fix: input.Path is incorrectly constructed in osv-scanner on windows

cmd/osv-scanner/scan/image/__snapshots__/command_test.snap

@@ -273,7 +273,7 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 Scanning local image tarball "./testdata/test-ubuntu.tar"
 
 Container Scanning Result (Ubuntu 22.04.5 LTS):
-Total 19 packages affected by 37 known vulnerabilities (2 Critical, 11 High, 19 Medium, 4 Low, 1 Unknown) from 1 ecosystem.
+Total 19 packages affected by 38 known vulnerabilities (2 Critical, 11 High, 20 Medium, 4 Low, 1 Unknown) from 1 ecosystem.
 16 vulnerabilities can be fixed.
 
 
@@ -297,7 +297,7 @@ Ubuntu:22.04
 | ncurses        | 6.3-2ubuntu0.1               | No fix available        |          2 | libncurses6... (5)      | # 4 Layer        | ubuntu        |
 | openssl        | 3.0.2-0ubuntu1.18            | Partial fixes Available |          3 | libssl3                 | # 4 Layer        | ubuntu        |
 | pam            | 1.4.0-11ubuntu2.5            | Partial fixes Available |          3 | libpam-modules... (4)   | # 4 Layer        | ubuntu        |
-| pcre2          | 10.39-3ubuntu0.1             | No fix available        |          1 | libpcre2-8-0            | # 4 Layer        | ubuntu        |
+| pcre2          | 10.39-3ubuntu0.1             | No fix available        |          2 | libpcre2-8-0            | # 4 Layer        | ubuntu        |
 | perl           | 5.34.0-3ubuntu1.3            | Partial fixes Available |          3 | perl-base               | # 4 Layer        | ubuntu        |
 | shadow         | 1:4.8.1-2ubuntu2.2           | No fix available        |          2 | login, passwd           | # 4 Layer        | ubuntu        |
 | systemd        | 249.11-0ubuntu3.12           | Partial fixes Available |          2 | libsystemd0... (2)      | # 4 Layer        | ubuntu        |
@@ -318,7 +318,7 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
 Scanning local image tarball "./testdata/test-ubuntu.tar"
 
 Container Scanning Result (Ubuntu 22.04.5 LTS):
-Total 19 packages affected by 37 known vulnerabilities (2 Critical, 11 High, 19 Medium, 4 Low, 1 Unknown) from 1 ecosystem.
+Total 19 packages affected by 38 known vulnerabilities (2 Critical, 11 High, 20 Medium, 4 Low, 1 Unknown) from 1 ecosystem.
 16 vulnerabilities can be fixed.
 
 
@@ -342,7 +342,7 @@ Ubuntu:22.04
 | ncurses        | 6.3-2ubuntu0.1               | No fix available        |          2 | libncurses6... (5)      | # 4 Layer        | ubuntu        |
 | openssl        | 3.0.2-0ubuntu1.18            | Partial fixes Available |          3 | libssl3                 | # 4 Layer        | ubuntu        |
 | pam            | 1.4.0-11ubuntu2.5            | Partial fixes Available |          3 | libpam-modules... (4)   | # 4 Layer        | ubuntu        |
-| pcre2          | 10.39-3ubuntu0.1             | No fix available        |          1 | libpcre2-8-0            | # 4 Layer        | ubuntu        |
+| pcre2          | 10.39-3ubuntu0.1             | No fix available        |          2 | libpcre2-8-0            | # 4 Layer        | ubuntu        |
 | perl           | 5.34.0-3ubuntu1.3            | Partial fixes Available |          3 | perl-base               | # 4 Layer        | ubuntu        |
 | shadow         | 1:4.8.1-2ubuntu2.2           | No fix available        |          2 | login, passwd           | # 4 Layer        | ubuntu        |
 | systemd        | 249.11-0ubuntu3.12           | Partial fixes Available |          2 | libsystemd0... (2)      | # 4 Layer        | ubuntu        |
@@ -2883,9 +2883,10 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar"
             }
           },
           "vulnerabilities": [
-            "UBUNTU-CVE-2022-41409"
+            "UBUNTU-CVE-2022-41409",
+            "UBUNTU-CVE-2025-58050"
           ],
-          "groups": 1
+          "groups": 2
         },
         {
           "package": {

cmd/osv-scanner/scan/source/command_test.go

@@ -997,6 +997,11 @@ func TestCommand_Transitive(t *testing.T) {
 			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--data-source=github", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"},
 			Exit: 127,
 		},
+		{
+			Name: "scan local disk transitive dependencies",
+			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--no-resolve", "./testdata/locks-requirements/requirements-transitive.txt"},
+			Exit: 1,
+		},
 	}
 
 	for _, tt := range tests {

cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements-transitive.txt

@@ -0,0 +1,2 @@
+numpy==2.3.1
+-r requirements.txt

cmd/osv-scanner/update/__snapshots__/command_test.snap

@@ -114,7 +114,7 @@ file not found: ./testdata/does_not_exist.xml
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
-      <version>2.20.0-rc1</version>
+      <version>2.20.0</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
@@ -185,7 +185,7 @@ file not found: ./testdata/does_not_exist.xml
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
-      <version>2.20.0-rc1</version>
+      <version>2.20.0</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
@@ -256,7 +256,7 @@ file not found: ./testdata/does_not_exist.xml
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
-      <version>2.20.0-rc1</version>
+      <version>2.20.0</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>

internal/scalibrextract/extract.go

@@ -131,6 +131,9 @@ func createScanInput(path string, root string, fileInfo fs.FileInfo) (*filesyste
 		return nil, err
 	}
 
+	// Convert path to slashes, as go FS expects unix like paths
+	path = filepath.ToSlash(path)
+
 	si := filesystem.ScanInput{
 		FS:     os.DirFS(root).(scalibrfs.FS),
 		Path:   path,

internal/scalibrextract/language/java/pomxmlenhanceable/pomxmlenhanceable.go

@@ -9,6 +9,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxmlnet"
 	"github.com/google/osv-scalibr/inventory"
 	"github.com/google/osv-scalibr/plugin"
+	"github.com/google/osv-scanner/v2/internal/cmdlogger"
 )
 
 const (
@@ -59,6 +60,9 @@ func (e *Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (i
 		return inv, err
 	}
 
+	cmdlogger.Warnf(
+		"failed to resolve transitive dependencies for %q, falling back to offline extraction: %s", input.Path, err.Error())
+
 	// Fallback to the base extractor if the enhanced extraction failed.
 	f, err := input.FS.Open(input.Path)
 	if err != nil {

internal/scalibrextract/language/python/requirementsenhancable/requirementsenhanceable.go

@@ -10,6 +10,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirementsnet"
 	"github.com/google/osv-scalibr/inventory"
 	"github.com/google/osv-scalibr/plugin"
+	"github.com/google/osv-scanner/v2/internal/cmdlogger"
 )
 
 const (
@@ -60,6 +61,9 @@ func (e *Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (i
 		return inv, err
 	}
 
+	cmdlogger.Warnf(
+		"failed to resolve transitive dependencies for %q, falling back to offline extraction: %s", input.Path, err.Error())
+
 	// Fallback to the base extractor if the enhanced extraction failed.
 	f, err := input.FS.Open(input.Path)
 	if err != nil {