what should be in the test cases, rather than the absolute path
    that people would have to replace with `<rootdir>`.
    
    While this could be used throughout the whole test suite, I've just
    applied this to the CLI tests for now because I think they've got the
    most to gain whereas it'd be a lot of tedious work to switch to using it
    everywhere; it should be easy to switch to using it in other places over
    time.
    
    I have also confirmed that `dedent` correctly handles both spaces and
    tabs - you can mix and match them without issue (and in fact a few of
    the tests are using spaces instead of tabs).
    G-Rath authored Sep 27, 2023
    Commit 8113801

Commits on Sep 29, 2023

  1. ci: run tests on macos and in parallel when releasing (#560)

    The test suite needs to be adjusted to handle OS-based differences
    before it can be run on Windows, but in the meantime we can start
    running on macOS; this also moves the linting step to be in parallel
    when releasing too.
    G-Rath authored Sep 29, 2023
    Commit 12331be

Commits on Oct 2, 2023

  1. ci: use .go-version file (#564)

    Even if folks don't use [`goenv`](https://github.com/go-nv/goenv) to
    manage their Go versions, this means CI is reading from a single file,
    making it easier to update the version of Go being used across all
    workflows.
    G-Rath authored Oct 2, 2023
    Commit 5f725bd
  2. Block release on vuln scan (#561)

    `osv-scanner-reusable-scheduled` actually doesn't have anything to do
    with having a schedule, so just removed the scheduled part from the
    name.
    
    This reusable workflow is now also used in the release pipeline to block
    releases if there are vulnerabilities.
    another-rex authored Oct 2, 2023
    Commit fac0935
  3. ci: ensure that actions/checkout is pinned (#563)

    I'm surprised that renovate didn't flag these but oh well 🤷
    G-Rath authored Oct 2, 2023
    Commit d683cfb
  4. ci: don't fetch the whole repository history when it's not needed (#562)

    These jobs shouldn't need the whole commit history, so this is just
    wasting CPU cycles
    G-Rath authored Oct 2, 2023
    Commit 993bbed

Commits on Oct 3, 2023

  1. chore(deps): update alpine:3.18 docker digest to eece025 (#565)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | alpine | final | digest | `7144f7b` -> `eece025` |
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
    renovate-bot authored Oct 3, 2023
    Commit 85f01cf
  2. chore(deps): update golang:alpine docker digest to 4bc6541 (#566)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | golang | stage | digest | `96634e5` -> `4bc6541` |
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
    renovate-bot authored Oct 3, 2023
    Commit d551c40
  3. chore(deps): update github/codeql-action action to v2.21.9 (#567)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.21.8` -> `v2.21.9` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>github/codeql-action (github/codeql-action)</summary>
    
    ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)
    
    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
    renovate-bot authored Oct 3, 2023
    commit 2964602
  4. chore(deps): update dependency jekyll-feed to v0.17.0 (#568)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Change | Age | Adoption | Passing | Confidence |
    |---|---|---|---|---|---|
    | [jekyll-feed](https://togithub.com/jekyll/jekyll-feed) | `0.15.1` -> `0.17.0` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>jekyll/jekyll-feed (jekyll-feed)</summary>
    
    ### [`v0.17.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0170--2022-10-14)
    
    [Compare
    Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.16.0...v0.17.0)
    
    ##### Documentation
    
    - Update CI status badge
    ([#&#8203;363](https://togithub.com/jekyll/jekyll-feed/issues/363))
    
    ##### Development Fixes
    
    - Add Ruby 3.1 to the CI matrix
    ([#&#8203;365](https://togithub.com/jekyll/jekyll-feed/issues/365))
    
    ##### Minor Enhancements
    
    - Allow disabling of jekyll-feed while in development
    ([#&#8203;370](https://togithub.com/jekyll/jekyll-feed/issues/370))
    
    ### [`v0.16.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0160--2022-01-03)
    
    [Compare
    Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.15.1...v0.16.0)
    
    ##### Minor Enhancements
    
    - Add support for `page.description` in front matter to become entry
    `<summary>`
    ([#&#8203;297](https://togithub.com/jekyll/jekyll-feed/issues/297))
    
    ##### Bug Fixes
    
    - Fold private methods into the `:render` method as local variables
    ([#&#8203;327](https://togithub.com/jekyll/jekyll-feed/issues/327))
    - Check `post.categories` instead of `post.category`
    ([#&#8203;357](https://togithub.com/jekyll/jekyll-feed/issues/357))
    - Switched xml_escape for `<![CDATA[]]>` for post content
    ([#&#8203;332](https://togithub.com/jekyll/jekyll-feed/issues/332))
    
    ##### Development Fixes
    
    - Add Ruby 3.0 to CI
    ([#&#8203;337](https://togithub.com/jekyll/jekyll-feed/issues/337))
    - Lock RuboCop to v1.18.x
    ([#&#8203;348](https://togithub.com/jekyll/jekyll-feed/issues/348))
    - Add workflow to release gem via GH Action
    ([#&#8203;355](https://togithub.com/jekyll/jekyll-feed/issues/355))
    
    ##### Documentation
    
    - Use `.atom` extension in documented examples since we write an Atom
    feed ([#&#8203;359](https://togithub.com/jekyll/jekyll-feed/issues/359))
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
    renovate-bot authored Oct 3, 2023
    commit f4985f9

Commits on Oct 4, 2023

  1. SARIF with fixed version (#559)

    Add fixed version in help text + unit tests
    
    Also add `osv-reporter` to scheduled scanning; this allows scheduled
    scanning to print out the vulnerability table as well as the SARIF.
    
    Updated the unit tests to show a git-like diff output for text
    comparisons, to make it easier to see where things changed from the last
    snapshot. This does pull in one additional dependency, however:
    github.com/hexops/gotextdiff
    another-rex authored Oct 4, 2023
    commit b4397d3

Commits on Oct 5, 2023

  1. commit 087cc42
  2. Fix goreleaser and update changelog (#572)

    Correctly use reusable action this time.
    another-rex authored Oct 5, 2023
    commit 788eab2
  3. Allow release scanning to upload SARIF file. (#573)

    Testing these fixes per merge: it runs correctly now; it just needs
    permission to upload the scan SARIF results.
    another-rex authored Oct 5, 2023
    commit c509779
Showing with 2,841 additions and 459 deletions.
  1. +22 −4 .github/workflows/{lint.yaml → checks.yml}
  2. +4 −4 .github/workflows/codeql-analysis.yml
  3. +55 −10 .github/workflows/goreleaser.yml
  4. +1 −1 .github/workflows/link-check-on-push.yml
  5. +3 −3 .github/workflows/link-check.yml
  6. +2 −3 .github/workflows/osv-scanner-pr.yml
  7. +24 −14 .github/workflows/osv-scanner-reusable-pr.yml
  8. +28 −9 .github/workflows/{osv-scanner-reusable-scheduled.yml → osv-scanner-reusable.yml}
  9. +5 −4 .github/workflows/osv-scanner-scheduled.yml
  10. +2 −2 .github/workflows/scorecards.yml
  11. +1 −1 .github/workflows/test-action/action.yml
  12. +0 −45 .github/workflows/test.yml
  13. +1 −0 .go-version
  14. +1 −1 .goreleaser.yml
  15. +13 −2 CHANGELOG.md
  16. +12 −9 CONTRIBUTING.md
  17. +2 −2 Dockerfile
  18. +3 −2 README.md
  19. +2 −2 action.dockerfile
  20. +3 −16 actions/reporter/action.yml
  21. +7 −18 actions/scanner/action.yml
  22. +19 −4 cmd/osv-reporter/main.go
  23. +40 −0 cmd/osv-reporter/main_test.go
  24. +5 −6 cmd/osv-scanner/main.go
  25. +221 −154 cmd/osv-scanner/main_test.go
  26. +2 −0 codecov.yml
  27. +7 −5 docs/Gemfile.lock
  28. +1 −1 docs/contribute.md
  29. +3 −3 docs/experimental.md
  30. +86 −0 docs/github-action.md
  31. +14 −12 go.mod
  32. +33 −13 go.sum
  33. +1 −1 goreleaser.dockerfile
  34. +2 −2 internal/ci/fixtures/vulns/test-vuln-diff-a-a-1.json
  35. +2 −2 internal/ci/fixtures/vulns/test-vuln-diff-a-b.json
  36. +3 −3 internal/ci/fixtures/vulns/test-vuln-diff-c-b.json
  37. +2 −2 internal/ci/fixtures/vulns/test-vuln-results-a-1.json
  38. +2 −2 internal/ci/fixtures/vulns/test-vuln-results-a.json
  39. +3 −3 internal/ci/fixtures/vulns/test-vuln-results-b.json
  40. +1 −1 internal/ci/fixtures/vulns/test-vuln-results-c.json
  41. +5 −5 internal/local/zip_test.go
  42. +138 −0 internal/output/fixtures/sarif-output.md
  43. +495 −0 internal/output/fixtures/test-vuln-results-a-grouped.json
  44. +292 −0 internal/output/fixtures/test-vuln-results-a.json
  45. +122 −0 internal/output/fixtures/test-vuln-results-a.sarif
  46. +206 −0 internal/output/fixtures/vuln-grouped.json
  47. +27 −1 internal/output/githubannotation.go
  48. +50 −0 internal/output/identifiers.go
  49. +81 −0 internal/output/identifiers_test.go
  50. +132 −0 internal/output/result.go
  51. +62 −0 internal/output/result_test.go
  52. +239 −51 internal/output/sarif.go
  53. +30 −0 internal/output/sarif_internal_test.go
  54. +35 −0 internal/output/sarif_test.go
  55. +31 −31 internal/sourceanalysis/fixtures-go/govulncheckinput.json
  56. +39 −0 internal/testutility/utility.go
  57. +4 −0 internal/version/version.go
  58. +117 −0 pkg/config/config_internal_test.go
  59. +14 −0 pkg/lockfile/extract_test.go
  60. +14 −0 pkg/lockfile/parse_test.go
  61. +31 −0 pkg/models/constants.go
  62. +7 −3 pkg/models/results.go
  63. +1 −1 pkg/osvscanner/optional_enricher.go
  64. +14 −1 pkg/reporter/format_test.go
  65. +5 −0 scripts/build.sh
  66. +5 −0 scripts/build_snapshot.sh
  67. +7 −0 scripts/generate_coverage_report.sh
  68. 0 { → scripts}/run_lints.sh
  69. 0 { → scripts}/run_tests.sh
26 changes: 22 additions & 4 deletions .github/workflows/lint.yaml → .github/workflows/checks.yml
Original file line number Diff line number Diff line change
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: lint
name: Checks

on:
push:
@@ -32,14 +32,32 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
persist-credentials: false
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.19'
go-version-file: .go-version
check-latest: true
- name: Run lint action
uses: ./.github/workflows/lint-action
tests:
name: Run unit tests
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Check out code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: .go-version
check-latest: true
- name: Run test action
uses: ./.github/workflows/test-action
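Review bot: `check-latest: true` on both new `Set up Go` steps makes the toolchain float to the newest release matching `.go-version` rather than the exact version recorded there (unless the file holds a full patch version), so two runs of the same commit can build with different compilers; if the point of introducing `.go-version` is reproducibility, drop `check-latest` and keep the file exact. Also, the `Check out code` / `Set up Go` pair is now copied into `lint` and `tests` here and again into goreleaser.yml; a single composite action or reusable workflow would keep the SHA pins in one place so the next bump does not have to touch six steps.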
8 changes: 4 additions & 4 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
@@ -40,11 +40,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
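Review bot: the `Checkout repository` step is bumped to `actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0` but, unlike the checkouts added in checks.yml, does not set `persist-credentials: false`; CodeQL only needs to read the tree, so the token does not need to remain in `.git/config` for the rest of the job. Suggest adding `with:` / `persist-credentials: false` under the `uses:` line for consistency with the other workflows in this change.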
@@ -55,7 +55,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -69,4 +69,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
65 changes: 55 additions & 10 deletions .github/workflows/goreleaser.yml
Original file line number Diff line number Diff line change
@@ -7,43 +7,88 @@ on:

permissions:
contents: read # to fetch code (actions/checkout)
# Require writing security events to upload SARIF file to security tab
security-events: write

jobs:
osv-scan:
uses: ./.github/workflows/osv-scanner-reusable.yml
with:
# Only scan the top level go.mod file without recursively scanning directories since
# this is pipeline is about releasing the go module and binary
scan-args: |-
--skip-git
./
lint:
name: golangci-lint
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: .go-version
check-latest: true
- name: Run lint action
uses: ./.github/workflows/lint-action
tests:
name: Run unit tests
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Check out code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: .go-version
check-latest: true
- name: Run test action
uses: ./.github/workflows/test-action
goreleaser:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
permissions:
contents: write # for goreleaser/goreleaser-action to create a GitHub release
packages: write # for goreleaser/goreleaser-action to publish docker images
runs-on: ubuntu-latest
needs:
- lint
- tests
- osv-scan
env:
# Required for buildx on docker 19.x
DOCKER_CLI_EXPERIMENTAL: "enabled"
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.19
go-version-file: .go-version
check-latest: true
- name: Run Tests
uses: ./.github/workflows/test-action
- name: Run Lints
uses: ./.github/workflows/lint-action
- uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
- uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
- name: ghcr-login
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
version: latest
args: release --rm-dist
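Review bot: `version: latest` on the `Run GoReleaser` step leaves the tool that builds and publishes the release floating while every action in this file is now pinned to a commit SHA; pin a GoReleaser version there (newer GoReleaser releases also deprecate `--rm-dist` in favour of `--clean`, so an unpinned `latest` is how `args: release --rm-dist` will eventually break). Two smaller points in the same hunk: the workflow-level `security-events: write` is inherited by `lint`, `tests` and `goreleaser`, none of which upload SARIF, so move it to a `permissions:` block on the `osv-scan` job and keep the top level at `contents: read`; and since `goreleaser` now has `needs: - osv-scan` and the scanner step in osv-scanner-reusable.yml has no `continue-on-error`, any known vulnerability in the top-level go.mod blocks the release, which is a good gate but deserves a one-line comment saying it is intentional.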
2 changes: 1 addition & 1 deletion .github/workflows/link-check-on-push.yml
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@ jobs:
markdown-link-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: gaurav-nelson/github-action-markdown-link-check@a996638015fbc9ef96beef1a41bbad7df8e06154
with:
use-quiet-mode: "yes"
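Review bot: `gaurav-nelson/github-action-markdown-link-check@a996638015fbc9ef96beef1a41bbad7df8e06154` is pinned to a SHA but has no `# vX.Y.Z` comment, so neither a reader nor an update bot can tell which release that commit corresponds to, which is exactly what the `# v4.1.0` comment on the checkout line above provides; add the version comment here and on the identical line in link-check.yml.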
6 changes: 3 additions & 3 deletions .github/workflows/link-check.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Check markdown links on schedule

on:
on:
schedule:
- cron: '45 22 * * 1,4'
permissions: # added using https://github.com/step-security/secure-repo
@@ -9,8 +9,8 @@ jobs:
markdown-link-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: gaurav-nelson/github-action-markdown-link-check@a996638015fbc9ef96beef1a41bbad7df8e06154
with:
use-quiet-mode: "yes"
# Documentation available here: https://github.com/marketplace/actions/markdown-link-check
# Documentation available here: https://github.com/marketplace/actions/markdown-link-check
5 changes: 2 additions & 3 deletions .github/workflows/osv-scanner-pr.yml
Original file line number Diff line number Diff line change
@@ -12,11 +12,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: osv-scanner
name: OSV-Scanner PR Scan

on:
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
merge_group:
branches: [ main ]
@@ -25,5 +24,5 @@ on:
permissions: read-all

jobs:
scan-pr-attempt:
scan-pr:
uses: "./.github/workflows/osv-scanner-reusable-pr.yml"
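Review bot: `permissions: read-all` on this caller caps what `osv-scanner-reusable-pr.yml` can do, and that reusable workflow ends with a `github/codeql-action/upload-sarif` step, which needs `security-events: write` (the comment in goreleaser.yml says as much: "Require writing security events to upload SARIF file to security tab"); a called workflow cannot raise its permissions above the caller's, so the upload step will fail here. Either grant `security-events: write` and `contents: read` on the `scan-pr` job, mirroring osv-scanner-scheduled.yml, or drop the code-scanning upload from the PR path and rely on the annotations and the artifact.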
38 changes: 24 additions & 14 deletions .github/workflows/osv-scanner-reusable-pr.yml
Original file line number Diff line number Diff line change
@@ -12,16 +12,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: OSV-Scanner PR scanning
name: OSV-Scanner PR scanning reusable

on:
workflow_call:
inputs:
scan-args:
description: "Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output)"
type: string
default: |-
-r
--skip-git
./
jobs:
scan-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0
# Do persist credentials, as we need it for the git checkout later
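Review bot: the `scan-args` description says callers "cannot set --format or --output", but nothing enforces it; the input is appended after the fixed `--format=json` / `--output=old-results.json` arguments in the scan steps, so a caller who passes `--output` redirects the results and the reporter step then reads a file that was never written. Either validate the input (fail fast if it contains `--format` or `--output`) or reword the description to say those flags are set by the workflow and must not be repeated. On the checkout: with `fetch-depth: 0` the full history is already local, so the later `git checkout $GITHUB_SHA` should not need the persisted token; unless a step in the elided lines fetches from the remote, `persist-credentials: false` would work here as it does in checks.yml.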
@@ -31,25 +39,28 @@ jobs:
uses: google/osv-scanner/actions/scanner@main
continue-on-error: true
with:
results-format: json
results-file: old-results.json
to-scan: .
scan-args: |-
--format=json
--output=old-results.json
${{ inputs.scan-args }}
- name: "Checkout current branch"
run: git checkout $GITHUB_SHA
- name: "Run scanner on new code"
uses: google/osv-scanner/actions/scanner@main
with:
results-format: json
results-file: new-results.json
to-scan: .
scan-args: |-
--format=json
--output=new-results.json
${{ inputs.scan-args }}
continue-on-error: true
- name: "Run osv-scanner-reporter"
uses: google/osv-scanner/actions/reporter@main
with:
output-sarif-file: final-results.sarif
old-results: old-results.json
new-results: new-results.json
gh-annotations: true
scan-args: |-
--output=final-results.sarif
--old=old-results.json
--new=new-results.json
--gh-annotations=true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
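Review bot: `google/osv-scanner/actions/scanner@main` and `google/osv-scanner/actions/reporter@main` are the only floating references left after this change; everything else is pinned to a commit SHA. Inside this repository it means a PR is scanned with whatever `main` currently holds rather than the scanner built from the commit under test, and for downstream users of this reusable workflow it is an unpinned dependency in the path that produces security findings; pin to a release tag or SHA with the usual `# vX.Y.Z` comment, or use `./actions/scanner` for in-repo runs. Also, with `continue-on-error: true` on both scan steps, a scanner crash (as opposed to a finding) leaves `old-results.json` or `new-results.json` missing and surfaces only as the reporter failing; a short step that checks both files exist would give a clearer error.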
@@ -76,7 +87,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: '!cancelled()'
uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with:
sarif_file: final-results.sarif

Original file line number Diff line number Diff line change
@@ -12,36 +12,55 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: OSV-Scanner Scheduled scanning
name: OSV-Scanner scanning reusable

on:
workflow_call:
inputs:
scan-args:
description: "Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output)"
type: string
default: |-
-r
--skip-git
./
results-file-name:
description: "File name of the result SARIF file"
type: string
default: results.sarif

jobs:
scan-scheduled:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: "Run scanner"
uses: google/osv-scanner/actions/scanner@main
with:
results-format: sarif
results-file: results.sarif
to-scan: .
recursive-scan: true
scan-args: |-
--output=results.json
--format=json
${{ inputs.scan-args }}
- name: "Run osv-scanner-reporter"
uses: google/osv-scanner/actions/reporter@main
with:
scan-args: |-
--output=${{ inputs.results-file-name }}
--new=results.json
--gh-annotations=false
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
if: '!cancelled()'
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
path: ${{ inputs.results-file-name }}
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: '!cancelled()'
uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with:
sarif_file: results.sarif
sarif_file: ${{ inputs.results-file-name }}
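Review bot: `actions/checkout@v4` is the one tag-pinned action in this change; every other checkout was moved to `actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0`, so use the same SHA here. Also, unlike the PR workflow, the `Run scanner` step has no `continue-on-error: true`, and the `Run osv-scanner-reporter` step has no `if:`; if the scanner still exits non-zero on findings, the reporter is skipped and the two `if: '!cancelled()'` upload steps then look for `${{ inputs.results-file-name }}`, which was never written. Add `continue-on-error: true` to the scanner step as osv-scanner-reusable-pr.yml does, or `if: '!cancelled()'` on the reporter, so a finding produces a SARIF rather than a missing-file error.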

9 changes: 5 additions & 4 deletions .github/workflows/osv-scanner-scheduled.yml
Original file line number Diff line number Diff line change
@@ -12,19 +12,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: osv-scanner
name: OSV-Scanner Scheduled Scan

on:
schedule:
- cron: '12 12 * * 1'
push:
branches: [ "main" ]

# Declare default permissions as read only.
permissions:
permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Only need to read contents
contents: read

jobs:
scan-scheduled:
uses: "./.github/workflows/osv-scanner-reusable-scheduled.yml"
uses: "./.github/workflows/osv-scanner-reusable.yml"
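Review bot: the workflow now also runs on `push` to `main` but is still named `OSV-Scanner Scheduled Scan`; rename it (or add a comment explaining why push scans of `main` live here rather than in the PR workflow) so the Actions tab does not suggest it only runs on the cron. The permissions block here (`security-events: write`, `contents: read`) is scoped correctly and is what osv-scanner-pr.yml's `permissions: read-all` should be brought in line with.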