Releases: google/osv-scanner
Releases · google/osv-scanner
v1.9.2
Changelog
Fixes:
- Bug #1327 Parsing crash on malformed pnpm lockfile.
- Bug #1377 Warn if a vulnerability is ignored multiple times in the same config.
- Bug #1394 Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
- Bug #1443 Go call analysis now works with Go version up to v1.23.4.
- Bug #1436 Only fetch Maven snapshots and releases when enabled.
- Bug #1456 Remove redundant calls from PreFetch.
New Contributors
- @ivmeta made their first contribution in #1327
- @janniclas made their first contribution in #1398
Full Changelog: v1.9.1...v1.9.2
v1.9.1
OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1
.
Here's a peek at some of the exciting upcoming features:
- Standalone container image scanning support.
- Including support for Alpine and Debian images.
- Refactored internals to use
osv-scalibr
library for better extraction capabilities. - HTML output format for clearer vulnerability results.
- More control over output format and logging.
- ...and more!
Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.
This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.
v1.9.1
Features:
- Feature #1295 Support offline database in fix subcommand.
- Feature #1342 Add
--experimental-offline-vulnerabilities
and--experimental-no-resolve
flags. - Feature #1045 Support private registries for Maven.
- Feature #1226 Support
vulnerabilities.ignore
in package overrides.
Fixes:
- Bug #604 Use correct path separator in SARIF output when on Windows.
- Bug #330 Warn about and ignore duplicate entries in SBOMs.
- Bug #1325 Set CharsetReader and Entity when reading pom.xml.
- Bug #1310 Update spdx license ids.
- Bug #1288 Sort sbom packages by PURL.
- Bug #1285 Improve handling if
docker
exits with a non-zero code when trying to scan images
API Changes:
- Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
which are not commonly used to give us more room to make better API designs. These include:config
depsdev
grouper
spdx
Misc
- Update build to go1.23.2
New Contributors
- @emmanuel-ferdman made their first contribution in #1351
Full Changelog: v1.9.0...v1.9.1
v1.9.0
What's Changed
Features:
- Feature #1243 Allow explicitly ignoring the license of a package in config with
license.ignore = true
. - Feature #1249 Error if configuration file has unknown properties.
- Feature #1271 Assume
.txt
files with "requirements" in their name arerequirements.txt
files
Fixes:
- Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
- Bug #1241 Display
(no reason given)
when there is no reason in the override config. - Bug #1252 Don't allow
LoadPath
to be set via config file. - Bug #1279 Report all ecosystems without local databases in one single line.
- Bug #1283 Output invalid PURLs when scanning SBOMs.
- Bug #1278 Apply go version override to all instances of the
stdlib
.
Misc:
- #1253 Deprecate
ParseX()
functions inpkg/lockfile
in favor of theirExtract
equivalents. - #1290 Bump maximum number of concurrent requests to the OSV.dev API.
Full Changelog: v1.8.5...v1.9.0
v1.8.5
What's Changed
Features:
- Feature #1160 Support fetching snapshot versions from a Maven registry.
- Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
- Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.
Fixes:
- Bug #1220 Fix govulncheck calls on C code.
- Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.
Full Changelog: v1.8.4...v1.8.5
v1.8.4
What's Changed
Features:
- Feature #1177 Adds
--upgrade-config
flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous--disallow-major-upgrades
and--disallow-package-upgrades
flags.
Fixes:
Misc:
- Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)
Full Changelog: v1.8.3...v1.8.4
v1.8.3
Features:
- Feature #889 OSV-Scanner now provides "vertical" output format!
Fixes:
- Bug #1115 Ensure that
semantic
is passed a validmodels.Ecosystem
. - Bug #1140 Add Maven dependency management to override client.
- Bug #1149 Handle Maven parent relative path.
Misc:
- Feature #1091 Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen!
- Feature #1125 Workflow for stale issue and PR management.
Full Changelog: v1.8.2...v1.8.3
v1.8.2
Features:
- Feature #1014 Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev!
Fixes:
- Bug #769 Fixed missing vulnerabilities for debian purls for
--experimental-local-db
. - Bug #1055 Ensure that
package
exists inaffected
property. - Bug #1072 Filter out unimportant vulnerabilities from vuln group.
- Bug #1077 Fix rate osv-scanner deadlock.
- Bug #924 Ensure that npm dependencies retain their "production" grouping.
New Contributors
- @neilnaveen made their first contribution in #1076
- @marcwieserdev made their first contribution in #1014
- @GeoDerp made their first contribution in #1073
Full Changelog: v1.8.1...v1.8.2
v1.8.1
v1.8.0/v1.8.1:
Features:
- Feature #35
OSV-Scanner now scans transitive dependencies in Mavenpom.xml
files!
See our documentation for more information. - Feature #944
Theosv-scanner.toml
configuration file can now filter specific packages with new[[PackageOverrides]]
sections:[[PackageOverrides]] # The package name, version, and ecosystem to match against name = "lib" # If version is not set or empty, it will match every version version = "1.0.0" ecosystem = "Go" # Ignore this package entirely, including license scanning ignore = true # Override the license of the package # This is not used if ignore = true license.override = ["MIT", "0BSD"] # effectiveUntil = 2022-11-09 # Optional exception expiry date reason = "abc"
Minor Updates
- Feature #1039 The
--experimental-local-db
flag has been removed and replaced with a new flag--experimental-download-offline-databases
which better reflects what the flag does.
To replicate the behavior of the original--experimental-local-db
flag, replace it with both--experimental-offline --experimental-download-offline-databases
flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.
Fixes:
- Bug #1000 Standard dependencies now correctly override
dependencyManagement
dependencies when scanningpom.xml
files in offline mode.
New Contributors
Full Changelog: v1.7.4...v1.8.1
v1.7.4
v1.7.4:
Features:
- Feature #943 Support scanning gradle/verification-metadata.xml files.
Misc:
- Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.
New Contributors
Full Changelog: v1.7.3...v1.7.4
v1.7.3
v1.7.3:
Features:
- Feature #934 add support for PNPM v9 lockfiles.
Fixes:
- Bug #938 Ensure the sarif output has a stable order.
- Bug #922 Support filtering on alias IDs in Guided Remediation.
Full Changelog: v1.7.2...v1.7.3