Comparing changes
base repository: google/osv-scanner
base: v1.4.2
...
head repository: google/osv-scanner
compare: v1.4.3
  • 17 commits
  • 36 files changed
  • 8 contributors

Commits on Oct 25, 2023

  1. fix: remove some extra newlines in sarif report (#607)

    This is a bit nicer semantically imo and it also means the report is
    slightly smaller which is good.
    
    I've not bothered dealing with the trailing `, ` when there are multiple
    IDs as it seems like that would be a lot more work relative to the other
    changes so I don't think it's worth it.
    G-Rath authored Oct 25, 2023

    3ed8963
  2. test: use cmp.Diff for diffing (#605)

    I think this gives an overall better output, and it lets us drop a
    couple of dependencies.
    
    Before:
    <img width="1580" alt="image" src="https://github.com/google/osv-scanner/assets/3151613/42732db7-2aec-4066-be80-ca8cac370882">
    
    After:
    <img width="1592" alt="image" src="https://github.com/google/osv-scanner/assets/3151613/08b0eb34-50ee-4604-850b-88316c5784c9">
    G-Rath authored Oct 25, 2023

    138d67a

Commits on Oct 26, 2023

  1. Gate extended tests (#598)

    Put tests that require additional dependencies beyond the go toolchain
    behind the CI flag to not force all developers to install all
    dependencies (this becomes more important as more source analysis
    support is added).
    another-rex authored Oct 26, 2023

    f25128e
  2. Some minor post release fixes (#613)

    - Fix github action documentation to have correct examples
    - Update jekyll feed dependency, which renovate bot fails to do for some
    reason
    - Set the upload-tag-name to actually upload the verification along with
    the release using the new pipeline. (This is because the new pipeline no
    longer runs "on" a commit, so cannot automatically pick up the tag. This
    actually causes bigger problems in that we can't verify the tag (see
    slsa-framework/slsa-github-generator#1947))
    another-rex authored Oct 26, 2023

    f587bc9
  3. handle npm aliased packages (#610)

    Fixes #588
    cuixq authored Oct 26, 2023

    f1e0e5b

Commits on Oct 27, 2023

  1. chore(deps): update workflows (#596)

    [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.22.3` -> `v2.22.4` |
    | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | patch | `v2.3.0` -> `v2.3.1` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>github/codeql-action (github/codeql-action)</summary>
    
    ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)
    
    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)
    
    </details>
    
    <details>
    <summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
    
    ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)
    
    [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/google/osv-scanner).
    
    renovate-bot authored Oct 27, 2023
    073639f
  2. chore(deps): update dependency jekyll-feed to v0.17.0 (#597)

    
    This PR contains the following updates:
    
    | Package | Change | Age | Adoption | Passing | Confidence |
    |---|---|---|---|---|---|
    | [jekyll-feed](https://togithub.com/jekyll/jekyll-feed) | `0.15.1` -> `0.17.0` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/jekyll-feed/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/jekyll-feed/0.15.1/0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>jekyll/jekyll-feed (jekyll-feed)</summary>
    
    ### [`v0.17.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0170--2022-10-14)
    
    [Compare Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.16.0...v0.17.0)
    
    ##### Documentation
    
    - Update CI status badge ([#363](https://togithub.com/jekyll/jekyll-feed/issues/363))
    
    ##### Development Fixes
    
    - Add Ruby 3.1 to the CI matrix ([#365](https://togithub.com/jekyll/jekyll-feed/issues/365))
    
    ##### Minor Enhancements
    
    - Allow disabling of jekyll-feed while in development ([#370](https://togithub.com/jekyll/jekyll-feed/issues/370))
    
    ### [`v0.16.0`](https://togithub.com/jekyll/jekyll-feed/blob/HEAD/History.markdown#0160--2022-01-03)
    
    [Compare Source](https://togithub.com/jekyll/jekyll-feed/compare/v0.15.1...v0.16.0)
    
    ##### Minor Enhancements
    
    - Add support for `page.description` in front matter to become entry `<summary>` ([#297](https://togithub.com/jekyll/jekyll-feed/issues/297))
    
    ##### Bug Fixes
    
    - Fold private methods into the `:render` method as local variables ([#327](https://togithub.com/jekyll/jekyll-feed/issues/327))
    - Check `post.categories` instead of `post.category` ([#357](https://togithub.com/jekyll/jekyll-feed/issues/357))
    - Switched xml_escape for `<![CDATA[]]>` for post content ([#332](https://togithub.com/jekyll/jekyll-feed/issues/332))
    
    ##### Development Fixes
    
    - Add Ruby 3.0 to CI ([#337](https://togithub.com/jekyll/jekyll-feed/issues/337))
    - Lock RuboCop to v1.18.x ([#348](https://togithub.com/jekyll/jekyll-feed/issues/348))
    - Add workflow to release gem via GH Action ([#355](https://togithub.com/jekyll/jekyll-feed/issues/355))
    
    ##### Documentation
    
    - Use `.atom` extension in documented examples since we write an Atom feed ([#359](https://togithub.com/jekyll/jekyll-feed/issues/359))
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    renovate-bot authored Oct 27, 2023
    8340d5a

Commits on Oct 29, 2023

  1. chore(deps): update github/codeql-action action to v2.22.5 (#616)

    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.22.4` -> `v2.22.5` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>github/codeql-action (github/codeql-action)</summary>
    
    ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)
    
    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    renovate-bot authored Oct 29, 2023
    4d4ad2a

Commits on Oct 30, 2023

  1. fix(deps): update osv-scanner minor (#618)

    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [github.com/go-git/go-git/v5](https://togithub.com/go-git/go-git) | require | minor | `v5.9.0` -> `v5.10.0` |
    | [github.com/ianlancetaylor/demangle](https://togithub.com/ianlancetaylor/demangle) | require | digest | `eabc099` -> `e2daf7b` |
    | [github.com/jedib0t/go-pretty/v6](https://togithub.com/jedib0t/go-pretty) | require | patch | `v6.4.8` -> `v6.4.9` |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>
    
    ### [`v5.10.0`](https://togithub.com/go-git/go-git/releases/tag/v5.10.0)
    
    [Compare Source](https://togithub.com/go-git/go-git/compare/v5.9.0...v5.10.0)
    
    #### What's Changed
    
    - PlainInitOptions.Bare and allow using InitOptions with PlainInitWithOptions by [@ThinkChaos](https://togithub.com/ThinkChaos) in [https://github.com/go-git/go-git/pull/782](https://togithub.com/go-git/go-git/pull/782)
    - Worktree, apply ProxyOption on Pull by [@nodivbyzero](https://togithub.com/nodivbyzero) in [https://github.com/go-git/go-git/pull/840](https://togithub.com/go-git/go-git/pull/840)
    - Repository: add clone --shared feature by [@enverbisevac](https://togithub.com/enverbisevac) in [https://github.com/go-git/go-git/pull/860](https://togithub.com/go-git/go-git/pull/860)
    - build: Add github workflow to check commit message format by [@pjbgf](https://togithub.com/pjbgf) in [https://github.com/go-git/go-git/pull/867](https://togithub.com/go-git/go-git/pull/867)
    - Improve handling of remote errors by [@makkes](https://togithub.com/makkes) in [https://github.com/go-git/go-git/pull/866](https://togithub.com/go-git/go-git/pull/866)
    - build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/go-git/go-git/pull/873](https://togithub.com/go-git/go-git/pull/873)
    - plumbing: commitgraph, Add generation v2 support by [@zeripath](https://togithub.com/zeripath) in [https://github.com/go-git/go-git/pull/869](https://togithub.com/go-git/go-git/pull/869)
    - plumbing: protocol/packp, Add validation for decodeLine by [@pjbgf](https://togithub.com/pjbgf) in [https://github.com/go-git/go-git/pull/868](https://togithub.com/go-git/go-git/pull/868)
    - plumbing: parse the encoding header of the commit object by [@liwenqiu](https://togithub.com/liwenqiu) in [https://github.com/go-git/go-git/pull/761](https://togithub.com/go-git/go-git/pull/761)
    - plumbing: commitgraph, allow SHA256 commit-graphs by [@zeripath](https://togithub.com/zeripath) in [https://github.com/go-git/go-git/pull/853](https://togithub.com/go-git/go-git/pull/853)
    - plumbing: commitgraph, Allow reading commit-graph chains by [@zeripath](https://togithub.com/zeripath) in [https://github.com/go-git/go-git/pull/854](https://togithub.com/go-git/go-git/pull/854)
    - plumbing/object: Support mergetag in merge commits by [@adityasaky](https://togithub.com/adityasaky) in [https://github.com/go-git/go-git/pull/847](https://togithub.com/go-git/go-git/pull/847)
    
    #### New Contributors
    
    - [@nodivbyzero](https://togithub.com/nodivbyzero) made their first contribution in [https://github.com/go-git/go-git/pull/840](https://togithub.com/go-git/go-git/pull/840)
    - [@adityasaky](https://togithub.com/adityasaky) made their first contribution in [https://github.com/go-git/go-git/pull/847](https://togithub.com/go-git/go-git/pull/847)
    - [@hezhizhen](https://togithub.com/hezhizhen) made their first contribution in [https://github.com/go-git/go-git/pull/836](https://togithub.com/go-git/go-git/pull/836)
    - [@0x34d](https://togithub.com/0x34d) made their first contribution in [https://github.com/go-git/go-git/pull/855](https://togithub.com/go-git/go-git/pull/855)
    - [@liwenqiu](https://togithub.com/liwenqiu) made their first contribution in [https://github.com/go-git/go-git/pull/761](https://togithub.com/go-git/go-git/pull/761)
    - [@enverbisevac](https://togithub.com/enverbisevac) made their first contribution in [https://github.com/go-git/go-git/pull/860](https://togithub.com/go-git/go-git/pull/860)
    - [@makkes](https://togithub.com/makkes) made their first contribution in [https://github.com/go-git/go-git/pull/866](https://togithub.com/go-git/go-git/pull/866)
    
    **Full Changelog**: go-git/go-git@v5.9.0...v5.10.0
    
    </details>
    
    <details>
    <summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary>
    
    ### [`v6.4.9`](https://togithub.com/jedib0t/go-pretty/releases/tag/v6.4.9)
    
    [Compare Source](https://togithub.com/jedib0t/go-pretty/compare/v6.4.8...v6.4.9)
    
    ### Bug-Fixes
    
    - **table**
      - do not merge content cells with empty ones ([#280](https://togithub.com/jedib0t/go-pretty/issues/280))
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
    Australia/Sydney, Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    renovate-bot authored Oct 30, 2023
    ffa5425
  2. fix: handle yarn aliased packages (#615)

    Resolves #588
    Follows up #610
    
    Because of how PNPM structures its lockfile, aliases are already
    supported there.
    G-Rath authored Oct 30, 2023
    419a945
  3. Scan submodules too. (#581)

    Using https://github.com/charlesneimog/pd-server (at cf3f15a) as the
    example:
    
    With submodules not initialized:
    
    ```
    $ go run ./cmd/osv-scanner -r ../pd-server/
    Scanning dir ../pd-server/
    Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
    Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
    Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
    Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
    Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
    ╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬──────────────────────────────╮
    │ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                       │
    ├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼──────────────────────────────┤
    │ https://osv.dev/CVE-2023-26130 │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │
    ╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴──────────────────────────────╯
    exit status 1
    ```
    
    With submodules initialized:
    
    ```
    $ go run ./cmd/osv-scanner -r ../pd-server/
    Scanning dir ../pd-server/
    Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
    Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
    Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
    Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
    Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
    Scanned /home/apollock/pd-server/src/json/docs/mkdocs/requirements.txt file and found 49 packages
    Scanned /home/apollock/pd-server/src/json/tools/serve_header/requirements.txt file and found 2 packages
    ╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬────────────────────────────────────────────────────╮
    │ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                                             │
    ├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼────────────────────────────────────────────────────┤
    │ https://osv.dev/CVE-2023-26130      │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib                       │
    │ https://osv.dev/GHSA-xqr8-7jwr-rhp7 │ 7.5  │ PyPI      │ certifi             │ 2022.12.7           │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-135      │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-v3c5-jqr6-7qm8 │ 7.5  │ PyPI      │ future              │ 0.18.2              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2022-42991    │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-cwvm-v4w8-q58c │ 6.5  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-165      │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-hcpj-qp55-gfph │ 8.1  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2022-42992    │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-pr76-5cm5-w9cj │ 9.8  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-137      │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-wfm5-v35h-vwf4 │ 7.8  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-161      │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-mrwq-x4v8-fh7p │ 5.5  │ PyPI      │ pygments            │ 2.13.0              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-117      │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-jh85-wwv9-24hv │ 7.5  │ PyPI      │ pymdown-extensions  │ 9.9                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/GHSA-j8r2-6x86-q33q │ 6.1  │ PyPI      │ requests            │ 2.28.1              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-74       │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-hj3f-6gcp-jg8j │ 6.1  │ PyPI      │ tornado             │ 6.2                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-75       │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-qppv-j76h-2rpx │      │ PyPI      │ tornado             │ 6.2                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/GHSA-g4mx-q9vg-27p4 │ 4.2  │ PyPI      │ urllib3             │ 1.26.13             │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-212      │      │           │                     │                     │                                                    │
    │ https://osv.dev/GHSA-v845-jxx5-vc9f │ 8.1  │ PyPI      │ urllib3             │ 1.26.13             │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
    │ https://osv.dev/PYSEC-2023-192      │      │           │                     │                     │                                                    │
    ╰─────────────────────────────────────┴──────┴───────────┴─────────────────────┴─────────────────────┴────────────────────────────────────────────────────╯
    exit status 1
    ```
    andrewpollock authored Oct 30, 2023
    f819495

Commits on Oct 31, 2023

  1. Go binary not found should not be an error (#622)

    as it's very likely to be found in a lot of circumstances (e.g. running
    in CI).
    
    See #620 for more context.
    another-rex authored Oct 31, 2023
    5a02f6c

Commits on Nov 1, 2023

  1. Fix gitignore matching for root directory (#626)

    Was representing the relative root of the repo as `./.` which, if the
    .gitignore file matched `.*`, caused the whole directory to be ignored.
    michaelkedar authored Nov 1, 2023
    130254c
  2. Fix permissions in PR osv-scanner (#625)

    Fix permissions in Github actions PR example.
    another-rex authored Nov 1, 2023
    b099238
  3. Refactor package scanning to produce packages instead of queries (#614)

    This is in preparation for the license scanning feature. The queries are
    structured around making requests to the OSV API; we will also want to
    make requests to the deps.dev API.
    #501
    josieang authored Nov 1, 2023
    ac2897c
  4. Add support for determineversions API (#612). (#621)

    Fixes #612.
    
    Tested on https://github.com/opencv/opencv
    
    We need to set up an e2e test for this as well (maybe add some
    submodules + vendored libs to
    https://github.com/ossf-tests/scorecard-check-osv-e2e).
    
    ```
    Scanning dir /tmp/opencv
    Scanning /tmp/opencv/ at commit e9e6b1e22c1a966a81aca1217b16a51fe7311b3b
    Scanning directory for vendored libs: /tmp/opencv/3rdparty
    Scanning potential vendored dir: /tmp/opencv/3rdparty/carotene
    Scanning potential vendored dir: /tmp/opencv/3rdparty/cpufeatures
    Scanning potential vendored dir: /tmp/opencv/3rdparty/ffmpeg
    Scanning potential vendored dir: /tmp/opencv/3rdparty/flatbuffers
    Scanning potential vendored dir: /tmp/opencv/3rdparty/include
    Scanning potential vendored dir: /tmp/opencv/3rdparty/ippicv
    Scanning potential vendored dir: /tmp/opencv/3rdparty/ittnotify
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libjasper
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg
    Identified /tmp/opencv/3rdparty/libjpeg as https://github.com/libjpeg-turbo/libjpeg-turbo at 9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libjpeg-turbo
    Identified /tmp/opencv/3rdparty/libjpeg-turbo as https://github.com/libjpeg-turbo/libjpeg-turbo at c5f269eb9665435271c05fbcaf8721fa58e9eafa.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libpng
    Identified /tmp/opencv/3rdparty/libpng as https://github.com/gemini-testing/png-img at 4a9d62598d369566680300c96ec0a22f1dec48c3.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libspng
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libtiff
    Identified /tmp/opencv/3rdparty/libtiff as https://gitlab.com/libtiff/libtiff at 4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libtim-vx
    Scanning potential vendored dir: /tmp/opencv/3rdparty/libwebp
    Identified /tmp/opencv/3rdparty/libwebp as https://chromium.googlesource.com/webm/libwebp at fd7bb21c0cb56e8a82e9bfa376164b842f433f3b.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/openexr
    Identified /tmp/opencv/3rdparty/openexr as https://github.com/AcademySoftwareFoundation/openexr at 0ac2ea34c8f3134148a5df4052e40f155b76f6fb.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/openjpeg
    Identified /tmp/opencv/3rdparty/openjpeg as https://github.com/uclouvain/openjpeg at a5891555eb49ed7cc26b2901ea680acda136d811.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/openvx
    Scanning potential vendored dir: /tmp/opencv/3rdparty/protobuf
    Identified /tmp/opencv/3rdparty/protobuf as https://github.com/protocolbuffers/protobuf at 7c40b2df1fdf6f414c1c18c789715a9c948a0725.
    Scanning potential vendored dir: /tmp/opencv/3rdparty/quirc
    Scanning potential vendored dir: /tmp/opencv/3rdparty/tbb
    Scanning potential vendored dir: /tmp/opencv/3rdparty/zlib
    Identified /tmp/opencv/3rdparty/zlib as https://github.com/madler/zlib at 04f42ceca40f73e2978b50e93806c2a18c1281fc.
    Scanning directory for vendored libs: /tmp/opencv/modules/core/3rdparty
    Scanning potential vendored dir: /tmp/opencv/modules/core/3rdparty/SoftFloat
    Scanning directory for vendored libs: /tmp/opencv/modules/features2d/3rdparty
    Scanning potential vendored dir: /tmp/opencv/modules/features2d/3rdparty/mscr
    Scanned /tmp/opencv/platforms/maven/opencv/pom.xml file and found 0 packages
    Failed to resolve version of org.ops4j.pax.exam:pax-exam-container-karaf: property "pax.exam.version" could not be found for "org.opencv:opencv-it"
    Failed to resolve version of org.ops4j.pax.exam:pax-exam-junit4: property "pax.exam.version" could not be found for "org.opencv:opencv-it"
    Failed to resolve version of ${project.groupId}:opencv: property "project.version" could not be found for "org.opencv:opencv-it"
    Scanned /tmp/opencv/platforms/maven/opencv-it/pom.xml file and found 12 packages
    Scanned /tmp/opencv/platforms/maven/pom.xml file and found 0 packages
    Scanned /tmp/opencv/samples/dnn/dnn_model_runner/dnn_conversion/requirements.txt file and found 11 packages
    ╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬───────────────────────────────────────────────────────────────────────────────── ≈
    │ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                                                                           ≈
    ├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼───────────────────────────────────────────────────────────────────────────────── ≈
    │ https://osv.dev/OSV-2022-394        │      │ GIT       │  e9e6b1e22c1a966a81aca1217b16a51fe7311b3b │ ../../../../../../tmp/opencv                                                     ≈
    │ https://osv.dev/OSV-2023-444        │      │ GIT       │  e9e6b1e22c1a966a81aca1217b16a51fe7311b3b │ ../../../../../../tmp/opencv                                                     ≈
    │ https://osv.dev/CVE-2021-29390      │ 7.1  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ ../../../../../../tmp/opencv/3rdparty/libjpeg                                    ≈
    │ https://osv.dev/CVE-2021-46822      │ 5.5  │ GIT       │  9fc018fd1aa9598f21c9bc4d8d53c0cef007bdcf │ ../../../../../../tmp/opencv/3rdparty/libjpeg                                    ≈
    │ https://osv.dev/CVE-2022-1056       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-1210       │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-1354       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-1355       │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-1622       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-1623       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-3970       │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2022-40090      │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-1916       │ 6.1  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-25433      │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-25434      │ 8.8  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-25435      │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-26965      │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-26966      │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-2731       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-2908       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-30775      │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-3576       │ 5.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-3618       │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-40745      │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-41175      │ 6.5  │ GIT       │  4862b0d7bcc786304ff4e8c31e8d5ccfb868fb99 │ ../../../../../../tmp/opencv/3rdparty/libtiff                                    ≈
    │ https://osv.dev/CVE-2023-4863       │ 8.8  │ GIT       │  fd7bb21c0cb56e8a82e9bfa376164b842f433f3b │ ../../../../../../tmp/opencv/3rdparty/libwebp                                    ≈
    │ https://osv.dev/CVE-2018-18443      │ 4.3  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2018-18444      │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11758      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11759      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11760      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11761      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11762      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11763      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11764      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-11765      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-15304      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-15305      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-15306      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-16587      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-16588      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2020-16589      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-20298      │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-20299      │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-20300      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-20302      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-20303      │ 6.1  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-20304      │ 7.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-23169      │ 8.8  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-23215      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-26260      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-26945      │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-3598       │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-3605       │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-3933       │ 5.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/CVE-2021-3941       │ 6.5  │ GIT       │  0ac2ea34c8f3134148a5df4052e40f155b76f6fb │ ../../../../../../tmp/opencv/3rdparty/openexr                                    ≈
    │ https://osv.dev/OSV-2022-416        │      │ GIT       │  a5891555eb49ed7cc26b2901ea680acda136d811 │ ../../../../../../tmp/opencv/3rdparty/openjpeg                                   ≈
    │ https://osv.dev/CVE-2021-22569      │ 5.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf                                   ≈
    │ https://osv.dev/CVE-2022-3509       │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf                                   ≈
    │ https://osv.dev/CVE-2022-3510       │ 7.5  │ GIT       │  7c40b2df1fdf6f414c1c18c789715a9c948a0725 │ ../../../../../../tmp/opencv/3rdparty/protobuf                                   ≈
    │ https://osv.dev/CVE-2023-45853      │ 9.8  │ GIT       │  04f42ceca40f73e2978b50e93806c2a18c1281fc │ ../../../../../../tmp/opencv/3rdparty/zlib
    ```
    
    ---------
    
    Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
    oliverchang and another-rex authored Nov 1, 2023
    2b7f858

Commits on Nov 2, 2023

  1. 6316373