Merge branch 'main' into gr-patch-config

michaelkedar · Aug 20, 2024 · bb26aeb · bb26aeb
2 parents f79946d + 62a848e
commit bb26aeb
Show file tree

Hide file tree

Showing 17 changed files with 480 additions and 300 deletions.
diff --git a/.github/workflows/lint-action/action.yml b/.github/workflows/lint-action/action.yml
@@ -22,4 +22,4 @@ runs:
       uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
       with:
         # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-        version: v1.59.1
+        version: v1.60.1
diff --git a/cmd/osv-scanner/fix/noninteractive.go b/cmd/osv-scanner/fix/noninteractive.go
@@ -121,7 +121,7 @@ func autoRelock(ctx context.Context, r reporter.Reporter, opts osvFixOptions, ma
 
 	if errs := res.Errors(); len(errs) > 0 {
 		r.Warnf("WARNING: encountered %d errors during dependency resolution:\n", len(errs))
-		r.Warnf(resolutionErrorString(res, errs))
+		r.Warnf("%s", resolutionErrorString(res, errs))
 	}
 
 	res.FilterVulns(opts.MatchVuln)
@@ -272,7 +272,7 @@ func autoOverride(ctx context.Context, r reporter.Reporter, opts osvFixOptions,
 
 	if errs := res.Errors(); len(errs) > 0 {
 		r.Warnf("WARNING: encountered %d errors during dependency resolution:\n", len(errs))
-		r.Warnf(resolutionErrorString(res, errs))
+		r.Warnf("%s", resolutionErrorString(res, errs))
 	}
 
 	res.FilterVulns(opts.MatchVuln)

diff --git a/internal/image/extractor.go b/internal/image/extractor.go
@@ -55,7 +55,7 @@ func extractArtifactDeps(path string, layer *imgLayer) (lockfile.Lockfile, error
 		f.Close()
 
 		if err != nil {
-			if errors.Is(lockfile.ErrIncompatibleFileFormat, err) {
+			if errors.Is(err, lockfile.ErrIncompatibleFileFormat) {
 				continue
 			}
 

diff --git a/internal/image/scan.go b/internal/image/scan.go
@@ -99,7 +99,7 @@ func traceOrigin(img *Image, scannedLockfiles *ScanResults) {
 
 			// Look at the layer before the current layer
 			oldFileNode, err := img.layers[layerIdx-1].getFileNode(file.FilePath)
-			if errors.Is(fs.ErrNotExist, err) || (err == nil && oldFileNode.isWhiteout) {
+			if errors.Is(err, fs.ErrNotExist) || (err == nil && oldFileNode.isWhiteout) {
 				// Did not exist in the layer before
 
 				// All entries in sourceLayerIdx would have been set in the previous loop, or just above the loop

diff --git a/internal/manifest/maven.go b/internal/manifest/maven.go
@@ -169,7 +169,7 @@ func MergeMavenParents(ctx context.Context, mavenClient datasource.MavenRegistry
 			if err := xml.NewDecoder(f).Decode(&proj); err != nil {
 				return fmt.Errorf("failed to unmarshal project: %w", err)
 			}
-			if mavenProjectKey(proj) == current.ProjectKey && proj.Packaging == "pom" {
+			if MavenProjectKey(proj) == current.ProjectKey && proj.Packaging == "pom" {
 				// Only mark parent is found when the identifiers and packaging are exptected.
 				parentFound = true
 			}
@@ -188,13 +188,13 @@ func MergeMavenParents(ctx context.Context, mavenClient datasource.MavenRegistry
 				// A parent project should only be of "pom" packaging type.
 				return fmt.Errorf("invalid packaging for parent project %s", proj.Packaging)
 			}
-			if mavenProjectKey(proj) != current.ProjectKey {
+			if MavenProjectKey(proj) != current.ProjectKey {
 				// The identifiers in parent does not match what we want.
 				return fmt.Errorf("parent identifiers mismatch: %v, expect %v", proj.ProjectKey, current.ProjectKey)
 			}
 		}
 		// Empty JDK and ActivationOS indicates merging the default profiles.
-		if err := result.MergeProfiles("", maven.ActivationOS{}); err != nil {
+		if err := proj.MergeProfiles("", maven.ActivationOS{}); err != nil {
 			return err
 		}
 		result.MergeParent(proj)
@@ -204,9 +204,9 @@ func MergeMavenParents(ctx context.Context, mavenClient datasource.MavenRegistry
 	return result.Interpolate()
 }
 
-// mavenProjectKey returns a project key with empty groupId/version
+// MavenProjectKey returns a project key with empty groupId/version
 // filled by corresponding fields in parent.
-func mavenProjectKey(proj maven.Project) maven.ProjectKey {
+func MavenProjectKey(proj maven.Project) maven.ProjectKey {
 	if proj.GroupID == "" {
 		proj.GroupID = proj.Parent.GroupID
 	}

diff --git a/internal/output/vertical.go b/internal/output/vertical.go
@@ -152,7 +152,7 @@ func printVerticalLicenseViolations(result models.PackageSource, out io.Writer)
 		fmt.Fprintf(out,
 			"    %s (%s)\n",
 			text.FgYellow.Sprintf("%s@%s", pkg.Package.Name, pkg.Package.Version),
-			text.FgCyan.Sprintf(strings.Join(violations, ", ")),
+			text.FgCyan.Sprintf("%s", strings.Join(violations, ", ")),
 		)
 	}
 

diff --git a/internal/resolution/manifest/fixtures/maven/parent/pom.xml b/internal/resolution/manifest/fixtures/maven/parent/pom.xml
@@ -25,6 +25,14 @@
     <aaa.version>1.1.1</aaa.version>
   </properties>
 
+  <dependencies>
+    <dependency>
+      <groupId>org.example</groupId>
+      <artifactId>ddd</artifactId>
+      <version>1.2.3</version>
+    </dependency>
+  </dependencies>
+
   <dependencyManagement>
     <dependencies>
       <dependency>