Sync upstream main

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@497990dfed22177a82ba1bbab381bc8f6d27058f # v3.31.6
+      uses: github/codeql-action/init@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@497990dfed22177a82ba1bbab381bc8f6d27058f # v3.31.6
+      uses: github/codeql-action/autobuild@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@497990dfed22177a82ba1bbab381bc8f6d27058f # v3.31.6
+      uses: github/codeql-action/analyze@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9

.github/workflows/lint.yaml

@@ -50,7 +50,7 @@ jobs:
       - name: Set up poetry
         run: poetry install
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version: '>=1.23.6'
       - name: Set up terraform

.github/workflows/scorecards.yml

@@ -50,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@497990dfed22177a82ba1bbab381bc8f6d27058f # v3.31.6
+        uses: github/codeql-action/upload-sarif@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9
         with:
           sarif_file: results.sarif

.github/workflows/snapshots.yml

@@ -33,7 +33,7 @@ jobs:
         env:
           OSV_API_BASE_URL: api.test.osv.dev
           UPDATE_SNAPS: always
-      - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+      - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
         with:
           token: ${{ secrets.PR_TOKEN_BOT }}
           title: "test: update apitester snapshots"

.gitignore

@@ -16,3 +16,5 @@ hurl-scripts/
 temp/*
 **/tmp/**
 gcp/api/v1/osv/**
+
+.DS_STORE

bindings/go/go.mod

@@ -4,16 +4,16 @@ go 1.25.5
 
 require (
 	github.com/google/go-cmp v0.7.0
-	github.com/ossf/osv-schema/bindings/go v0.0.0-20251209024518-c18cb6974477
+	github.com/ossf/osv-schema/bindings/go v0.0.0-20251230224438-88c48750ddae
 	golang.org/x/sync v0.18.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2
+	google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b
 	google.golang.org/grpc v1.77.0
 )
 
 require (
 	golang.org/x/net v0.46.1-0.20251013234738-63d1a5100f82 // indirect
 	golang.org/x/sys v0.37.0 // indirect
 	golang.org/x/text v0.30.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
-	google.golang.org/protobuf v1.36.10
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect
+	google.golang.org/protobuf v1.36.11
 )

bindings/go/go.sum

@@ -8,8 +8,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/ossf/osv-schema/bindings/go v0.0.0-20251209024518-c18cb6974477 h1:WjVFgFtgbxOVpC3ne8Xr3SPThuw+aYEEqWf5KRTiTfg=
-github.com/ossf/osv-schema/bindings/go v0.0.0-20251209024518-c18cb6974477/go.mod h1:Eo7R19vlnflsCRdHW1ynyNUyoRwxdaTmTWD9MtKnJTc=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20251230224438-88c48750ddae h1:nvfTerE/hSYc/TQ3JUZYeL7DuVhjPkBeOGxicPzoJmc=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20251230224438-88c48750ddae/go.mod h1:Eo7R19vlnflsCRdHW1ynyNUyoRwxdaTmTWD9MtKnJTc=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
@@ -32,11 +32,11 @@ golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
 golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2 h1:7LRqPCEdE4TP4/9psdaB7F2nhZFfBiGJomA5sojLWdU=
-google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 h1:Wgl1rcDNThT+Zn47YyCXOXyX/COgMTIdhJ717F0l4xk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b h1:uA40e2M6fYRBf0+8uN5mLlqUtV192iiksiICIBkYJ1E=
+google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:Xa7le7qx2vmqB/SzWUBa7KdMjpdpAHlh5QCSnjessQk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
 google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=

deployment/build-and-stage.yaml

@@ -132,6 +132,20 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb/relations']
   waitFor: ['build-relations', 'cloud-build-queue']
 
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/oss-vdb/generatesitemap:latest || exit 0']
+  id: 'pull-generatesitemap'
+  waitFor: ['setup']
+- name: gcr.io/cloud-builders/docker
+  args: ['build', '-t', 'gcr.io/oss-vdb/generatesitemap:latest', '-t', 'gcr.io/oss-vdb/generatesitemap:$COMMIT_SHA', '-f', 'cmd/generatesitemap/Dockerfile', '--cache-from', 'gcr.io/oss-vdb/generatesitemap:latest', '--pull', '.']
+  dir: 'go'
+  id: 'build-generatesitemap'
+  waitFor: ['pull-generatesitemap']
+- name: gcr.io/cloud-builders/docker
+  args: ['push', '--all-tags', 'gcr.io/oss-vdb/generatesitemap']
+  waitFor: ['build-generatesitemap', 'cloud-build-queue']
+
 - name: 'gcr.io/cloud-builders/docker'
   entrypoint: 'bash'
   args: ['-c', 'docker pull gcr.io/oss-vdb/custommetrics:latest || exit 0']
@@ -372,6 +386,7 @@ steps:
      record-checker=gcr.io/oss-vdb/record-checker:$COMMIT_SHA,\
      custommetrics=gcr.io/oss-vdb/custommetrics:$COMMIT_SHA,\
      relations=gcr.io/oss-vdb/relations:$COMMIT_SHA,\
+     generatesitemap=gcr.io/oss-vdb/generatesitemap:$COMMIT_SHA,\
      gitter=gcr.io/oss-vdb/gitter:$COMMIT_SHA"
   ]
   dir: deployment/clouddeploy/gke-workers
@@ -432,4 +447,5 @@ images:
 - 'gcr.io/oss-vdb/record-checker:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/custommetrics:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/relations:$COMMIT_SHA'
+- 'gcr.io/oss-vdb/generatesitemap:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/gitter:$COMMIT_SHA'

deployment/clouddeploy/gke-workers/base/generate-sitemap.yaml

@@ -13,9 +13,8 @@ spec:
         spec:
           containers:
           - name: generate-sitemap-cron
-            image: cron
+            image: generatesitemap
             imagePullPolicy: Always
-            command: ["/usr/local/bin/generate_sitemap/generate_and_upload.sh"]
             resources:
               requests:
                 cpu: "1"

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/generate-sitemap.yaml

@@ -10,9 +10,11 @@ spec:
           containers:
           - name: generate-sitemap-cron
             env:
-            - name: BASE_URL
-              value: "https://test.osv.dev"
             - name: GOOGLE_CLOUD_PROJECT
               value: oss-vdb-test
-            - name: OUTPUT_GCS_BUCKET
-              value: test-osv-dev-sitemap
+            args:
+              - "--base-url=https://test.osv.dev"
+              - "--osv-vulns-bucket=osv-test-vulnerabilities"
+              - "--upload-to-gcs=true"
+              - "--bucket=test-osv-dev-sitemap"
+

deployment/clouddeploy/gke-workers/environments/oss-vdb/generate-sitemap.yaml

@@ -10,9 +10,11 @@ spec:
           containers:
           - name: generate-sitemap-cron
             env:
-            - name: BASE_URL
-              value: "https://osv.dev"
             - name: GOOGLE_CLOUD_PROJECT
               value: oss-vdb
-            - name: OUTPUT_GCS_BUCKET
-              value: osv-dev-sitemap
+            args:
+              - "--base-url=https://osv.dev"
+              - "--osv-vulns-bucket=osv-vulnerabilities"
+              - "--upload-to-gcs=true"
+              - "--bucket=osv-dev-sitemap"
+

docker/terraform/Dockerfile

@@ -1,12 +1,12 @@
 # Taken and modified from https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/terraform
 
-FROM golang:1.25.5-alpine@sha256:26111811bc967321e7b6f852e914d14bede324cd1accb7f81811929a6a57fea9 AS GO_BUILD
+FROM golang:1.25.5-alpine@sha256:ac09a5f469f307e5da71e766b0bd59c9c49ea460a528cc3e6686513d64a6f1fb AS GO_BUILD
 
 ARG TERRAFORM_VERSION
 WORKDIR /build/
 RUN GOBIN=$(pwd) go install github.com/hashicorp/terraform@v${TERRAFORM_VERSION}
 
-FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:09ca9257eea270001fdb49b0b176c0e3018c6858d83e085835c1ef700a457a5d
+FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:4bac65aa40d61f285b5c08452467c24f50ba68d9d0a2c36089b2cf8372cc4b49
 
 COPY --from=GO_BUILD /build/terraform /usr/bin/terraform
 COPY entrypoint.bash /builder/entrypoint.bash

docs/rest-api.md

@@ -26,6 +26,8 @@ To contribute, we will need to know the following information:
 ```
 The endpoint may contain more information, but at a minimum it must contain the ID and modified date of each vulnerability.
 
+This endpoints must be configured to allow both HEAD and GET requests, with Last-Modified metadata provided to reduce unnecessary requests and traffic. 
+
 ### 2. The base url of the endpoints: 
 This is the base url for which the full, individual vulnerability endpoints will be appended to.