output: sanitize \r in gh-annotations to prevent GitHub Actions workflow command injection

[djvirus9]

Summary

--format=gh-annotations sanitized \n → %0A to prevent annotation line breaks, but did not sanitize \r. GitHub Actions runners treat \r as a line boundary when parsing workflow commands, so a carriage return embedded in a package name or file path causes the annotation to be split — with anything after \r executed as a new workflow command.

Impact

An attacker who introduces a dependency with \r in its package metadata (via a public registry or a crafted PR) can inject commands including ::warning::, ::add-mask::, ::set-output::, and ::stop-commands:: into any CI pipeline running osv-scanner --format=gh-annotations.

Reproduction

MALICIOUS=$(printf 'scan\r::warning::INJECTED_BY_ATTACKER')
mkdir -p "$MALICIOUS" && cp package-lock.json "$MALICIOUS/"                                             
osv-scanner --format=gh-annotations "$MALICIOUS/package-lock.json" | cat -v                             
# ^M visible in output — on GitHub Actions runner this fires ::warning::INJECTED_BY_ATTACKER            
                                                                                                        
Live confirmation: https://github.com/djvirus9/osv-injection-poc/actions                                
                                                                                                      
Fix

Sanitize \r → %0D in renderedTable and artifactPath, mirroring
the existing \n → %0A sanitization.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[djvirus9]

I have signed the CLA.

[G-Rath]

I'll leave it to @another-rex to comment on if this is a vuln or not, but either way you need to include tests for this

[djvirus9]

---

▎ Added a test in TestPrintGHAnnotationReport_CRSanitization that:
▎ - Constructs a VulnerabilityResults with \r embedded in the source path
▎ - Verifies the output contains no raw \r character
▎ - Verifies the encoded form %0D is present instead

Test passes locally. Also still working on the CLA check — the agreement is signed at cla.developers.google.com under danishismyname1@gmail.com (signed Mar 21). @googlebot I have signed the CLA. Please recheck.

[another-rex]

Good find! LGTM.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.66%. Comparing base (8e262c3) to head (bce0984).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2669      +/-   ##
==========================================
- Coverage   71.67%   71.66%   -0.01%     
==========================================
  Files         164      164              
  Lines       12080    12084       +4     
==========================================
+ Hits         8658     8660       +2     
- Misses       2794     2795       +1     
- Partials      628      629       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.