Minor fixes (#6)

* Add name field to sarif rule output (google#600) Fixes google#599 * fix: trim leading and trailing newlines off SARIF output (google#606) I don't know a lot about SARIF so maybe these are required but that would be surprising to me whereas trimming these off make it a bit consistent for editors and such. Obviously if these are required then lets close this PR * Update release pipeline (google#602) Update the release pipeline to have it be manually triggered, and create a tag itself if checks and scans are successful. It looks something like this: ![image](https://github.com/google/osv-scanner/assets/106129829/8258a7d3-3438-46f7-82cd-49c2b4056ecf) The release doc has been updated to follow this new workflow. * chore: don't trim trailing whitespace on fixture snapshots (google#608) This makes it easier to work with for IDEs * Prepare for 1.4.2 release (google#609) * Update jekyll feed, for some reason renovatebot can't figure out how to update this * Fix documentation for github action * Set upload tag name --------- Co-authored-by: Gareth Jones <Jones258@Gmail.com>
another-rex · Oct 26, 2023 · 803e35a · 803e35a
1 parent c54cbde
commit 803e35a
Show file tree

Hide file tree

Showing 11 changed files with 31 additions and 17 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -14,3 +14,6 @@ indent_size = 2
 
 [*.go]
 indent_style = tab
+
+[internal/output/fixtures/*.md]
+trim_trailing_whitespace = false
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -140,3 +140,4 @@ jobs:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true # upload to a new release
       draft-release: true # upload to a new draft release
+      upload-tag-name: "${{ inputs.version }}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.4.2:
+
+### Fixes
+- [Bug #574](https://github.com/google/osv-scanner/issues/574)
+  Support versions with build metadata in `yarn.lock` files
+- [Bug #599](https://github.com/google/osv-scanner/issues/599)
+  Add name field to sarif rule output
+
 # v1.4.1:
 
 ### Features

diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
@@ -401,6 +401,7 @@ func TestRun(t *testing.T) {
                       "rules": [
                         {
                           "id": "CVE-2021-23424",
+                          "name": "CVE-2021-23424",
                           "shortDescription": {
                             "text": "CVE-2021-23424: Uncontrolled Resource Consumption in ansi-html"
                           },
@@ -734,7 +735,7 @@ func TestRun_GithubActions(t *testing.T) {
 			name:         "scanning osv-scanner custom format output json",
 			args:         []string{"", "-L", "osv-scanner:./fixtures/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"},
 			wantExitCode: 1,
-			wantStdout: `
+			wantStdout: fmt.Sprint(`
         {
           "version": "2.1.0",
           "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
@@ -747,6 +748,7 @@ func TestRun_GithubActions(t *testing.T) {
                   "rules": [
                     {
                       "id": "CVE-2023-39137",
+                      "name": "CVE-2023-39137",
                       "shortDescription": {
                         "text": "CVE-2023-39137"
                       },
@@ -764,6 +766,7 @@ func TestRun_GithubActions(t *testing.T) {
                     },
                     {
                       "id": "CVE-2023-39139",
+                      "name": "CVE-2023-39139",
                       "shortDescription": {
                         "text": "CVE-2023-39139"
                       },
@@ -780,7 +783,7 @@ func TestRun_GithubActions(t *testing.T) {
                       }
                     }
                   ],
-                  "version": "1.4.1"
+                  "version": "`, version.OSVVersion, `"
                 }
               },
               "artifacts": [
@@ -829,7 +832,7 @@ func TestRun_GithubActions(t *testing.T) {
               ]
             }
           ]
-        }`,
+        }`),
 			wantStderr: `
 				Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as a osv-scanner and found 3 packages
 			`,

diff --git a/docs/Gemfile b/docs/Gemfile
@@ -14,7 +14,7 @@ source "https://rubygems.org"
 gem "github-pages", "~> 228", group: :jekyll_plugins
 # If you have any plugins, put them here!
 group :jekyll_plugins do
-  gem "jekyll-feed", "~> 0.12"
+  gem "jekyll-feed", "~> 0.17"
 end
 
 # Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem

diff --git a/docs/github-action.md b/docs/github-action.md
@@ -83,8 +83,8 @@ jobs:
     uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml"
     with:
       scan-args: |-
-        ./path/to/lockfile1
-        requirements.txt:./path/to/python-lockfile2.txt
+        --lockfile=./path/to/lockfile1
+        --lockfile=requirements.txt:./path/to/python-lockfile2.txt
 ```
 ##### Default arguments
 ```yml

diff --git a/internal/output/fixtures/sarif-commit-output.md b/internal/output/fixtures/sarif-commit-output.md
@@ -1,4 +1,3 @@
-
 **Your dependency is vulnerable to [OSV-2023-72](https://osv.dev/list?q=OSV-2023-72)**.
 
 
@@ -58,4 +57,3 @@ Add or append these values to the following config files to ignore this vulnerab
 id = "OSV-2023-72"
 reason = "Your reason for ignoring this vulnerability"
 ```
-
diff --git a/internal/output/fixtures/sarif-output.md b/internal/output/fixtures/sarif-output.md
@@ -1,4 +1,3 @@
-
 **Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)**
 (Also published as:  [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013),  [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ).
 
@@ -138,4 +137,3 @@ Add or append these values to the following config files to ignore this vulnerab
 id = "CVE-2022-24713"
 reason = "Your reason for ignoring this vulnerability"
 ```
-
diff --git a/internal/output/fixtures/test-vuln-results-a.sarif b/internal/output/fixtures/test-vuln-results-a.sarif
diff --git a/internal/output/sarif.go b/internal/output/sarif.go
@@ -165,7 +165,7 @@ func stripGitHubWorkspace(path string) string {
 
 // createSARIFHelpText returns the text for SARIF rule's help field
 func createSARIFHelpText(gv *groupedSARIFFinding) string {
-	backtickSARIFTemplate := strings.ReplaceAll(SARIFTemplate, `""`, "`")
+	backtickSARIFTemplate := strings.ReplaceAll(strings.TrimSpace(SARIFTemplate), `""`, "`")
 	helpTextTemplate, err := template.New("helpText").Parse(backtickSARIFTemplate)
 	if err != nil {
 		log.Panicf("failed to parse sarif help text template: %v", err)
@@ -274,6 +274,7 @@ func PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.W
 		}
 
 		rule := run.AddRule(gv.DisplayID).
+			WithName(gv.DisplayID).
 			WithShortDescription(sarif.NewMultiformatMessageString(shortDescription)).
 			WithFullDescription(sarif.NewMultiformatMessageString(longDescription).WithMarkdown(longDescription)).
 			WithMarkdownHelp(helpText).

diff --git a/internal/version/version.go b/internal/version/version.go
@@ -1,4 +1,4 @@
 package version
 
 // OSVVersion is the current release version, you should update this variable when doing a release
-var OSVVersion = "1.4.1"
+var OSVVersion = "1.4.2"