ci(deps): improve handling OSV_SCANNER_ADDITIONAL_OPTS env var (backp…

…ort of #11188) (#11190)

ci(deps): improve handling OSV_SCANNER_ADDITIONAL_OPTS env var (#11188)

Earlier try didn't fix the issue when provided
OSV_SCANNER_ADDITIONAL_OPTS env var war empty (as it's in the case of
our CI). Now we are handling explicitly parsing of this env var, which
should fix update-vulnerable-dependencies.sh script.

Signed-off-by: Bart Smykla <bartek@smykla.com>
Co-authored-by: Bart Smykla <bartek@smykla.com>

tools/ci/update-vulnerable-dependencies/update-vulnerable-dependencies.sh

@@ -8,7 +8,20 @@ command -v jq >/dev/null 2>&1 || { echo >&2 "jq not installed!"; exit 1; }
 SCRIPT_PATH="${BASH_SOURCE[0]:-$0}";
 SCRIPT_DIR="$(dirname -- "$SCRIPT_PATH")"
 
-for dep in $(osv-scanner "${OSV_SCANNER_ADDITIONAL_OPTS[@]}" --lockfile=go.mod --json | jq -c '.results[].packages[] | .package.name as $vulnerablePackage | {
+OSV_FLAGS=(--lockfile=go.mod --json)
+
+# Loop over the array, add only non-empty values to the new array
+for i in "${OSV_SCANNER_ADDITIONAL_OPTS[@]}"; do
+   # Skip null items
+   if [ -z "$i" ]; then
+     continue
+   fi
+
+   # Add the rest of the elements to an array
+   OSV_FLAGS+=("${i}")
+done
+
+for dep in $(osv-scanner "${OSV_FLAGS[@]}" | jq -c '.results[].packages[] | .package.name as $vulnerablePackage | {
   name: $vulnerablePackage,
   current: .package.version,
   fixedVersions: [.vulnerabilities[].affected[] | select(.package.name == $vulnerablePackage) | .ranges[].events |