Merge branch 'google:main' into main

README.md

@@ -12,6 +12,23 @@ OSV-Scanner provides an officially supported frontend to the [OSV database](http
 
 The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them.
 
+## Table of Contents
+- [OSV-Scanner](#osv-scanner)
+  - [Table of Contents](#table-of-contents)
+  - [Installing](#installing)
+    - [Installation Process](#installation-process)
+    - [SemVer Adherence](#semver-adherence)
+  - [Usage](#usage)
+    - [Scan a directory](#scan-a-directory)
+    - [Input an SBOM](#input-an-sbom)
+    - [Input a lockfile](#input-a-lockfile)
+    - [Scanning a Debian based docker image packages](#scanning-a-debian-based-docker-image-packages)
+  - [Configure OSV-Scanner](#configure-osv-scanner)
+    - [Ignore vulnerabilities by ID](#ignore-vulnerabilities-by-id)
+  - [JSON output](#json-output)
+    - [Output Format](#output-format)
+
+
 ## Installing
 
 
@@ -131,12 +148,13 @@ reason = "No external http servers are written in Go lang."
 By default osv-scanner outputs a human readable table. To have osv-scanner output JSON instead, pass the `--json` flag when calling osv-scanner. 
 
 ### Output Format
-```json
+```json5
 {
   "results": [
     {
       "packageSource": {
         "path": "/absolute/path/to/go.mod",
+        // One of: lockfile, sbom, git, docker
         "type": "lockfile"
       },
       "packages": [
@@ -163,6 +181,8 @@ By default osv-scanner outputs a human readable table. To have osv-scanner outpu
               // ... Full OSV
             }
           ],
+          // Grouping based on aliases, if two vulnerability share the same alias, or alias each other,
+          // they are considered the same vulnerability, and is grouped here under the id field.
           "groups": [
             {
               "ids": [

cmd/osv-scanner/main.go

@@ -87,22 +87,21 @@ func run(args []string, stdout, stderr io.Writer) int {
 				DirectoryPaths:       context.Args().Slice(),
 			}, r)
 
-			if err != nil {
-				return err
+			if errPrint := r.PrintResult(&vulnResult); errPrint != nil {
+				return fmt.Errorf("failed to write output: %v", errPrint)
 			}
-
-			if err := r.PrintResult(&vulnResult); err != nil {
-				return fmt.Errorf("failed to write output: %v", err)
-			}
-
-			return nil
+			return err
 		},
 	}
 
 	if err := app.Run(args); err != nil {
 		if r == nil {
 			r = output.NewReporter(stdout, stderr, false)
 		}
+		if errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
+			return 1
+		}
+
 		if errors.Is(err, osvscanner.NoPackagesFoundErr) {
 			r.PrintError(fmt.Sprintf("No package sources found, --help for usage information.\n"))
 			return 128

pkg/osvscanner/osvscanner.go

@@ -31,6 +31,7 @@ type ScannerActions struct {
 
 // Error for when no packages is found during a scan.
 var NoPackagesFoundErr = errors.New("no packages found in scan")
+var VulnerabilitiesFoundErr = errors.New("vulnerabilities found")
 
 // scanDir walks through the given directory to try to find any relevant files
 // These include:
@@ -339,5 +340,11 @@ func DoScan(actions ScannerActions, r *output.Reporter) (models.VulnerabilityRes
 		return models.VulnerabilityResults{}, fmt.Errorf("failed to hydrate OSV response: %v", err)
 	}
 
-	return groupResponseBySource(r, query, hydratedResp), nil
+	vulnerabilityResults := groupResponseBySource(r, query, hydratedResp)
+	// if vulnerability exists it should return error
+	if len(vulnerabilityResults.Results) > 0 {
+		return vulnerabilityResults, VulnerabilitiesFoundErr
+	}
+
+	return vulnerabilityResults, nil
 }