From c1409f3f5a22482a4687555b66cab6b060cd4b03 Mon Sep 17 00:00:00 2001 From: Gareth Jones Date: Wed, 9 Oct 2024 09:50:15 +1300 Subject: [PATCH] feat: replace "skip-git" with "include-git", making git repository scanning not the default BREAKING CHANGE: don't scan git repositories by default, replacing "--skip-git" with "--include-git" --- .github/workflows/osv-scanner-reusable-pr.yml | 1 - .github/workflows/osv-scanner-reusable.yml | 1 - .github/workflows/osv-scanner-unified-action.yml | 2 -- .github/workflows/prerelease-check.yml | 1 - actions/scanner/action.yml | 1 - cmd/osv-scanner/scan/main.go | 6 +++--- docs/github-action.md | 3 --- pkg/osvscanner/osvscanner.go | 10 +++++----- 8 files changed, 8 insertions(+), 17 deletions(-) diff --git a/.github/workflows/osv-scanner-reusable-pr.yml b/.github/workflows/osv-scanner-reusable-pr.yml index 7a4c72a0f5..6dc7ed6751 100644 --- a/.github/workflows/osv-scanner-reusable-pr.yml +++ b/.github/workflows/osv-scanner-reusable-pr.yml @@ -26,7 +26,6 @@ on: type: string default: |- -r - --skip-git ./ results-file-name: description: "File name of the result SARIF file" diff --git a/.github/workflows/osv-scanner-reusable.yml b/.github/workflows/osv-scanner-reusable.yml index 365e5db012..33cee166e3 100644 --- a/.github/workflows/osv-scanner-reusable.yml +++ b/.github/workflows/osv-scanner-reusable.yml @@ -26,7 +26,6 @@ on: type: string default: |- -r - --skip-git ./ results-file-name: description: "File name of the result SARIF file" diff --git a/.github/workflows/osv-scanner-unified-action.yml b/.github/workflows/osv-scanner-unified-action.yml index 7ae55267a3..a755d6f509 100644 --- a/.github/workflows/osv-scanner-unified-action.yml +++ b/.github/workflows/osv-scanner-unified-action.yml @@ -38,7 +38,6 @@ jobs: with: # Just scan the root directory and docs, since everything else is fixtures scan-args: |- - --skip-git ./ ./docs/ scan-pr: @@ -52,6 +51,5 @@ jobs: with: # Just scan the root directory and docs, since everything else is fixtures scan-args: |- - --skip-git ./ ./docs/ diff --git a/.github/workflows/prerelease-check.yml b/.github/workflows/prerelease-check.yml index c902b2d7d3..9bb4c11308 100644 --- a/.github/workflows/prerelease-check.yml +++ b/.github/workflows/prerelease-check.yml @@ -27,7 +27,6 @@ jobs: # Only scan the top level go.mod file without recursively scanning directories since # this is pipeline is about releasing the go module and binary scan-args: |- - --skip-git ./ format: diff --git a/actions/scanner/action.yml b/actions/scanner/action.yml index 43755e87cc..49fdb07448 100644 --- a/actions/scanner/action.yml +++ b/actions/scanner/action.yml @@ -5,7 +5,6 @@ inputs: scan-args: description: "Arguments to osv-scanner, separated by new line" default: |- - --skip-git --recursive ./ runs: diff --git a/cmd/osv-scanner/scan/main.go b/cmd/osv-scanner/scan/main.go index ad44158e02..91207718d2 100644 --- a/cmd/osv-scanner/scan/main.go +++ b/cmd/osv-scanner/scan/main.go @@ -74,8 +74,8 @@ func Command(stdout, stderr io.Writer, r *reporter.Reporter) *cli.Command { TakesFile: true, }, &cli.BoolFlag{ - Name: "skip-git", - Usage: "skip scanning git repositories", + Name: "include-git", + Usage: "include scanning git repositories", Value: false, }, &cli.BoolFlag{ @@ -226,7 +226,7 @@ func action(context *cli.Context, stdout, stderr io.Writer) (reporter.Reporter, SBOMPaths: context.StringSlice("sbom"), DockerContainerNames: context.StringSlice("docker"), Recursive: context.Bool("recursive"), - SkipGit: context.Bool("skip-git"), + IncludeGit: context.Bool("include-git"), NoIgnore: context.Bool("no-ignore"), ConfigOverridePath: context.String("config"), DirectoryPaths: context.Args().Slice(), diff --git a/docs/github-action.md b/docs/github-action.md index 3460e43aba..602e307bef 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -138,7 +138,6 @@ jobs: # Only scan the top level go.mod file without recursively scanning directories since # this is pipeline is about releasing the go module and binary scan-args: |- - --skip-git ./ permissions: # Require writing security events to upload SARIF file to security tab @@ -167,7 +166,6 @@ The GitHub Actions have the following optional inputs: Default: ```bash --recursive # Recursively scan subdirectories - --skip-git=true # Skip commit scanning to focus on dependencies ./ # Start the scan from the root of the repository ``` - `results-file-name`: This is the name of the final SARIF file uploaded to Github. @@ -202,7 +200,6 @@ jobs: with: scan-args: |- --recursive - --skip-git=true ./ ``` diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go index c4c9c929cf..0b92404eb2 100644 --- a/pkg/osvscanner/osvscanner.go +++ b/pkg/osvscanner/osvscanner.go @@ -42,7 +42,7 @@ type ScannerActions struct { DirectoryPaths []string GitCommits []string Recursive bool - SkipGit bool + IncludeGit bool NoIgnore bool DockerContainerNames []string ConfigOverridePath string @@ -114,7 +114,7 @@ const ( // - Any lockfiles with scanLockfile // - Any SBOM files with scanSBOMFile // - Any git repositories with scanGit -func scanDir(r reporter.Reporter, dir string, skipGit bool, recursive bool, useGitIgnore bool, compareOffline bool, transitiveAct TransitiveScanningActions) ([]scannedPackage, error) { +func scanDir(r reporter.Reporter, dir string, includeGit bool, recursive bool, useGitIgnore bool, compareOffline bool, transitiveAct TransitiveScanningActions) ([]scannedPackage, error) { var ignoreMatcher *gitIgnoreMatcher if useGitIgnore { var err error @@ -158,7 +158,7 @@ func scanDir(r reporter.Reporter, dir string, skipGit bool, recursive bool, useG } } - if !skipGit && info.IsDir() && info.Name() == ".git" { + if includeGit && info.IsDir() && info.Name() == ".git" { pkgs, err := scanGit(r, filepath.Dir(path)+"/") if err != nil { r.Infof("scan failed for git repository, %s: %v\n", path, err) @@ -857,7 +857,7 @@ func DoScan(actions ScannerActions, r reporter.Reporter) (models.VulnerabilityRe } if actions.CompareOffline { - actions.SkipGit = true + actions.IncludeGit = false if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary { return models.VulnerabilityResults{}, errors.New("cannot retrieve licenses locally") @@ -932,7 +932,7 @@ func DoScan(actions ScannerActions, r reporter.Reporter) (models.VulnerabilityRe for _, dir := range actions.DirectoryPaths { r.Infof("Scanning dir %s\n", dir) - pkgs, err := scanDir(r, dir, actions.SkipGit, actions.Recursive, !actions.NoIgnore, actions.CompareOffline, actions.TransitiveScanningActions) + pkgs, err := scanDir(r, dir, actions.IncludeGit, actions.Recursive, !actions.NoIgnore, actions.CompareOffline, actions.TransitiveScanningActions) if err != nil { return models.VulnerabilityResults{}, err }