brew-vulns 0.2.3 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be255fe2f38fdc4f92a35543e5164f3d4ebca6e8fdcbd18226d2f71b9fc630de
-  data.tar.gz: e0ee3ea8b1327ebff1fef3dbfc441fafe661d26482d59e37c1574c472d58b365
+  metadata.gz: 80d99be04bbb5f94ac9b6ce0572699c06291a38d3cad5643f40fcc5991a11bcf
+  data.tar.gz: 50af431e418e7af72b006acbdbc3d88dcf177726f0796eb2ead936406c5242ba
 SHA512:
-  metadata.gz: 0e19f82e0b1b075245c696ddbf8ffb09c8beab175ec157214037182005b9af6fae8c942235b43694c4d7e54a5e79ba6735709d3e684d3441b9238e9d2d09d53d
-  data.tar.gz: 705abcdef8c8bb4b7795f7f5478751d0025397e5b64def2682cccce4bf63fa88d9d6bbfa55d7dd15a34826f3375ef6b6177f48a1ef384289a5d8fb917788f15d
+  metadata.gz: c45915f201f9b804298836a2ccf16f815eeb48899253499c315ae74a7684e52da207b344682fe8b48af14afe4003bbcdeffb233a11a984cca5821554e687626d
+  data.tar.gz: 4aea92e8df8fe2143d8e1f4268d0173c98d11f721ce1195b79e68c5c67e41357a2f9b96ded95d5b57d62baf821bf20e5cd43beebf18995fc039d8da6cb2b746c

data/.rubocop.yml

@@ -1,7 +1,7 @@
 # This file is synced from `Homebrew/brew` by the `.github` repository, do not modify it directly.
 ---
 AllCops:
-  TargetRubyVersion: 3.4
+  TargetRubyVersion: 4.0
   NewCops: enable
   Include:
   - "**/*.rbi"
@@ -31,8 +31,6 @@ Layout/EndAlignment:
 Layout/HashAlignment:
   EnforcedHashRocketStyle: table
   EnforcedColonStyle: table
-Layout/IndentationWidth:
-  Enabled: false
 Layout/LeadingCommentSpace:
   Exclude:
   - Taps/*/*/cmd/*.rb
@@ -149,6 +147,16 @@ Style/FetchEnvVar:
   - Taps/*/*/*.rb
   - "/**/Formula/**/*.rb"
   - "**/Formula/**/*.rb"
+Style/OneClassPerFile:
+  Exclude:
+  - "**/*.rbi"
+  - Taps/*/*/*.rb
+  - "/**/Abstract/**/*.rb"
+  - "**/Abstract/**/*.rb"
+  - "/**/Formula/**/*.rb"
+  - "**/Formula/**/*.rb"
+  - "/**/developer/bin/*"
+  - "**/developer/bin/*"
 Style/FrozenStringLiteralComment:
   EnforcedStyle: always
   Exclude:

data/.ruby-version

@@ -1 +1 @@
-4.0.0
+4.0.5

data/CHANGELOG.md

@@ -1,5 +1,32 @@
 ## [Unreleased]
 
+## [0.4.0] - 2026-06-28
+
+- Suppress vulnerabilities that a formula's patches declare as resolved (via `patches[].resolves` in `brew info --json=v2`, Homebrew 6.0.4+); list them separately in text/JSON output, exclude them from SARIF output, and exclude them from the exit code
+- CycloneDX output: emit patched vulnerabilities with `analysis.state = resolved` and include formula patches as `pedigree.patches` on each component
+- Add `--no-ignore-patches` to report patched vulnerabilities as open findings
+- Fix invalid SARIF output when no vulnerabilities are found (GitHub code scanning rejected the file)
+
+## [0.3.0] - 2026-05-29
+
+- Add `--all` flag to scan every formula in homebrew-core
+- Accept one or more formula names as arguments to scan specific formulae, including ones that are not installed
+- Exit with status 2 on errors so callers can distinguish errors from "vulnerabilities found" (exit 1)
+- Add example GitHub Actions workflows for tap PR checks and full homebrew-core scans
+- Compute severity bands from CVSS vector strings when OSV data does not provide a severity label
+- Improve CVSS severity fallback handling when multiple score sources are present
+- Handle unbounded `introduced: 0` OSV ranges and multi-interval SEMVER ranges correctly
+- Fail closed (report as affected) when a version range comparison raises instead of silently skipping
+- Sanitize ANSI/terminal escape sequences, carriage returns and backspaces from text output
+- Cap concurrent requests when fetching vulnerability details to avoid unbounded thread spawning
+- Cap OSV pagination at a fixed page limit to avoid unbounded loops on bad responses
+- Set a `User-Agent` header on OSV API requests
+
+## [0.2.3] - 2026-02-05
+
+- Move repository to the Homebrew organisation and update install instructions, formula and links accordingly
+- Internal: shared CI/lint configuration sync and dependency updates
+
 ## [0.2.2] - 2026-01-25
 
 - Add retry logic to OSV API requests (up to 3 attempts on timeout or connection errors)

data/Formula/brew-vulns.rb

@@ -1,8 +1,8 @@
 class BrewVulns < Formula
   desc "Check Homebrew packages for known vulnerabilities via osv.dev"
   homepage "https://github.com/Homebrew/homebrew-brew-vulns"
-  url "https://github.com/Homebrew/homebrew-brew-vulns/archive/refs/tags/v0.2.2.tar.gz"
-  sha256 "64abf7791eb7d04312c1fda9dc49a73f3702f5716ce18506324ed9f401fe2514"
+  url "https://github.com/Homebrew/homebrew-brew-vulns/archive/refs/tags/v0.3.0.tar.gz"
+  sha256 "1b9fbb03d46192350ad7dcac4279b382debb917d40688a4b816319214a2570d4"
   license "MIT"
 
   depends_on "ruby"

data/README.md

@@ -21,15 +21,17 @@ Once installed, the command is available as `brew vulns`.
 ## Usage
 
 ```bash
-brew vulns [formula] [options]
+brew vulns [formula...] [options]
 ```
 
 ### Options
 
 | Flag | Long form | Description |
 |------|-----------|-------------|
+| | `--all` | Scan every formula in homebrew-core |
 | `-b PATH` | `--brewfile PATH` | Scan packages from a Brewfile (default: ./Brewfile) |
 | `-d` | `--deps` | Include dependencies when checking a specific formula or Brewfile |
+| | `--no-ignore-patches` | Report vulnerabilities even when the formula applies a patch that resolves them |
 | `-j` | `--json` | Output results as JSON |
 | | `--cyclonedx` | Output results as CycloneDX SBOM with vulnerabilities |
 | | `--sarif` | Output results as SARIF for GitHub code scanning |
@@ -43,9 +45,15 @@ brew vulns [formula] [options]
 # Check all installed packages
 brew vulns
 
-# Check a specific formula
+# Scan every formula in homebrew-core
+brew vulns --all --json > vulns.json
+
+# Check a specific formula (does not need to be installed)
 brew vulns openssl
 
+# Check several formulae at once
+brew vulns vim curl jq
+
 # Check a formula and its dependencies
 brew vulns python --deps
 
@@ -82,13 +90,19 @@ brew vulns --help
 
 ## How it works
 
-1. Reads installed Homebrew formulae via `brew info --json=v2 --installed`
+1. Reads Homebrew formulae via `brew info --json=v2` (installed packages by default, or any named formulae passed as arguments)
 2. Extracts the repository URL and version tag from each formula's source URL
 3. Queries the OSV API using the GIT ecosystem to find known vulnerabilities
 4. Reports any vulnerabilities found with their severity and CVE identifiers
 
 Packages with GitHub, GitLab, or Codeberg source URLs are checked. Packages from other sources are skipped.
 
+### Patched vulnerabilities
+
+Some Homebrew formulae apply patches that fix CVEs without changing the upstream version number. Where a formula's `patch` block declares (or infers) a `resolves` entry for a CVE or GHSA identifier, `brew vulns` treats matching OSV results as already resolved: they are listed separately in text and `--json` output, omitted from `--sarif` output, emitted in `--cyclonedx` output with `analysis.state` set to `resolved`, and do not affect the exit code. The CycloneDX SBOM also records each formula's patches under `components[].pedigree.patches`. Pass `--no-ignore-patches` to report them as open findings instead.
+
+This relies on `patches[].resolves` data in `brew info --json=v2`, available from Homebrew 6.0.4 onwards. With an older Homebrew, or for formulae whose patches are not yet annotated, no suppression happens.
+
 ## Example output
 
 ```
@@ -108,9 +122,10 @@ Found 15 vulnerabilities in 3 packages
 ## Exit codes
 
 - `0` - No vulnerabilities found
-- `1` - Vulnerabilities found (or error occurred)
+- `1` - Vulnerabilities found
+- `2` - An error occurred (network failure, `brew` failure, parse error)
 
-This makes it suitable for use in CI/CD pipelines.
+This makes it suitable for use in CI/CD pipelines. To let a job continue when vulnerabilities are found but still fail on scan errors, use `brew vulns ... || [ $? -eq 1 ]`.
 
 ## GitHub Actions
 
@@ -134,8 +149,7 @@ jobs:
         run: gem install brew-vulns
 
       - name: Run vulnerability scan
-        run: brew vulns --sarif > results.sarif
-        continue-on-error: true
+        run: brew vulns --sarif > results.sarif || [ $? -eq 1 ]
 
       - name: Upload SARIF results
         uses: github/codeql-action/upload-sarif@v3
@@ -167,8 +181,7 @@ jobs:
         run: gem install brew-vulns
 
       - name: Generate SBOM
-        run: brew vulns --cyclonedx > sbom.cdx.json
-        continue-on-error: true
+        run: brew vulns --cyclonedx > sbom.cdx.json || [ $? -eq 1 ]
 
       - name: Submit to dependency graph
         uses: evryfs/sbom-dependency-submission-action@v0
@@ -178,6 +191,8 @@ jobs:
 
 This adds your Homebrew packages to the repository's dependency graph, enabling Dependabot alerts.
 
+See [examples/](examples/) for workflows that check changed formulae on tap pull requests and publish a daily scan of all of homebrew-core.
+
 ## Development
 
 ```bash

data/Rakefile

@@ -5,7 +5,9 @@ require "minitest/test_task"
 require "digest"
 require "open-uri"
 
-Minitest::TestTask.create
+Minitest::TestTask.create do |t|
+  t.framework = %(require "test/test_helper.rb")
+end
 
 task default: :test
 

data/examples/README.md

@@ -0,0 +1,9 @@
+# Example workflows
+
+GitHub Actions workflows showing how `brew vulns` can be wired into a Homebrew tap.
+
+`pr-vuln-check.yml` runs on pull requests that touch `Formula/**/*.rb`. It works out which formulae changed, runs `brew vulns <names> --sarif` against them, and uploads the result to GitHub code scanning so vulnerabilities appear as annotations on the PR.
+
+`scan-all.yml` runs daily, scans every formula in homebrew-core with `brew vulns --all --json`, and publishes `vulns.json` as an asset on a rolling `vulns` release. Downstream tooling (including Homebrew itself) can fetch that file rather than querying OSV directly.
+
+Copy whichever you need into `.github/workflows/` in the target repository and adjust to taste.

data/examples/pr-vuln-check.yml

@@ -0,0 +1,55 @@
+# Check formulae changed in a pull request for known vulnerabilities.
+# Intended for use in a Homebrew tap (e.g. homebrew-core).
+name: Vulnerability check
+
+on:
+  pull_request:
+    paths:
+      - "Formula/**/*.rb"
+
+permissions: {}
+
+jobs:
+  vulns:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@main
+
+      - name: Install brew-vulns
+        run: brew install homebrew/brew-vulns/brew-vulns
+
+      - name: Detect changed formulae
+        id: changed
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        run: |
+          cd "$(brew --repository "${GITHUB_REPOSITORY}")"
+          git fetch --quiet --depth=1 origin "${BASE_SHA}"
+          names=$(git diff --name-only --diff-filter=AM "${BASE_SHA}" -- Formula/ \
+            | xargs -r -n1 basename \
+            | sed 's/\.rb$//' \
+            | tr '\n' ' ')
+          echo "names=${names}" >> "${GITHUB_OUTPUT}"
+
+      - name: Check vulnerabilities
+        id: scan
+        if: steps.changed.outputs.names != ''
+        env:
+          FORMULAE: ${{ steps.changed.outputs.names }}
+        run: |
+          brew vulns ${FORMULAE} --sarif > vulns.sarif || [ $? -eq 1 ]
+          if [ -s vulns.sarif ]; then
+            echo "sarif=true" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Upload SARIF
+        if: steps.scan.outputs.sarif == 'true'
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        with:
+          sarif_file: vulns.sarif
+          category: brew-vulns

data/examples/scan-all.yml

@@ -0,0 +1,45 @@
+# Scan every formula in homebrew-core for known vulnerabilities and
+# publish the result as vulns.json on a rolling release.
+name: Scan all formulae
+
+on:
+  schedule:
+    - cron: "0 6 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Set up Homebrew
+        uses: Homebrew/actions/setup-homebrew@main
+
+      - name: Install brew-vulns
+        run: brew install homebrew/brew-vulns/brew-vulns
+
+      - name: Scan
+        run: brew vulns --all --json > vulns.json
+        continue-on-error: true
+
+      - name: Validate output
+        run: ruby -rjson -e 'abort "vulns.json is not a JSON array" unless JSON.load_file("vulns.json").is_a?(Array)'
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: vulns
+          path: vulns.json
+
+      - name: Publish to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          if ! gh release view vulns >/dev/null 2>&1; then
+            gh release create vulns --title "Vulnerability data" --notes "Rolling vulnerability scan of homebrew-core"
+          fi
+          gh release upload vulns vulns.json --clobber

data/lib/brew/vulns/cli.rb

@@ -9,11 +9,15 @@ module Brew
 
       DEFAULT_MAX_SUMMARY = 60
       SEVERITY_LEVELS = { "low" => 1, "medium" => 2, "high" => 3, "critical" => 4 }.freeze
+      MAX_VULN_FETCH_THREADS = 15
+      FLAGS_WITH_VALUE = %w[-b --brewfile -m --max-summary -s --severity].freeze
 
       def initialize(args)
         @args = args
-        @formula_filter = args.first unless args.first&.start_with?("-")
+        @formula_names = parse_formula_names(args)
+        @all = args.include?("--all")
         @include_deps = args.include?("--deps") || args.include?("-d")
+        @ignore_patches = !args.include?("--no-ignore-patches")
         @json_output = args.include?("--json") || args.include?("-j")
         @sarif_output = args.include?("--sarif")
         @cyclonedx_output = args.include?("--cyclonedx")
@@ -23,6 +27,25 @@ module Brew
         @brewfile = parse_brewfile_path(args)
       end
 
+      def parse_formula_names(args)
+        names = []
+        skip_next = false
+        args.each do |arg|
+          if skip_next
+            skip_next = false
+            next
+          end
+          if FLAGS_WITH_VALUE.include?(arg)
+            skip_next = true
+            next
+          end
+          next if arg.start_with?("-")
+
+          names << arg
+        end
+        names
+      end
+
       def parse_max_summary(args)
         args.each_with_index do |arg, idx|
           if arg == "--max-summary" || arg == "-m"
@@ -69,7 +92,7 @@ module Brew
 
         formulae = load_formulae
         if formulae.empty?
-          puts "No installed formulae found."
+          puts "No formulae found."
           return 0
         end
 
@@ -82,28 +105,30 @@ module Brew
           puts
         end
 
-        results = scan_vulnerabilities(queryable)
-        output_results(results, formulae)
+        results, patched = scan_vulnerabilities(queryable)
+        output_results(results, patched, formulae)
       rescue OsvClient::Error => e
         $stderr.puts "Error querying OSV: #{e.message}"
-        1
+        2
       rescue Error => e
         $stderr.puts "Error: #{e.message}"
-        1
+        2
       rescue JSON::ParserError => e
         $stderr.puts "Error parsing brew output: #{e.message}"
-        1
+        2
       end
 
       private
 
       def load_formulae
-        if @brewfile
+        if @all
+          Formula.load_all
+        elsif @brewfile
           Formula.load_from_brewfile(@brewfile, include_deps: @include_deps)
-        elsif @include_deps && @formula_filter
-          Formula.load_with_dependencies(@formula_filter)
+        elsif @formula_names.any?
+          Formula.load_named(@formula_names, include_deps: @include_deps)
         else
-          Formula.load_installed(@formula_filter)
+          Formula.load_installed
         end
       end
 
@@ -114,54 +139,67 @@ module Brew
         vuln_results = client.query_batch(queries)
 
         results = {}
+        patched = {}
         formulae.each_with_index do |formula, idx|
           batch_vulns = vuln_results[idx] || []
           next if batch_vulns.empty?
 
-          threads = batch_vulns.map do |v|
-            Thread.new { client.get_vulnerability(v["id"]) }
+          full_vulns = batch_vulns.each_slice(MAX_VULN_FETCH_THREADS).flat_map do |slice|
+            threads = slice.map do |v|
+              Thread.new { client.get_vulnerability(v["id"]) }
+            end
+            threads.map(&:value)
           end
-          full_vulns = threads.map(&:value)
+
           vulns = Vulnerability.from_osv_list(full_vulns)
 
           version = formula.tag || formula.version
           vulns = vulns.select { |v| v.affects_version?(version) }
           vulns = vulns.select { |v| v.severity_level >= @min_severity } if @min_severity > 0
 
+          if @ignore_patches
+            resolved, vulns = vulns.partition { |v| formula.resolves?(v) }
+            patched[formula] = resolved if resolved.any?
+          end
+
           results[formula] = vulns if vulns.any?
         end
 
-        results
+        [results, patched]
       end
 
-      def output_results(results, all_formulae)
+      def output_results(results, patched, all_formulae)
         if @cyclonedx_output
-          output_cyclonedx(results, all_formulae)
+          output_cyclonedx(results, patched, all_formulae)
         elsif @sarif_output
           output_sarif(results)
         elsif @json_output
-          output_json(results)
+          output_json(results, patched)
         else
-          output_text(results, all_formulae)
+          output_text(results, patched, all_formulae)
         end
       end
 
-      def output_json(results)
-        data = results.map do |formula, vulns|
+      def vuln_json(vuln)
+        {
+          id:             vuln.id,
+          severity:       vuln.severity_display,
+          summary:        vuln.summary,
+          aliases:        vuln.aliases,
+          fixed_versions: vuln.fixed_versions,
+        }
+      end
+
+      def output_json(results, patched)
+        formulae = (results.keys + patched.keys).uniq
+        data = formulae.map do |formula|
           {
-            formula: formula.name,
-            version: formula.version,
-            tag: formula.tag,
-            repo_url: formula.repo_url,
-            vulnerabilities: vulns.map do |v|
-              {
-                id: v.id,
-                severity: v.severity_display,
-                summary: v.summary,
-                aliases: v.aliases,
-                fixed_versions: v.fixed_versions
-              }
-            end
+            formula:         formula.name,
+            version:         formula.version,
+            tag:             formula.tag,
+            repo_url:        formula.repo_url,
+            vulnerabilities: (results[formula] || []).map { |v| vuln_json(v) },
+            patched:         (patched[formula] || []).map { |v| vuln_json(v) },
           }
         end
 
@@ -169,39 +207,58 @@ module Brew
         results.empty? ? 0 : 1
       end
 
-      def output_cyclonedx(results, all_formulae)
+      def output_cyclonedx(results, patched, all_formulae)
         components = all_formulae.map do |formula|
-          {
-            type: "library",
-            name: formula.name,
+          component = {
+            type:    "library",
+            name:    formula.name,
             version: formula.version,
-            purl: "pkg:brew/#{formula.name}@#{formula.version}"
+            purl:    "pkg:brew/#{formula.name}@#{formula.version}",
           }
+          pedigree = formula.cyclonedx_pedigree
+          component[:pedigree] = pedigree if pedigree
+          component
         end
 
         vulnerabilities = []
         results.each do |formula, vulns|
           vulns.each do |vuln|
-            vulnerabilities << {
-              id: vuln.id,
-              source: { name: "OSV", url: "https://osv.dev" },
-              ratings: [{ severity: vuln.severity_display&.downcase }],
-              description: vuln.summary,
-              affects: [{ ref: "pkg:brew/#{formula.name}@#{formula.version}" }]
-            }
+            vulnerabilities << cyclonedx_vulnerability(formula, vuln)
+          end
+        end
+        patched.each do |formula, vulns|
+          vulns.each do |vuln|
+            matched = (formula.resolved_vulnerability_ids & vuln.identifiers.map { |i| i.to_s.upcase }).join(", ")
+            vulnerabilities << cyclonedx_vulnerability(formula, vuln).merge(
+              analysis: {
+                state:    "resolved",
+                response: ["update"],
+                detail:   "Resolved by Homebrew formula patch (#{matched}).",
+              },
+            )
           end
         end
 
         generator = Sbom::Cyclonedx::Generator.new(format: :json)
         generator.generate("brew-vulns", {
-          packages: components,
-          vulnerabilities: vulnerabilities
+          packages:        components,
+          vulnerabilities: vulnerabilities,
         })
 
         puts generator.output
         results.empty? ? 0 : 1
       end
 
+      def cyclonedx_vulnerability(formula, vuln)
+        {
+          id:          vuln.id,
+          source:      { name: "OSV", url: "https://osv.dev" },
+          ratings:     [{ severity: vuln.severity_display&.downcase }],
+          description: vuln.summary,
+          affects:     [{ ref: "pkg:brew/#{formula.name}@#{formula.version}" }],
+        }
+      end
+
       def output_sarif(results)
         rules = []
         sarif_results = []
@@ -273,9 +330,10 @@ module Brew
         end
       end
 
-      def output_text(results, all_formulae)
+      def output_text(results, patched, all_formulae)
         if results.empty?
-          puts "No vulnerabilities found."
+          puts patched.empty? ? "No vulnerabilities found." : "No open vulnerabilities found."
+          output_patched_summary(patched)
           return 0
         end
 
@@ -283,33 +341,57 @@ module Brew
         sorted = results.sort_by { |_, vulns| -vulns.map(&:severity_level).max }
 
         sorted.each do |formula, vulns|
-          puts "#{formula.name} (#{formula.version})"
+          puts "#{sanitize_terminal_escapes(formula.name)} (#{sanitize_terminal_escapes(formula.version)})"
           vulns.sort_by { |v| -v.severity_level }.each do |vuln|
             total_vulns += 1
             severity = colorize_severity(vuln.severity_display)
 
-            line = "  #{vuln.id} (#{severity})"
+            line = "  #{sanitize_terminal_escapes(vuln.id)} (#{severity})"
             if vuln.summary
-              summary = if @max_summary > 0 && vuln.summary.length > @max_summary
-                "#{vuln.summary.slice(0, @max_summary)}..."
+              sanitized_summary = sanitize_terminal_escapes(vuln.summary)
+              summary = if @max_summary > 0 && sanitized_summary.length > @max_summary
+                "#{sanitized_summary.slice(0, @max_summary)}..."
               else
-                vuln.summary
+                sanitized_summary
               end
               line = "#{line} - #{summary}"
             end
             puts line
 
             if vuln.fixed_versions.any?
-              puts "    Fixed in: #{vuln.fixed_versions.join(", ")}"
+              fixed_versions = vuln.fixed_versions.map { |version| sanitize_terminal_escapes(version) }
+              puts "    Fixed in: #{fixed_versions.join(", ")}"
             end
           end
           puts
         end
 
         puts "Found #{total_vulns} vulnerabilities in #{results.size} packages"
+        output_patched_summary(patched)
         1
       end
 
+      def output_patched_summary(patched)
+        return if patched.empty?
+
+        total = patched.values.sum(&:size)
+        puts
+        puts "#{total} resolved by formula patches (not counted; pass --no-ignore-patches to include):"
+        patched.sort_by { |f, _| f.name }.each do |formula, vulns|
+          ids = vulns.map { |v| sanitize_terminal_escapes(v.id) }.join(", ")
+          puts "  #{sanitize_terminal_escapes(formula.name)}: #{ids}"
+        end
+      end
+
+      def sanitize_terminal_escapes(text)
+        text.to_s
+          .gsub(/\e\][^\a\e]*(?:\a|\e\\)/, "")
+          .gsub(/\u009d[^\a\u009c]*(?:\a|\u009c)/, "")
+          .gsub(/\u009b[0-?]*[ -\/]*[@-~]/, "")
+          .gsub(/\e\[[0-?]*[ -\/]*[@-~]/, "")
+          .delete("\e\b\r\u0007\u0080-\u009f")
+      end
+
       def colorize_severity(severity)
         return severity unless $stdout.tty?
 
@@ -324,16 +406,18 @@ module Brew
 
       def print_help
         puts <<~HELP
-          Usage: brew vulns [formula] [options]
+          Usage: brew vulns [formula...] [options]
 
-          Check installed Homebrew packages for known vulnerabilities via osv.dev.
+          Check Homebrew packages for known vulnerabilities via osv.dev.
 
           Arguments:
-            formula              Check only this formula (optional)
+            formula              Check only the named formulae (optional, does not need to be installed)
 
           Options:
+            --all                Scan every formula in homebrew-core
             -b, --brewfile PATH  Scan packages from a Brewfile (default: ./Brewfile)
             -d, --deps           Include dependencies when checking a specific formula or Brewfile
+            --no-ignore-patches  Report vulnerabilities even when the formula applies a patch that resolves them
             -j, --json           Output results as JSON
             --cyclonedx          Output results as CycloneDX SBOM with vulnerabilities
             --sarif              Output results as SARIF for GitHub code scanning
@@ -343,7 +427,9 @@ module Brew
 
           Examples:
             brew vulns                    Check all installed packages
+            brew vulns --all --json       Scan every homebrew-core formula, output JSON
             brew vulns openssl            Check only openssl
+            brew vulns vim curl jq        Check several formulae at once
             brew vulns vim --deps         Check vim and its dependencies
             brew vulns --brewfile         Scan packages listed in ./Brewfile
             brew vulns -b ~/project/Brewfile  Scan a specific Brewfile

data/lib/brew/vulns/formula.rb

@@ -6,7 +6,7 @@ require "open3"
 module Brew
   module Vulns
     class Formula
-      attr_reader :name, :version, :source_url, :head_url, :dependencies
+      attr_reader :name, :version, :source_url, :head_url, :dependencies, :patches
 
       def initialize(data)
         @name = data["name"] || data["full_name"]
@@ -14,6 +14,56 @@ module Brew
         @source_url = data.dig("urls", "stable", "url")
         @head_url = data.dig("urls", "head", "url")
         @dependencies = data["dependencies"] || []
+        @patches = data["patches"] || []
+      end
+
+      # CVE/GHSA identifiers declared as resolved by this formula's patches.
+      # Populated from `brew info --json=v2` `patches[].resolves[]` (Homebrew >= 6.0.4);
+      # empty on older Homebrew versions or for formulae with no annotated patches.
+      def resolved_vulnerability_ids
+        return @resolved_vulnerability_ids if defined?(@resolved_vulnerability_ids)
+
+        @resolved_vulnerability_ids = patches
+          .flat_map { |p| Array(p["resolves"]) }
+          .select { |r| r.is_a?(Hash) && r["type"] == "security" }
+          .map { |r| r["id"].to_s.upcase }
+          .reject(&:empty?)
+          .uniq
+      end
+
+      def resolves?(vulnerability)
+        ids = resolved_vulnerability_ids
+        return false if ids.empty?
+
+        vulnerability.identifiers.any? { |id| ids.include?(id.to_s.upcase) }
+      end
+
+      CYCLONEDX_PATCH_TYPES = {
+        "backport"    => "backport",
+        "cherry_pick" => "cherry-pick",
+        "unofficial"  => "unofficial",
+      }.freeze
+
+      # Maps `brew info --json=v2` patch data to a CycloneDX `pedigree` hash
+      # (symbol-keyed for the `sbom` gem). Returns nil when there are no patches.
+      def cyclonedx_pedigree
+        return nil if patches.empty?
+
+        cdx_patches = patches.map do |p|
+          patch = { type: CYCLONEDX_PATCH_TYPES.fetch(p["type"].to_s, "unofficial") }
+          patch[:diff] = { url: p["url"] } if p["url"]
+
+          resolves = Array(p["resolves"]).filter_map do |r|
+            next unless r.is_a?(Hash) && r["type"] && r["id"]
+
+            { type: r["type"], id: r["id"] }
+          end
+          patch[:resolves] = resolves if resolves.any?
+
+          patch
+        end
+
+        { patches: cdx_patches }
       end
 
       def repo_url
@@ -50,51 +100,23 @@ module Brew
         { repo_url: repo_url, version: tag, name: name }
       end
 
-      def self.load_installed(formula_filter = nil)
-        json, status = Open3.capture2("brew", "info", "--json=v2", "--installed")
+      def self.load_all
+        json, status = Open3.capture2("brew", "info", "--json=v2", "--eval-all")
         raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
 
         data = JSON.parse(json)
-        formulae = data["formulae"].map { |f| new(f) }
-
-        if formula_filter
-          formulae.select! { |f| f.name == formula_filter || f.name.split("@").first == formula_filter }
-        end
-
-        formulae
+        data["formulae"].map { |f| new(f) }
       end
 
-      def self.load_with_dependencies(formula_filter = nil)
+      def self.load_installed
         json, status = Open3.capture2("brew", "info", "--json=v2", "--installed")
         raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
 
         data = JSON.parse(json)
-        all_formulae = data["formulae"].map { |f| new(f) }
-        formulae_by_name = all_formulae.each_with_object({}) { |f, h| h[f.name] = f }
-
-        if formula_filter
-          filtered = all_formulae.select { |f| f.name == formula_filter || f.name.split("@").first == formula_filter }
-          return [] if filtered.empty?
-
-          deps_output, = Open3.capture2("brew", "deps", "--installed", formula_filter)
-          dep_names = deps_output.split("\n").map(&:strip)
-
-          result = filtered.each_with_object({}) { |f, h| h[f.name] = f }
-          dep_names.each do |dep_name|
-            dep = formulae_by_name[dep_name]
-            result[dep_name] = dep if dep && !result[dep_name]
-          end
-
-          result.values
-        else
-          all_formulae
-        end
+        data["formulae"].map { |f| new(f) }
       end
 
-      def self.load_from_brewfile(brewfile_path, include_deps: false)
-        raise Error, "Brewfile not found: #{brewfile_path}" unless File.exist?(brewfile_path)
-
-        formula_names = parse_brewfile(brewfile_path)
+      def self.load_named(formula_names, include_deps: false)
         return [] if formula_names.empty?
 
         json, status = Open3.capture2("brew", "info", "--json=v2", *formula_names)
@@ -124,6 +146,13 @@ module Brew
         formulae.uniq { |f| f.name }
       end
 
+      def self.load_from_brewfile(brewfile_path, include_deps: false)
+        raise Error, "Brewfile not found: #{brewfile_path}" unless File.exist?(brewfile_path)
+
+        formula_names = parse_brewfile(brewfile_path)
+        load_named(formula_names, include_deps: include_deps)
+      end
+
       def self.parse_brewfile(brewfile_path)
         output, status = Open3.capture2("brew", "bundle", "list", "--file=#{brewfile_path}", "--formula")
         raise Error, "brew bundle list failed with status #{status.exitstatus}" unless status.success?

data/lib/brew/vulns/osv_client.rb

@@ -3,6 +3,7 @@
 require "net/http"
 require "json"
 require "uri"
+require "brew/vulns/version"
 
 module Brew
   module Vulns
@@ -17,6 +18,8 @@ module Brew
       class Error < StandardError; end
       class ApiError < Error; end
 
+      USER_AGENT = "brew-vulns/#{Brew::Vulns::VERSION} (+https://github.com/Homebrew/homebrew-brew-vulns)"
+
       def query(repo_url:, version:)
         payload = {
           package: {
@@ -66,6 +69,7 @@ module Brew
         uri = URI("#{API_BASE}#{path}")
         request = Net::HTTP::Post.new(uri)
         request["Content-Type"] = "application/json"
+        request["User-Agent"] = USER_AGENT
         request.body = JSON.generate(payload)
 
         execute_request(uri, request)
@@ -75,6 +79,7 @@ module Brew
         uri = URI("#{API_BASE}#{path}")
         request = Net::HTTP::Get.new(uri)
         request["Content-Type"] = "application/json"
+        request["User-Agent"] = USER_AGENT
 
         execute_request(uri, request)
       end
@@ -117,15 +122,24 @@ module Brew
         end
       end
 
+      MAX_PAGES = 100
+
       def fetch_all_pages(response, original_payload)
         vulns = response["vulns"] || []
         page_token = response["next_page_token"]
+        page_count = 1
 
         while page_token
+          if page_count >= MAX_PAGES
+            raise ApiError,
+                  "OSV API returned more than #{MAX_PAGES} pages of results; aborting to avoid an unbounded loop"
+          end
+
           payload = original_payload.merge(page_token: page_token)
           response = post("/query", payload)
           vulns.concat(response["vulns"] || [])
           page_token = response["next_page_token"]
+          page_count += 1
         end
 
         vulns

data/lib/brew/vulns/version.rb

@@ -2,6 +2,6 @@
 
 module Brew
   module Vulns
-    VERSION = "0.2.3"
+    VERSION = "0.4.0"
   end
 end

data/lib/brew/vulns/vulnerability.rb

@@ -2,10 +2,17 @@
 
 require "purl"
 require "vers"
+require "cvss_suite"
 
 module Brew
   module Vulns
     class Vulnerability
+      CVSS_TYPE_PRIORITY = {
+        "CVSS_V4" => 4,
+        "CVSS_V3" => 3,
+        "CVSS_V2" => 2
+      }.freeze
+
       attr_reader :id, :summary, :details, :severity, :aliases, :references, :affected
 
       def initialize(data)
@@ -32,8 +39,12 @@ module Brew
         end
       end
 
+      def identifiers
+        ([id] + aliases).compact
+      end
+
       def cve_ids
-        ([id] + aliases).select { |a| a.start_with?("CVE-") }
+        identifiers.select { |a| a.start_with?("CVE-") }
       end
 
       def advisory_url
@@ -76,9 +87,9 @@ module Brew
 
       def extract_severity(data)
         if data["severity"]&.any?
-          sev = data["severity"].first
-          if sev["score"]&.include?("CVSS")
-            return severity_from_cvss(sev["score"])
+          cvss_severities(data["severity"]).each do |sev|
+            cvss_severity = severity_from_cvss(sev["score"])
+            return cvss_severity if cvss_severity
           end
         end
 
@@ -97,6 +108,12 @@ module Brew
         nil
       end
 
+      def cvss_severities(severities)
+        severities
+          .select { |sev| CVSS_TYPE_PRIORITY.key?(sev["type"]) }
+          .sort_by { |sev| -CVSS_TYPE_PRIORITY.fetch(sev["type"], 0) }
+      end
+
       def normalize_severity(severity)
         return nil unless severity
 
@@ -109,34 +126,15 @@ module Brew
       end
 
       def severity_from_cvss(vector)
-        return nil unless vector
-        return nil unless vector.include?("CVSS:3")
-
-        metrics = parse_cvss_metrics(vector)
-        return nil if metrics.empty?
-
-        impact_high = %w[C I A].count { |m| metrics[m] == "H" }
-        network_attack = metrics["AV"] == "N"
-        no_privs = metrics["PR"] == "N"
-        no_interaction = metrics["UI"] == "N"
-
-        if impact_high >= 2 && network_attack && no_privs
-          "critical"
-        elsif impact_high >= 1 && network_attack
-          "high"
-        elsif impact_high >= 1 || (network_attack && no_privs && no_interaction)
-          "medium"
-        else
-          "low"
-        end
-      end
+        return nil if vector.to_s.empty?
 
-      def parse_cvss_metrics(vector)
-        metrics = {}
-        vector.scan(%r{([A-Z]+):([A-Z])}).each do |key, value|
-          metrics[key] = value
-        end
-        metrics
+        cvss = CvssSuite.new(vector)
+
+        normalize_severity(cvss.severity)
+      rescue StandardError
+        warn "Warning: Failed to determine severity from CVSS vector " \
+             "'#{vector}' for '#{id}'"
+        nil
       end
 
       def normalize_version(version)
@@ -171,30 +169,51 @@ module Brew
       def version_in_range?(version, events, ecosystem)
         return false if events.nil? || events.empty?
 
-        constraints = build_constraints(events)
-        return false if constraints.empty?
-
-        Vers.satisfies?(version, constraints.join(","), ecosystem)
+        build_constraint_sets(events).any? do |constraints|
+          constraints.empty? || Vers.satisfies?(version, constraints.join(","), ecosystem)
+        end
       rescue StandardError => e
         warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
-        false
+        true
       end
 
-      def build_constraints(events)
-        constraints = []
+      def build_constraint_sets(events)
+        constraint_sets = []
+        constraints = nil
+
         events.each do |event|
           if event["introduced"]
+            constraints = []
             intro = normalize_version(event["introduced"])
             constraints << ">=#{intro}" unless intro == "0"
-          end
-          if event["fixed"]
+          elsif event["fixed"]
+            constraints ||= []
             constraints << "<#{normalize_version(event["fixed"])}"
-          end
-          if event["last_affected"]
+            constraint_sets << constraints
+            constraints = nil
+          elsif event["last_affected"]
+            constraints ||= []
             constraints << "<=#{normalize_version(event["last_affected"])}"
+            constraint_sets << constraints
+            constraints = nil
+          elsif event["limit"]
+            constraints ||= []
+            limit_constraint = build_limit_constraint(event["limit"])
+            constraints << limit_constraint if limit_constraint
+            constraint_sets << constraints
+            constraints = nil
           end
         end
-        constraints
+
+        constraint_sets << constraints if constraints
+        constraint_sets
+      end
+
+      def build_limit_constraint(limit)
+        limit = limit.to_s
+        return if limit == "*"
+
+        "<#{normalize_version(limit)}"
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brew-vulns
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.4.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -9,6 +9,20 @@ bindir: exe
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: cvss-suite
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: purl
   requirement: !ruby/object:Gem::Requirement
@@ -30,6 +44,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -37,20 +54,23 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
 - !ruby/object:Gem::Dependency
   name: sbom
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.5'
 - !ruby/object:Gem::Dependency
   name: vers
   requirement: !ruby/object:Gem::Requirement
@@ -82,6 +102,9 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- examples/README.md
+- examples/pr-vuln-check.yml
+- examples/scan-all.yml
 - exe/brew-vulns
 - lib/brew/vulns.rb
 - lib/brew/vulns/cli.rb
@@ -111,7 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Check Homebrew packages for known vulnerabilities
 test_files: []