>>> osv-scanner: Building community/osv-scanner 1.3.0-r1 (using abuild 3.10.0-r0) started Thu, 06 Apr 2023 10:46:34 +0000
>>> osv-scanner: Checking sanity of /home/buildozer/aports/community/osv-scanner/APKBUILD...
>>> osv-scanner: Analyzing dependencies...
>>> osv-scanner: Installing for build: build-base go
(1/3) Installing binutils-gold (2.40-r3)
(2/3) Installing go (1.20.3-r0)
(3/3) Installing .makedepends-osv-scanner (20230406.104634)
Executing busybox-1.36.0-r5.trigger
OK: 500 MiB in 102 packages
>>> osv-scanner: Cleaning up srcdir
>>> osv-scanner: Cleaning up pkgdir
>>> osv-scanner: Fetching https://distfiles.alpinelinux.org/distfiles/edge/osv-scanner-1.3.0.tar.gz
>>> osv-scanner: Fetching https://distfiles.alpinelinux.org/distfiles/edge/osv-scanner-1.3.0.tar.gz
>>> osv-scanner: Checking sha512sums...
osv-scanner-1.3.0.tar.gz: OK
>>> osv-scanner: Unpacking /var/cache/distfiles/edge/osv-scanner-1.3.0.tar.gz...
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m
Initialized empty Git repository in /home/buildozer/aports/community/osv-scanner/src/osv-scanner-1.3.0/.git/
go: downloading github.com/urfave/cli/v2 v2.25.1
go: downloading golang.org/x/term v0.6.0
go: downloading github.com/jedib0t/go-pretty/v6 v6.4.6
go: downloading github.com/go-git/go-git/v5 v5.6.1
go: downloading github.com/go-git/go-billy/v5 v5.4.1
go: downloading golang.org/x/exp v0.0.0-20230321023759-10a507213a29
go: downloading github.com/package-url/packageurl-go v0.1.0
go: downloading golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3
go: downloading golang.org/x/sync v0.1.0
go: downloading github.com/BurntSushi/toml v1.2.1
go: downloading github.com/spdx/tools-golang v0.4.0
go: downloading github.com/CycloneDX/cyclonedx-go v0.7.0
go: downloading golang.org/x/tools v0.7.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading golang.org/x/mod v0.9.0
go: downloading golang.org/x/sys v0.6.0
go: downloading github.com/mattn/go-runewidth v0.0.13
go: downloading github.com/rivo/uniseg v0.2.0
go: downloading github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89
go: downloading github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673
go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.2
go: downloading github.com/go-git/gcfg v1.5.0
go: downloading github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8
go: downloading github.com/sergi/go-diff v1.1.0
go: downloading github.com/imdario/mergo v0.3.13
go: downloading github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
go: downloading github.com/emirpasic/gods v1.18.1
go: downloading github.com/pjbgf/sha1cd v0.3.0
go: downloading golang.org/x/crypto v0.6.0
go: downloading golang.org/x/net v0.8.0
go: downloading github.com/xanzy/ssh-agent v0.3.3
go: downloading github.com/kevinburke/ssh_config v1.2.0
go: downloading github.com/skeema/knownhosts v1.1.0
go: downloading github.com/russross/blackfriday/v2 v2.1.0
go: downloading gopkg.in/warnings.v0 v0.1.2
go: downloading github.com/cloudflare/circl v1.1.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/google/go-cmp v0.5.9
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.9.0
? github.com/google/osv-scanner/internal/output [no test files]
? github.com/google/osv-scanner/internal/sbom [no test files]
? github.com/google/osv-scanner/internal/testutility [no test files]
? github.com/google/osv-scanner/pkg/models [no test files]
? github.com/google/osv-scanner/pkg/osv [no test files]
--- FAIL: TestRun (0.00s)
    --- FAIL: TestRun/#03 (4.72s)
        main_test.go:298: stdout got:
Scanning dir ./fixtures/sbom-insecure/postgres-stretch.cdx.xml
Scanned /home/buildozer/aports/community/osv-scanner/src/osv-scanner-1.3.0/cmd/osv-scanner/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
| OSV URL (ID IN BOLD)                | ECOSYSTEM | PACKAGE | VERSION                            | SOURCE                                          |
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
| https://osv.dev/GHSA-v95c-p5hm-xq8f | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0274        |           |         |                                    |                                                 |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | Go        | sys     | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0493        |           |         |                                    |                                                 |
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
want:
Scanning dir ./fixtures/sbom-insecure/postgres-stretch.cdx.xml
Scanned %%/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
| OSV URL (ID IN BOLD)                | ECOSYSTEM | PACKAGE | VERSION                            | SOURCE                                          |
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
| https://osv.dev/GHSA-v95c-p5hm-xq8f | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0274        |           |         |                                    |                                                 |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | Go        | sys     | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0493        |           |         |                                    |                                                 |
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
FAIL
FAIL github.com/google/osv-scanner/cmd/osv-scanner 4.757s
ok github.com/google/osv-scanner/internal/govulncheckshim 3.113s
ok github.com/google/osv-scanner/internal/semantic 4.895s
ok github.com/google/osv-scanner/internal/sourceanalysis 0.020s
ok github.com/google/osv-scanner/pkg/config 0.022s
ok github.com/google/osv-scanner/pkg/grouper 0.020s
ok github.com/google/osv-scanner/pkg/lockfile 0.117s
ok github.com/google/osv-scanner/pkg/osvscanner 0.068s
FAIL
>>> ERROR: osv-scanner: check failed
>>> osv-scanner: Uninstalling dependencies...
(1/3) Purging .makedepends-osv-scanner (20230406.104634)
(2/3) Purging go (1.20.3-r0)
(3/3) Purging binutils-gold (2.40-r3)
Executing busybox-1.36.0-r5.trigger
OK: 327 MiB in 99 packages