metal3-io · metal3-io-bot · Mar 26, 2025 · Mar 26, 2025
diff --git a/.github/workflows/osv-scanner-scan.yml b/.github/workflows/osv-scanner-scan.yml
@@ -26,17 +26,20 @@ jobs:
       uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
+    # NOTE: this "go install" is not updated by Dependabot
     - name: Install OSV Scanner
-      run: go install github.com/google/osv-scanner/cmd/osv-scanner@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1
+      run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@0e986b49c4e7ee5aa545531c4a8908455f8a9e82 # v2.0.0
     - name: Run OSV Scanner
+      id: osv-scan
       run: |
         osv-scanner scan \
-          --format json --output results.json --recursive --skip-git \
+          --format json --output results.json --recursive \
           --config=<( echo "GoVersionOverride = \"${{ steps.vars.outputs.go_version }}\"" ) \
           ./
+        echo "has_vulnerabilities=$(jq '.results | length > 0' results.json)" >> "${GITHUB_OUTPUT}"
       continue-on-error: true
     - name: "Run OSV Scanner Reporter"
-      uses: google/osv-scanner/actions/reporter@1e295ee11c5e107886e58bacb04228325082146f # v1.9.2
+      uses: google/osv-scanner/actions/reporter@0e986b49c4e7ee5aa545531c4a8908455f8a9e82 # v2.0.0
       with:
         scan-args: |-
           --output=results.sarif
@@ -47,3 +50,14 @@ jobs:
       uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
       with:
         sarif_file: results.sarif
+    # if the results.json has any results, then it means there is some vulnerability to be checked out
+    - name: Slack Notification on Failure
+      if: ${{ steps.osv-scan.outputs.has_vulnerabilities == 'true' }}
+      uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # 2.3.2
+      env:
+        SLACK_TITLE: "OSV-Scanner detected vulnerabilities in ${{ github.repository }}"
+        SLACK_COLOR: "#FF0000"
+        SLACK_MESSAGE: "OSV-Scanner detected vulnerabilities in ${{ github.repository }}"
+        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        SLACK_CHANNEL: metal3-github-actions-notify
+        SLACK_USERNAME: metal3-github-actions-notify
diff --git a/hack/verify-release.sh b/hack/verify-release.sh
@@ -45,9 +45,7 @@ GLOBIGNORE=./hack/tools/go.mod
 VERSION="${1:?release version missing, provide without leading v. Example: 1.5.0}"
 GITHUB_TOKEN="${GITHUB_TOKEN:?export GITHUB_TOKEN with permissions to read unpublished release notes}"
 
-# if CONTAINER_RUNTIME is set, we will use crane and osv-scanner from images
-# otherwise, we will expect them to be installed binaries. This allows some
-# flexibility for the Mac users, where Docker Desktop is a bit problematic.
+# if CONTAINER_RUNTIME is set, we will use crane and osv-scanner from images.
 CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-}"
 # correct remote will be autodetected, if empty
 REMOTE="${REMOTE:-}"
@@ -132,6 +130,7 @@ declare -a required_tools=(
 )
 
 # we also require a container runtime, or pre-installed binaries
+# for osv-scanner we have also version check implemented during tool check
 if [[ -n "${CONTAINER_RUNTIME}" ]]; then
     required_tools+=(
         "${CONTAINER_RUNTIME}"
@@ -143,13 +142,13 @@ if [[ -n "${CONTAINER_RUNTIME}" ]]; then
     )
     declare -a OSVSCANNER_CMD=(
         "${CONTAINER_RUNTIME}" run --rm
-        -v "${PWD}":/src -w /src
-        --pull always
-        ghcr.io/google/osv-scanner:v1.9.2@sha256:239d47ec1a70af430c3cd57524d18e8b2d2dc2f28869384217b64f409ab6650a
+        -v "${PWD}":"/src:ro,z"
+        -w /src
+        ghcr.io/google/osv-scanner:v2.0.0@sha256:ceea4d7c57dcb4ab65453445f7a3155d0cc9ccef66a098a516ac264677d4b61f
     )
 else
     # go install github.com/google/go-containerregistry/cmd/gcrane@latest
-    # go install github.com/google/osv-scanner/cmd/osv-scanner@v1
+    # go install github.com/google/osv-scanner/v2/cmd/osv-scanner@v2.0.0
     required_tools+=(
         gcrane
         osv-scanner
@@ -200,11 +199,18 @@ check_tools()
     echo "Checking required tools ..."
 
     for tool in "${required_tools[@]}"; do
-        type "${tool}" &>/dev/null || { echo "FATAL: need ${tool} to be installed"; exit 1; }
+        if ! type "${tool}" &>/dev/null; then
+            echo "FATAL: need ${tool} to be installed"
+            if [[ "${tool}" = "osv-scanner" ]] || [[ "${tool}" = "gcrane" ]]; then
+                echo "HINT: 'export CONTAINER_RUNTIME=<docker|podman>' to use containerized tools"
+            fi
+            exit 1
+        fi
+
         case "${tool}" in
             osv-scanner)
                 version=$("${OSVSCANNER_CMD[@]}" -v | grep version | cut -f3 -d" ")
-                min_version="1.5.0"
+                min_version="2.0.0"
                 ;;
             *)
                 # dummy values here for other tools
@@ -622,7 +628,7 @@ verify_vulnerabilities()
     go_version="$(make go-version)"
     echo "GoVersionOverride = \"${go_version}\"" > "${config_file}"
     "${OSVSCANNER_CMD[@]}" scan \
-        --skip-git --recursive \
+        --recursive \
         --config="${config_file}" \
         ./ > "${SCAN_LOG}" || true