Skip to content

fix: Update osv-scanner.json git queries #2460

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
another-rex merged 2 commits into from
Jan 12, 2026
Merged

fix: Update osv-scanner.json git queries #2460

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1c1bae7
Update git queries
another-rex Jan 12, 2026
0361fdc
Actually add the test file
another-rex Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3024,6 +3024,61 @@ Scanned <rootdir>/testdata/locks-insecure/osv-scanner-flutter-deps.json file and

---

[TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 1]
Scanned <rootdir>/testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package
Total 1 package affected by 38 known vulnerabilities (4 Critical, 14 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.


+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+
| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-2274 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-3358 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-3602 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-3786 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-3996 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-4203 | 4.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-4304 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2022-4450 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-0217 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-0464 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-0465 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-0466 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-1255 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-2650 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-2975 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-3817 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-4807 | 7.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-5363 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-5678 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+

---

[TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 2]

---

[TestCommand_HtmlFile - 1]
Scanning dir ./testdata/locks-many/composer.lock
Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
Expand Down
5 changes: 5 additions & 0 deletions cmd/osv-scanner/scan/source/command_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -934,6 +934,11 @@ func TestCommand_GithubActions(t *testing.T) {
Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"},
Exit: 1,
},
{
Name: "scanning osv-scanner custom format with git tag",
Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-custom-git-tag.json"},
Comment thread
another-rex marked this conversation as resolved.
Exit: 1,
},
{
Name: "scanning osv-scanner custom format output json",
Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},
Expand Down
4 changes: 2 additions & 2 deletions cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3875,7 +3875,7 @@ interactions:
},
{
"id": "DEBIAN-CVE-2025-9714",
"modified": "2025-11-20T10:18:28.938756Z"
"modified": "2026-01-10T14:08:12.148171Z"
},
{
"id": "DLA-3012-1",
Expand Down Expand Up @@ -4142,7 +4142,7 @@ interactions:
},
{
"id": "DEBIAN-CVE-2024-13176",
"modified": "2026-01-04T18:14:22.536487Z"
"modified": "2026-01-10T14:06:53.941794Z"
},
{
"id": "DEBIAN-CVE-2024-2511",
Expand Down
8 changes: 4 additions & 4 deletions cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2055,7 +2055,7 @@ interactions:
},
{
"id": "DEBIAN-CVE-2025-9714",
"modified": "2025-11-20T10:18:28.938756Z"
"modified": "2026-01-10T14:08:12.148171Z"
},
{
"id": "DLA-3012-1",
Expand Down Expand Up @@ -2322,7 +2322,7 @@ interactions:
},
{
"id": "DEBIAN-CVE-2024-13176",
"modified": "2026-01-04T18:14:22.536487Z"
"modified": "2026-01-10T14:06:53.941794Z"
},
{
"id": "DEBIAN-CVE-2024-2511",
Expand Down Expand Up @@ -4517,7 +4517,7 @@ interactions:
},
{
"id": "DEBIAN-CVE-2025-9714",
"modified": "2025-11-20T10:18:28.938756Z"
"modified": "2026-01-10T14:08:12.148171Z"
},
{
"id": "DLA-3012-1",
Expand Down Expand Up @@ -4784,7 +4784,7 @@ interactions:
},
{
"id": "DEBIAN-CVE-2024-13176",
"modified": "2026-01-04T18:14:22.536487Z"
"modified": "2026-01-10T14:06:53.941794Z"
},
{
"id": "DEBIAN-CVE-2024-2511",
Expand Down
200 changes: 200 additions & 0 deletions cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,3 +121,203 @@ interactions:
status: 200 OK
code: 200
duration: 0s
- id: 2
request:
proto: HTTP/1.1
proto_major: 1
proto_minor: 1
content_length: 169
host: api.osv.dev
body: |
{
"queries": [
{
"package": {
"ecosystem": "GIT",
"name": "github.com/openssl/openssl"
},
"version": "openssl-3.0.4"
}
]
}
headers:
Content-Type:
- application/json
X-Test-Name:
- TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag
url: https://api.osv.dev/v1/querybatch
method: POST
response:
proto: HTTP/2.0
proto_major: 2
proto_minor: 0
content_length: 2458
body: |
{
"results": [
{
"vulns": [
{
"id": "CVE-2016-2177",
"modified": "2025-12-09T16:46:12.318619Z"
},
{
"id": "CVE-2016-2182",
"modified": "2025-12-09T16:46:26.631815Z"
},
{
"id": "CVE-2021-3449",
"modified": "2025-12-10T10:07:59.632202Z"
},
{
"id": "CVE-2022-2097",
"modified": "2025-11-20T11:58:52.675121Z"
},
{
"id": "CVE-2022-2274",
"modified": "2025-11-20T12:02:14.751377Z"
},
{
"id": "CVE-2022-3358",
"modified": "2025-11-20T12:07:23.511908Z"
},
{
"id": "CVE-2022-3602",
"modified": "2025-12-06T07:03:58.914583Z"
},
{
"id": "CVE-2022-3786",
"modified": "2025-12-10T10:09:17.892841Z"
},
{
"id": "CVE-2022-3996",
"modified": "2025-11-20T12:10:00.375284Z"
},
{
"id": "CVE-2022-4203",
"modified": "2025-11-20T12:11:14.835736Z"
},
{
"id": "CVE-2022-4304",
"modified": "2025-11-20T12:10:27.150998Z"
},
{
"id": "CVE-2022-4450",
"modified": "2025-11-20T12:10:56.411256Z"
},
{
"id": "CVE-2023-0215",
"modified": "2025-11-20T12:12:12.402377Z"
},
{
"id": "CVE-2023-0217",
"modified": "2025-11-20T12:12:13.492583Z"
},
{
"id": "CVE-2023-0286",
"modified": "2025-11-20T12:12:17.064221Z"
},
{
"id": "CVE-2023-0464",
"modified": "2025-11-20T12:12:18.734998Z"
},
{
"id": "CVE-2023-0465",
"modified": "2025-11-20T12:12:19.093875Z"
},
{
"id": "CVE-2023-0466",
"modified": "2025-11-20T12:12:19.957706Z"
},
{
"id": "CVE-2023-1255",
"modified": "2025-11-20T12:12:40.724347Z"
},
{
"id": "CVE-2023-2650",
"modified": "2025-11-20T12:16:52.866359Z"
},
{
"id": "CVE-2023-2975",
"modified": "2025-11-20T12:17:30.162527Z"
},
{
"id": "CVE-2023-3446",
"modified": "2025-11-20T12:18:13.491842Z"
},
{
"id": "CVE-2023-3817",
"modified": "2025-11-20T12:19:02.198369Z"
},
{
"id": "CVE-2023-4807",
"modified": "2025-11-20T12:22:30.032710Z"
},
{
"id": "CVE-2023-5363",
"modified": "2025-12-05T03:06:05.983850Z"
},
{
"id": "CVE-2023-5678",
"modified": "2025-12-05T03:10:25.366442Z"
},
{
"id": "CVE-2023-6129",
"modified": "2025-11-20T12:22:57.734531Z"
},
{
"id": "CVE-2023-6237",
"modified": "2025-11-20T12:23:07.333431Z"
},
{
"id": "CVE-2024-0727",
"modified": "2025-11-20T12:23:31.205630Z"
},
{
"id": "CVE-2024-13176",
"modified": "2025-11-20T12:24:35.236055Z"
},
{
"id": "CVE-2024-2511",
"modified": "2025-11-20T12:26:42.817521Z"
},
{
"id": "CVE-2024-4603",
"modified": "2025-11-20T12:28:59.998868Z"
},
{
"id": "CVE-2024-4741",
"modified": "2025-11-20T12:31:20.836244Z"
},
{
"id": "CVE-2024-5535",
"modified": "2025-11-20T12:32:28.603392Z"
},
{
"id": "CVE-2024-6119",
"modified": "2025-12-05T12:32:36.014822Z"
},
{
"id": "CVE-2024-9143",
"modified": "2025-11-20T12:29:52.602673Z"
},
{
"id": "CVE-2025-9230",
"modified": "2025-11-20T12:41:41.279262Z"
},
{
"id": "CVE-2025-9232",
"modified": "2025-11-20T12:41:41.107151Z"
}
]
}
]
}
headers:
Content-Length:
- "2458"
Content-Type:
- application/json
status: 200 OK
code: 200
duration: 0s
16 changes: 16 additions & 0 deletions cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-custom-git-tag.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{
"results": [
{
"source": {},
"packages": [
{
"package": {
"name": "github.com/openssl/openssl",
"version": "openssl-3.0.4",
"ecosystem": "GIT"
}
}
]
}
]
}
Loading