feat: Use OSV-Scalibr directly

internal/scalibrextract/vcs/gitcommitdirect/extractor.go

@@ -0,0 +1,55 @@
+// Package gitcommitdirect provides an dummy extractor that returns a preset list of commits
+package gitcommitdirect
+
+import (
+	"context"
+
+	"github.com/google/osv-scalibr/extractor"
+	"github.com/google/osv-scalibr/extractor/standalone"
+	"github.com/google/osv-scalibr/inventory"
+	"github.com/google/osv-scalibr/plugin"
+)
+
+const (
+	// Name is the unique name of this extractor.
+	Name = "vcs/gitcommitdirect"
+)
+
+// Extractor extracts git repository hashes including submodule hashes.
+// This extractor will not return an error, and will just return no results if we fail to extract
+type Extractor struct {
+	commits []string
+}
+
+// New returns a new instance of the extractor.
+func New(commits []string) standalone.Extractor {
+	return &Extractor{
+		commits: commits,
+	}
+}
+
+// Name of the extractor.
+func (e *Extractor) Name() string { return Name }
+
+// Version of the extractor.
+func (e *Extractor) Version() int { return 0 }
+
+// Requirements of the extractor.
+func (e *Extractor) Requirements() *plugin.Capabilities {
+	return &plugin.Capabilities{}
+}
+
+func (e *Extractor) Extract(_ context.Context, _ *standalone.ScanInput) (inventory.Inventory, error) {
+	pkgs := make([]*extractor.Package, 0, len(e.commits))
+	for _, commit := range e.commits {
+		pkgs = append(pkgs, &extractor.Package{
+			SourceCode: &extractor.SourceCodeIdentifier{Commit: commit},
+		})
+	}
+
+	return inventory.Inventory{
+		Packages: pkgs,
+	}, nil
+}
+
+var _ standalone.Extractor = &Extractor{}

internal/scalibrplugin/__snapshots__/resolve_test.snap

@@ -56,6 +56,8 @@ javascript/bunlock
 javascript/packagelockjson
 javascript/pnpmlock
 javascript/yarnlock
+os/apk
+os/dpkg
 osv/osvscannerjson
 php/composerlock
 python/pdmlock

internal/scalibrplugin/presets.go

@@ -113,6 +113,13 @@ var ExtractorPresets = map[string]extractors.InitMap{
 		stacklock.Name: {stacklock.NewDefault},
 
 		osvscannerjson.Name: {osvscannerjson.New},
+
+		// --- OS "lockfiles" ---
+		// These have very strict FileRequired paths, so we can safely enable them for source scanning as well.
+		// Alpine
+		apk.Name: {apk.NewDefault},
+		// Debian
+		dpkg.Name: {dpkg.NewDefault},
 	},
 	"directory": {
 		gitrepo.Name:  {gitrepo.New},

internal/utility/types/cast.go

@@ -0,0 +1,11 @@
+// Package types provides type conversion utility functions
+package types
+
+func MustCastSlice[OUT, IN any](a []IN) []OUT {
+	out := make([]OUT, len(a))
+	for i := range a {
+		out[i] = any(a[i]).(OUT)
+	}
+
+	return out
+}

pkg/osvscanner/__snapshots__/osvscanner_test.snap

@@ -0,0 +1,101 @@
+
+[TestDoScan/Test_curl_git_scanning - 1]
+{
+  "results": [
+    {
+      "source": {
+        "path": "",
+        "type": "unknown"
+      },
+      "packages": [
+        {
+          "package": {
+            "name": "",
+            "version": "",
+            "ecosystem": "",
+            "commit": "33dffa3909a67e1b5d22647128ab7eb6e53fd0c7"
+          },
+          "vulnerabilities": [
+            {
+              "modified": "2025-11-02T06:08:01Z",
+              "published": "2025-10-31T07:15:38Z",
+              "schema_version": "1.7.3",
+              "id": "CVE-2025-63675",
+              "aliases": [
+                "GHSA-97w9-v595-3h5q"
+              ],
+              "details": "cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.",
+              "severity": [
+                {
+                  "type": "CVSS_V3",
+                  "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
+                }
+              ],
+              "affected": [
+                {
+                  "ranges": [
+                    {
+                      "type": "GIT",
+                      "events": [
+                        {
+                          "introduced": "0"
+                        },
+                        {
+                          "last_affected": "33dffa3909a67e1b5d22647128ab7eb6e53fd0c7"
+                        }
+                      ],
+                      "repo": "https://github.com/netinvent/cryptidy"
+                    }
+                  ],
+                  "versions": [
+                    "v1.0.4",
+                    "v1.0.5",
+                    "v1.0.7",
+                    "v1.1.0",
+                    "v1.2.0",
+                    "v1.2.1",
+                    "v1.2.2",
+                    "v1.2.3",
+                    "v1.2.4"
+                  ],
+                  "database_specific": {
+                    "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63675.json"
+                  }
+                }
+              ],
+              "references": [
+                {
+                  "type": "PACKAGE",
+                  "url": "https://github.com/javiermorales36/cryptidy-analysis"
+                },
+                {
+                  "type": "WEB",
+                  "url": "https://github.com/netinvent/cryptidy/blob/cebc9ffd54cc20679d15a1a43ca9a5da645b0c58/cryptidy/symmetric_encryption.py#L220-L238"
+                }
+              ]
+            }
+          ],
+          "groups": [
+            {
+              "ids": [
+                "CVE-2025-63675"
+              ],
+              "aliases": [
+                "CVE-2025-63675",
+                "GHSA-97w9-v595-3h5q"
+              ],
+              "max_severity": "6.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "experimental_config": {
+    "licenses": {
+      "summary": false,
+      "allowlist": null
+    }
+  }
+}
+---