From 6091d46d9c655897ba91cfa65c8004e75b98b424 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Sat, 18 Feb 2023 09:53:34 +1300
Subject: [PATCH] fix: ensure that vulnerability results are ordered deterministically
---
 .../fixtures/locks-insecure/my-yarn.lock | 5 ++
 cmd/osv-scanner/main_test.go | 47 +++++++++++++++++++
 pkg/osvscanner/vulnerability_result.go | 9 ++++
 3 files changed, 61 insertions(+)
 create mode 100644 cmd/osv-scanner/fixtures/locks-insecure/my-yarn.lock
diff --git a/cmd/osv-scanner/fixtures/locks-insecure/my-yarn.lock b/cmd/osv-scanner/fixtures/locks-insecure/my-yarn.lock
new file mode 100644
index 0000000000..50b5bb68c1
--- /dev/null
+++ b/cmd/osv-scanner/fixtures/locks-insecure/my-yarn.lock
@@ -0,0 +1,5 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+ansi-html@^0.0.1:
+ version "0.0.1"
diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
index 5d969159cd..7c6b40db24 100644
--- a/cmd/osv-scanner/main_test.go
+++ b/cmd/osv-scanner/main_test.go
@@ -352,6 +352,53 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
 `,
 wantStderr: "",
 },
+ // multiple, + output order is deterministic
+ {
+ name: "",
+ args: []string{
+ "",
+ "-L", "package-lock.json:" + filepath.FromSlash("./fixtures/locks-insecure/my-package-lock.json"),
+ "-L", "yarn.lock:" + filepath.FromSlash("./fixtures/locks-insecure/my-yarn.lock"),
+ filepath.FromSlash("./fixtures/locks-insecure"),
+ },
+ wantExitCode: 1,
+ wantStdout: `
+ Scanned %%/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 packages
+ Scanned %%/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 packages
+ Scanning dir ./fixtures/locks-insecure
+ Scanned %%/fixtures/locks-insecure/composer.lock file and found 0 packages
+ +-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+ | OSV URL (ID IN BOLD) | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+ +-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-yarn.lock |
+ +-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+ `,
+ wantStderr: "",
+ },
+ {
+ name: "",
+ args: []string{
+ "",
+ "-L", "yarn.lock:" + filepath.FromSlash("./fixtures/locks-insecure/my-yarn.lock"),
+ "-L", "package-lock.json:" + filepath.FromSlash("./fixtures/locks-insecure/my-package-lock.json"),
+ filepath.FromSlash("./fixtures/locks-insecure"),
+ },
+ wantExitCode: 1,
+ wantStdout: `
+ Scanned %%/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 packages
+ Scanned %%/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 packages
+ Scanning dir ./fixtures/locks-insecure
+ Scanned %%/fixtures/locks-insecure/composer.lock file and found 0 packages
+ +-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+ | OSV URL (ID IN BOLD) | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+ +-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-yarn.lock |
+ +-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+ `,
+ wantStderr: "",
+ },
 // files that error on parsing stop parsable files from being checked
 {
 name: "",
diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go
index 7e5a198d65..5196aae597 100644
--- a/pkg/osvscanner/vulnerability_result.go
+++ b/pkg/osvscanner/vulnerability_result.go
@@ -2,6 +2,7 @@ package osvscanner
 import (
 "fmt"
+ "sort"
 "github.com/google/osv-scanner/internal/output"
 "github.com/google/osv-scanner/pkg/grouper"
@@ -58,5 +59,13 @@ func groupResponseBySource(r *output.Reporter, query osv.BatchedQuery, resp *osv
 })
 }
+ sort.Slice(output.Results, func(i, j int) bool {
+ if output.Results[i].Source.Path == output.Results[j].Source.Path {
+ return output.Results[i].Source.Type < output.Results[j].Source.Type
+ }
+
+ return output.Results[i].Source.Path < output.Results[j].Source.Path
+ })
+
 return output
 }
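Review bot: Both new cases set `name: ""`, so when one of them fails the subtest report cannot say which `-L` ordering broke even though that ordering is the only thing that distinguishes them; `name: "multiple lockfiles, package-lock.json first",` and `name: "multiple lockfiles, yarn.lock first",` would make the intent readable without parsing `args`. The existing case that follows also uses an empty name, so this is a file-wide convention rather than something this commit introduced. The `Source.Type` tie-break of the new comparator in vulnerability_result.go is not exercised by either case, since the two sources have distinct paths; a case that supplies the same path under two parse-as types would cover it, if the CLI accepts that. The enclosing test table starts before this hunk.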
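Review bot: `sort.Slice` is not stable, so two entries that share both `Source.Path` and `Source.Type` can still come out in either order, and the determinism this commit is after only holds if that pair is unique per entry; `sort.SliceStable(output.Results, func(i, j int) bool {` preserves the original append order for such ties at no interface cost. Whether duplicate sources can actually occur (for example a path passed via `-L` that the directory walk also picks up) is not visible in this hunk, so treat that as something to confirm rather than a known defect. The sort only orders the `Results` slice; the order of packages and vulnerabilities inside each result is whatever the grouping loop above produced, and if that is also input-order dependent, scan reports diffed between CI runs will still churn. A short comment on the sort, `// Order results by source so report output is stable regardless of input order.`, would record why the ordering exists. groupResponseBySource's body begins outside the hunk.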