The dependency-scan job now runs osv-scanner honestly (no mutes), but the C++ trees contain no package manifests or lockfiles the tool reads, so the dispatch-run baseline (run 27302003890) scanned zero sources. The gate currently verifies only that "no manifests appeared with known vulns", which is vacuously true when there are no manifests.
To give it real input: generate an SBOM (CycloneDX or SPDX) covering the FetchContent dependencies in cmake/dependencies.cmake (gsl-lite, SDL3, GoogleTest, benchmark, curl, fluidsynth, mt32emu) plus the vendored DOSBox-X engine snapshot, and scan it with osv-scanner --sbom.
Exit criterion: the scan step consumes the SBOM, the exit-128 tolerance branch is removed from ci.yml, and a seeded known-vulnerable SBOM entry fails the job.
Context: openspec change ci-stabilize-mandatory-lanes design D5; CI-THESIS.md R1.
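Added example (not the project's own code): a small generator that turns FetchContent_Declare() pins into a CycloneDX 1.5 SBOM with GitHub purls, plus a non-empty check so the "scanned zero sources" baseline cannot silently recur. The cmake snippet, URLs and tags below are constructed stand-ins for cmake/dependencies.cmake; whether OSV has advisories keyed to a given GitHub purl and tag depends on OSV's coverage of that project, so the hardened gate still needs the seeded known-vulnerable entry from the exit criterion to prove the match path end to end.

```python
import json
import re

# Constructed sample standing in for cmake/dependencies.cmake (URLs and tags are assumptions).
SAMPLE_CMAKE = """
FetchContent_Declare(gsl-lite
  GIT_REPOSITORY https://github.com/gsl-lite/gsl-lite.git
  GIT_TAG        v0.41.0)
FetchContent_Declare(SDL3
  GIT_REPOSITORY https://github.com/libsdl-org/SDL.git
  GIT_TAG        release-3.2.0)
"""

DECL_RE = re.compile(r"FetchContent_Declare\(\s*(?P<name>[\w.-]+)(?P<body>[^)]*)\)")
KV_RE = re.compile(r"\b(GIT_REPOSITORY|GIT_TAG)\s+(\S+)")

def parse_fetchcontent(cmake_text):
    """Return [{name, repo, tag}] for every FetchContent_Declare; fail loudly on partial pins."""
    deps = []
    for m in DECL_RE.finditer(cmake_text):
        kv = dict(KV_RE.findall(m.group("body")))
        if "GIT_REPOSITORY" not in kv or "GIT_TAG" not in kv:
            raise ValueError(f"{m.group('name')}: missing GIT_REPOSITORY or GIT_TAG")
        deps.append({"name": m.group("name"), "repo": kv["GIT_REPOSITORY"], "tag": kv["GIT_TAG"]})
    return deps

def github_purl(repo, tag):
    """Map a GitHub origin to pkg:github/<owner>/<repo>@<tag>; other hosts are rejected."""
    m = re.fullmatch(r"https://github\.com/([^/]+)/([^/]+?)(?:\.git)?", repo)
    if not m:
        raise ValueError(f"unsupported origin for purl mapping: {repo}")
    return f"pkg:github/{m.group(1).lower()}/{m.group(2).lower()}@{tag}"

def build_sbom(deps):
    """Minimal CycloneDX 1.5 document: one library component per FetchContent dependency."""
    components = [{"type": "library", "name": d["name"], "version": d["tag"],
                   "purl": github_purl(d["repo"], d["tag"])} for d in deps]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}

def component_count(sbom):
    """Gate against the 'scanned zero sources' failure mode: an empty SBOM is an error."""
    n = len(sbom.get("components", []))
    if n == 0:
        raise RuntimeError("SBOM has no components; osv-scanner would scan nothing")
    return n

def sbom_json(sbom):
    """Serialised form to write to a file and hand to `osv-scanner --sbom <file>`."""
    return json.dumps(sbom, indent=2)
```

The vendored DOSBox-X snapshot has no FetchContent_Declare, so it must be appended as an extra component by hand (pinned to the snapshot's upstream commit or tag) before the file is written.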