ci: Split long-running tests to avoid running on irrelevant changes

.github/workflows/checks.yml

@@ -97,93 +97,3 @@ jobs:
           check-latest: true
       - name: Run lint action
         uses: ./.github/workflows/lint-action
-  prepare_test_image_testdata:
-    permissions:
-      contents: read # to fetch code (actions/checkout)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - run: scripts/build_test_images.sh
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}
-          path: cmd/osv-scanner/scan/image/testdata/*.tar
-          retention-days: 1
-  tests:
-    permissions:
-      contents: read # to fetch code (actions/checkout)
-    needs:
-      - prepare_test_image_testdata
-    name: Run unit tests
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          pattern: image-testdata-${{ github.run_number }}-*
-          path: cmd/osv-scanner/scan/image/testdata/
-      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
-        with:
-          go-version-file: "go.mod"
-          check-latest: true
-      - name: Run test action
-        uses: ./.github/workflows/test-action
-        with:
-          codecov_token: ${{ secrets.CODECOV_TOKEN }}
-  docker:
-    permissions:
-      contents: read # to fetch code (actions/checkout)
-    runs-on: ubuntu-latest
-    env:
-      # Required for buildx on docker 19.x
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
-        with:
-          go-version-file: "go.mod"
-          check-latest: true
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - name: Run GoReleaser
-        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
-        with:
-          distribution: goreleaser
-          version: "~> v2"
-          args: release --clean --snapshot
-      - env:
-          ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
-        run: |
-          echo "$ARTIFACTS" > output.json
-          jq -r '.[] | select(
-            .type == "Docker Image" and
-            .goarch == "amd64" and
-            .goos == "linux" and
-            .extra.DockerConfig.dockerfile == "goreleaser.dockerfile"
-          ) | .name' output.json | while read -r image; do
-            echo "Testing image $image"
-
-            exit_code=0
-            docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$?
-
-            # fail if we get a non-zero exit code other than "vulnerabilities were found"
-            if [[ $exit_code -ne 0 && $exit_code -ne 1  ]]; then
-              exit $exit_code
-            fi
-          done

.github/workflows/tests.yml

@@ -0,0 +1,138 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Tests
+
+on:
+  push:
+    branches: ["main", "v1", "mcp"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - ".github/workflows/*"
+      - "!.github/workflows/tests.yml"
+      - "!.github/workflows/test-action/**"
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main", "v1", "mcp"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - ".github/workflows/*"
+      - "!.github/workflows/tests.yml"
+      - "!.github/workflows/test-action/**"
+  workflow_dispatch:
+
+concurrency:
+  # Pushing new changes to a branch will cancel any in-progress CI runs
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
+jobs:
+  prepare_test_image_testdata:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - run: scripts/build_test_images.sh
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}
+          path: cmd/osv-scanner/scan/image/testdata/*.tar
+          retention-days: 1
+  tests:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+    needs:
+      - prepare_test_image_testdata
+    name: Run unit tests
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: image-testdata-${{ github.run_number }}-*
+          path: cmd/osv-scanner/scan/image/testdata/
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: "go.mod"
+          check-latest: true
+      - name: Run test action
+        uses: ./.github/workflows/test-action
+        with:
+          codecov_token: ${{ secrets.CODECOV_TOKEN }}
+  docker:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+    runs-on: ubuntu-latest
+    env:
+      # Required for buildx on docker 19.x
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: "go.mod"
+          check-latest: true
+          cache: false
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean --snapshot
+      - env:
+          ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
+        run: |
+          echo "$ARTIFACTS" > output.json
+          jq -r '.[] | select(
+            .type == "Docker Image" and
+            .goarch == "amd64" and
+            .goos == "linux" and
+            .extra.DockerConfig.dockerfile == "goreleaser.dockerfile"
+          ) | .name' output.json | while read -r image; do
+            echo "Testing image $image"
+
+            exit_code=0
+            docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$?
+
+            # fail if we get a non-zero exit code other than "vulnerabilities were found"
+            if [[ $exit_code -ne 0 && $exit_code -ne 1  ]]; then
+              exit $exit_code
+            fi
+          done

cmd/osv-scanner/fix/__snapshots__/command_test.snap

@@ -9204,7 +9204,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
         {
           "name": "org.codehaus.plexus:plexus-utils",
           "versionFrom": "3.0",
-          "versionTo": "4.0.3",
+          "versionTo": "3.6.1",
           "transitive": false
         }
       ],
@@ -9358,7 +9358,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>4.0.3</version>
+      <version>3.6.1</version>
     </dependency>
   </dependencies>
 </project>
@@ -9512,7 +9512,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
 Found 13 vulnerabilities matching the filter
 Can fix 13/13 matching vulnerabilities by overriding 4 dependencies
 OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13
-OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3
+OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1
 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0
 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3
 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c
@@ -9566,7 +9566,7 @@ UNFIXABLE-VULNS: 0
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>4.0.3</version>
+      <version>3.6.1</version>
     </dependency>
   </dependencies>
 </project>
@@ -11354,7 +11354,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
 Found 13 vulnerabilities matching the filter
 Can fix 13/13 matching vulnerabilities by overriding 4 dependencies
 OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13
-OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3
+OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1
 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0
 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3
 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c
@@ -11408,7 +11408,7 @@ UNFIXABLE-VULNS: 0
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>4.0.3</version>
+      <version>3.6.1</version>
     </dependency>
   </dependencies>
 </project>

cmd/osv-scanner/mcp/__snapshots__/integration_test.snap

@@ -24,7 +24,6 @@ lockfile:<rootdir>/testdata/go-project/go.mod: found 1 package with issues
       Severity: '5.9'; Minimal Fix Version: '1.1.0';
 
   1 known vulnerability found in lockfile:<rootdir>/testdata/go-project/go.mod
-Hiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
-
+Hiding 15 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
 
 ---

cmd/osv-scanner/scan/image/__snapshots__/command_test.snap

@@ -1202,6 +1202,34 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 
 ---
 
+[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 1]
+Scanning local image tarball "./testdata/test-ubuntu-homebrew.tar"
+skipping file "home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/.git/objects/pack/pack-0113dab039640255baab5438994e90f67a4c482c.pack" because its size (1155620741 bytes) is larger than the max size (1073741824 bytes)
+
+
+Container Scanning Result (Ubuntu 22.04.5 LTS):
+Total 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++------------------------------------------------------------------------------------------------------------------------------------------------------+
+| Source:os:/home/linuxbrew/.linuxbrew/Cellar/cjson/1.7.17/INSTALL_RECEIPT.json                                                                        |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+| SOURCE PACKAGE                      | INSTALLED VERSION | FIX AVAILABLE    | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+| https://github.com/DaveGamble/cJSON | 1.7.17            | No fix available |          3 |                         | # 19 Layer       | --            |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.
+
+---
+
+[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 2]
+
+---
+
 [TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 1]
 {
   "results": [

cmd/osv-scanner/scan/image/command_test.go

@@ -352,6 +352,17 @@ func TestCommand_OCIImage(t *testing.T) {
 			},
 			Exit: 1,
 		},
+		{
+			Name: "scanning_ubuntu_image_with_homebrew_extractor",
+			Args: []string{
+				"", "image",
+				"--experimental-plugins", "os/homebrew",
+				"--experimental-plugins", "misc/brew-source",
+				"--experimental-no-default-plugins",
+				"--archive", "./testdata/test-ubuntu-homebrew.tar",
+			},
+			Exit: 1,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.Name, func(t *testing.T) {