
Test OSV-Scanner PR #1

Open: wants to merge 12 commits into base: main

Conversation

another-rex
Owner

No description provided.

another-rex added a commit to google/osv-scanner that referenced this pull request Jul 31, 2023
This PR features:

- Refactors the format flag's internal logic so that we don't need
to repeat the format types so much, and we can test when we add a new
format entry if we forgot anything.
- Adds a new format "sarif", which returns a SARIF report (closes #216 )
- Adds a GitHub Action `action.yaml` and its specialized dockerfile
`action.dockerfile`. This docker image runs a bash script wrapping
osv-scanner, first by preprocessing the input so the last argument will
be split by new line, allowing the workflow user to pass in multiple
directories/files they wish to scan. The script also changes exit codes
127 and 128 to 0 as they contain errors that the user can't really do
anything about.
- Adds two reusable workflows using this new GitHub Action for this repo
  - Reusable PR workflow, for use in checking whether PRs introduce new
vulnerabilities.
  - Reusable Scheduled workflow, for use to regularly check for new vulns
applying to your existing vulns.
- Adds an experimental flag: `--experimental-diff`, which will only
output the difference between a previous run and this run of the
osv-scanner. This is for use in the PR workflow.
- Sorts the grouped ID output.

Closes #57 

Currently the reusable workflow has to point to a specific action which
cannot be relative (otherwise it would point to the wrong action when
reused in another repo). This means right now it's pointed to this
fork/branch instead of the master branch, this will need to be updated
once this PR is merged.

Example of what workflow sarif output looks like:

![image](https://github.com/google/osv-scanner/assets/106129829/fc7a0ac4-f3d8-4524-93ba-7b03dd0313cd)

Here is an example of the PR reusable workflow working:

another-rex/scorecard-check-osv-e2e#1

That PR adds an additional vulnerability, which causes it to fail. You
can see that only the new vuln is showing up in the code scanning
report:
https://github.com/another-rex/scorecard-check-osv-e2e/security/code-scanning/1
TODO after this PR is merged:
- Change links that point to this PR branch to point to main (and/or a
tagged commit of main)
- Add support for annotations
- Add documentation (this is for later, as we want to dogfood it in our
own repos first before broadcasting this widely)

---------

Signed-off-by: Rex P <rexpan@google.com>
@another-rex another-rex reopened this Sep 26, 2023