feat: Use lockfile scalibr interface

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -320,9 +320,9 @@ Scanning dir ./fixtures/maven-transitive
 Scanned <rootdir>/fixtures/maven-transitive/pom.xml file and found 3 packages
 Package npm/ansi-html/0.0.1 has been filtered out because: (no reason given)
 Package npm/balanced-match/1.0.2 has been filtered out because: (no reason given)
+Package Maven/org.apache.logging.log4j:log4j-web/2.14.1 has been filtered out because: it makes the table output really really long
 Package Maven/org.apache.logging.log4j:log4j-api/2.14.1 has been filtered out because: it makes the table output really really long
 Package Maven/org.apache.logging.log4j:log4j-core/2.14.1 has been filtered out because: it makes the table output really really long
-Package Maven/org.apache.logging.log4j:log4j-web/2.14.1 has been filtered out because: it makes the table output really really long
 Filtered 5 ignored package/s from the scan.
 overriding license for package Alpine/alpine-baselayout-data/3.4.0-r0 with MIT
 overriding license for package Alpine/alpine-baselayout/3.4.0-r0 with MIT
@@ -2264,7 +2264,7 @@ No issues found
 ---
 
 [TestRun_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows) - 2]
-open <rootdir>/path/to/my:file: no such file or directory
+stat <rootdir>/path/to/my:file: no such file or directory
 
 ---
 
@@ -2273,7 +2273,7 @@ open <rootdir>/path/to/my:file: no such file or directory
 ---
 
 [TestRun_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)#01 - 2]
-open <rootdir>/path/to/my:project/package-lock.json: no such file or directory
+stat <rootdir>/path/to/my:project/package-lock.json: no such file or directory
 
 ---
 
@@ -2340,7 +2340,7 @@ No issues found
 ---
 
 [TestRun_LockfileWithExplicitParseAs/parse-as_takes_priority,_even_if_it's_wrong - 2]
-(extracting as package-lock.json) could not extract from <rootdir>/fixtures/locks-many/yarn.lock: invalid character '#' looking for beginning of value
+(extracting as package-lock.json) could not extract from "<rootdir>/fixtures/locks-many/yarn.lock": invalid character '#' looking for beginning of value
 
 ---
 

cmd/osv-scanner/fixtures/locks-requirements/my-requirements.txt

@@ -1 +1 @@
-flask
+flask==1.0.0

cmd/osv-scanner/fixtures/locks-requirements/requirements-dev.txt

@@ -1 +1 @@
-black
+black==1.0.0

cmd/osv-scanner/fixtures/locks-requirements/requirements.txt

@@ -1,3 +1,3 @@
-flask
-flask-cors
+flask==1.0.0
+flask-cors==1.0.0
 pandas==0.23.4

cmd/osv-scanner/fixtures/locks-requirements/the_requirements_for_test.txt

@@ -1 +1 @@
-pytest
+pytest==1.0.0

cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml

@@ -1,64 +1,3 @@
-[[IgnoredVulns]]
-id = "GO-2022-0274"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GO-2022-0493"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-vpvm-3wq2-2wvm"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-m8cg-xc2p-r3fc"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-g2j6-57v7-gm8c"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-f3fp-gc8g-vw66"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3008-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3012-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3022-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3051-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "CVE-2022-37434"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "CVE-2018-25032"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-xr7r-f8xq-vfvv"
-# ignoreUntil = n/a
+[[PackageOverrides]]
+ignore = true
 reason = "This is an intentionally vulnerable test sbom"

go.mod

@@ -13,12 +13,12 @@ require (
  github.com/charmbracelet/bubbletea v1.1.1
  github.com/charmbracelet/glamour v0.8.0
  github.com/charmbracelet/lipgloss v0.13.0
- github.com/dghubble/trie v0.1.0
  github.com/gkampitakis/go-snaps v0.5.7
  github.com/go-git/go-billy/v5 v5.5.0
  github.com/go-git/go-git/v5 v5.12.0
  github.com/google/go-cmp v0.6.0
  github.com/google/go-containerregistry v0.20.2
+ github.com/google/osv-scalibr v0.1.4-0.20241014113419-c36dd4d15223
  github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd
  github.com/jedib0t/go-pretty/v6 v6.6.0
  github.com/muesli/reflow v0.3.0
@@ -31,7 +31,6 @@ require (
  github.com/tidwall/sjson v1.2.5
  github.com/urfave/cli/v2 v2.27.5
  golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
- golang.org/x/mod v0.21.0
  golang.org/x/net v0.30.0
  golang.org/x/sync v0.8.0
  golang.org/x/term v0.25.0
@@ -44,7 +43,7 @@ require (
 
 require (
  dario.cat/mergo v1.0.0 // indirect
- github.com/Microsoft/go-winio v0.6.1 // indirect
+ github.com/Microsoft/go-winio v0.6.2 // indirect
  github.com/ProtonMail/go-crypto v1.0.0 // indirect
  github.com/alecthomas/chroma/v2 v2.14.0 // indirect
  github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
@@ -58,8 +57,6 @@ require (
  github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
  github.com/cyphar/filepath-securejoin v0.2.4 // indirect
  github.com/dlclark/regexp2 v1.11.0 // indirect
- github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker-credential-helpers v0.8.1 // indirect
  github.com/emirpasic/gods v1.18.1 // indirect
  github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
  github.com/gkampitakis/ciinfo v0.3.0 // indirect
@@ -82,14 +79,13 @@ require (
  github.com/muesli/cancelreader v0.2.2 // indirect
  github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a // indirect
  github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+ github.com/opencontainers/image-spec v1.1.0 // indirect
  github.com/pjbgf/sha1cd v0.3.0 // indirect
  github.com/rivo/uniseg v0.4.7 // indirect
  github.com/rogpeppe/go-internal v1.12.0 // indirect
  github.com/russross/blackfriday/v2 v2.1.0 // indirect
  github.com/sahilm/fuzzy v0.1.1 // indirect
  github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
- github.com/sirupsen/logrus v1.9.3 // indirect
  github.com/skeema/knownhosts v1.2.2 // indirect
  github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
  github.com/tidwall/match v1.1.1 // indirect
@@ -100,6 +96,7 @@ require (
  github.com/yuin/goldmark v1.7.4 // indirect
  github.com/yuin/goldmark-emoji v1.0.3 // indirect
  golang.org/x/crypto v0.28.0 // indirect
+ golang.org/x/mod v0.21.0 // indirect
  golang.org/x/sys v0.26.0 // indirect
  golang.org/x/text v0.19.0 // indirect
  golang.org/x/tools v0.26.0 // indirect

go.sum

@@ -13,8 +13,8 @@ github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2
 github.com/CycloneDX/cyclonedx-go v0.9.1 h1:yffaWOZsv77oTJa/SdVZYdgAgFioCeycBUKkqS2qzQM=
 github.com/CycloneDX/cyclonedx-go v0.9.1/go.mod h1:NE/EWvzELOFlG6+ljX/QeMlVt9VKcTwu8u0ccsACEsw=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
 github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/alecthomas/assert/v2 v2.7.0 h1:QtqSACNS3tF7oasA8CU6A6sXZSBDqnm7RfpLl9bZqbE=
@@ -69,8 +69,6 @@ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dghubble/trie v0.1.0 h1:kJnjBLFFElBwS60N4tkPvnLhnpcDxbBjIulgI8CpNGM=
-github.com/dghubble/trie v0.1.0/go.mod h1:sOmnzfBNH7H92ow2292dDFWNsVQuh/izuD7otCYb1ak=
 github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
 github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
@@ -111,6 +109,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
 github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
+github.com/google/osv-scalibr v0.1.4-0.20241014113419-c36dd4d15223 h1:Yie21Xk5WBewZFHnt9AI27EZMbEjbwzvXwv5HM9AUDE=
+github.com/google/osv-scalibr v0.1.4-0.20241014113419-c36dd4d15223/go.mod h1:MbEYB+PKqEGjwMdpcoO5DWpi0+57jYgYcw2jlRy8O9Q=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -161,8 +161,8 @@ github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
-github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
 github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU=
 github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=