feat: replace "skip-git" with "include-git", making git repository scanning not the default

.github/workflows/osv-scanner-reusable-pr.yml

@@ -26,7 +26,6 @@ on:
         type: string
         default: |-
           -r
-          --skip-git
           ./
       results-file-name:
         description: "File name of the result SARIF file"

.github/workflows/osv-scanner-reusable.yml

@@ -26,7 +26,6 @@ on:
         type: string
         default: |-
           -r
-          --skip-git
           ./
       results-file-name:
         description: "File name of the result SARIF file"

.github/workflows/osv-scanner-unified-action.yml

@@ -38,7 +38,6 @@ jobs:
     with:
       # Just scan the root directory and docs, since everything else is fixtures
       scan-args: |-
-        --skip-git
         ./
         ./docs/
   scan-pr:
@@ -52,6 +51,5 @@ jobs:
     with:
       # Just scan the root directory and docs, since everything else is fixtures
       scan-args: |-
-        --skip-git
         ./
         ./docs/

.github/workflows/prerelease-check.yml

@@ -27,7 +27,6 @@ jobs:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
       scan-args: |-
-        --skip-git
         ./
 
   format:

actions/scanner/action.yml

@@ -5,7 +5,6 @@ inputs:
   scan-args:
     description: "Arguments to osv-scanner, separated by new line"
     default: |-
-      --skip-git
       --recursive
       ./
 runs:

cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml

@@ -1,64 +1,3 @@
-[[IgnoredVulns]]
-id = "GO-2022-0274"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GO-2022-0493"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-vpvm-3wq2-2wvm"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-m8cg-xc2p-r3fc"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-g2j6-57v7-gm8c"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-f3fp-gc8g-vw66"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3008-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3012-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3022-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "DLA-3051-1"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "CVE-2022-37434"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "CVE-2018-25032"
-# ignoreUntil = n/a
-reason = "This is an intentionally vulnerable test sbom"
-
-[[IgnoredVulns]]
-id = "GHSA-xr7r-f8xq-vfvv"
-# ignoreUntil = n/a
+[[PackageOverrides]]
+ignore = true
 reason = "This is an intentionally vulnerable test sbom"

cmd/osv-scanner/scan/main.go

@@ -74,8 +74,8 @@ func Command(stdout, stderr io.Writer, r *reporter.Reporter) *cli.Command {
 				TakesFile: true,
 			},
 			&cli.BoolFlag{
-				Name:  "skip-git",
-				Usage: "skip scanning git repositories",
+				Name:  "include-git",
+				Usage: "include scanning git repositories",
 				Value: false,
 			},
 			&cli.BoolFlag{
@@ -226,7 +226,7 @@ func action(context *cli.Context, stdout, stderr io.Writer) (reporter.Reporter,
 		SBOMPaths:            context.StringSlice("sbom"),
 		DockerContainerNames: context.StringSlice("docker"),
 		Recursive:            context.Bool("recursive"),
-		SkipGit:              context.Bool("skip-git"),
+		IncludeGit:           context.Bool("include-git"),
 		NoIgnore:             context.Bool("no-ignore"),
 		ConfigOverridePath:   context.String("config"),
 		DirectoryPaths:       context.Args().Slice(),

docs/github-action.md

@@ -138,7 +138,6 @@ jobs:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
       scan-args: |-
-        --skip-git
         ./
     permissions:
       # Require writing security events to upload SARIF file to security tab
@@ -167,7 +166,6 @@ The GitHub Actions have the following optional inputs:
   Default:
   ```bash
     --recursive # Recursively scan subdirectories
-    --skip-git=true # Skip commit scanning to focus on dependencies
     ./ # Start the scan from the root of the repository
   ```
 - `results-file-name`: This is the name of the final SARIF file uploaded to Github.
@@ -202,7 +200,6 @@ jobs:
     with:
       scan-args: |-
         --recursive
-        --skip-git=true
         ./
 ```
 

go.mod

@@ -44,7 +44,10 @@ require (
 
 require (
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.11.5 // indirect
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/alecthomas/chroma/v2 v2.14.0 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
@@ -54,18 +57,34 @@ require (
 	github.com/charmbracelet/x/ansi v0.2.3 // indirect
 	github.com/charmbracelet/x/term v0.2.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/containerd v1.7.18 // indirect
+	github.com/containerd/continuity v0.4.2 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/containerd/ttrpc v1.2.4 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/dlclark/regexp2 v1.11.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/erikvarga/go-rpmdb v0.0.0-20240208180226-b97e041ef9af // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/gkampitakis/ciinfo v0.3.0 // indirect
 	github.com/gkampitakis/go-diff v1.3.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/osv-scalibr v0.1.4-0.20241016092100-7e7f0c6a01ec // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
@@ -77,13 +96,22 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -99,11 +127,21 @@ require (
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yuin/goldmark v1.7.4 // indirect
 	github.com/yuin/goldmark-emoji v1.0.3 // indirect
+	go.etcd.io/bbolt v1.3.10 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect
+	go.opentelemetry.io/otel v1.19.0 // indirect
+	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )