From b9dcb1fce13396861ded4e40bb9ffd428f22e605 Mon Sep 17 00:00:00 2001 From: Agustin Groh Date: Thu, 29 Jan 2026 07:47:22 -0300 Subject: [PATCH 1/4] bug(git-packages):SP-3974 add support for missing Git PURLs in OSV use case --- CHANGELOG.md | 7 +- pkg/usecase/OSV_use_case.go | 214 +++++++++++++++++++++---------- pkg/usecase/OSV_use_case_test.go | 141 ++++++++++++++++++++ 3 files changed, 296 insertions(+), 66 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68e6b8c..eeefaaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Upcoming changes... +## [0.9.0] - 2026/01/29 +### Changed +- Added support for GitHub PURLs in OSV use case by mapping them to GIT ecosystem with GitHub URLs + ## [0.8.0] - 2026/01/07 ### Added - Included Exploit Prediction Scoring System (EPSS) to vulnerability response @@ -92,4 +96,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [0.6.1]: https://github.com/scanoss/vulnerabilities/compare/v0.6.0...v0.6.1 [0.6.2]: https://github.com/scanoss/vulnerabilities/compare/v0.6.1...v0.6.2 [0.7.0]: https://github.com/scanoss/vulnerabilities/compare/v0.6.2...v0.7.0 -[0.8.0]: https://github.com/scanoss/vulnerabilities/compare/v0.7.0...v0.8.0 \ No newline at end of file +[0.8.0]: https://github.com/scanoss/vulnerabilities/compare/v0.7.0...v0.8.0 +[0.9.0]: https://github.com/scanoss/vulnerabilities/compare/v0.8.0...v0.9.0 \ No newline at end of file diff --git a/pkg/usecase/OSV_use_case.go b/pkg/usecase/OSV_use_case.go index 187af40..db87daf 100644 --- a/pkg/usecase/OSV_use_case.go +++ b/pkg/usecase/OSV_use_case.go @@ -20,9 +20,12 @@ import ( "bytes" "context" "encoding/json" + "fmt" "net/http" + "net/url" "time" + "github.com/package-url/packageurl-go" "go.uber.org/zap" "scanoss.com/vulnerabilities/pkg/config" 
@@ -34,14 +37,17 @@ import ( ) type OSVPackageRequest struct { - Purl string `json:"purl,omitempty"` - Name string `json:"name,omitempty"` + Purl string `json:"purl,omitempty"` + Name string `json:"name,omitempty"` + Ecosystem string `json:"ecosystem,omitempty"` } type OSVRequest struct { - Version string `json:"version,omitempty"` - Package OSVPackageRequest `json:"package"` - Requirement string `json:"requirement,omitempty"` + Version string `json:"version,omitempty"` + Package OSVPackageRequest `json:"package"` + Requirement string `json:"-"` + OriginalPurl string `json:"-"` + FallbackPackage *OSVPackageRequest `json:"-"` } type OSVUseCase struct { 
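Review bot: The three fields now tagged `json:"-"` (`Requirement`, `OriginalPurl`, `FallbackPackage`) have no comment saying they are internal routing data that must never reach the OSV request body. A doc comment on `OSVRequest` would make that contract explicit, for example `// OSVRequest is one OSV query; fields tagged json:"-" are kept for result mapping and fallback only and are never sent to OSV.` With those tags in place the struct already serializes to just `version` and `package`, so the anonymous struct that `queryOSV` builds in the @@ -187,6 +233,44 @@ hunk duplicates it and could become `out, err := json.Marshal(r)`. The `OSVUseCase` struct at the end of this hunk continues outside it.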
@@ -64,19 +70,95 @@ func NewOSVUseCase(s *zap.SugaredLogger, config *config.ServerConfig) *OSVUseCas } } -func (us OSVUseCase) getOSVRequestsFromDTO(dto []dtos.ComponentDTO) []OSVRequest { +// getRepoURL converts a PURL string into a Git repository URL if the PURL refers to a known git host. +// +// It supports two resolution strategies: +// +// 1. repository_url qualifier: If the PURL contains a "repository_url" qualifier, its value is used directly. +// This is the standard mechanism for hosts without a dedicated PURL type (e.g., pkg:/...?repository_url=https://gitlab.gnome.org/GNOME/gimp). +// +// 2. Direct type-based: For PURL types that have a spec-defined default repository URL, the host is resolved +// from the type (e.g., pkg:github/owner/repo -> https://github.com/owner/repo). +// +// Supported PURL types with default URLs (defined in spec): +// - github: https://github.com (see: https://github.com/package-url/purl-spec/blob/main/types-doc/github-definition.md) +// - bitbucket: https://bitbucket.org (see: https://github.com/package-url/purl-spec/blob/main/types-doc/bitbucket-definition.md) +// +// Supported PURL types with default URLs (not yet in spec): +// - gitlab: https://gitlab.com (candidate: https://github.com/package-url/purl-spec/blob/main/docs/candidate-purl-types.md) +// - gitee: https://gitee.com (not in spec or candidates) +// +// Not handled: git hosts without a dedicated PURL type and without a "repository_url" qualifier +// (e.g., gitlab.gnome.org, gitlab.freedesktop.org, gitlab.xiph.org, vcgit.hhi.fraunhofer.de, +// git.codelinaro.org, yoctoproject.org, trustedfirmware.org, sourceware.org, gitcode.com, +// eclipse.org, invent.kde.org). These hosts have no defined PURL type in the spec. +// +// Reference: https://github.com/package-url/purl-spec +// +// Returns a pointer to the repository URL string, or nil if the PURL is invalid or does not match any known git host. 
+func (us OSVUseCase) getRepoURL(purlString string) *string { + // Parse PURL to check if it's a git-based package + purl, err := packageurl.FromString(purlString) + if err != nil { + return nil + } + repoURL := purl.Qualifiers.Map()["repository_url"] + if repoURL != "" { + decoded, errUnescape := url.QueryUnescape(repoURL) + if errUnescape != nil { + return nil + } + return &decoded + } + + // Default URLs by purl type + gitHosts := map[string]string{ + "github": "https://github.com", + "gitlab": "https://gitlab.com", // not defined in the purl spec. See: https://github.com/package-url/purl-spec/blob/main/docs/candidate-purl-types.md + "bitbucket": "https://bitbucket.org", + "gitee": "https://gitee.com", + } + host, hostFound := gitHosts[purl.Type] + namespace := purl.Namespace + if hostFound { + repoURL := fmt.Sprintf("%s/%s/%s", host, namespace, purl.Name) + return &repoURL + } + return nil +} + +// getOSVRequestsFromDTO converts a slice of ComponentDTOs into OSVRequest objects. +// For git-based packages (GitHub, GitLab, Bitbucket), it constructs a repository URL +// and sets the ecosystem to "GIT", with the original PURL as a fallback. +// For all other packages, the PURL is used directly. 
+func (us OSVUseCase) getOSVRequestsFromDTO(componentDTOs []dtos.ComponentDTO) []OSVRequest { var osvRequests []OSVRequest - for _, element := range dto { - if element.Requirement != "" { - osvRequest := OSVRequest{ - Package: OSVPackageRequest{ - Purl: element.Purl, - }, - Version: element.Version, - Requirement: element.Requirement, + for _, c := range componentDTOs { + osvRequest := OSVRequest{ + Version: c.Version, + Requirement: c.Requirement, + OriginalPurl: c.Purl, + } + // Parse PURL to check if it's a git-based package + repoURL := us.getRepoURL(c.Purl) + + if repoURL != nil { + osvRequest.Package = OSVPackageRequest{ + Name: *repoURL, + Ecosystem: "GIT", } - osvRequests = append(osvRequests, osvRequest) + fallback := OSVPackageRequest{ + Purl: c.Purl, + } + osvRequest.FallbackPackage = &fallback } + if osvRequest.Package == (OSVPackageRequest{}) { + // For other packages, use the PURL directly + osvRequest.Package = OSVPackageRequest{ + Purl: c.Purl, + } + } + osvRequests = append(osvRequests, osvRequest) } return osvRequests } @@ -96,12 +178,10 @@ func (us OSVUseCase) processRequests(ctx context.Context, requests []OSVRequest) for i := 0; i < workers; i++ { go us.processRequest(ctx, jobs, results) } - for _, r := range requests { jobs <- r } close(jobs) - // Collect all results into a slice var response = dtos.VulnerabilityOutput{ Components: []dtos.VulnerabilityComponentOutput{}, 
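Review bot: In `getRepoURL` the `repository_url` qualifier is honoured before the PURL type is checked, so a caller-supplied PURL of any type (pypi, for example) that carries the qualifier is sent to OSV as a GIT-ecosystem query on whatever URL the qualifier holds, and `processRequest` falls back to the PURL query only when that GIT query returns nothing. A component could therefore be reported with the findings of an unrelated repository while its own ecosystem advisories are never queried. Consider limiting the qualifier path to types with no OSV ecosystem of their own, e.g. `if repoURL != "" && purl.Type == "generic" {`, and rejecting values that do not parse as an http(s) URL with a host. The extra `url.QueryUnescape` also looks like a second decode, since `packageurl.FromString` appears to return qualifier values already percent-decoded; this is worth confirming, because a second pass would turn a literal `+` into a space. Separately, `getOSVRequestsFromDTO` no longer skips components whose `Requirement` is empty, so if `Version` is empty too the query goes out without a version, which presumably widens the match to every advisory recorded for the package.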
@@ -125,59 +205,25 @@ func (us OSVUseCase) processRequest(ctx context.Context, jobs chan OSVRequest, r return // Channel closed, stop worker } response := dtos.VulnerabilityComponentOutput{ - Purl: j.Package.Purl, + Purl: j.OriginalPurl, Requirement: j.Requirement, Version: j.Version, } - out, err := json.Marshal(struct { - Version string `json:"version,omitempty"` - Package OSVPackageRequest `json:"package"` - }{ - Version: j.Version, - Package: j.Package, - }) - if err != nil { - us.s.Errorf("Failed to marshal request: %s", err) - results <- response - continue - } - req, err := http.NewRequest(http.MethodPost, us.OSVAPIBaseURL+"/query", bytes.NewBuffer(out)) - if err != nil { - us.s.Errorf("Failed to create HTTP request: %s", err) - results <- response - continue - } - req.Header.Set("Content-Type", "application/json") - - // Use a shared HTTP client to avoid creating a new one every call - resp, err := us.client.Do(req) - if err != nil { - us.s.Errorf("HTTP request failed: %s", err) - results <- response - continue - } - // Check for non-200 HTTP responses - if resp.StatusCode != http.StatusOK { - us.s.Errorf("Unexpected HTTP status: %d", resp.StatusCode) - err = resp.Body.Close() - if err != nil { - us.s.Errorf("Failed to close response body: %s", err) + response.Vulnerabilities = us.queryOSV(ctx, j) + + // Fallback: if GIT ecosystem returned no results, retry with the PURL directly + if len(response.Vulnerabilities) == 0 && j.FallbackPackage != nil { + us.s.Debugf("No vulnerabilities found for GIT ecosystem, falling back to PURL query for: %s", j.OriginalPurl) + fallbackReq := OSVRequest{ + Version: j.Version, + Package: *j.FallbackPackage, + OriginalPurl: j.OriginalPurl, + } + fallbackVulns := us.queryOSV(ctx, fallbackReq) + if fallbackVulns != nil { + response.Vulnerabilities = fallbackVulns } - results <- response - continue - } - var OSVResponse dtos.OSVResponseDTO - err = json.NewDecoder(resp.Body).Decode(&OSVResponse) - if err != nil { - 
us.s.Errorf("Failed to decode response: %s", err) - results <- response - continue - } - err = resp.Body.Close() - if err != nil { - us.s.Errorf("Failed to close response body: %s", err) } - response.Vulnerabilities = us.mapOSVVulnerabilities(OSVResponse.Vulns) results <- response case <-ctx.Done(): // Cancellation signal received: stop working and return immediately @@ -187,6 +233,44 @@ func (us OSVUseCase) processRequest(ctx context.Context, jobs chan OSVRequest, r } } +// queryOSV performs a single OSV API query and returns mapped vulnerabilities, or nil on error. +func (us OSVUseCase) queryOSV(ctx context.Context, r OSVRequest) []dtos.VulnerabilitiesOutput { + out, err := json.Marshal(struct { + Version string `json:"version,omitempty"` + Package OSVPackageRequest `json:"package"` + }{ + Version: r.Version, + Package: r.Package, + }) + if err != nil { + us.s.Errorf("Failed to marshal request: %s", err) + return nil + } + req, err := http.NewRequestWithContext(ctx, http.MethodPost, us.OSVAPIBaseURL+"/query", bytes.NewBuffer(out)) + if err != nil { + us.s.Errorf("Failed to create HTTP request: %s", err) + return nil + } + req.Header.Set("Content-Type", "application/json") + resp, err := us.client.Do(req) + if err != nil { + us.s.Errorf("HTTP request failed: %s", err) + return nil + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + us.s.Errorf("Unexpected HTTP status: %d", resp.StatusCode) + return nil + } + var osvResponse dtos.OSVResponseDTO + err = json.NewDecoder(resp.Body).Decode(&osvResponse) + if err != nil { + us.s.Errorf("Failed to decode response: %s", err) + return nil + } + return us.mapOSVVulnerabilities(osvResponse.Vulns) +} + // mapOSVVulnerabilities converts OSV vulnerabilities to the required DTO structure. func (us OSVUseCase) mapOSVVulnerabilities(vulns []dtos.Entry) []dtos.VulnerabilitiesOutput { vulnerabilities := make([]dtos.VulnerabilitiesOutput, 0, len(vulns)) 
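Review bot: The fallback condition `len(response.Vulnerabilities) == 0` in `processRequest` is true both when the GIT query found nothing and when `queryOSV` returned nil because the request failed. A failed lookup is therefore logged as "No vulnerabilities found for GIT ecosystem", and if the fallback fails as well the component is emitted with no vulnerabilities and nothing to mark it as unchecked. For a vulnerability service that is a silent false negative. `queryOSV` (added in the @@ -187,6 +233,44 @@ hunk) could return `([]dtos.VulnerabilitiesOutput, error)` so the caller can tell the two cases apart and surface the failure in the response if the DTO has a place for it. The worker loop of `processRequest` starts and ends outside this hunk.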
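Review bot: None of the error logs in `queryOSV` say which package the failed request was for, so after a non-200 status or a transport error an operator cannot tell which components went unchecked. This matters more now that one component can trigger two queries. Include the identifier and quote it, because the PURL comes from the request: `us.s.Errorf("Unexpected HTTP status %d from OSV for %q", resp.StatusCode, r.OriginalPurl)`, and likewise for the other four messages. The response body is also decoded without a size bound; `json.NewDecoder(io.LimitReader(resp.Body, maxOSVResponseBytes))` would cap what a single reply can consume (the constant name is a placeholder and `io` would need importing).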
diff --git a/pkg/usecase/OSV_use_case_test.go b/pkg/usecase/OSV_use_case_test.go index 0629ac7..8151905 100644 --- a/pkg/usecase/OSV_use_case_test.go +++ b/pkg/usecase/OSV_use_case_test.go 
@@ -68,3 +68,144 @@ func TestOSVUseCase(t *testing.T) { }) } } + +func TestGetRepoURL(t *testing.T) { + err := zlog.NewSugaredDevLogger() + if err != nil { + t.Fatalf("an error '%s' was not expected when opening a sugared logger", err) + } + defer zlog.SyncZap() + ctx := ctxzap.ToContext(context.Background(), zlog.L) + s := ctxzap.Extract(ctx).Sugar() + + serverConfig, err := config.NewServerConfig(nil) + if err != nil { + t.Fatalf("failed to load Config: %v", err) + } + + us := NewOSVUseCase(s, serverConfig) + + tests := []struct { + name string + purl string + expected *string + }{ + // Direct type-based hosts + { + name: "GitHub PURL", + purl: "pkg:github/owner/repo@v1.0.0", + expected: strPtr("https://github.com/owner/repo"), + }, + { + name: "GitLab PURL", + purl: "pkg:gitlab/owner/repo@v1.0.0", + expected: strPtr("https://gitlab.com/owner/repo"), + }, + { + name: "Bitbucket PURL", + purl: "pkg:bitbucket/owner/repo@v1.0.0", + expected: strPtr("https://bitbucket.org/owner/repo"), + }, + { + name: "Gitee PURL", + purl: "pkg:gitee/owner/repo@v1.0.0", + expected: strPtr("https://gitee.com/owner/repo"), + }, + // repository_url qualifier-based hosts + { + name: "GNOME GitLab via repository_url", + purl: "pkg:generic/gnome.org/GNOME/gimp@GIMP_2_10_36?repository_url=https://gitlab.gnome.org/GNOME/gimp", + expected: strPtr("https://gitlab.gnome.org/GNOME/gimp"), + }, + { + name: "Freedesktop GitLab via repository_url", + purl: "pkg:generic/freedesktop.org/mesa/mesa@mesa-24.0.0?repository_url=https://gitlab.freedesktop.org/mesa/mesa", + expected: strPtr("https://gitlab.freedesktop.org/mesa/mesa"), + }, + { + name: "Xiph GitLab via repository_url", + purl: "pkg:generic/xiph.org/xiph/opus@v1.6?repository_url=https://gitlab.xiph.org/xiph/opus", + expected: strPtr("https://gitlab.xiph.org/xiph/opus"), + }, + { + name: "Fraunhofer HHI via repository_url", + purl: 
"pkg:generic/vcgit.hhi.fraunhofer.de/jvet/VVCSoftware_VTM@VTM-15.0?repository_url=https://vcgit.hhi.fraunhofer.de/jvet/VVCSoftware_VTM", + expected: strPtr("https://vcgit.hhi.fraunhofer.de/jvet/VVCSoftware_VTM"), + }, + { + name: "CodeLinaro via repository_url", + purl: "pkg:generic/codelinaro.org/linaro/qcomlt/kernel@v6.0?repository_url=https://git.codelinaro.org/linaro/qcomlt/kernel", + expected: strPtr("https://git.codelinaro.org/linaro/qcomlt/kernel"), + }, + { + name: "Yocto Project via repository_url", + purl: "pkg:generic/yoctoproject.org/poky@yocto-4.0?repository_url=https://git.yoctoproject.org/poky", + expected: strPtr("https://git.yoctoproject.org/poky"), + }, + { + name: "Trusted Firmware via repository_url", + purl: "pkg:generic/trustedfirmware.org/TF-A/trusted-firmware-a@lts-v2.12?repository_url=https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git", + expected: strPtr("https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git"), + }, + { + name: "Sourceware via repository_url", + purl: "pkg:generic/sourceware.org/glibc@glibc-2.39?repository_url=https://sourceware.org/git/glibc.git", + expected: strPtr("https://sourceware.org/git/glibc.git"), + }, + { + name: "GitCode via repository_url", + purl: "pkg:generic/gitcode.com/openharmony/docs@v1.0.0?repository_url=https://gitcode.com/openharmony/docs", + expected: strPtr("https://gitcode.com/openharmony/docs"), + }, + { + name: "Eclipse via repository_url", + purl: "pkg:generic/eclipse.org/jgit/jgit@v7.0.0?repository_url=https://git.eclipse.org/c/jgit/jgit.git", + expected: strPtr("https://git.eclipse.org/c/jgit/jgit.git"), + }, + { + name: "KDE Invent via repository_url", + purl: "pkg:generic/invent.kde.org/plasma/plasma-desktop@v6.0.0?repository_url=https://invent.kde.org/plasma/plasma-desktop", + expected: strPtr("https://invent.kde.org/plasma/plasma-desktop"), + }, + { + name: "Gitee via repository_url", + purl: 
"pkg:generic/openharmony/docs@v5.0.0?repository_url=https://gitee.com/openharmony/docs", + expected: strPtr("https://gitee.com/openharmony/docs"), + }, + // Non-git PURL returns nil + { + name: "PyPI PURL returns nil", + purl: "pkg:pypi/requests@2.28.0", + expected: nil, + }, + // Invalid PURL returns nil + { + name: "Invalid PURL returns nil", + purl: "not-a-purl", + expected: nil, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + result := us.getRepoURL(tc.purl) + if tc.expected == nil { + if result != nil { + t.Errorf("expected nil, got %s", *result) + } + return + } + if result == nil { + t.Errorf("expected %s, got nil", *tc.expected) + return + } + if *result != *tc.expected { + t.Errorf("expected %s, got %s", *tc.expected, *result) + } + }) + } +} + +func strPtr(s string) *string { + return &s +} From 1acc450c732104601bc5697fe073eccfdce33f7d Mon Sep 17 00:00:00 2001 From: Agustin Groh Date: Thu, 29 Jan 2026 07:55:17 -0300 Subject: [PATCH 2/4] chore(component-resolution):SP-3986 refactor component version resolution --- CHANGELOG.md | 1 + pkg/usecase/vulnerability_use_case.go | 80 ++++++++++++++++++++------- 2 files changed, 61 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eeefaaa..6abf83a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [0.9.0] - 2026/01/29 ### Changed - Added support for GitHub PURLs in OSV use case by mapping them to GIT ecosystem with GitHub URLs +- Refactored component version resolution in vulnerability use case to use concurrent worker pool ## [0.8.0] - 2026/01/07 ### Added diff --git a/pkg/usecase/vulnerability_use_case.go b/pkg/usecase/vulnerability_use_case.go index ed61386..a751cfb 100644 --- a/pkg/usecase/vulnerability_use_case.go +++ b/pkg/usecase/vulnerability_use_case.go 
@@ -49,6 +49,63 @@ func NewVulnerabilityUseCase(s *zap.SugaredLogger, config *config.ServerConfig, } } +// componentVersionWorker processes components from the jobs channel, resolving each component's +// version by querying the SCANOSS API. If a resolved version is found, it replaces the original; +// otherwise the existing version is preserved. +func (us VulnerabilityUseCase) componentVersionWorker(ctx context.Context, jobs chan dtos.ComponentDTO, results chan dtos.ComponentDTO, wg *sync.WaitGroup) { + defer wg.Done() + sc := scanoss.New(us.db) + for j := range jobs { + processedComponent := dtos.ComponentDTO{ + Purl: j.Purl, + Requirement: j.Requirement, + Version: j.Version, + } + // Set by default version = requirement + var component types.ComponentResponse + component, err := sc.Component.GetComponent(ctx, types.ComponentRequest{ + Purl: j.Purl, + Requirement: j.Requirement, + }) + if err != nil { + us.s.Warnf("Failed to get component: %s, %s", j.Purl, j.Requirement) + continue + } + if component.Version != "" { + processedComponent.Version = component.Version + } + results <- processedComponent + } +} + +// getComponentsVersion resolves the concrete version for each component using a fan-out/fan-in +// concurrency pattern. It spawns up to MaxWorkers goroutines (capped by the number of components) +// to query versions in parallel, then collects and returns the results. 
+func (us VulnerabilityUseCase) getComponentsVersion(ctx context.Context, components []dtos.ComponentDTO) []dtos.ComponentDTO { + numJobs := len(components) + jobs := make(chan dtos.ComponentDTO, numJobs) + results := make(chan dtos.ComponentDTO, numJobs) + numWorkers := min(us.config.Source.SCANOSS.MaxWorkers, numJobs) + wg := sync.WaitGroup{} + for i := 0; i < numWorkers; i++ { + wg.Add(1) + go us.componentVersionWorker(ctx, jobs, results, &wg) + } + for _, c := range components { + jobs <- c + } + close(jobs) + go func() { + wg.Wait() + close(results) + }() + var processedComponents []dtos.ComponentDTO + for r := range results { + processedComponents = append(processedComponents, r) + } + return processedComponents +} + func (us VulnerabilityUseCase) Execute(ctx context.Context, components []dtos.ComponentDTO) (dtos.VulnerabilityOutput, error) { us.s.Debugf("Processing Vulnerabilities request: %v", components) if len(components) == 0 { @@ -61,23 +118,7 @@ func (us VulnerabilityUseCase) Execute(ctx context.Context, components []dtos.Co return dtos.VulnerabilityOutput{}, errors.New("problem getting database pool connection") } defer models.CloseConn(conn) - sc := scanoss.New(us.db) - for i, c := range components { - // Set by default version = requirement - components[i].Version = c.Requirement - var component types.ComponentResponse - component, err = sc.Component.GetComponent(ctx, types.ComponentRequest{ - Purl: c.Purl, - Requirement: c.Requirement, - }) - if err != nil { - us.s.Warnf("Failed to get component: %s, %s", c.Purl, c.Requirement) - continue - } - if component.Version != "" { - components[i].Version = component.Version - } - } + processedComponents := us.getComponentsVersion(ctx, components) wg := sync.WaitGroup{} // Gets OSV vulnerabilities only if enabled 
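Review bot: In `componentVersionWorker` the error branch does `continue` without sending anything to `results`, so a component whose `GetComponent` lookup fails is dropped from `processedComponents` and never reaches the OSV or local lookups in `Execute` (the @@ -88,7 +129,7 @@ and @@ -100,7 +141,7 @@ hunks); the removed loop kept such components, with the requirement as their version. Send the unresolved component before continuing, `results <- processedComponent`, so a resolver failure cannot hide a component from the scan. The retained comment `// Set by default version = requirement` no longer matches the code, which now starts from `j.Version`; either restore `Version: j.Requirement` or update the comment, depending on which is intended. `getComponentsVersion` also returns an empty slice when `MaxWorkers` is zero or negative, because no worker is started; `numWorkers := max(1, min(us.config.Source.SCANOSS.MaxWorkers, numJobs))` would guard against that.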
@@ -88,7 +129,7 @@ func (us VulnerabilityUseCase) Execute(ctx context.Context, components []dtos.Co defer wg.Done() us.s.Debugf("vulnerabilities: OSV enabled") osvUseCase := NewOSVUseCase(us.s, us.config) - osvVulnerabilities = osvUseCase.Execute(ctx, components) + osvVulnerabilities = osvUseCase.Execute(ctx, processedComponents) }() } // ************* OSV Use case end *************** / @@ -100,7 +141,7 @@ func (us VulnerabilityUseCase) Execute(ctx context.Context, components []dtos.Co go func() { defer wg.Done() localVulUc := NewLocalVulnerabilitiesUseCase(ctx, us.s, us.config, us.db) - localVulnerabilities, err = localVulUc.GetVulnerabilities(ctx, components) + localVulnerabilities, err = localVulUc.GetVulnerabilities(ctx, processedComponents) if err != nil { us.s.Errorf("Failed to get Vulnerabilities: %v", err) localErr = errors.New("problems encountered extracting vulnerability data") @@ -112,7 +153,6 @@ func (us VulnerabilityUseCase) Execute(ctx context.Context, components []dtos.Co if localErr != nil { return dtos.VulnerabilityOutput{}, localErr } - // Merge OSV and local vulnerabilities in one response. Avoids duplicated vulnerabilities := helpers.MergeOSVAndLocalVulnerabilities(localVulnerabilities, osvVulnerabilities) // Add EPSS data From add61cc9b9feef92c8f6bbc4c063a11898366fc7 Mon Sep 17 00:00:00 2001 From: Agustin Groh Date: Thu, 29 Jan 2026 10:55:57 -0300 Subject: [PATCH 3/4] chore(deps):upgrades scanoss/go-models to v0.3.0 --- CHANGELOG.md | 1 + go.mod | 19 ++---------- go.sum | 82 ++-------------------------------------------------- 3 files changed, 5 insertions(+), 97 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6abf83a..330bd97 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed - Added support for GitHub PURLs in OSV use case by mapping them to GIT ecosystem with GitHub URLs - Refactored component version resolution in vulnerability use case to use concurrent worker pool +- Upgraded `/scanoss/go-models` to `v0.3.0` ## [0.8.0] - 2026/01/07 ### Added diff --git a/go.mod b/go.mod index 55bb621..d4ba7b9 100644 --- a/go.mod +++ b/go.mod @@ -8,14 +8,14 @@ require ( github.com/Masterminds/semver/v3 v3.4.0 github.com/golobby/config/v3 v3.4.2 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 - github.com/guseggert/pkggodev-client v0.0.0-20240318140526-cdb0034504cf github.com/jmoiron/sqlx v1.4.0 github.com/lib/pq v1.10.9 github.com/mattn/go-sqlite3 v1.14.32 github.com/package-url/packageurl-go v0.1.3 github.com/pandatix/go-cvss v0.6.2 github.com/scanoss/go-grpc-helper v0.9.0 - github.com/scanoss/go-models v0.2.0 + github.com/scanoss/go-models v0.3.0 + github.com/scanoss/go-purl-helper v0.2.1 github.com/scanoss/papi v0.28.0 github.com/scanoss/zap-logging-helper v0.4.0 go.uber.org/zap v1.27.0 
@@ -25,35 +25,21 @@ require ( require ( github.com/BurntSushi/toml v1.2.1 // indirect - github.com/PuerkitoBio/goquery v1.10.3 // indirect - github.com/andybalholm/cascadia v1.3.3 // indirect - github.com/antchfx/htmlquery v1.3.4 // indirect - github.com/antchfx/xmlquery v1.4.4 // indirect - github.com/antchfx/xpath v1.3.5 // indirect - github.com/bits-and-blooms/bitset v1.24.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/gobwas/glob v0.2.3 // indirect - github.com/gocolly/colly/v2 v2.2.0 // indirect - github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/golobby/cast v1.3.3 // indirect github.com/golobby/dotenv v1.3.2 // indirect github.com/golobby/env/v2 v2.2.4 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect - github.com/kennygrant/sanitize v1.2.4 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/ncruces/go-strftime v0.1.9 // indirect - github.com/nlnwa/whatwg-url v0.6.2 // indirect github.com/phuslu/iploc v1.0.20230201 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect - github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect - github.com/scanoss/go-purl-helper v0.2.1 // indirect github.com/scanoss/ipfilter/v2 v2.0.2 // indirect - github.com/temoto/robotstxt v1.1.2 // indirect github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect 
@@ -71,7 +57,6 @@ require ( golang.org/x/net v0.43.0 // indirect golang.org/x/sys v0.35.0 // indirect golang.org/x/text v0.28.0 // indirect - google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect google.golang.org/protobuf v1.36.8 // indirect diff --git a/go.sum b/go.sum index e19f966..3533d8e 100644 --- a/go.sum +++ b/go.sum 
@@ -394,22 +394,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo= -github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y= -github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM= -github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA= -github.com/antchfx/htmlquery v1.3.4 h1:Isd0srPkni2iNTWCwVj/72t7uCphFeor5Q8nCzj1jdQ= -github.com/antchfx/htmlquery v1.3.4/go.mod h1:K9os0BwIEmLAvTqaNSua8tXLWRWZpocZIH73OzWQbwM= -github.com/antchfx/xmlquery v1.4.4 h1:mxMEkdYP3pjKSftxss4nUHfjBhnMk4imGoR96FRY2dg= -github.com/antchfx/xmlquery v1.4.4/go.mod h1:AEPEEPYE9GnA2mj5Ur2L5Q5/2PycJ0N9Fusrx9b12fc= -github.com/antchfx/xpath v1.3.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= -github.com/antchfx/xpath v1.3.5 h1:PqbXLC3TkfeZyakF5eeh3NTWEbYl4VHNVeufANzDbKQ= -github.com/antchfx/xpath v1.3.5/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/bits-and-blooms/bitset v1.20.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= -github.com/bits-and-blooms/bitset v1.24.0 h1:H4x4TuulnokZKvHLfzVRTHJfFfnHEeSYJizujEZvmAM= -github.com/bits-and-blooms/bitset v1.24.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= 
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -467,10 +453,6 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= -github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/gocolly/colly/v2 v2.2.0 h1:FQGxcqvTdFAvOpMRhk52o20Qsf6KtRU5HSf0bITS38I= -github.com/gocolly/colly/v2 v2.2.0/go.mod h1:YOQwv1ofoQOzJiELnkThDd6ObOfl6odUk2i6Czbx3Ws= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -478,9 +460,6 @@ github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0L github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= -github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= @@ -535,7 +514,6 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 
@@ -588,8 +566,6 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4Zs github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= -github.com/guseggert/pkggodev-client v0.0.0-20240318140526-cdb0034504cf h1:f05FiJteLjgahJRh0PuXq2IhX4oHfCjjNavp8kLnP3w= -github.com/guseggert/pkggodev-client v0.0.0-20240318140526-cdb0034504cf/go.mod h1:sknxAX1660yRadbSXHoog+U2aOr6AFZzvyGyqcUK0Ys= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= @@ -599,8 +575,6 @@ github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o= -github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -624,8 +598,6 @@ github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuE github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= -github.com/nlnwa/whatwg-url v0.6.2 h1:jU61lU2ig4LANydbEJmA2nPrtCGiKdtgT0rmMd2VZ/Q= -github.com/nlnwa/whatwg-url v0.6.2/go.mod h1:x0FPXJzzOEieQtsBT/AKvbiBbQ46YlL6Xa7m02M1ECk= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= 
@@ -649,12 +621,10 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= -github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d h1:hrujxIzL1woJ7AwssoOcM/tq5JjjG2yYOc8odClEiXA= -github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU= github.com/scanoss/go-grpc-helper v0.9.0 h1:lK9JtKtyOqR9XxjnYR0wbW5KCNDH82P1E1LJwwP5Xb4= github.com/scanoss/go-grpc-helper v0.9.0/go.mod h1:EPI1NBg+DJ+krWehxC9eHyNpM5Pii5odOJcNdNG9qA0= -github.com/scanoss/go-models v0.2.0 h1:GLO1bN/UFoRC2v0PNe8lJV2SgqiHuHgEVTyb9Y7gbpU= -github.com/scanoss/go-models v0.2.0/go.mod h1:vJspSuRxjRaukPO4hylXwndBnTvSvB/moub2f0OyPzg= +github.com/scanoss/go-models v0.3.0 h1:E5uJSKdSPKrU2J08kAfrLv6uof1FRYWKDRypsYU/g7k= +github.com/scanoss/go-models v0.3.0/go.mod h1:Dq8ag9CI/3h0sqDWYUrTjW/jO8l5L6oopWJRKtJxzqA= github.com/scanoss/go-purl-helper v0.2.1 h1:jp960a585ycyJSlqZky1NatMJBIQi/JGITDfNSu/9As= github.com/scanoss/go-purl-helper v0.2.1/go.mod h1:v20/bKD8G+vGrILdiq6r0hyRD2bO8frCJlu9drEcQ38= github.com/scanoss/ipfilter/v2 v2.0.2 h1:GaB9i8kVJg9JQZm5XGStYkEpiaCVdsrj7ezI2wV/oh8= 
@@ -683,8 +653,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/temoto/robotstxt v1.1.2 h1:W2pOjSJ6SWvldyEuiFXNxz3xZ8aiWX5LbfDiOFd7Fxg= -github.com/temoto/robotstxt v1.1.2/go.mod h1:+1AmkuG3IYkh1kv0d2qEB9Le88ehNO0zwOr3ujewlOo= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -744,11 +712,6 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= -golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -789,10 +752,6 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -846,13 +805,6 @@ golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfS golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= -golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= -golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= -golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -896,10 +848,6 @@ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -971,28 +919,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term 
v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= -golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= -golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1005,12 +938,6 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1075,9 +1002,6 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1148,8 +1072,6 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= From af07fa927a1767d23368d8876d2c000916b949c3 Mon Sep 17 00:00:00 2001 
From: Agustin Groh Date: Fri, 30 Jan 2026 14:59:25 -0300 Subject: [PATCH 4/4] chore(version): upgrade version to v0.9.0 --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 330bd97..d7944fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,9 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Upcoming changes... -## [0.9.0] - 2026/01/29 +## [0.9.0] - 2026/02/02 ### Changed -- Added support for GitHub PURLs in OSV use case by mapping them to GIT ecosystem with GitHub URLs +- Added support for GitHub PURLs in OSV use case by mapping them to GIT ecosystem with Git URLs - Refactored component version resolution in vulnerability use case to use concurrent worker pool - Upgraded `/scanoss/go-models` to `v0.3.0`