Skip to content

Releases: google/osv-scanner

v1.9.2

19 Dec 04:02
1e295ee
Compare
Choose a tag to compare

Changelog

Fixes:

  • Bug #1327 Parsing crash on malformed pnpm lockfile.
  • Bug #1377 Warn if a vulnerability is ignored multiple times in the same config.
  • Bug #1394 Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
  • Bug #1443 Go call analysis now works with Go version up to v1.23.4.
  • Bug #1436 Only fetch Maven snapshots and releases when enabled.
  • Bug #1456 Remove redundant calls from PreFetch.

New Contributors

Full Changelog: v1.9.1...v1.9.2

v1.9.1

31 Oct 00:20
b13f37e
Compare
Choose a tag to compare

OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.

Here's a peek at some of the exciting upcoming features:

  • Standalone container image scanning support.
    • Including support for Alpine and Debian images.
  • Refactored internals to use osv-scalibr library for better extraction capabilities.
  • HTML output format for clearer vulnerability results.
  • More control over output format and logging.
  • ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.


This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

v1.9.1

Features:

  • Feature #1295 Support offline database in fix subcommand.
  • Feature #1342 Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
  • Feature #1045 Support private registries for Maven.
  • Feature #1226 Support vulnerabilities.ignore in package overrides.

Fixes:

  • Bug #604 Use correct path separator in SARIF output when on Windows.
  • Bug #330 Warn about and ignore duplicate entries in SBOMs.
  • Bug #1325 Set CharsetReader and Entity when reading pom.xml.
  • Bug #1310 Update spdx license ids.
  • Bug #1288 Sort sbom packages by PURL.
  • Bug #1285 Improve handling if docker exits with a non-zero code when trying to scan images

API Changes:

  • Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
    which are not commonly used to give us more room to make better API designs. These include:
    • config
    • depsdev
    • grouper
    • spdx

Misc

  • Update build to go1.23.2

New Contributors

Full Changelog: v1.9.0...v1.9.1

v1.9.0

02 Oct 06:16
1386406
Compare
Choose a tag to compare

What's Changed

Features:

  • Feature #1243 Allow explicitly ignoring the license of a package in config with license.ignore = true.
  • Feature #1249 Error if configuration file has unknown properties.
  • Feature #1271 Assume .txt files with "requirements" in their name are requirements.txt files

Fixes:

  • Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
  • Bug #1241 Display (no reason given) when there is no reason in the override config.
  • Bug #1252 Don't allow LoadPath to be set via config file.
  • Bug #1279 Report all ecosystems without local databases in one single line.
  • Bug #1283 Output invalid PURLs when scanning SBOMs.
  • Bug #1278 Apply go version override to all instances of the stdlib.

Misc:

  • #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
  • #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Full Changelog: v1.8.5...v1.9.0

v1.8.5

11 Sep 05:58
6f61445
Compare
Choose a tag to compare

What's Changed

Features:

  • Feature #1160 Support fetching snapshot versions from a Maven registry.
  • Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
  • Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.

Fixes:

  • Bug #1220 Fix govulncheck calls on C code.
  • Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.

Full Changelog: v1.8.4...v1.8.5

v1.8.4

22 Aug 04:49
4a318af
Compare
Choose a tag to compare

What's Changed

Features:

  • Feature #1177 Adds --upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous --disallow-major-upgrades and --disallow-package-upgrades flags.

Fixes:

  • Bug #1123 Issue when running osv-scanner on project running with golang 1.22 #1123

Misc:

  • Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)

Full Changelog: v1.8.3...v1.8.4

v1.8.3

07 Aug 04:39
18ab43f
Compare
Choose a tag to compare

Features:

  • Feature #889 OSV-Scanner now provides "vertical" output format!

Fixes:

  • Bug #1115 Ensure that semantic is passed a valid models.Ecosystem.
  • Bug #1140 Add Maven dependency management to override client.
  • Bug #1149 Handle Maven parent relative path.

Misc:

Full Changelog: v1.8.2...v1.8.3

v1.8.2

10 Jul 06:21
1ea785e
Compare
Choose a tag to compare

Features:

Fixes:

  • Bug #769 Fixed missing vulnerabilities for debian purls for --experimental-local-db.
  • Bug #1055 Ensure that package exists in affected property.
  • Bug #1072 Filter out unimportant vulnerabilities from vuln group.
  • Bug #1077 Fix rate osv-scanner deadlock.
  • Bug #924 Ensure that npm dependencies retain their "production" grouping.

New Contributors

Full Changelog: v1.8.1...v1.8.2

v1.8.1

21 Jun 02:49
46aee59
Compare
Choose a tag to compare

v1.8.0/v1.8.1:

Features:

  • Feature #35
    OSV-Scanner now scans transitive dependencies in Maven pom.xml files!
    See our documentation for more information.
  • Feature #944
    The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:
    [[PackageOverrides]]
    # The package name, version, and ecosystem to match against
    name = "lib"
    # If version is not set or empty, it will match every version
    version = "1.0.0"
    ecosystem = "Go"
    # Ignore this package entirely, including license scanning
    ignore = true
    # Override the license of the package
    # This is not used if ignore = true
    license.override = ["MIT", "0BSD"]
    # effectiveUntil = 2022-11-09 # Optional exception expiry date
    reason = "abc"

Minor Updates

  • Feature #1039 The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
    To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

  • Bug #1000 Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

New Contributors

  • @np5 made their first contribution in #1029

Full Changelog: v1.7.4...v1.8.1

v1.7.4

30 May 01:58
d4657bf
Compare
Choose a tag to compare

v1.7.4:

Features:

  • Feature #943 Support scanning gradle/verification-metadata.xml files.

Misc:

  • Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

New Contributors

Full Changelog: v1.7.3...v1.7.4

v1.7.3

09 May 00:54
645d5b0
Compare
Choose a tag to compare

v1.7.3:

Features:

Fixes:

  • Bug #938 Ensure the sarif output has a stable order.
  • Bug #922 Support filtering on alias IDs in Guided Remediation.

Full Changelog: v1.7.2...v1.7.3