Sourced from golang.org/x/vuln's releases.

v1.1.0

This release brings minor improvements to govulncheck inner workings and a few bug fixes (#66139, #65590).

Integration
\r\nGovulncheck JSON now also contains scan mode as part of the
\r\nConfig
\r\nmessage.Further, the
\r\nPosition
\r\nin trace frames now contains only paths relative to their enclosing\r\nmodule. This could potentially break some existing clients, hence the\r\nbump of the minor version.Note that this change is made to allow for easier preservation of\r\nprivacy by the clients as now the file positions do not contain\r\ninformation about the local machine. This is also a portable solution.\r\nClients can reconstruct full paths for their local machine by joining\r\nthe
\r\nPosition
relative paths with paths of the enclosing\r\nmodules on the local machine.v1.0.4
\r\nThis release brings an improved overhaul of the govulncheck textual\r\noutput. Findings at each detected level of precision (
\r\nsymbol,\r\npackage, or module
) are communicated in their own section.By default, only the section with the user-specified precision mode\r\nis shown followed by a summary of other sections. A detailed description\r\nwith all of the sections can be obtained using a newly introduced\r\n
\r\n-show verbose
option.This release also brings improvements and fixes for error messages\r\nand binaries (#59731).
\r\nIntegration
\r\ngovulncheck (streaming) JSON now includes the code position of the\r\nvulnerable symbol. Where applicable, the
\r\n.Position
of the\r\nlast entry of a finding's trace is the code location defining the\r\n.Function
.v1.0.3
\r\nThe major feature brought by this release is govulncheck
\r\n-mode\r\nextract
option. It enables users to extract a blob abstraction of\r\na binary whose size is typically much smaller than the binary itself.\r\nThe blob can be passed to govulncheck for analysis with the-mode\r\nbinary
option. The users should not rely on the contents or the\r\nrepresentation of the blob.This release also brings several bug fixes (#65124, #65155,\r\nand #65130).
\r\nv1.0.2
\r\nThis release brings minor improvements to the govulncheck textual\r\noutput and fixes for error messages (#59623, #64681),\r\nfixed version suggestion (#62276),\r\ndocumentation (e.g., #60166),\r\nand issues in dependencies (e.g., #64112).
\r\nSupport for analyzing stripped darwin binaries in govulncheck is\r\nadded as well (#61051).
\r\nIntegration
\r\ngovulncheck (streaming) JSON now emits an OSV message for each\r\nvulnerability associated with user modules and its transitive\r\ndependencies, regardless of the module version.
\r\nAs usual, govulncheck emits a module-level Finding if a vulnerability\r\nfor a module applies to the current module version.

a7188c6 internal/openvex: add vex types
4b737a9 internal/sarif: compute relative paths for findings
7bf0c05 internal/sarif: remove unused field
7b0e650 go.mod: update golang.org/x dependencies
f1b1098 internal/sarif,internal/scan,internal/traces: clean up tests
33791bc internal/sarif: add region part of the physical location
d00c170 internal/sarif: add code flows
9fbf042 cmd/govulncheck: clean up test
efaa3ce cmd/govulncheck: make test case config data
7838670 cmd/govulncheck: add comment capability to fixups