docs: minor grammar fixes (#1743)

These were flagged by my IDE, so I figured I'd get them addressed

Author: G-Rath

cmd/osv-scanner/fix/state-choose-strategy.go

@@ -117,7 +117,7 @@ func (st *stateChooseStrategy) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd)
 			if st.cursorPos == stateChooseQuit {
 				return m, tea.Quit
 			}
-			// otherwise move the cursor to the quit line if its not already there
+			// otherwise move the cursor to the quit line if it's not already there
 			st.cursorPos = stateChooseQuit
 		case key.Matches(msg, tui.Keys.Select):
 			// enter key was pressed, parse input

cmd/osv-scanner/fix/state-in-place-result.go

@@ -110,7 +110,7 @@ func (st *stateInPlaceResult) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd)
 			if st.cursorPos == stateInPlaceQuit {
 				return m, tea.Quit
 			}
-			// move the cursor to the quit line if its not already there
+			// move the cursor to the quit line if it's not already there
 			st.cursorPos = stateInPlaceQuit
 		case key.Matches(msg, tui.Keys.Select):
 			// enter key was pressed, parse input

cmd/osv-scanner/fix/state-relock-result.go

@@ -177,7 +177,7 @@ func (st *stateRelockResult) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {
 			if st.getEffectiveCursor() == stateRelockQuit {
 				return m, tea.Quit
 			}
-			// move the cursor to the quit line if its not already there
+			// move the cursor to the quit line if it's not already there
 			st.setEffectiveCursor(stateRelockQuit)
 		case key.Matches(msg, tui.Keys.Select): // enter key pressed
 			return st.parseInput(m)

docs/github-action.md

@@ -23,7 +23,7 @@ OSV-Scanner is available as a CI/CD Action. We currently offer two different reu
 1. A workflow that triggers a scan with each [pull request](./github-action.md#scan-on-pull-request) and will only report new vulnerabilities introduced through the pull request.
 2. A workflow that performs a full vulnerability scan, which can be configured to scan on pushes or a [regular schedule](./github-action.md#scheduled-scans). The full vulnerability scan can also be configured to run [on release](./github-action.md#scan-on-release) to prevent releasing with known vulnerabilities in dependencies.
 
-Currently there is no prebuilt workflows for other platforms, but we welcome any contributions for this!
+Currently, there is no prebuilt workflows for other platforms, but we welcome any contributions for this!
 
 ## Scan on pull request
 
@@ -113,7 +113,7 @@ Maintainers can review results of the scan by navigating to their project's `sec
 
 ## Scan on release
 
-Here is a example of blocking on release, though the actual implementation will heavily depend on your specific release process.
+Here is an example of blocking on release, though the actual implementation will heavily depend on your specific release process.
 
 ```yml
 name: Go Release Process

docs/guided-remediation.md

@@ -28,7 +28,7 @@ This tool provides several options to users for how to prioritise and remediate
 
 - Resolution and analysis of the entire transitive graph (leveraging [deps.dev](https://deps.dev)) to determine the minimal changes required to remove vulnerabilities.
 - Prioritising direct dependency upgrades by the total number of transitive vulnerabilities fixed.
-- Prioritising vulnerabilities by dependency depth, severity, and whether or not to care about dev-only dependencies.
+- Prioritising vulnerabilities by dependency depth, severity, and whether to care about dev-only dependencies.
 - Modification of package manifest and lockfiles (e.g. `package.json`/`package-lock.json`) to fix vulnerabilities.
 - Different strategies with different risk/reward ratios (e.g. in-place fixes vs relocking).
 
@@ -674,7 +674,7 @@ Relocking recomputes your entire dependency graph based on your manifest file, t
 
 Selecting the "Relock" option will bring you to the relock information page. Here, you can see which vulnerabilities are present after relocking.
 
-In addition to relocking, it may be possible to further remove vulnerabilities by bumping the required version constraints of your direct dependencies. You may choose to apply these patches by selecting them on the relock page then choosing the "Apply pending patches" option. The dependency graph will then be recomputed and you may continue to select more options.
+In addition to relocking, it may be possible to further remove vulnerabilities by bumping the required version constraints of your direct dependencies. You may choose to apply these patches by selecting them on the relock page then choosing the "Apply pending patches" option. The dependency graph will then be recomputed, and you may continue to select more options.
 
 ![Screenshot of the interactive relock results screen with some relaxation patches selected](images/guided-remediation-relock-patches.png)
 
@@ -800,7 +800,7 @@ For more information, see [Offline Mode](./offline-mode.md).
 Remediation in npm `workspaces` is only partially supported:
 
 - In-place updates should function correctly on the workspace `package-lock.json`.
-- Dependency relaxation can change dependencies in the `package.json` file being being scanned. This means only dependencies declared in the root package can be changed.
+- Dependency relaxation can change dependencies in the `package.json` file being scanned. This means only dependencies declared in the root package can be changed.
   - You can remediate the individual `package.json` files of each workspace, but this will be unaware of any packages or constraints caused by sibling workspaces.
 - The `node_modules/` in workspaces are not deleted when relocking, which may impact the resulting dependency graph when running `npm install`.
 - Each workspace package is considered dependency depth 1 from the root workspace.

docs/migration-guide.md

@@ -19,7 +19,7 @@ Most experimental commands have now been stablized, all experimental versions of
 
 ---
 
-Container scanning and the `--docker/-D` flag has been migrated to it's own command.
+Container scanning and the `--docker/-D` flag has been migrated to its own command.
 
 ```bash
 osv-scanner scan image <image-name>

docs/output.md

@@ -127,7 +127,7 @@ This feature is in beta as part of OSV-Scanner v2, please [share your feedback h
 
 ### JSON
 
-JSON output allows you to get all of the information osv-scanner found in a machine readable format.
+JSON output allows you to get all the information osv-scanner found in a machine-readable format.
 
 ```bash
 osv-scanner scan --format json your/project/dir

docs/supported_languages_and_lockfiles.md

@@ -18,7 +18,7 @@ nav_order: 2
 {:toc}
 </details>
 
-Artifact and manifest extraction logic is implemented in [OSV-Scalibr](https://github.com/google/osv-scalibr) as a standalone library. OSV-Scanner tightly integrates with OSV-Scalibr to provide a end to end vulnerability scanner for developers.
+Artifact and manifest extraction logic is implemented in [OSV-Scalibr](https://github.com/google/osv-scalibr) as a standalone library. OSV-Scanner tightly integrates with OSV-Scalibr to provide an end to end vulnerability scanner for developers.
 
 ## Core Concept
 
@@ -84,7 +84,7 @@ Vendored dependencies have been directly copied into the project folder, but do
 
 OSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it can be disabled using the `--no-resolve` flag. It is also disabled in the [offline mode](./offline-mode.md).
 
-OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all of the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. The support for private registries is [coming soon](https://github.com/google/osv-scanner/issues/1045).
+OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. The support for private registries is [coming soon](https://github.com/google/osv-scanner/issues/1045).
 
 After the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies as usual.
 

docs/usage.md

@@ -72,7 +72,7 @@ osv-scanner scan -L package-lock.json --format json
 
 ### Override config file
 
-The `--config` flag can be used to specify a global config override to apply to all of the files you are scanning.
+The `--config` flag can be used to specify a global config override to apply to all the files you are scanning.
 
 See [Config](./configuration.md) for more details.
 

internal/ci/vulnerability_result_diff.go

@@ -120,7 +120,7 @@ func DiffVulnerabilityResultsByOccurrences(oldRes, newRes models.VulnerabilityRe
 	}
 
 	for k, oldVulnCount := range oldResMap {
-		// If the new result has less vulnerabilities than the old result remove the entry from the new result.
+		// If the new result has fewer vulnerabilities than the old result remove the entry from the new result.
 		// `map`'s default value is 0 when empty, and delete also works fine when the entry is empty
 		if newResMap[k] <= oldVulnCount {
 			delete(newResMap, k)

internal/clients/clientimpl/osvmatcher/cachedosvmatcher.go

@@ -102,7 +102,7 @@ func (matcher *CachedOSVMatcher) doQueries(ctx context.Context, invs []*extracto
 
 	if err != nil {
 		// Deadline being exceeded is likely caused by a long paging time
-		// if that's the case, we can should return what we already got, and
+		// if that's the case, we should return what we already got, and
 		// then let the caller know it is not all the results.
 		if errors.Is(err, context.DeadlineExceeded) {
 			deadlineExceeded = true

internal/clients/clientimpl/osvmatcher/osvmatcher.go

@@ -17,7 +17,7 @@ const (
 	maxConcurrentRequests = 1000
 )
 
-// OSVMatcher implements the VulnerabilityMatcher interface with a osv.dev client.
+// OSVMatcher implements the VulnerabilityMatcher interface with an osv.dev client.
 // It sends out requests for every package version and does not perform caching.
 type OSVMatcher struct {
 	Client osvdev.OSVClient
@@ -47,7 +47,7 @@ func (matcher *OSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*ext
 
 		if err != nil {
 			// Deadline being exceeded is likely caused by a long paging time
-			// if that's the case, we can should return what we already got, and
+			// if that's the case, we should return what we already got, and
 			// then let the caller know it is not all the results.
 			if errors.Is(err, context.DeadlineExceeded) {
 				deadlineExceeded = true
@@ -141,7 +141,7 @@ func queryForBatchWithPaging(ctx context.Context, c *osvdev.OSVClient, queries [
 		if nextPageResp != nil {
 			for i, res := range nextPageResp.Results {
 				batchResp.Results[nextPageIndexMap[i]].Vulns = append(batchResp.Results[nextPageIndexMap[i]].Vulns, res.Vulns...)
-				// Set next page token so caller knows whether this is all of the results
+				// Set next page token so caller knows whether this is all the results
 				// even if it is being cancelled.
 				batchResp.Results[nextPageIndexMap[i]].NextPageToken = res.NextPageToken
 			}

internal/customgitignore/dir_test.go

@@ -364,7 +364,7 @@ func TestRecursivelyParsingGitignoreFilesFromMidTreeFile(t *testing.T) {
 func TestNonRecursivelyParsingGitignoreFilesFromMidTreeFile(t *testing.T) {
 	t.Parallel()
 
-	// expect this to be have the same results as TestNonRecursivelyParsingGitignoreFilesFromMidTree
+	// expect this to have the same results as TestNonRecursivelyParsingGitignoreFilesFromMidTree
 	//   because the a_file is inside the that tests start-dir
 
 	// Create a specific git repo with .gitignore files

internal/customgitignore/walk_up_to_root.go

@@ -32,7 +32,7 @@ import (
 //
 // The actual parsing is intended to be similar to how tools
 // like rg work, but means that `path` may not necessarily be
-// the root of a git repo, and can produces these parsing
+// the root of a git repo, and can produce these parsing
 // behaviours:
 //
 // `path` is a plain dir:

internal/datasource/http_auth.go

@@ -47,7 +47,7 @@ type HTTPAuthentication struct {
 }
 
 // Get makes an http GET request with the given http.Client.
-// The Authorization Header will automatically be populated according from the fields in the HTTPAuthentication.
+// The Authorization Header will automatically be populated according to the fields in the HTTPAuthentication.
 func (auth *HTTPAuthentication) Get(ctx context.Context, httpClient *http.Client, url string) (*http.Response, error) {
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {

internal/output/sarif.go

@@ -252,7 +252,7 @@ func PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.W
 		helpText := createSARIFHelpText(gv)
 
 		// Pick the "best" description from the alias group based on the source.
-		// Set short description to the first entry with a non empty summary
+		// Set short description to the first entry with a non-empty summary
 		// Set long description to the same entry as short description
 		// or use a random long description.
 		var shortDescription, longDescription string

internal/output/sbom/cyclonedx_common.go

@@ -68,7 +68,7 @@ func addVulnerabilities(vulnerabilities map[string]cyclonedx.Vulnerability, pack
 			continue
 		}
 
-		// It doesn't exists yet, lets add it
+		// It doesn't exist yet, lets add it
 		vulnerabilities[vulnerability.ID] = cyclonedx.Vulnerability{
 			ID:          vulnerability.ID,
 			Updated:     formatDateIfExists(vulnerability.Modified),

internal/resolution/dependency_subgraph.go

@@ -118,7 +118,7 @@ func (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]str
 		if e.Type.HasAttr(dep.Dev) {
 			continue
 		}
-		// As a workaround for npm workspaces, check for the a Dev attr in the direct dependency's dependencies.
+		// As a workaround for npm workspaces, check for the Dev attr in the direct dependency's dependencies.
 		for _, e2 := range ds.Nodes[e.To].Children {
 			if !e2.Type.HasAttr(dep.Dev) {
 				return false

internal/resolution/resolve.go

@@ -181,7 +181,7 @@ func resolvePostProcess(ctx context.Context, cl client.ResolutionClient, m manif
 				vk := rv.VersionKey
 				vk.VersionType = resolve.Concrete
 				if _, err := cl.Version(ctx, vk); err != nil {
-					// Not a soft requirement - try find a match.
+					// Not a soft requirement - try to find a match.
 					vk.VersionType = resolve.Requirement
 					vks, err := cl.MatchingVersions(ctx, vk)
 					if err != nil || len(vks) == 0 {

internal/sourceanalysis/rust.go

@@ -252,7 +252,7 @@ func rustBuildSource(source models.SourceInfo) ([]string, error) {
 	for _, de := range entries {
 		// We only want .d files, which is generated for each output binary from cargo
 		// These files contains a string to the full path of output binary/library file.
-		// This is a reasonably reliable way to identify the output in a cross platform way.
+		// This is a reasonably reliable way to identify the output in a cross-platform way.
 		if de.IsDir() || !strings.HasSuffix(de.Name(), ".d") {
 			continue
 		}

internal/testutility/mock_http.go

@@ -51,7 +51,7 @@ func (m *MockHTTPServer) SetResponseFromFile(t *testing.T, path string, filename
 
 // SetAuthorization sets the contents of the 'Authorization' header the server expects for all endpoints.
 //
-// The incoming requests' headers must match the auth string exactly, otherwise the server will response with 401 Unauthorized.
+// The incoming requests' headers must match the auth string exactly, otherwise the server will respond with 401 Unauthorized.
 // If authorization is unset or empty, the server will not require authorization.
 func (m *MockHTTPServer) SetAuthorization(t *testing.T, auth string) {
 	t.Helper()

internal/utility/purl/package_grouper.go

@@ -29,7 +29,7 @@ func Group(packageSources []models.PackageSource) (map[string]models.PackageVuln
 
 				uniquePackages[packageURL.ToString()] = packageVulns
 			} else {
-				// Entry does not exists yet, lets create it
+				// Entry does not exist yet, lets create it
 				newPackageVuln := models.PackageVulns{
 					Package: models.PackageInfo{
 						Name:      pkg.Package.Name,

internal/utility/semverlike/version-semver-like.go

@@ -9,7 +9,7 @@ import (
 	"github.com/google/osv-scanner/v2/internal/cachedregexp"
 )
 
-// Components is individual components of each semver segment.
+// Components are individual components of each semver segment.
 type Components []*big.Int
 
 func (components *Components) Fetch(n int) *big.Int {

scripts/generate_mock_resolution_universe/main.go

@@ -250,7 +250,7 @@ func makeUniverse(cl *client.DepsDevClient) (clienttest.ResolutionUniverse, erro
 	}
 
 	// Get all vulns for all versions of all packages.
-	// It's easier to re-query this than to try use the vulnerability client's cache.
+	// It's easier to re-query this than to try to use the vulnerability client's cache.
 	batchQueries := make([]*osvdev.Query, len(pks))
 	for i, pk := range pks {
 		batchQueries[i] = &osvdev.Query{