google · oliverchang · Jan 17, 2025 · Jan 17, 2025
diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -932,68 +932,6 @@ Scanned <rootdir>/fixtures/call-analysis-go-project/go.mod file and found 4 pack
 
 ---
 
-[TestRun_Docker/Fake_alpine_image - 1]
-Pulling docker image ("alpine:non-existent-tag")...
-
----
-
-[TestRun_Docker/Fake_alpine_image - 2]
-Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1
-STDERR:
-> Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown
-failed to run docker command
-
----
-
-[TestRun_Docker/Fake_image_entirely - 1]
-Pulling docker image ("this-image-definitely-does-not-exist-abcde")...
-
----
-
-[TestRun_Docker/Fake_image_entirely - 2]
-Docker command exited with code ("/usr/bin/docker pull -q this-image-definitely-does-not-exist-abcde"): 1
-STDERR:
-> Error response from daemon: pull access denied for this-image-definitely-does-not-exist-abcde, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
-failed to run docker command
-
----
-
-[TestRun_Docker/Real_Alpine_image - 1]
-Pulling docker image ("alpine:3.18.9")...
-Saving docker image ("alpine:3.18.9") to temporary file...
-Scanning image...
-No issues found
-
----
-
-[TestRun_Docker/Real_Alpine_image - 2]
-
----
-
-[TestRun_Docker/Real_empty_image - 1]
-Pulling docker image ("hello-world")...
-Saving docker image ("hello-world") to temporary file...
-Scanning image...
-
----
-
-[TestRun_Docker/Real_empty_image - 2]
-No package sources found, --help for usage information.
-
----
-
-[TestRun_Docker/Real_empty_image_with_tag - 1]
-Pulling docker image ("hello-world:linux")...
-Saving docker image ("hello-world:linux") to temporary file...
-Scanning image...
-
----
-
-[TestRun_Docker/Real_empty_image_with_tag - 2]
-No package sources found, --help for usage information.
-
----
-
 [TestRun_GithubActions/scanning_osv-scanner_custom_format - 1]
 Scanned <rootdir>/fixtures/locks-insecure/osv-scanner-flutter-deps.json file as a osv-scanner and found 3 packages
 +--------------------------------+------+-----------+----------------------------+----------------------------+-------------------------------------------------------+
@@ -2001,6 +1939,7 @@ Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
 | https://osv.dev/DLA-3684-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3788-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3972-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DLA-4016-1          |      | Debian    | ucf                            | 3.0036                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/CVE-2016-2779       | 7.8  | Debian    | util-linux                     | 2.29.2-1+deb9u1                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-5055-1          | 5.5  | Debian    | util-linux                     | 2.29.2-1+deb9u1                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-5650-1          |      | Debian    | util-linux                     | 2.29.2-1+deb9u1                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
@@ -2199,6 +2138,7 @@ Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
 | https://osv.dev/DLA-3684-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3788-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DLA-3972-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DLA-4016-1          |      | Debian    | ucf                            | 3.0036                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/CVE-2016-2779       | 7.8  | Debian    | util-linux                     | 2.29.2-1+deb9u1                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-5055-1          | 5.5  | Debian    | util-linux                     | 2.29.2-1+deb9u1                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/DSA-5650-1          |      | Debian    | util-linux                     | 2.29.2-1+deb9u1                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
@@ -2690,194 +2630,6 @@ Scanned <rootdir>/fixtures/maven-transitive/pom.xml file and found 3 packages
 
 ---
 
-[TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1]
-Scanning image ../../internal/image/fixtures/test-alpine.tar
-Total 1 packages affected by 2 vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-2 vulnerabilities have fixes available.
-
-Alpine:v3.18
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-alpine. |
-| tar:/lib/apk/db/installed                                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| zlib    | 1.2.11-r1         | Fix Available |          2 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 2]
-
----
-
-[TestRun_OCIImage/Invalid_path - 1]
-Scanning image ./fixtures/oci-image/no-file-here.tar
-
----
-
-[TestRun_OCIImage/Invalid_path - 2]
-failed to load image ./fixtures/oci-image/no-file-here.tar: open ./fixtures/oci-image/no-file-here.tar: no such file or directory
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-npm-empty.tar:/lib/apk/db/installed                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 2]
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar
-Total 3 packages affected by 6 vulnerabilities (2 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-5 vulnerabilities have fixes available.
-
-npm
-+--------------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_module |
-| s-npm-full.tar:/prod/app/node_modules/.package-lock.json     |
-+----------+-------------------+------------------+------------+
-| PACKAGE  | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT |
-+----------+-------------------+------------------+------------+
-| cryo     | 0.0.6             | No fix available |          1 |
-| minimist | 0.0.8             | Fix Available    |          1 |
-+----------+-------------------+------------------+------------+
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-npm-full.tar:/lib/apk/db/installed                 |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 2]
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-pnpm-empty.tar:/lib/apk/db/installed               |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 2]
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-pnpm-full.tar:/lib/apk/db/installed                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 2]
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-yarn-empty.tar:/lib/apk/db/installed               |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 2]
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1]
-Scanning image ../../internal/image/fixtures/test-node_modules-yarn-full.tar
-Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
-4 vulnerabilities have fixes available.
-
-Alpine:v3.19
-+----------------------------------------------------------+
-| Source:docker:../../internal/image/fixtures/test-node_mo |
-| dules-yarn-full.tar:/lib/apk/db/installed                |
-+---------+-------------------+---------------+------------+
-| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
-+---------+-------------------+---------------+------------+
-| busybox | 1.36.1-r15        | Fix Available |          4 |
-+---------+-------------------+---------------+------------+
-
-For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
-You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.
-
----
-
-[TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 2]
-
----
-
 [TestRun_SubCommands/scan_with_a_flag - 1]
 Scanning dir ./fixtures/locks-one-with-nested
 Scanned <rootdir>/fixtures/locks-one-with-nested/nested/composer.lock file and found 1 package