feat: make --plugins additive by default, and introduce --no-default-plugins

cmd/osv-scanner/internal/helper/flags.go

@@ -184,5 +184,9 @@ func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {
 			Name:  "experimental-disable-plugins",
 			Usage: "list of specific plugins and presets of plugins to not use",
 		},
+		&cli.BoolFlag{
+			Name:  "experimental-no-default-plugins",
+			Usage: "disable default plugins, instead using only those enabled by --experimental-plugins",
+		},
 	}
 }

cmd/osv-scanner/internal/helper/getters.go

@@ -51,7 +51,8 @@ func GetCommonScannerActions(cmd *cli.Command, scanLicensesAllowlist []string) o
 
 func GetExperimentalScannerActions(cmd *cli.Command) osvscanner.ExperimentalScannerActions {
 	return osvscanner.ExperimentalScannerActions{
-		PluginsEnabled:  cmd.StringSlice("experimental-plugins"),
-		PluginsDisabled: cmd.StringSlice("experimental-disable-plugins"),
+		PluginsEnabled:    cmd.StringSlice("experimental-plugins"),
+		PluginsDisabled:   cmd.StringSlice("experimental-disable-plugins"),
+		PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"),
 	}
 }

cmd/osv-scanner/scan/image/__snapshots__/command_test.snap

@@ -109,29 +109,68 @@ No issues found
 
 ---
 
-[TestCommand_ExplicitExtractors/extractors_cancelled_out - 1]
+[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out - 1]
+Checking if docker image ("alpine:non-existent-tag") exists locally...
+
+---
+
+[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out - 2]
+Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1
+STDERR:
+> Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown
+failed to pull container image: failed to run docker command
+
+---
+
+[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 - 1]
+Checking if docker image ("alpine:non-existent-tag") exists locally...
+
+---
+
+[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 - 2]
+Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1
+STDERR:
+> Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown
+failed to pull container image: failed to run docker command
+
+---
+
+[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 1]
+Checking if docker image ("alpine:non-existent-tag") exists locally...
+
+---
+
+[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 2]
+Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1
+STDERR:
+> Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown
+failed to pull container image: failed to run docker command
+
+---
+
+[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out - 1]
 
 ---
 
-[TestCommand_ExplicitExtractors/extractors_cancelled_out - 2]
+[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out - 2]
 at least one extractor must be enabled
 
 ---
 
-[TestCommand_ExplicitExtractors/extractors_cancelled_out#01 - 1]
+[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out#01 - 1]
 
 ---
 
-[TestCommand_ExplicitExtractors/extractors_cancelled_out#01 - 2]
+[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out#01 - 2]
 at least one extractor must be enabled
 
 ---
 
-[TestCommand_ExplicitExtractors/extractors_cancelled_out_with_presets - 1]
+[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 1]
 
 ---
 
-[TestCommand_ExplicitExtractors/extractors_cancelled_out_with_presets - 2]
+[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 2]
 at least one extractor must be enabled
 
 ---

cmd/osv-scanner/scan/image/command_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/google/osv-scanner/v2/internal/testutility"
 )
 
-func TestCommand_ExplicitExtractors(t *testing.T) {
+func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
 	t.Parallel()
 
 	tests := []testcmd.Case{
@@ -47,6 +47,59 @@ func TestCommand_ExplicitExtractors(t *testing.T) {
 			Exit: 127,
 		},
 	}
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			// Only test on linux, and mac/windows CI/CD does not come with docker preinstalled
+			if runtime.GOOS != "linux" {
+				testutility.Skip(t, "Skipping Docker-based test as only Linux has Docker installed in CI")
+			}
+
+			testcmd.RunAndMatchSnapshots(t, tt)
+		})
+	}
+}
+
+func TestCommand_ExplicitExtractors_WithoutDefaults(t *testing.T) {
+	t.Parallel()
+
+	tests := []testcmd.Case{
+		{
+			Name: "extractors_cancelled_out",
+			Args: []string{
+				"", "image",
+				"--experimental-plugins=sbom/spdx",
+				"--experimental-plugins=sbom/cdx",
+				"--experimental-disable-plugins=sbom",
+				"--experimental-no-default-plugins",
+				"alpine:non-existent-tag",
+			},
+			Exit: 127,
+		},
+		{
+			Name: "extractors_cancelled_out_with_presets",
+			Args: []string{
+				"", "image",
+				"--experimental-plugins=sbom",
+				"--experimental-disable-plugins=sbom",
+				"--experimental-no-default-plugins",
+				"alpine:non-existent-tag",
+			},
+			Exit: 127,
+		},
+		{
+			Name: "extractors_cancelled_out",
+			Args: []string{
+				"", "image",
+				"--experimental-plugins=sbom/spdx,sbom/cdx",
+				"--experimental-disable-plugins=sbom",
+				"--experimental-no-default-plugins",
+				"alpine:non-existent-tag",
+			},
+			Exit: 127,
+		},
+	}
 	for _, tt := range tests {
 		t.Run(tt.Name, func(t *testing.T) {
 			t.Parallel()