brew-vulns 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 393c81aa55ad74bc34018843abde797c2067c055fd669d8669712a32c2e6313c
-  data.tar.gz: a95b21cd1a777076b06b0a6b507f0429c7fde11476b193a712aae67784332d49
+  metadata.gz: 80d99be04bbb5f94ac9b6ce0572699c06291a38d3cad5643f40fcc5991a11bcf
+  data.tar.gz: 50af431e418e7af72b006acbdbc3d88dcf177726f0796eb2ead936406c5242ba
 SHA512:
-  metadata.gz: 718026189245d3ed3bcc08fc1829610ab1d5752b44bead5f9ac9b4c7718aac88074c0f99acc77c6e058cc182932a3ee05593efd9c26035411d4199044686b017
-  data.tar.gz: fe75aa4ff545a67a8cfa361512393a4b9c64a9ad2edeaa7958fd4495424e28287c5363e2f99595ff751bdcb14a0cb618703773e5874ccda4271917a9289fe31c
+  metadata.gz: c45915f201f9b804298836a2ccf16f815eeb48899253499c315ae74a7684e52da207b344682fe8b48af14afe4003bbcdeffb233a11a984cca5821554e687626d
+  data.tar.gz: 4aea92e8df8fe2143d8e1f4268d0173c98d11f721ce1195b79e68c5c67e41357a2f9b96ded95d5b57d62baf821bf20e5cd43beebf18995fc039d8da6cb2b746c

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 ## [Unreleased]
 
+## [0.4.0] - 2026-06-28
+
+- Suppress vulnerabilities that a formula's patches declare as resolved (via `patches[].resolves` in `brew info --json=v2`, Homebrew 6.0.4+); list them separately in text/JSON output, exclude them from SARIF output, and exclude them from the exit code
+- CycloneDX output: emit patched vulnerabilities with `analysis.state = resolved` and include formula patches as `pedigree.patches` on each component
+- Add `--no-ignore-patches` to report patched vulnerabilities as open findings
+- Fix invalid SARIF output when no vulnerabilities are found (GitHub code scanning rejected the file)
+
 ## [0.3.0] - 2026-05-29
 
 - Add `--all` flag to scan every formula in homebrew-core

data/Formula/brew-vulns.rb

@@ -1,8 +1,8 @@
 class BrewVulns < Formula
   desc "Check Homebrew packages for known vulnerabilities via osv.dev"
   homepage "https://github.com/Homebrew/homebrew-brew-vulns"
-  url "https://github.com/Homebrew/homebrew-brew-vulns/archive/refs/tags/v0.2.3.tar.gz"
-  sha256 "1f1bdc60daeeded30d22026ba80e66854a95a299f92392c8624997b75d0f971e"
+  url "https://github.com/Homebrew/homebrew-brew-vulns/archive/refs/tags/v0.3.0.tar.gz"
+  sha256 "1b9fbb03d46192350ad7dcac4279b382debb917d40688a4b816319214a2570d4"
   license "MIT"
 
   depends_on "ruby"

data/README.md

@@ -31,6 +31,7 @@ brew vulns [formula...] [options]
 | | `--all` | Scan every formula in homebrew-core |
 | `-b PATH` | `--brewfile PATH` | Scan packages from a Brewfile (default: ./Brewfile) |
 | `-d` | `--deps` | Include dependencies when checking a specific formula or Brewfile |
+| | `--no-ignore-patches` | Report vulnerabilities even when the formula applies a patch that resolves them |
 | `-j` | `--json` | Output results as JSON |
 | | `--cyclonedx` | Output results as CycloneDX SBOM with vulnerabilities |
 | | `--sarif` | Output results as SARIF for GitHub code scanning |
@@ -96,6 +97,12 @@ brew vulns --help
 
 Packages with GitHub, GitLab, or Codeberg source URLs are checked. Packages from other sources are skipped.
 
+### Patched vulnerabilities
+
+Some Homebrew formulae apply patches that fix CVEs without changing the upstream version number. Where a formula's `patch` block declares (or infers) a `resolves` entry for a CVE or GHSA identifier, `brew vulns` treats matching OSV results as already resolved: they are listed separately in text and `--json` output, omitted from `--sarif` output, emitted in `--cyclonedx` output with `analysis.state` set to `resolved`, and do not affect the exit code. The CycloneDX SBOM also records each formula's patches under `components[].pedigree.patches`. Pass `--no-ignore-patches` to report them as open findings instead.
+
+This relies on `patches[].resolves` data in `brew info --json=v2`, available from Homebrew 6.0.4 onwards. With an older Homebrew, or for formulae whose patches are not yet annotated, no suppression happens.
+
 ## Example output
 
 ```

data/lib/brew/vulns/cli.rb

@@ -17,6 +17,7 @@ module Brew
         @formula_names = parse_formula_names(args)
         @all = args.include?("--all")
         @include_deps = args.include?("--deps") || args.include?("-d")
+        @ignore_patches = !args.include?("--no-ignore-patches")
         @json_output = args.include?("--json") || args.include?("-j")
         @sarif_output = args.include?("--sarif")
         @cyclonedx_output = args.include?("--cyclonedx")
@@ -104,8 +105,8 @@ module Brew
           puts
         end
 
-        results = scan_vulnerabilities(queryable)
-        output_results(results, formulae)
+        results, patched = scan_vulnerabilities(queryable)
+        output_results(results, patched, formulae)
       rescue OsvClient::Error => e
         $stderr.puts "Error querying OSV: #{e.message}"
         2
@@ -138,6 +139,7 @@ module Brew
         vuln_results = client.query_batch(queries)
 
         results = {}
+        patched = {}
         formulae.each_with_index do |formula, idx|
           batch_vulns = vuln_results[idx] || []
           next if batch_vulns.empty?
@@ -155,40 +157,49 @@ module Brew
           vulns = vulns.select { |v| v.affects_version?(version) }
           vulns = vulns.select { |v| v.severity_level >= @min_severity } if @min_severity > 0
 
+          if @ignore_patches
+            resolved, vulns = vulns.partition { |v| formula.resolves?(v) }
+            patched[formula] = resolved if resolved.any?
+          end
+
           results[formula] = vulns if vulns.any?
         end
 
-        results
+        [results, patched]
       end
 
-      def output_results(results, all_formulae)
+      def output_results(results, patched, all_formulae)
         if @cyclonedx_output
-          output_cyclonedx(results, all_formulae)
+          output_cyclonedx(results, patched, all_formulae)
         elsif @sarif_output
           output_sarif(results)
         elsif @json_output
-          output_json(results)
+          output_json(results, patched)
         else
-          output_text(results, all_formulae)
+          output_text(results, patched, all_formulae)
         end
       end
 
-      def output_json(results)
-        data = results.map do |formula, vulns|
+      def vuln_json(vuln)
+        {
+          id:             vuln.id,
+          severity:       vuln.severity_display,
+          summary:        vuln.summary,
+          aliases:        vuln.aliases,
+          fixed_versions: vuln.fixed_versions,
+        }
+      end
+
+      def output_json(results, patched)
+        formulae = (results.keys + patched.keys).uniq
+        data = formulae.map do |formula|
           {
-            formula: formula.name,
-            version: formula.version,
-            tag: formula.tag,
-            repo_url: formula.repo_url,
-            vulnerabilities: vulns.map do |v|
-              {
-                id: v.id,
-                severity: v.severity_display,
-                summary: v.summary,
-                aliases: v.aliases,
-                fixed_versions: v.fixed_versions
-              }
-            end
+            formula:         formula.name,
+            version:         formula.version,
+            tag:             formula.tag,
+            repo_url:        formula.repo_url,
+            vulnerabilities: (results[formula] || []).map { |v| vuln_json(v) },
+            patched:         (patched[formula] || []).map { |v| vuln_json(v) },
           }
         end
 
@@ -196,39 +207,58 @@ module Brew
         results.empty? ? 0 : 1
       end
 
-      def output_cyclonedx(results, all_formulae)
+      def output_cyclonedx(results, patched, all_formulae)
         components = all_formulae.map do |formula|
-          {
-            type: "library",
-            name: formula.name,
+          component = {
+            type:    "library",
+            name:    formula.name,
             version: formula.version,
-            purl: "pkg:brew/#{formula.name}@#{formula.version}"
+            purl:    "pkg:brew/#{formula.name}@#{formula.version}",
           }
+          pedigree = formula.cyclonedx_pedigree
+          component[:pedigree] = pedigree if pedigree
+          component
         end
 
         vulnerabilities = []
         results.each do |formula, vulns|
           vulns.each do |vuln|
-            vulnerabilities << {
-              id: vuln.id,
-              source: { name: "OSV", url: "https://osv.dev" },
-              ratings: [{ severity: vuln.severity_display&.downcase }],
-              description: vuln.summary,
-              affects: [{ ref: "pkg:brew/#{formula.name}@#{formula.version}" }]
-            }
+            vulnerabilities << cyclonedx_vulnerability(formula, vuln)
+          end
+        end
+        patched.each do |formula, vulns|
+          vulns.each do |vuln|
+            matched = (formula.resolved_vulnerability_ids & vuln.identifiers.map { |i| i.to_s.upcase }).join(", ")
+            vulnerabilities << cyclonedx_vulnerability(formula, vuln).merge(
+              analysis: {
+                state:    "resolved",
+                response: ["update"],
+                detail:   "Resolved by Homebrew formula patch (#{matched}).",
+              },
+            )
           end
         end
 
         generator = Sbom::Cyclonedx::Generator.new(format: :json)
         generator.generate("brew-vulns", {
-          packages: components,
-          vulnerabilities: vulnerabilities
+          packages:        components,
+          vulnerabilities: vulnerabilities,
         })
 
         puts generator.output
         results.empty? ? 0 : 1
       end
 
+      def cyclonedx_vulnerability(formula, vuln)
+        {
+          id:          vuln.id,
+          source:      { name: "OSV", url: "https://osv.dev" },
+          ratings:     [{ severity: vuln.severity_display&.downcase }],
+          description: vuln.summary,
+          affects:     [{ ref: "pkg:brew/#{formula.name}@#{formula.version}" }],
+        }
+      end
+
       def output_sarif(results)
         rules = []
         sarif_results = []
@@ -300,9 +330,10 @@ module Brew
         end
       end
 
-      def output_text(results, all_formulae)
+      def output_text(results, patched, all_formulae)
         if results.empty?
-          puts "No vulnerabilities found."
+          puts patched.empty? ? "No vulnerabilities found." : "No open vulnerabilities found."
+          output_patched_summary(patched)
           return 0
         end
 
@@ -336,9 +367,22 @@ module Brew
         end
 
         puts "Found #{total_vulns} vulnerabilities in #{results.size} packages"
+        output_patched_summary(patched)
         1
       end
 
+      def output_patched_summary(patched)
+        return if patched.empty?
+
+        total = patched.values.sum(&:size)
+        puts
+        puts "#{total} resolved by formula patches (not counted; pass --no-ignore-patches to include):"
+        patched.sort_by { |f, _| f.name }.each do |formula, vulns|
+          ids = vulns.map { |v| sanitize_terminal_escapes(v.id) }.join(", ")
+          puts "  #{sanitize_terminal_escapes(formula.name)}: #{ids}"
+        end
+      end
+
       def sanitize_terminal_escapes(text)
         text.to_s
           .gsub(/\e\][^\a\e]*(?:\a|\e\\)/, "")
@@ -373,6 +417,7 @@ module Brew
             --all                Scan every formula in homebrew-core
             -b, --brewfile PATH  Scan packages from a Brewfile (default: ./Brewfile)
             -d, --deps           Include dependencies when checking a specific formula or Brewfile
+            --no-ignore-patches  Report vulnerabilities even when the formula applies a patch that resolves them
             -j, --json           Output results as JSON
             --cyclonedx          Output results as CycloneDX SBOM with vulnerabilities
             --sarif              Output results as SARIF for GitHub code scanning

data/lib/brew/vulns/formula.rb

@@ -6,7 +6,7 @@ require "open3"
 module Brew
   module Vulns
     class Formula
-      attr_reader :name, :version, :source_url, :head_url, :dependencies
+      attr_reader :name, :version, :source_url, :head_url, :dependencies, :patches
 
       def initialize(data)
         @name = data["name"] || data["full_name"]
@@ -14,6 +14,56 @@ module Brew
         @source_url = data.dig("urls", "stable", "url")
         @head_url = data.dig("urls", "head", "url")
         @dependencies = data["dependencies"] || []
+        @patches = data["patches"] || []
+      end
+
+      # CVE/GHSA identifiers declared as resolved by this formula's patches.
+      # Populated from `brew info --json=v2` `patches[].resolves[]` (Homebrew >= 6.0.4);
+      # empty on older Homebrew versions or for formulae with no annotated patches.
+      def resolved_vulnerability_ids
+        return @resolved_vulnerability_ids if defined?(@resolved_vulnerability_ids)
+
+        @resolved_vulnerability_ids = patches
+          .flat_map { |p| Array(p["resolves"]) }
+          .select { |r| r.is_a?(Hash) && r["type"] == "security" }
+          .map { |r| r["id"].to_s.upcase }
+          .reject(&:empty?)
+          .uniq
+      end
+
+      def resolves?(vulnerability)
+        ids = resolved_vulnerability_ids
+        return false if ids.empty?
+
+        vulnerability.identifiers.any? { |id| ids.include?(id.to_s.upcase) }
+      end
+
+      CYCLONEDX_PATCH_TYPES = {
+        "backport"    => "backport",
+        "cherry_pick" => "cherry-pick",
+        "unofficial"  => "unofficial",
+      }.freeze
+
+      # Maps `brew info --json=v2` patch data to a CycloneDX `pedigree` hash
+      # (symbol-keyed for the `sbom` gem). Returns nil when there are no patches.
+      def cyclonedx_pedigree
+        return nil if patches.empty?
+
+        cdx_patches = patches.map do |p|
+          patch = { type: CYCLONEDX_PATCH_TYPES.fetch(p["type"].to_s, "unofficial") }
+          patch[:diff] = { url: p["url"] } if p["url"]
+
+          resolves = Array(p["resolves"]).filter_map do |r|
+            next unless r.is_a?(Hash) && r["type"] && r["id"]
+
+            { type: r["type"], id: r["id"] }
+          end
+          patch[:resolves] = resolves if resolves.any?
+
+          patch
+        end
+
+        { patches: cdx_patches }
       end
 
       def repo_url

data/lib/brew/vulns/version.rb

@@ -2,6 +2,6 @@
 
 module Brew
   module Vulns
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/lib/brew/vulns/vulnerability.rb

@@ -39,8 +39,12 @@ module Brew
         end
       end
 
+      def identifiers
+        ([id] + aliases).compact
+      end
+
       def cve_ids
-        ([id] + aliases).select { |a| a.start_with?("CVE-") }
+        identifiers.select { |a| a.start_with?("CVE-") }
       end
 
       def advisory_url

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brew-vulns
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -44,6 +44,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -51,20 +54,23 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
 - !ruby/object:Gem::Dependency
   name: sbom
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.5'
 - !ruby/object:Gem::Dependency
   name: vers
   requirement: !ruby/object:Gem::Requirement