
Behavior of implicit osv-scanner.toml when doing recursive scans #1640

Open
spencerschrock opened this issue Feb 18, 2025 · 2 comments
Labels
documentation Improvements or additions to documentation

Comments

@spencerschrock
Contributor

When configuring osv-scanner there's implicit and explicit osv-scanner.toml detection:

# Configure OSV-Scanner
To configure scanning, place an osv-scanner.toml file in the scanned file's directory. To override this osv-scanner.toml file, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead.

How is this supposed to interact with --recursive? I'm seeing the following in ossf/scorecard#4530:

An implicit top-level osv-scanner.toml, with vulns in a subdirectory, still shows those vulns, which are ignored by the top-level config.

osv-scanner scan --recursive .
Loaded filter from: /tmp/keycloak-poc/osv-scanner.toml
╭─────────────────────────────────────┬──────┬───────────┬────────────────────────┬──────────┬───────────────────────────────────────────────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                │ VERSION  │ SOURCE                                                        │
├─────────────────────────────────────┼──────┼───────────┼────────────────────────┼──────────┼───────────────────────────────────────────────────────────────┤
│ https://osv.dev/GHSA-rc2q-x9mf-w3vf │ 7.8  │ Maven     │ org.testng:testng      │ 7.5      │ distribution/maven-plugins/pom.xml                            │
│ https://osv.dev/GHSA-9mvj-f7w8-pvh2 │ 6.4  │ npm       │ bootstrap              │ 3.4.1    │ js/pnpm-lock.yaml                                             │
│ https://osv.dev/GHSA-67mh-4wv8-2f99 │ 5.3  │ npm       │ esbuild                │ 0.23.1   │ js/pnpm-lock.yaml                                             │
│ https://osv.dev/GHSA-67mh-4wv8-2f99 │ 5.3  │ npm       │ esbuild                │ 0.24.2   │ js/pnpm-lock.yaml                                             │
│ https://osv.dev/GHSA-gxr4-xjj5-5px2 │ 6.9  │ npm       │ jquery                 │ 3.4.1    │ js/pnpm-lock.yaml                                             │
│ https://osv.dev/GHSA-jpcq-cgw6-v4j6 │ 6.9  │ npm       │ jquery                 │ 3.4.1    │ js/pnpm-lock.yaml                                             │
│ https://osv.dev/GHSA-5mg8-w23w-74h3 │ 3.3  │ Maven     │ com.google.guava:guava │ 31.1-jre │ testsuite/integration-arquillian/tests/other/webauthn/pom.xml │
│ https://osv.dev/GHSA-7g45-4rm6-3mm3 │ 5.5  │ Maven     │ com.google.guava:guava │ 31.1-jre │ testsuite/integration-arquillian/tests/other/webauthn/pom.xml │
│ https://osv.dev/GHSA-78wr-2p64-hpwj │ 8.7  │ Maven     │ commons-io:commons-io  │ 2.11.0   │ testsuite/integration-arquillian/tests/other/webauthn/pom.xml │
╰─────────────────────────────────────┴──────┴───────────┴────────────────────────┴──────────┴───────────────────────────────────────────────────────────────╯

When --config osv-scanner.toml is provided, the manually specified top-level config is applied to all subdirectories and they're all ignored.

osv-scanner scan --config osv-scanner.toml -r .
CVE-2022-4065 and 1 alias have been filtered out because: reason
CVE-2024-6484 and 1 alias have been filtered out because: reason
GHSA-67mh-4wv8-2f99 has been filtered out because: reason
GHSA-67mh-4wv8-2f99 has been filtered out because: reason
CVE-2020-11022 and 2 aliases have been filtered out because: reason
CVE-2020-11023 and 2 aliases have been filtered out because: reason
CVE-2020-8908 and 2 aliases have been filtered out because: reason
CVE-2023-2976 and 2 aliases have been filtered out because: reason
CVE-2024-47554 and 1 alias have been filtered out because: reason
Filtered 9 vulnerabilities from output
@another-rex
Collaborator

Yes, this is the intended behavior; osv-scanner will do one of the following:

  • Use the config passed in via --config
  • Use the config in the same directory (same level) as each lockfile that it is parsing when recursively walking through a directory.

@another-rex
Collaborator

We'll update the documentation to be clearer about this.
