Show ecosystem and version even if git is shown if the info exists. (#…

…736) Fixes #735 Also update composer.lock in our integration tests fixture to contain a vulnerability to catch this issue in the future.
google · Jan 9, 2024 · f1412ee · f1412ee
1 parent 7afc701
commit f1412ee
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 24 deletions.
diff --git a/cmd/osv-scanner/fixtures/locks-insecure/composer.lock b/cmd/osv-scanner/fixtures/locks-insecure/composer.lock
diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
@@ -642,12 +642,13 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 			wantStdout: `
 				Scanned <rootdir>/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 package
 				Scanning dir ./fixtures/locks-insecure
-				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 0 packages
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | SOURCE                                       |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
+				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | SOURCE                                       |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8  | Packagist | league/flysystem | 1.0.8   | fixtures/locks-insecure/composer.lock        |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
 			`,
 			wantStderr: "",
 		},
@@ -665,13 +666,14 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 				Scanned <rootdir>/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 package
 				Scanned <rootdir>/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 package
 				Scanning dir ./fixtures/locks-insecure
-				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 0 packages
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | SOURCE                                       |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
+				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | SOURCE                                       |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8  | Packagist | league/flysystem | 1.0.8   | fixtures/locks-insecure/composer.lock        |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
 			`,
 			wantStderr: "",
 		},
@@ -688,13 +690,14 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 				Scanned <rootdir>/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 package
 				Scanned <rootdir>/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 package
 				Scanning dir ./fixtures/locks-insecure
-				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 0 packages
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE   | VERSION | SOURCE                                       |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
-				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
-				+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
+				Scanned <rootdir>/fixtures/locks-insecure/composer.lock file and found 1 package
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | SOURCE                                       |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
+				| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8  | Packagist | league/flysystem | 1.0.8   | fixtures/locks-insecure/composer.lock        |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-package-lock.json |
+				| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5  | npm       | ansi-html        | 0.0.1   | fixtures/locks-insecure/my-yarn.lock         |
+				+-------------------------------------+------+-----------+------------------+---------+----------------------------------------------+
 			`,
 			wantStderr: "",
 		},

diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go
@@ -29,25 +29,28 @@ func buildVulnerabilityResults(
 	for i, rawPkg := range packages {
 		includePackage := actions.ShowAllPackages
 		var pkg models.PackageVulns
+
 		if rawPkg.Commit != "" {
 			pkg.Package.Commit = rawPkg.Commit
 			pkg.Package.Name = rawPkg.Name
-			// pkg.Package.Ecosystem = "GIT"
 		} else if rawPkg.PURL != "" {
 			var err error
 			pkg.Package, err = models.PURLToPackage(rawPkg.PURL)
+
 			if err != nil {
 				r.PrintErrorf("Failed to parse purl: %s, with error: %s", rawPkg.PURL, err)
-
 				continue
 			}
-		} else {
+		}
+
+		if rawPkg.Version != "" && rawPkg.Ecosystem != "" {
 			pkg.Package = models.PackageInfo{
 				Name:      rawPkg.Name,
 				Version:   rawPkg.Version,
 				Ecosystem: string(rawPkg.Ecosystem),
 			}
 		}
+
 		pkg.DepGroups = rawPkg.DepGroups
 
 		if len(vulnsResp.Results[i].Vulns) > 0 {