These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)
| Commit: | ed04c24 | |
|---|---|---|
| Author: | Rex Pan | |
| Committer: | Copybara-Service | |
Improve SCALIBR determinism and ecosystem support - Sort enriched packages in transitive dependency enrichers (pom.xml, requirements). - Map Brew and Git PURLs to GIT ecosystem in converter. - Use PURL name/version as fallback in SPDX extractor. PiperOrigin-RevId: 932878609
| Commit: | b944c73 | |
|---|---|---|
| Author: | Rex Pan | |
| Committer: | Copybara-Service | |
Example implementation of the configuration redesign for scalibr. PiperOrigin-RevId: 906701178
| Commit: | 8660b02 | |
|---|---|---|
| Author: | Ryan Beltran | |
| Committer: | Copybara-Service | |
Make SCALIBR transitive dependency extraction a graph PiperOrigin-RevId: 933295697
| Commit: | cb55caa | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #2182 from doyensec:http-csrf-token PiperOrigin-RevId: 931199528
| Commit: | 837c741 | |
|---|---|---|
| Author: | alessandro-Doyensec | |
| Committer: | alessandro-Doyensec | |
add: plugin registration; add: secret to scan result proto; add: proto conversion logic; add: csrf token to supported inventory types
| Commit: | 431e072 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #2126 from doyensec:http-bearer PiperOrigin-RevId: 928591187
| Commit: | 5cac720 | |
|---|---|---|
| Author: | alessandro-Doyensec | |
| Committer: | alessandro-Doyensec | |
add: plugins registration; add: proto conversion; add: supported inventory entry
| Commit: | 0f5758f | |
|---|---|---|
| Author: | SCALIBR Team | |
| Committer: | Copybara-Service | |
Add sensitive information for inventory and updated Veles to support sensitive information. PiperOrigin-RevId: 921451772
| Commit: | 4cf427f | |
|---|---|---|
| Author: | Yuvraj Saxena | |
| Committer: | Yuvraj Saxena | |
PRP: Add Extractor for Nuget Project Assets Closes: https://github.com/google/osv-scalibr/issues/1996
| Commit: | 6d8e2ed | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1809 from fmunozs:feature/paket-dotnet-support PiperOrigin-RevId: 911643863
| Commit: | 05749df | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #2022 from doyensec:http-basic-auth PiperOrigin-RevId: 910715977
| Commit: | 84f6e04 | |
|---|---|---|
| Author: | Maciej Trzos | |
| Committer: | Copybara-Service | |
Migrate the standalone extractors to use the new PluginConfig. PiperOrigin-RevId: 910671869
| Commit: | 8f90415 | |
|---|---|---|
| Author: | Rex P | |
Merge upstream/main into feature/paket-dotnet-support (resolve list.go and regenerate config proto)
| Commit: | 8db9424 | |
|---|---|---|
| Author: | alessandro-Doyensec | |
| Committer: | alessandro-Doyensec | |
fix: filenames
| Commit: | db3ca16 | |
|---|---|---|
| Author: | Zhijie Yang | |
chore: apply code review comments
| Commit: | 1e14fe5 | |
|---|---|---|
| Author: | Zhijie Yang | |
chore(extractor): adapt chisel extractor to new conventions
| Commit: | a2dba85 | |
|---|---|---|
| Author: | alowayed | |
| Committer: | Copybara-Service | |
Extract and surface container labels. PiperOrigin-RevId: 897243339
| Commit: | cb4abf7 | |
|---|---|---|
| Author: | Maciej Trzos | |
| Committer: | Copybara-Service | |
Migrate enrichers to use the global PluginConfig. PiperOrigin-RevId: 889914970
| Commit: | bcaae84 | |
|---|---|---|
| Author: | Rex Pan | |
| Committer: | Copybara-Service | |
refactor: Metadata as proto.Any type ## Overview This is a giant PR, but most changes are boilerplate. The primary goal is to decouple the core `scan_result.proto` from specific metadata implementations by replacing the monolithic `oneof` metadata field with `google.protobuf.Any`. This allows for a more modular architecture where new extractors and metadata types can be added without modifying the core protocol buffer definition. ## Core Changes ### 1. Protocol Buffer Changes (`scan_result.proto`) - The `oneof metadata` field in the `Package` message has been deprecated. - Added a new `optional google.protobuf.Any metadataAny` to replace it. - A new `FSMetadata` message was added to handle non-serializable filesystem metadata during extraction (though it converts to a placeholder in proto). ### 2. Go Implementation - **New Package**: `scalibr/binary/proto/metadata` handles the conversion between `anypb.Any` and Go structs. - **Registration Pattern**: Individual metadata packages (e.g., `os/apk/metadata`) now register their `ToStruct` and `ToProto` conversion functions via `init()` using `metadataproto.Register`. - All tests has to be reworked from testing for `SetProto` to `ToProto`, removing a lot of testing boilerplate. - These tests are arguably unnecessary now, since the implementation of `ToProto` is so simple, this is just adding extra boilerplate to test. - This is the majority of the changed files / lines. - **Interface**: The `Metadata` field in the `extractor.Package` struct is now of type `metadataproto.Metadata` (an interface requiring `IsMetadata()`), replacing `any`. ## Review Guide ### Key Files to Review - `binary/proto/scan_result.proto`: The core proto change. - `binary/proto/metadataproto/metadataproto.go`: The new registry and conversion logic. - `binary/proto/package.go`: How the `Package` struct converts to/from Proto. **Not boilerplate file changes** - `guidedremediation/internal/vulns/vulns.go` example of how custom metadata types can be excluded from registration if they are not intended to be converted to proto - `testing/fakemetadata/metadata.go` Testing specific fake metadata type. - `extractor/filesystem/fsmetadata/metadata.go` Some extractors (netscaler and cve20257775) pass FS inside their metadata. (I'm not sure this is best practice, but is currently happening). This fsmetadata type is added to support that while still keeping the type checker happy. ### Key details / changes - `ToProto` and `ToStruct` do **not** support accepting nil as an argument. This is by design to lessen the amount of boilerplate each plugin has to write. These functions should only be called by `metadataproto`'s `StructToProto` and `ProtoToStruct` functions, which has the nil checks. - `metadata` field still exists to support existing workflows, but is now deprecated. - When a Metadata struct type is not registered, but tries to be converted **into** Proto, we are currently logging an error and then setting Metadata fields to nil. - Two alternatives here, either panic and fail loudly, or silently set the metadata fields to nil if we expect this to be a common occurance. - I think the current logging but continuing is a good middle ground. - When a Metadata struct type is not registered, but tries to be converted **from** Proto to Struct, we panic. The only case this would happen is if the metadata proto has been registered, but the conversion functions have not been registered, which is a definite programmer error. - Alternative here is to avoid panics at all costs, and just do an error log. ## TODOs - Update plugger to support checking whether metadata is registered or not. (This will be done in a followup PR) PiperOrigin-RevId: 888392759
| Commit: | 51c8f4a | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1890 from cuixq:osvdev PiperOrigin-RevId: 887800943
| Commit: | e5c2cc8 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | Copybara-Service | |
Update scan results proto to mark the legacy location fields deprecated. PiperOrigin-RevId: 886351243
| Commit: | ec4239d | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | Copybara-Service | |
Move package+secret locations into a separate struct. PiperOrigin-RevId: 885678793
| Commit: | 2b00397 | |
|---|---|---|
| Author: | Xueqin Cui | |
| Committer: | Xueqin Cui | |
feat: support PluginConfig in osvdev vulnmatch enricher
| Commit: | c7f2e9b | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | Copybara-Service | |
Add new structured Location fields to protos. In followup PRs plugins will be migrated to use the new Location fields and old |locations| protos will be deprecated. PiperOrigin-RevId: 879660544
| Commit: | f3ed19d | |
|---|---|---|
| Author: | Rex Pan | |
| Committer: | Copybara-Service | |
Metadata refactor. Description still WIP. PiperOrigin-RevId: 876054664
| Commit: | 190a251 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1779 from am0o0:dotnet_dep_extractors PiperOrigin-RevId: 877365663
| Commit: | c2a7b5b | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1782 from JamesFoxxx:bitwarden_oauth2_veles PiperOrigin-RevId: 877355103
| Commit: | 1aab268 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into dotnet_dep_extractors
| Commit: | ef75d82 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1781 from joernNNN:spack_extractor PiperOrigin-RevId: 877347102
| Commit: | c9222e7 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into bitwarden_oauth2_veles
| Commit: | 844a3c5 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
fix config.proto
| Commit: | 810636e | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into spack_extractor
| Commit: | e831a07 | |
|---|---|---|
| Author: | joernNNN | |
| Committer: | joernNNN | |
update tests to avoid boilerplates fix a FP when checking the path remove package_name + package_version from spack metadata struct fix an override
| Commit: | 0ce8816 | |
|---|---|---|
| Author: | Xueqin Cui | |
update proto field number again
| Commit: | 4146424 | |
|---|---|---|
| Author: | Xueqin Cui | |
Merge branch 'main' into depsdev
| Commit: | 4cc3e81 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1724 from sanjay20m:main PiperOrigin-RevId: 875727808
| Commit: | 985e3fc | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1750 from shipsteady:Packagist PiperOrigin-RevId: 875712229
| Commit: | d2ce378 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into main
| Commit: | aa82623 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into Packagist
| Commit: | 6e6f70d | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | Copybara-Service | |
Misc refactors. PiperOrigin-RevId: 875674507
| Commit: | e01ae22 | |
|---|---|---|
| Author: | Sanjay Jangid | |
Merge remote-tracking branch 'upstream/main'
| Commit: | 0c8a50c | |
|---|---|---|
| Author: | UNS | |
Merge remote-tracking branch 'origin/main' into Packagist
| Commit: | e0a336c | |
|---|---|---|
| Author: | Xueqin Cui | |
Merge remote-tracking branch 'origin/main' into depsdev # Conflicts: # binary/proto/config.proto # binary/proto/config_go_proto/config.pb.go
| Commit: | 1096bd5 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1735 from frkngksl:perlPackageManager PiperOrigin-RevId: 875224610
| Commit: | 837e11c | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1738 from darkRancher:supabase PiperOrigin-RevId: 875194681
| Commit: | e8c962a | |
|---|---|---|
| Author: | darkRancher | |
| Committer: | darkRancher | |
Remove unnecessary comments and ensure proper formatting in Supabase detector and validator files
| Commit: | b2d0044 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into supabase
| Commit: | 568c14a | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Update config.proto
| Commit: | de9539d | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into perlPackageManager
| Commit: | c6eae25 | |
|---|---|---|
| Author: | Sanjay Jangid | |
| Committer: | Sanjay Jangid | |
Add DiscordBotToken message and field
| Commit: | 30b3b21 | |
|---|---|---|
| Author: | alessandro-Doyensec | |
edit: use reserved instead of deprecated in .proto
| Commit: | aef9ea4 | |
|---|---|---|
| Author: | darkRancher | |
| Committer: | GitHub | |
Merge branch 'main' into supabase
| Commit: | e034b87 | |
|---|---|---|
| Author: | Xueqin Cui | |
| Committer: | Xueqin Cui | |
feat: add config for Python requirements transitive dependnecy enricher
| Commit: | d95788d | |
|---|---|---|
| Author: | alessandro-Doyensec | |
fix: remove .proto formatting
| Commit: | fb080f2 | |
|---|---|---|
| Author: | alessandro-Doyensec | |
| Committer: | alessandro-Doyensec | |
remove: id from HashiCorpVaultAppRoleCredentials
| Commit: | 0afbfa3 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1691 from 0xXA:qemu-plugin PiperOrigin-RevId: 873956307
| Commit: | fa7c9aa | |
|---|---|---|
| Author: | darkRancher | |
fixed conflicts
| Commit: | 8dd1d35 | |
|---|---|---|
| Author: | darkRancher | |
Merge remote-tracking branch 'origin/main' into supabase
| Commit: | d61872d | |
|---|---|---|
| Author: | darkRancher | |
Merge remote-tracking branch 'origin/main' into supabase
| Commit: | deb047b | |
|---|---|---|
| Author: | Fernando Muñoz | |
Initial paket support
| Commit: | 3d89e7d | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1405 from am0o0:deno-extractor PiperOrigin-RevId: 872926421
| Commit: | 3f5213e | |
|---|---|---|
| Author: | Maciej Trzos | |
| Committer: | Copybara-Service | |
Migrate all remaining detectors to use the global PluginConfig. PiperOrigin-RevId: 872809129
| Commit: | 2d45275 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1278 from am0o0:bazel_Maven_Extractor PiperOrigin-RevId: 872795689
| Commit: | b30d3ba | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into deno-extractor
| Commit: | 118e447 | |
|---|---|---|
| Author: | am0o0 | |
Check if this TypeScript file is part of a Deno project by looking for "deno.json" or "deno.lock" in ancestor directories.
| Commit: | fff3711 | |
|---|---|---|
| Author: | JamesFoxxx | |
Add Bitwarden OAuth2 access token secret detector
| Commit: | e85780e | |
|---|---|---|
| Author: | joernNNN | |
Add spack package manager extractor Add a new filesystem extractor for Spack that parses .spack/spec.json files to extract installed package information including name, version, hash, and architecture. External packages are filtered out. Includes proto serialization support, PURL generation with arch/distro qualifiers, ecosystem integration, and comprehensive tests.
| Commit: | c9af172 | |
|---|---|---|
| Author: | am0o0 | |
feat: NuGet Central Package Management files and Microsoft Build Engine (MSBuild) project files extractors.
| Commit: | 4072d75 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1457 from devampkid:cloudflare-secret-detector PiperOrigin-RevId: 871246001
| Commit: | a806834 | |
|---|---|---|
| Author: | am0o0 | |
global config for deno extractors, remove some unused code, add new line at the end of the files
| Commit: | 1b76376 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1776 from JellyBongo:macapps-config PiperOrigin-RevId: 871205990
| Commit: | a77a8a3 | |
|---|---|---|
| Author: | JellyBongo | |
Add comment to proto
| Commit: | a56d224 | |
|---|---|---|
| Author: | JellyBongo | |
allow custom directories in macapps extractor
| Commit: | 0ea4062 | |
|---|---|---|
| Author: | Furkan Göksel | |
| Committer: | GitHub | |
Merge branch 'main' into perlPackageManager
| Commit: | 146867a | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1458 from secureness:npmjs-veles PiperOrigin-RevId: 870900930
| Commit: | 7cc7f5c | |
|---|---|---|
| Author: | Furkan Göksel | |
| Committer: | GitHub | |
Merge branch 'main' into perlPackageManager
| Commit: | 538fbd0 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into npmjs-veles
| Commit: | 4fe76a0 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into cloudflare-secret-detector
| Commit: | 632ead9 | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into bazel_Maven_Extractor
| Commit: | e44cff5 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1733 from frkngksl:herokuAPI PiperOrigin-RevId: 869691574
| Commit: | 3c05ced | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into deno_secret_extractor
| Commit: | 32acc9c | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into add-sendgrid-detector
| Commit: | f89c30a | |
|---|---|---|
| Author: | Erik Varga | |
| Committer: | GitHub | |
Merge branch 'main' into herokuAPI
| Commit: | fea88d7 | |
|---|---|---|
| Author: | secureness | |
Merge branch 'main' into npmjs-veles
| Commit: | adfa181 | |
|---|---|---|
| Author: | Furkan Göksel | |
| Committer: | GitHub | |
Merge branch 'main' into perlPackageManager
| Commit: | cfba548 | |
|---|---|---|
| Author: | am0o0 | |
refactor(javascript): Split denojson into denojson and denotssource Separate Deno extractors: denojson for config files and denotssource for TypeScript imports. Add shared denohelper and denometadata packages. Update docs.
| Commit: | 5fa0f80 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1682 from 0xXA:salesforceoauth2jwt-plugin PiperOrigin-RevId: 868615555
| Commit: | cdca7b9 | |
|---|---|---|
| Author: | UNS | |
Add Packagist secret detectors and validators - Implemented detectors for Packagist API keys, secrets, organization tokens, and user tokens. - Added validation logic for API keys and secrets using HMAC-SHA256. - Created test cases for all detectors and validators to ensure correct functionality. - Included sample auth.json files for various scenarios (valid, invalid, incomplete).
| Commit: | c907235 | |
|---|---|---|
| Author: | Furkan Göksel | |
Update Heroku Secret Type
| Commit: | 0ee033f | |
|---|---|---|
| Author: | Furkan Göksel | |
Update Heroku Secret Type
| Commit: | 39cb9ff | |
|---|---|---|
| Author: | Furkan Göksel | |
| Committer: | GitHub | |
Merge branch 'main' into herokuAPI
| Commit: | 3692534 | |
|---|---|---|
| Author: | Furkan Göksel | |
Add time.Duration type
| Commit: | d956875 | |
|---|---|---|
| Author: | Copybara-Service | |
Merge pull request #1669 from shipsteady:squareup PiperOrigin-RevId: 868077448
| Commit: | 3fd81fe | |
|---|---|---|
| Author: | UNS | |
Updated the squareup validator and tests and Merge remote-tracking branch 'origin/main' into squareup
| Commit: | 5b55073 | |
|---|---|---|
| Author: | am0o0 | |
Merge branch 'main' into deno-extractor
| Commit: | 0163edf | |
|---|---|---|
| Author: | secureness | |
Merge branch 'main' into npmjs-veles
| Commit: | b18af5a | |
|---|---|---|
| Author: | Yuvraj Saxena | |
| Committer: | GitHub | |
Merge branch 'main' into qemu-plugin
| Commit: | 77fcb38 | |
|---|---|---|
| Author: | am0o0 | |
Merge branch 'main' into bazel_Maven_Extractor add New function to the bazel maven extractor
| Commit: | 9abf471 | |
|---|---|---|
| Author: | devampkid | |
Merge branch 'main' into cloudflare-secret-detector
| Commit: | cea2d48 | |
|---|---|---|
| Author: | darkRancher | |
feat: add support for Supabase credentials detection and validation