Releases: google/osv-scanner
v1.9.0
What's Changed
Features:
- Feature #1243 Allow explicitly ignoring the license of a package in config with `license.ignore = true`.
- Feature #1249 Error if configuration file has unknown properties.
- Feature #1271 Assume `.txt` files with "requirements" in their name are `requirements.txt` files.
Fixes:
- Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
- Bug #1241 Display `(no reason given)` when there is no reason in the override config.
- Bug #1252 Don't allow `LoadPath` to be set via config file.
- Bug #1279 Report all ecosystems without local databases in one single line.
- Bug #1283 Output invalid PURLs when scanning SBOMs.
- Bug #1278 Apply go version override to all instances of the `stdlib`.
Misc:
- #1253 Deprecate `ParseX()` functions in `pkg/lockfile` in favor of their `Extract` equivalents.
- #1290 Bump maximum number of concurrent requests to the OSV.dev API.
Full Changelog: v1.8.5...v1.9.0
v1.8.5
What's Changed
Features:
- Feature #1160 Support fetching snapshot versions from a Maven registry.
- Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
- Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.
Fixes:
- Bug #1220 Fix govulncheck calls on C code.
- Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.
Full Changelog: v1.8.4...v1.8.5
v1.8.4
What's Changed
Features:
- Feature #1177 Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous `--disallow-major-upgrades` and `--disallow-package-upgrades` flags.
Fixes:
Misc:
- Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)
Full Changelog: v1.8.3...v1.8.4
v1.8.3
Features:
- Feature #889 OSV-Scanner now provides "vertical" output format!
Fixes:
- Bug #1115 Ensure that `semantic` is passed a valid `models.Ecosystem`.
- Bug #1140 Add Maven dependency management to override client.
- Bug #1149 Handle Maven parent relative path.
Misc:
- Feature #1091 Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen!
- Feature #1125 Workflow for stale issue and PR management.
Full Changelog: v1.8.2...v1.8.3
v1.8.2
Features:
- Feature #1014 Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev!
Fixes:
- Bug #769 Fixed missing vulnerabilities for debian purls for `--experimental-local-db`.
- Bug #1055 Ensure that `package` exists in `affected` property.
- Bug #1072 Filter out unimportant vulnerabilities from vuln group.
- Bug #1077 Fix rate osv-scanner deadlock.
- Bug #924 Ensure that npm dependencies retain their "production" grouping.
New Contributors
- @neilnaveen made their first contribution in #1076
- @marcwieserdev made their first contribution in #1014
- @GeoDerp made their first contribution in #1073
Full Changelog: v1.8.1...v1.8.2
v1.8.1
v1.8.0/v1.8.1:
Features:
- Feature #35 OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files! See our documentation for more information.
- Feature #944 The `osv-scanner.toml` configuration file can now filter specific packages with new `[[PackageOverrides]]` sections:

  ```toml
  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  ```
Minor Updates
- Feature #1039 The `--experimental-local-db` flag has been removed and replaced with a new flag `--experimental-download-offline-databases`, which better reflects what the flag does. To replicate the behavior of the original `--experimental-local-db` flag, replace it with both `--experimental-offline --experimental-download-offline-databases` flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.
Fixes:
- Bug #1000 Standard dependencies now correctly override `dependencyManagement` dependencies when scanning `pom.xml` files in offline mode.
Full Changelog: v1.7.4...v1.8.1
v1.7.4
Features:
- Feature #943 Support scanning gradle/verification-metadata.xml files.
Misc:
- Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.
Full Changelog: v1.7.3...v1.7.4
v1.7.3
Features:
- Feature #934 add support for PNPM v9 lockfiles.
Fixes:
- Bug #938 Ensure the sarif output has a stable order.
- Bug #922 Support filtering on alias IDs in Guided Remediation.
Full Changelog: v1.7.2...v1.7.3
v1.7.2
Fixes:
- Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
- Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
- Bug #914 Fix regression for go call analysis introduced in 1.7.0.
v1.7.1:
(There was no Github release for this version)
Fixes
- Bug #856 Add retry logic to make calls to OSV.dev API more resilient. This, combined with changes in OSV.dev's API, should result in far fewer timeout errors.
API Features
- Feature #781 Add `MakeVersionRequestsWithContext()`.
- Feature #857 API and networking related errors now have their own error and exit code (Exit Code 129).
New Contributors
- @DavidKorczynski made their first contribution in #846
- @tuananh made their first contribution in #781
- @omercnet made their first contribution in #874
- @Dor1s made their first contribution in #877
Full Changelog: v1.7.0...v1.7.2
v1.7.0
This version introduces our new guided remediation feature for npm! Try it with `osv-scanner fix` today!
Features
- Feature #352 Guided Remediation: Introducing our new experimental guided remediation feature on the `osv-scanner fix` subcommand. See our docs for detailed usage instructions.
- Feature #805 Include CVSS MaxSeverity in JSON output.
Fixes
- Bug #818 Align GoVulncheck Go version with go.mod.
- Bug #797 Don't traverse gitignored dirs for gitignore files.
Miscellaneous
- #831 Remove version number from the release binary name.
New Contributors
- @billielynch made their first contribution in #826
- @AppleGamer22 made their first contribution in #805
- @robramsaynz made their first contribution in #797
Full Changelog: v1.6.2...v1.7.0