feat: OSV-Scanner MCP server

.gemini/config.yaml

@@ -0,0 +1,11 @@
+have_fun: false
+code_review:
+  disable: false
+  comment_severity_threshold: MEDIUM
+  max_review_comments: -1
+  pull_request_opened:
+    help: false
+    summary: false
+    code_review: false
+    include_drafts: true
+ignore_patterns: []

.github/workflows/checks.yml

@@ -16,10 +16,10 @@ name: Checks
 
 on:
   push:
-    branches: [main, v1]
+    branches: ["main", "v1", "mcp"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main, v1]
+    branches: ["main", "v1", "mcp"]
   workflow_dispatch:
 
 concurrency:
@@ -42,6 +42,16 @@ jobs:
         with:
           persist-credentials: false
       - run: scripts/report_uncleaned_snapshots.py
+  filenames:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - run: |
+          find . -mindepth 1 ! -regex '.*/[#@A-Za-z0-9._-]*' -print0 \
+            | xargs -0 -I{} bash -c \
+              'printf "::error file=%q::This filename contains undesired characters\n" "$1" && false' _ {}
   format:
     permissions:
       contents: read # to fetch code (actions/checkout)

.github/workflows/codeql-analysis.yml

@@ -48,7 +48,7 @@ jobs:
           go-version-file: go.mod
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +59,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6

.github/workflows/dependencies.yml

@@ -34,7 +34,7 @@ jobs:
           go get github.com/google/osv-scalibr@"$latest_commit"
           echo "latest_scalibr_commit=$latest_commit" >> "$GITHUB_ENV"
           go mod tidy
-      - run: go test ./cmd/osv-scanner/ -run 'Test_run$'
+      - run: go test ./cmd/osv-scanner/ -run 'Test_run$' || true
         env:
           TEST_ACCEPTANCE: true
           UPDATE_SNAPS: always

.github/workflows/osv-scanner-unified-action.yml

@@ -16,11 +16,11 @@ name: OSV-Scanner Scheduled Scan
 
 on:
   pull_request:
-    branches: ["main", "v1"]
+    branches: ["main", "v1", "mcp"]
   schedule:
     - cron: "12 12 * * 1"
   push:
-    branches: ["main", "v1"]
+    branches: ["main", "v1", "mcp"]
 
 # Restrict jobs in this workflow to have no permissions by default; permissions
 # should be granted per job as needed using a dedicated `permissions` block

.github/workflows/scorecards.yml

@@ -38,7 +38,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -68,6 +68,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
         with:
           sarif_file: results.sarif

.github/workflows/staleness.yml

@@ -13,7 +13,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           days-before-stale: 60
           days-before-close: 14

.golangci.yaml

@@ -53,6 +53,11 @@ linters:
     gocritic:
       disabled-checks:
         - ifElseChain
+    govet:
+      enable-all: true
+      disable:
+        - fieldalignment
+        - shadow
     nlreturn:
       block-size: 2
     revive:

CHANGELOG.md

@@ -1,3 +1,16 @@
+# v2.2.3
+
+### Features:
+
+- [Feature #2209](https://github.com/google/osv-scanner/pull/2209) Add support for resolving git packages that have a version specified.
+- [Feature #2210](https://github.com/google/osv-scanner/pull/2210) Make the `--experimental-plugins` flag additive by default, and introduce a new `--experimental-no-default-plugins` flag.
+- [Feature #2203](https://github.com/google/osv-scanner/pull/2203) Update `osv-scalibr` to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.
+
+### Fixes:
+
+- [Bug #2214](https://github.com/google/osv-scanner/pull/2214) Fix issue where `input.Path` was incorrectly constructed on Windows when using the `-L` flag.
+- [Fix #2241](https://github.com/google/osv-scanner/pull/2241) **Performance:** Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.
+
 # v2.2.2
 
 ### Features:

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -23,7 +23,7 @@ OPTIONS:
 ---
 
 [Test_run/version - 1]
-osv-scanner version: 2.2.2
+osv-scanner version: 2.2.3
 osv-scalibr version: 0.3.4
 commit: n/a
 built at: n/a
@@ -50,7 +50,6 @@ Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the
 [Test_run_SubCommands/with_no_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
 No issues found
 
 ---
@@ -62,7 +61,6 @@ No issues found
 [Test_run_SubCommands/with_scan_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
 No issues found
 
 ---

cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml

@@ -1,35 +1,2 @@
 [[PackageOverrides]]
-name = "chownr"
-ecosystem = "npm"
 ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "concat-stream"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "hosted-git-info"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "request"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "semver"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "tough-cookie"
-ecosystem = "npm"
-ignore = true
-reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml

@@ -1,23 +1,2 @@
 [[PackageOverrides]]
-name = "commons-io:commons-io"
-ecosystem = "Maven"
 ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "org.apache.httpcomponents:httpclient"
-ecosystem = "Maven"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "org.codehaus.plexus:plexus-utils"
-ecosystem = "Maven"
-ignore = true
-reason = "This is an intentionally vulnerable test project"
-
-[[PackageOverrides]]
-name = "org.jsoup:jsoup"
-ecosystem = "Maven"
-ignore = true
-reason = "This is an intentionally vulnerable test project"

cmd/osv-scanner/fix/testmain_test.go

@@ -7,11 +7,14 @@ import (
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd"
+	"github.com/google/osv-scanner/v2/internal/config"
 	"github.com/google/osv-scanner/v2/internal/testlogger"
 	"github.com/google/osv-scanner/v2/internal/testutility"
 )
 
 func TestMain(m *testing.M) {
+	config.OSVScannerConfigName = "osv-scanner-test.toml"
+
 	slog.SetDefault(slog.New(testlogger.New()))
 	testcmd.CommandsUnderTest = []cmd.CommandBuilder{fix.Command}
 	m.Run()

cmd/osv-scanner/main.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd"
+	"github.com/google/osv-scanner/v2/cmd/osv-scanner/mcp"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan"
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/update"
 )
@@ -15,6 +16,7 @@ func main() {
 			scan.Command,
 			fix.Command,
 			update.Command,
+			mcp.Command,
 		}),
 	)
 }