Proto commits in google/osv-scalibr

These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)

Commit:ed04c24
Author:Rex Pan
Committer:Copybara-Service

Improve SCALIBR determinism and ecosystem support - Sort enriched packages in transitive dependency enrichers (pom.xml, requirements). - Map Brew and Git PURLs to GIT ecosystem in converter. - Use PURL name/version as fallback in SPDX extractor. PiperOrigin-RevId: 932878609

Commit:b944c73
Author:Rex Pan
Committer:Copybara-Service

Example implementation of the configuration redesign for scalibr. PiperOrigin-RevId: 906701178

Commit:8660b02
Author:Ryan Beltran
Committer:Copybara-Service

Make SCALIBR transitive dependency extraction a graph PiperOrigin-RevId: 933295697

Commit:cb55caa
Author:Copybara-Service

Merge pull request #2182 from doyensec:http-csrf-token PiperOrigin-RevId: 931199528

Commit:837c741
Author:alessandro-Doyensec
Committer:alessandro-Doyensec

add: plugin registration; add: secret to scan result proto; add: proto conversion logic; add: csrf token to supported inventory types

Commit:431e072
Author:Copybara-Service

Merge pull request #2126 from doyensec:http-bearer PiperOrigin-RevId: 928591187

Commit:5cac720
Author:alessandro-Doyensec
Committer:alessandro-Doyensec

add: plugins registration; add: proto conversion; add: supported inventory entry

Commit:0f5758f
Author:SCALIBR Team
Committer:Copybara-Service

Add sensitive information for inventory and updated Veles to support sensitive information. PiperOrigin-RevId: 921451772

Commit:4cf427f
Author:Yuvraj Saxena
Committer:Yuvraj Saxena

PRP: Add Extractor for Nuget Project Assets Closes: https://github.com/google/osv-scalibr/issues/1996

Commit:6d8e2ed
Author:Copybara-Service

Merge pull request #1809 from fmunozs:feature/paket-dotnet-support PiperOrigin-RevId: 911643863

Commit:05749df
Author:Copybara-Service

Merge pull request #2022 from doyensec:http-basic-auth PiperOrigin-RevId: 910715977

Commit:84f6e04
Author:Maciej Trzos
Committer:Copybara-Service

Migrate the standalone extractors to use the new PluginConfig. PiperOrigin-RevId: 910671869

Commit:8f90415
Author:Rex P

Merge upstream/main into feature/paket-dotnet-support (resolve list.go and regenerate config proto)

Commit:8db9424
Author:alessandro-Doyensec
Committer:alessandro-Doyensec

fix: filenames

Commit:db3ca16
Author:Zhijie Yang

chore: apply code review comments

Commit:1e14fe5
Author:Zhijie Yang

chore(extractor): adapt chisel extractor to new conventions

Commit:a2dba85
Author:alowayed
Committer:Copybara-Service

Extract and surface container labels. PiperOrigin-RevId: 897243339

Commit:cb4abf7
Author:Maciej Trzos
Committer:Copybara-Service

Migrate enrichers to use the global PluginConfig. PiperOrigin-RevId: 889914970

Commit:bcaae84
Author:Rex Pan
Committer:Copybara-Service

refactor: Metadata as proto.Any type ## Overview This is a giant PR, but most changes are boilerplate. The primary goal is to decouple the core `scan_result.proto` from specific metadata implementations by replacing the monolithic `oneof` metadata field with `google.protobuf.Any`. This allows for a more modular architecture where new extractors and metadata types can be added without modifying the core protocol buffer definition. ## Core Changes ### 1. Protocol Buffer Changes (`scan_result.proto`) - The `oneof metadata` field in the `Package` message has been deprecated. - Added a new `optional google.protobuf.Any metadataAny` to replace it. - A new `FSMetadata` message was added to handle non-serializable filesystem metadata during extraction (though it converts to a placeholder in proto). ### 2. Go Implementation - **New Package**: `scalibr/binary/proto/metadata` handles the conversion between `anypb.Any` and Go structs. - **Registration Pattern**: Individual metadata packages (e.g., `os/apk/metadata`) now register their `ToStruct` and `ToProto` conversion functions via `init()` using `metadataproto.Register`. - All tests has to be reworked from testing for `SetProto` to `ToProto`, removing a lot of testing boilerplate. - These tests are arguably unnecessary now, since the implementation of `ToProto` is so simple, this is just adding extra boilerplate to test. - This is the majority of the changed files / lines. - **Interface**: The `Metadata` field in the `extractor.Package` struct is now of type `metadataproto.Metadata` (an interface requiring `IsMetadata()`), replacing `any`. ## Review Guide ### Key Files to Review - `binary/proto/scan_result.proto`: The core proto change. - `binary/proto/metadataproto/metadataproto.go`: The new registry and conversion logic. - `binary/proto/package.go`: How the `Package` struct converts to/from Proto. **Not boilerplate file changes** - `guidedremediation/internal/vulns/vulns.go` example of how custom metadata types can be excluded from registration if they are not intended to be converted to proto - `testing/fakemetadata/metadata.go` Testing specific fake metadata type. - `extractor/filesystem/fsmetadata/metadata.go` Some extractors (netscaler and cve20257775) pass FS inside their metadata. (I'm not sure this is best practice, but is currently happening). This fsmetadata type is added to support that while still keeping the type checker happy. ### Key details / changes - `ToProto` and `ToStruct` do **not** support accepting nil as an argument. This is by design to lessen the amount of boilerplate each plugin has to write. These functions should only be called by `metadataproto`'s `StructToProto` and `ProtoToStruct` functions, which has the nil checks. - `metadata` field still exists to support existing workflows, but is now deprecated. - When a Metadata struct type is not registered, but tries to be converted **into** Proto, we are currently logging an error and then setting Metadata fields to nil. - Two alternatives here, either panic and fail loudly, or silently set the metadata fields to nil if we expect this to be a common occurance. - I think the current logging but continuing is a good middle ground. - When a Metadata struct type is not registered, but tries to be converted **from** Proto to Struct, we panic. The only case this would happen is if the metadata proto has been registered, but the conversion functions have not been registered, which is a definite programmer error. - Alternative here is to avoid panics at all costs, and just do an error log. ## TODOs - Update plugger to support checking whether metadata is registered or not. (This will be done in a followup PR) PiperOrigin-RevId: 888392759

Commit:51c8f4a
Author:Copybara-Service

Merge pull request #1890 from cuixq:osvdev PiperOrigin-RevId: 887800943

Commit:e5c2cc8
Author:Erik Varga
Committer:Copybara-Service

Update scan results proto to mark the legacy location fields deprecated. PiperOrigin-RevId: 886351243

Commit:ec4239d
Author:Erik Varga
Committer:Copybara-Service

Move package+secret locations into a separate struct. PiperOrigin-RevId: 885678793

Commit:2b00397
Author:Xueqin Cui
Committer:Xueqin Cui

feat: support PluginConfig in osvdev vulnmatch enricher

Commit:c7f2e9b
Author:Erik Varga
Committer:Copybara-Service

Add new structured Location fields to protos. In followup PRs plugins will be migrated to use the new Location fields and old |locations| protos will be deprecated. PiperOrigin-RevId: 879660544

Commit:f3ed19d
Author:Rex Pan
Committer:Copybara-Service

Metadata refactor. Description still WIP. PiperOrigin-RevId: 876054664

Commit:190a251
Author:Copybara-Service

Merge pull request #1779 from am0o0:dotnet_dep_extractors PiperOrigin-RevId: 877365663

Commit:c2a7b5b
Author:Copybara-Service

Merge pull request #1782 from JamesFoxxx:bitwarden_oauth2_veles PiperOrigin-RevId: 877355103

Commit:1aab268
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into dotnet_dep_extractors

Commit:ef75d82
Author:Copybara-Service

Merge pull request #1781 from joernNNN:spack_extractor PiperOrigin-RevId: 877347102

Commit:c9222e7
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into bitwarden_oauth2_veles

Commit:844a3c5
Author:Erik Varga
Committer:GitHub

fix config.proto

Commit:810636e
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into spack_extractor

Commit:e831a07
Author:joernNNN
Committer:joernNNN

update tests to avoid boilerplates fix a FP when checking the path remove package_name + package_version from spack metadata struct fix an override

Commit:0ce8816
Author:Xueqin Cui

update proto field number again

Commit:4146424
Author:Xueqin Cui

Merge branch 'main' into depsdev

Commit:4cc3e81
Author:Copybara-Service

Merge pull request #1724 from sanjay20m:main PiperOrigin-RevId: 875727808

Commit:985e3fc
Author:Copybara-Service

Merge pull request #1750 from shipsteady:Packagist PiperOrigin-RevId: 875712229

Commit:d2ce378
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into main

Commit:aa82623
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into Packagist

Commit:6e6f70d
Author:Erik Varga
Committer:Copybara-Service

Misc refactors. PiperOrigin-RevId: 875674507

Commit:e01ae22
Author:Sanjay Jangid

Merge remote-tracking branch 'upstream/main'

Commit:0c8a50c
Author:UNS

Merge remote-tracking branch 'origin/main' into Packagist

Commit:e0a336c
Author:Xueqin Cui

Merge remote-tracking branch 'origin/main' into depsdev # Conflicts: # binary/proto/config.proto # binary/proto/config_go_proto/config.pb.go

Commit:1096bd5
Author:Copybara-Service

Merge pull request #1735 from frkngksl:perlPackageManager PiperOrigin-RevId: 875224610

Commit:837e11c
Author:Copybara-Service

Merge pull request #1738 from darkRancher:supabase PiperOrigin-RevId: 875194681

Commit:e8c962a
Author:darkRancher
Committer:darkRancher

Remove unnecessary comments and ensure proper formatting in Supabase detector and validator files

Commit:b2d0044
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into supabase

Commit:568c14a
Author:Erik Varga
Committer:GitHub

Update config.proto

Commit:de9539d
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into perlPackageManager

Commit:c6eae25
Author:Sanjay Jangid
Committer:Sanjay Jangid

Add DiscordBotToken message and field

Commit:30b3b21
Author:alessandro-Doyensec

edit: use reserved instead of deprecated in .proto

Commit:aef9ea4
Author:darkRancher
Committer:GitHub

Merge branch 'main' into supabase

Commit:e034b87
Author:Xueqin Cui
Committer:Xueqin Cui

feat: add config for Python requirements transitive dependnecy enricher

Commit:d95788d
Author:alessandro-Doyensec

fix: remove .proto formatting

Commit:fb080f2
Author:alessandro-Doyensec
Committer:alessandro-Doyensec

remove: id from HashiCorpVaultAppRoleCredentials

Commit:0afbfa3
Author:Copybara-Service

Merge pull request #1691 from 0xXA:qemu-plugin PiperOrigin-RevId: 873956307

Commit:fa7c9aa
Author:darkRancher

fixed conflicts

Commit:8dd1d35
Author:darkRancher

Merge remote-tracking branch 'origin/main' into supabase

Commit:d61872d
Author:darkRancher

Merge remote-tracking branch 'origin/main' into supabase

Commit:deb047b
Author:Fernando Muñoz

Initial paket support

Commit:3d89e7d
Author:Copybara-Service

Merge pull request #1405 from am0o0:deno-extractor PiperOrigin-RevId: 872926421

Commit:3f5213e
Author:Maciej Trzos
Committer:Copybara-Service

Migrate all remaining detectors to use the global PluginConfig. PiperOrigin-RevId: 872809129

Commit:2d45275
Author:Copybara-Service

Merge pull request #1278 from am0o0:bazel_Maven_Extractor PiperOrigin-RevId: 872795689

Commit:b30d3ba
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into deno-extractor

Commit:118e447
Author:am0o0

Check if this TypeScript file is part of a Deno project by looking for "deno.json" or "deno.lock" in ancestor directories.

Commit:fff3711
Author:JamesFoxxx

Add Bitwarden OAuth2 access token secret detector

Commit:e85780e
Author:joernNNN

Add spack package manager extractor Add a new filesystem extractor for Spack that parses .spack/spec.json files to extract installed package information including name, version, hash, and architecture. External packages are filtered out. Includes proto serialization support, PURL generation with arch/distro qualifiers, ecosystem integration, and comprehensive tests.

Commit:c9af172
Author:am0o0

feat: NuGet Central Package Management files and Microsoft Build Engine (MSBuild) project files extractors.

Commit:4072d75
Author:Copybara-Service

Merge pull request #1457 from devampkid:cloudflare-secret-detector PiperOrigin-RevId: 871246001

Commit:a806834
Author:am0o0

global config for deno extractors, remove some unused code, add new line at the end of the files

Commit:1b76376
Author:Copybara-Service

Merge pull request #1776 from JellyBongo:macapps-config PiperOrigin-RevId: 871205990

Commit:a77a8a3
Author:JellyBongo

Add comment to proto

Commit:a56d224
Author:JellyBongo

allow custom directories in macapps extractor

Commit:0ea4062
Author:Furkan Göksel
Committer:GitHub

Merge branch 'main' into perlPackageManager

Commit:146867a
Author:Copybara-Service

Merge pull request #1458 from secureness:npmjs-veles PiperOrigin-RevId: 870900930

Commit:7cc7f5c
Author:Furkan Göksel
Committer:GitHub

Merge branch 'main' into perlPackageManager

Commit:538fbd0
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into npmjs-veles

Commit:4fe76a0
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into cloudflare-secret-detector

Commit:632ead9
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into bazel_Maven_Extractor

Commit:e44cff5
Author:Copybara-Service

Merge pull request #1733 from frkngksl:herokuAPI PiperOrigin-RevId: 869691574

Commit:3c05ced
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into deno_secret_extractor

Commit:32acc9c
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into add-sendgrid-detector

Commit:f89c30a
Author:Erik Varga
Committer:GitHub

Merge branch 'main' into herokuAPI

Commit:fea88d7
Author:secureness

Merge branch 'main' into npmjs-veles

Commit:adfa181
Author:Furkan Göksel
Committer:GitHub

Merge branch 'main' into perlPackageManager

Commit:cfba548
Author:am0o0

refactor(javascript): Split denojson into denojson and denotssource Separate Deno extractors: denojson for config files and denotssource for TypeScript imports. Add shared denohelper and denometadata packages. Update docs.

Commit:5fa0f80
Author:Copybara-Service

Merge pull request #1682 from 0xXA:salesforceoauth2jwt-plugin PiperOrigin-RevId: 868615555

Commit:cdca7b9
Author:UNS

Add Packagist secret detectors and validators - Implemented detectors for Packagist API keys, secrets, organization tokens, and user tokens. - Added validation logic for API keys and secrets using HMAC-SHA256. - Created test cases for all detectors and validators to ensure correct functionality. - Included sample auth.json files for various scenarios (valid, invalid, incomplete).

Commit:c907235
Author:Furkan Göksel

Update Heroku Secret Type

Commit:0ee033f
Author:Furkan Göksel

Update Heroku Secret Type

Commit:39cb9ff
Author:Furkan Göksel
Committer:GitHub

Merge branch 'main' into herokuAPI

Commit:3692534
Author:Furkan Göksel

Add time.Duration type

Commit:d956875
Author:Copybara-Service

Merge pull request #1669 from shipsteady:squareup PiperOrigin-RevId: 868077448

Commit:3fd81fe
Author:UNS

Updated the squareup validator and tests and Merge remote-tracking branch 'origin/main' into squareup

Commit:5b55073
Author:am0o0

Merge branch 'main' into deno-extractor

Commit:0163edf
Author:secureness

Merge branch 'main' into npmjs-veles

Commit:b18af5a
Author:Yuvraj Saxena
Committer:GitHub

Merge branch 'main' into qemu-plugin

Commit:77fcb38
Author:am0o0

Merge branch 'main' into bazel_Maven_Extractor add New function to the bazel maven extractor

Commit:9abf471
Author:devampkid

Merge branch 'main' into cloudflare-secret-detector

Commit:cea2d48
Author:darkRancher

feat: add support for Supabase credentials detection and validation