google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Invoke `MavenResolverExtractor` when scanning pom.xml #1028

Closed cuixq closed 1 week ago

cuixq commented 3 weeks ago

https://github.com/google/osv-scanner/issues/35

In this PR, MavenResolverExtractor is invoked when scanning pom.xml to report vulnerabilities in transitive dependencies. However, the default Maven extractor is still being used with offline mode.

codecov-commenter commented 3 weeks ago

Codecov Report

Attention: Patch coverage is 66.66667% with 11 lines in your changes missing coverage. Please review.

Project coverage is 65.30%. Comparing base (ace9154) to head (5e603d7).

| Files | Patch % | Lines |
|---|---|---|
| pkg/osvscanner/osvscanner.go | 70.96% | 6 Missing and 3 partials |
| internal/resolution/datasource/maven_registry.go | 0.00% | 2 Missing |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1028      +/-   ##
==========================================
+ Coverage   65.28%   65.30%   +0.01%
==========================================
  Files         150      150
  Lines       12498    12525      +27
==========================================
+ Hits         8159     8179      +20
- Misses       3879     3882       +3
- Partials      460      464       +4
```


G-Rath commented 3 weeks ago

Sorry, after posting my review and seeing all my comments together it's very clear they're all just a single comment 😅:

Comparing locally is different from comparing offline: only the latter requires the former; we should continue checking if we're offline, not if we're comparing locally.
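To make the two extraction modes discussed in this thread concrete (direct dependencies read from pom.xml when offline, transitive dependencies resolved against a registry when online), here is an added Go example; it is not osv-scanner's code, and the `dep` type, `ExtractDeps` function, in-memory `registry` and `samplePom` are all constructed for the illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

type dep struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// registry stands in for Maven Central metadata (constructed): each artifact maps to the deps its pom declares.
var registry = map[string][]dep{
	"org.example:web:1.0":  {{"org.example", "json", "2.3"}},
	"org.example:json:2.3": {{"org.example", "util", "0.9"}},
}

// ExtractDeps lists the dependencies to scan, in discovery order: offline, only the direct
// ones written in pom.xml; online, the registry is walked breadth-first for transitive ones.
func ExtractDeps(pomXML []byte, offline bool) ([]string, error) {
	var p struct{ Deps []dep `xml:"dependencies>dependency"` }
	if err := xml.Unmarshal(pomXML, &p); err != nil {
		return nil, err
	}
	var seen, out = map[string]bool{}, []string{} // seen cuts dependency cycles
	for queue := p.Deps; len(queue) > 0; queue = queue[1:] {
		key := queue[0].GroupID + ":" + queue[0].ArtifactID + ":" + queue[0].Version
		if seen[key] {
			continue
		}
		seen[key] = true
		out = append(out, key)
		if !offline {
			queue = append(queue, registry[key]...)
		}
	}
	return out, nil
}

// Constructed pom.xml with a single direct dependency on org.example:web:1.0.
const samplePom = `<project><dependencies><dependency><groupId>org.example</groupId>
<artifactId>web</artifactId><version>1.0</version></dependency></dependencies></project>`

func main() {
	direct, _ := ExtractDeps([]byte(samplePom), true)
	resolved, _ := ExtractDeps([]byte(samplePom), false)
	fmt.Println("offline:", direct, "\nonline: ", resolved)
}
```

The offline run reports only `org.example:web:1.0`, so a vulnerable `json` or `util` would go unnoticed; the online run reports all three, which is why the resolver path matters for pom.xml scans.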

cuixq commented 2 weeks ago

@another-rex @G-Rath PTAL, thanks!

cuixq commented 1 week ago

I updated the fixtures with the example in the blog post.