implement filtering by packages through the config

[josieang]

I'd like feedback on the config yaml schema, the filter message and it's behaviour if the version is empty (it filters any version of that package).

This is in response to #814

[josieang]

I think I need a better way to filter based on semver parts. I know think deps.dev/util/semver does this, I will come back to it once I'm back from leave.

[another-rex]

Thanks! Main comment is that I think we can consolidate the two overrides into one, so they can share the package matching logic.

[another-rex]

I feel like ignore package versions and override package versions both could have the same "package matching" logic.

Can we consolidate them into the same field, and just have a bool ignore which if true ignores the package entirely, otherwise an override field where someone can override the license.

E.g.

[[Package]]
name = "pkg-name"
exactVersion = "1.0.0"
ecosystem = "Go"
ignore = false # if true ignores the package entirely
licenseOverride = ["MIT", "0BSD"]
# In the future, if someone requests we can also add a versionOverride field here, or other overrides
reason = "abc"
# major ...
# minor ...
# ...

[oliverchang]

+1.

version (Which I think we should exactVersion to) is optional right?

Additionally, would it make sense to make license a structured field of some sort instead?

I.e.

[[Package]]
[[Package.license]]
override = ["MIT"]

[josieang]

This makes sense to me! done.

[another-rex]

For maintainability, can we just use the snapshot library here to store/match the results?

[josieang]

should be done but check my code just in case I'm not understanding the snapshot library correctly

[oliverchang]

+1.

version (Which I think we should exactVersion to) is optional right?

Additionally, would it make sense to make license a structured field of some sort instead?

I.e.

[[Package]]
[[Package.license]]
override = ["MIT"]

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 81.96721% with 11 lines in your changes are missing coverage. Please review.

Project coverage is 63.75%. Comparing base (cc7261e) to head (a11bd38).
Report is 1 commits behind head on main.

Files	Patch %	Lines
pkg/osvscanner/osvscanner.go	8.33%	10 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #944      +/-   ##
==========================================
+ Coverage   63.71%   63.75%   +0.03%     
==========================================
  Files         146      146              
  Lines       11958    12000      +42     
==========================================
+ Hits         7619     7650      +31     
- Misses       3875     3885      +10     
- Partials      464      465       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[josieang]

Was I supposed to provide a token?

https://github.com/google/osv-scanner/actions/runs/8978083643/job/24657957118

Error: Codecov token not found. Please provide Codecov token with -t flag.
Error: Codecov: Failed to properly create commit: The process '/Users/runner/work/_actions/codecov/codecov-action/5ecb98a3c6b[74](https://github.com/google/osv-scanner/actions/runs/8978083643/job/24657957118#step:5:77)7ed38dc09f787459979aebb39be/dist/codecov' failed with exit code 1

[another-rex]

We seem to be getting these errors every now and then, current workaround is just rerun the tests