- Feature #934 add support for PNPM v9 lockfiles.
- Bug #938 Ensure the sarif output has a stable order.
- Bug #922 Support filtering on alias IDs in Guided Remediation.
- Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
- Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
- Bug #914 Fix regression for go call analysis introduced in 1.7.0.
(There is no Github release for this version)
- Bug #856 Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.
- Feature #781
add
MakeVersionRequestsWithContext() - Feature #857 API and networking related errors now has their own error and exit code (Exit Code 129)
-
Feature #352 Guided Remediation Introducing our new experimental guided remediation feature on
osv-scanner fixsubcommand. See our docs for detailed usage instructions. -
Feature #805 Include CVSS MaxSeverity in JSON output.
-
Bug #818 Align GoVulncheck Go version with go.mod.
-
Bug #797 Don't traverse gitignored dirs for gitignore files.
- #831 Remove version number from the release binary name.
-
Feature #694 Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to
scan(currently the only commands isscan). By default if you do not pass in a command,scanwill be used, so CLI remains backwards compatible.This is a building block to adding the guided remediation feature. See issue #352 for more details!
-
Feature #776 Add pdm lockfile support.
- Feature #754 Add dependency groups to flattened vulnerabilities output.
-
Feature #694 Add support for NuGet lock files version 2.
-
Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.
-
Feature #702 Created an option to skip/disable upload to code scanning.
-
Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.
-
Feature #729 Verify the spdx licenses passed in to the license allowlist.
-
Bug #736 Show ecosystem and version even if git is shown if the info exists.
-
Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.
-
Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.
-
Bug #704 Get go stdlib version from go.mod.
- Feature #727
Changes to
Reportermethods to add verbosity levels and to deprecate functions.
- Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
- Feature #642
Support scanning
renvfiles for the R language ecosystem. - Feature #513
Stabilize call analysis for Go! The experimental
--experimental-call-analysisflag has now been updated to:with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!--call-analysis=<language/all> --no-call-analysis=<language/all> - Feature #676
Simplify return codes:
- Return 0 if there are no findings or errors.
- Return 1 if there are any findings (license violations or vulnerabilities).
- Return 128 if no packages are found.
- Feature #651 CVSS v4.0 support.
- Feature #60 Pre-commit hook support.
- Bug #639 We now filter local packages from scans, and report the filtering of those packages.
- Bug #645 Properly handle file/url paths on Windows.
- Bug #660 Remove noise from failed lockfile parsing.
- Bug #649 No longer include vendored libraries in C/C++ package analysis.
- Bug #634 Fix filtering of aliases to also include non OSV aliases
- The minimum go version has been updated to go1.21 from go1.18.
- Feature #621 Add support for scanning vendored C/C++ files.
- Feature #581 Scan submodules commit hashes.
- Bug #626 Fix gitignore matching for root directory
- Bug #622 Go binary not found should not be an error
- Bug #588 handle npm/yarn aliased packages
- Bug #607 fix: remove some extra newlines in sarif report
- Bug #574
Support versions with build metadata in
yarn.lockfiles - Bug #599 Add name field to sarif rule output
- Feature #534 New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
- Experimental Feature #57 Experimental Github Action! Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo. Experimental, so might change with only a minor update.
- Feature #557 Add new ecosystems, and a slice containing all of them.
- Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
- Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
- Feature #484 Detect the installed
goversion and checks for vulnerabilities in the standard library. - Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate
osv-scanner.jsonfor osv-scanner to scan. See our documentation for instructions.
- Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.
- Bug #457 Fix PURL mapping for Alpine packages
- Bug #462 Use correct plural and singular forms based on count
- Feature #431 Update GoVulnCheck integration.
- Feature #439
Create
models.PURLToPackage(), and deprecateosvscanner.PURLToPackage().
- Feature #439
Fix
PURLToPackagenot returning the full namespace of packages in ecosystems that use them (e.g. golang).
- Feature #409 Adds an additional column to the table output which shows the severity if available.
- Feature #424
- Feature #417
- Feature #417
- Update the models package to better reflect the osv schema, including:
- Add the withdrawn field
- Improve timestamp serialization
- Add related field
- Add additional ecosystem constants
- Add new reference types
- Add YAML tags
- Update the models package to better reflect the osv schema, including:
- Feature #390 Add an user agent to OSV API requests.
- Bug #369 Fix
requirements.txt misparsing lines that contain
--hash. - Bug #237 Clarify when no vulnerabilities are found.
- Bug #354 Fix cycle in requirements.txt causing infinite recursion.
- Bug #367 Fix panic when parsing empty lockfile.
- Feature #357 Update
pkg/osvto allow overriding the http client / transport
- Bug #341 Make the reporter public to allow calling DoScan with non nil reporters.
- Bug #335 Improve SBOM
parsing and relaxing name requirements when explicitly scanning with
--sbom. - Bug #333 Improve scanning speed for regex heavy lockfiles by caching regex compilation.
- Bug #349 Improve SBOM documentation and error messages.
- Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.
- Feature #198 GoVulnCheck
integration! Try it out when scanning go code by adding the
--experimental-call-analysisflag. - Feature #260 Support
-rflag inrequirements.txtfiles. - Feature #300 Make
IgnoredVulnsalso ignore aliases. - Feature #304 OSV-Scanner now runs faster when there's multiple vulnerabilities.
- Bug #249 Support yarn locks with quoted properties.
- Bug #232 Parse nested CycloneDX components correctly.
- Bug #257 More specific cyclone dx parsing.
- Bug #256 Avoid panic
when parsing
file:dependencies inpnpmlockfiles. - Bug #261 Deduplicate
packages that appear multiple times in
Pipenv.lockfiles. - Bug #267 Properly handle comparing zero versions in Maven.
- Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
- Bug #291 Check if PURL is valid before adding it to queries.
- Bug #293 Avoid infinite loops parsing Maven poms with syntax errors
- Bug #295 Set version in the source code, this allows version to be displayed in most package managers.
- Bug #297 Support Pipenv develop packages without versions.
- Feature #310 Improve the OSV models to allow for 3rd party use of the library.
- Feature #168 Support for
scanning debian package status file, usually located in
/var/lib/dpkg/status. Thanks @cmaritan - Feature #94 Specify what
parser should be used in
--lockfile. - Feature #158 Specify
output format to use with the
--formatflag. - Feature #165 Respect
.gitignorefiles by default when scanning. - Feature #156 Support markdown table output format. Thanks @deftdawg
- Feature #59 Support
conan.locklockfiles and ecosystem Thanks @SSE4 - Updated documentation! Check it out here: https://google.github.io/osv-scanner/
- Feature #178 Support SPDX 2.3.
- Feature #221 Support dependencyManagement section in Maven poms.
- Feature #167 Make osvscanner API library public.
- Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
- Feature #220 Vulnerability output is ordered deterministically.
- Feature #179 Log number of packages scanned from SBOM.
- General dependency updates
- Bug #161 Exit with non zero exit code when there is a general error.
- Bug #185 Properly omit Source from JSON output.
This update adds support for NuGet ecosystem and various bug fixes by the community.
- Feature #98: Support for NuGet ecosystem.
- Feature #71: Now supports Pipfile.lock scanning.
- Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
- Bug #105: Fix rare cases of too many open file handles.
- Bug #131: Fix table highlighting overflow.
- Bug #101: Now supports 32 bit systems.
This is a minor patch release to mitigate human readable output issues on narrow terminals (#85).
- Bug #85: Better support for narrow terminals.
Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community!
- Feature: ARM64 builds are now also available!
- Feature #46: Gradle lockfile support.
- Feature #50: Add version command.
- Bug #52: Fixes 0 exit code being wrongly emitted when vulnerabilities are present.