What's Changed

Features:

• Feature #1160 Support fetching snapshot versions from a Maven registry.
• Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
• Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.

Fixes:

• Bug #1220 Fix govulncheck calls on C code.
• Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.4...v1.8.5

What's Changed

Features:

• Feature #1177 Adds --upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous --disallow-major-upgrades and --disallow-package-upgrades flags.

Fixes:

• Bug #1123 Issue when running osv-scanner on project running with golang 1.22 #1123

Misc:

• Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)

Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.3...v1.8.4

Features:

• Feature #889 OSV-Scanner now provides "vertical" output format!

Fixes:

• Bug #1115 Ensure that semantic is passed a valid models.Ecosystem.
• Bug #1140 Add Maven dependency management to override client.
• Bug #1149 Handle Maven parent relative path.

Misc:

• Feature #1091 Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen!
• Feature #1125 Workflow for stale issue and PR management.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.2...v1.8.3

Features:

• Feature #1014 Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev!

Fixes:

• Bug #769 Fixed missing vulnerabilities for debian purls for --experimental-local-db.
• Bug #1055 Ensure that package exists in affected property.
• Bug #1072 Filter out unimportant vulnerabilities from vuln group.
• Bug #1077 Fix rate osv-scanner deadlock.
• Bug #924 Ensure that npm dependencies retain their "production" grouping.

New Contributors

• @neilnaveen made their first contribution in https://github.com/google/osv-scanner/pull/1076
• @marcwieserdev made their first contribution in https://github.com/google/osv-scanner/pull/1014
• @GeoDerp made their first contribution in https://github.com/google/osv-scanner/pull/1073

Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.1...v1.8.2

v1.8.0/v1.8.1:

Features:

• Feature #35
  OSV-Scanner now scans transitive dependencies in Maven pom.xml files!
  See our documentation for more information.
• Feature #944
  The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  

Minor Updates

• Feature #1039 The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
  To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

• Bug #1000 Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

New Contributors

• @np5 made their first contribution in https://github.com/google/osv-scanner/pull/1029

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.4...v1.8.1

v1.7.4:

Features:

• Feature #943 Support scanning gradle/verification-metadata.xml files.

Misc:

• Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

New Contributors

• @khorben made their first contribution in https://github.com/google/osv-scanner/pull/969

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.3...v1.7.4

v1.7.3:

Features:

• Feature #934 add support for PNPM v9 lockfiles.

Fixes:

• Bug #938 Ensure the sarif output has a stable order.
• Bug #922 Support filtering on alias IDs in Guided Remediation.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.2...v1.7.3

v1.7.2:

Fixes:

• Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
• Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
• Bug #914 Fix regression for go call analysis introduced in 1.7.0.

v1.7.1:

(There was no Github release for this version)

Fixes

• Bug #856
  Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.

API Features

• Feature #781
  add MakeVersionRequestsWithContext()
• Feature #857
  API and networking related errors now has their own error and exit code (Exit Code 129)

New Contributors

• @DavidKorczynski made their first contribution in https://github.com/google/osv-scanner/pull/846
• @tuananh made their first contribution in https://github.com/google/osv-scanner/pull/781
• @omercnet made their first contribution in https://github.com/google/osv-scanner/pull/874
• @Dor1s made their first contribution in https://github.com/google/osv-scanner/pull/877

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.0...v1.7.2

This version introduces our new guided remediation feature for npm! Try it with osv-scanner fix today!

Features

• Feature #352 Guided Remediation
  Introducing our new experimental guided remediation feature on osv-scanner fix subcommand.
  See our docs for detailed usage instructions.

• Feature #805
  Include CVSS MaxSevirity in JSON output.

Fixes

• Bug #818
  Align GoVulncheck Go version with go.mod.

• Bug #797
  Don't traverse gitignored dirs for gitignore files.

Miscellaneous

• #831
  Remove version number from the release binary name.

New Contributors

• @billielynch made their first contribution in https://github.com/google/osv-scanner/pull/826
• @AppleGamer22 made their first contribution in https://github.com/google/osv-scanner/pull/805
• @robramsaynz made their first contribution in https://github.com/google/osv-scanner/pull/797

Full Changelog: https://github.com/google/osv-scanner/compare/v1.6.2...v1.7.0

Features

• Feature #694 OSV-Scanner now has subcommands!
  The base command has been moved to scan (currently the only commands is scan). By default if you do not pass in a command, scan will be used, so CLI remains backwards compatible.

  This is a building block to adding the guided remediation feature. See issue #352 for more details!

• Feature #776 Add pdm lockfile support.

API Features

• Feature #754 Add dependency groups to flattened vulnerabilities output.

New Contributors

• @jtt made their first contribution in https://github.com/google/osv-scanner/pull/776

Full Changelog: https://github.com/google/osv-scanner/compare/v1.6.1...v1.6.2

v1.6.0/v1.6.1:

Features

• Feature #694 Add support for NuGet lock files version 2.

• Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

• Feature #702 Created an option to skip/disable upload to code scanning.

• Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.

• Feature #729 Verify the spdx licenses passed in to the license allowlist.

Fixes

• Bug #736 Show ecosystem and version even if git is shown if the info exists.

• Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.

• Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

• Bug #704 Get go stdlib version from go.mod.

API Features

• Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

New Contributors

• @geekNero made their first contribution in https://github.com/google/osv-scanner/pull/718

Full Changelog: https://github.com/google/osv-scanner/compare/v1.5.0...v1.6.0-alpha3

Changelog

Features

• Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
• Feature #642 Support scanning renv files for the R language ecosystem.
• Feature #513 Stabilize call analysis for Go! The experimental --experimental-call-analysis flag has now been updated to:

  --call-analysis=<language/all>
  --no-call-analysis=<language/all>
  

  with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
• Feature #676 Simplify return codes:
  • Return 0 if there are no findings or errors.
  • Return 1 if there are any findings (license violations or vulnerabilities).
  • Return 128 if no packages are found.
• Feature #651 CVSS v4.0 support.
• Feature #60 Pre-commit hook support.

Fixes

• Bug #639 We now filter local packages from scans, and report the filtering of those packages.
• Bug #645 Properly handle file/url paths on Windows.
• Bug #660 Remove noise from failed lockfile parsing.
• Bug #649 No longer include vendored libraries in C/C++ package analysis.
• Bug #634 Fix filtering of aliases to also include non OSV aliases

New Contributors

• @hogo6002 made their first contribution in https://github.com/google/osv-scanner/pull/665
• @pandatix made their first contribution in https://github.com/google/osv-scanner/pull/651
• @kemzeb made their first contribution in https://github.com/google/osv-scanner/pull/669

Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.3...v1.5.0

Features

• Feature #621
  Add support for scanning vendored C/C++ files.
• Feature #581
  Scan submodules commit hashes.

Fixes

• Bug #626
  Fix gitignore matching for root directory
• Bug #622
  Go binary not found should not be an error
• Bug #588
  handle npm/yarn aliased packages
• Bug #607
  fix: remove some extra newlines in sarif report

New Contributors

• @cuixq made their first contribution in https://github.com/google/osv-scanner/pull/610
• @josieang made their first contribution in https://github.com/google/osv-scanner/pull/614

Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.2...v1.4.3

v1.4.2:

Some minor fixes in this release.

Fixes

• Bug #574
  Support versions with build metadata in yarn.lock files
• Bug #599
  Add name field to sarif rule output

Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.1...v1.4.2

v1.4.1:

Features

• Feature #534
  New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
• Experimental Feature #57 Experimental Github Action!
  Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo.
  Experimental, so might change with only a minor update.

API Features

• Feature #557 Add new ecosystems, and a slice containing all of them.

v1.4.0:

Features

• Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
• Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
• Feature #484 Detect the installed go version and checks for vulnerabilities in the standard library.
• Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.

API Features

• Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.

Fixes

• Bug #457 Fix PURL mapping for Alpine packages
• Bug #462 Use correct plural and singular forms based on count

New Contributors

• @theinfosecguy made their first contribution in https://github.com/google/osv-scanner/pull/441

Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.6...v1.4.0

Minor Updates

• Feature #431
  Update GoVulnCheck integration.
• Feature #439
  Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().

Fixes

• Feature #439
  Fix PURLToPackage not returning the full namespace of packages in ecosystems
  that use them (e.g. golang).

New Contributors

• @julieqiu made their first contribution in https://github.com/google/osv-scanner/pull/431

Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.5...v1.3.6

v1.3.5:

Features

• Feature #409
  Adds an additional column to the table output which shows the severity if available.

API Features

• Feature #424
• Feature #417
• Feature #417
  • Update the models package to better reflect the osv schema, including:
    • Add the withdrawn field
    • Improve timestamp serialization
    • Add related field
    • Add additional ecosystem constants
    • Add new reference types
    • Add YAML tags

New Contributors

• @giovanni-bozzano made their first contribution in https://github.com/google/osv-scanner/pull/409

Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.4...v1.3.5

Minor Updates

• Feature #390 Add an user agent to OSV API requests.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4

v1.3.3:

Fixes

• Bug #369 Fix
  requirements.txt misparsing lines that contain --hash.
• Bug #237 Clarify when no
  vulnerabilities are found.
• Bug #354 Fix cycle in
  requirements.txt causing infinite recursion.
• Bug #367 Fix panic when
  parsing empty lockfile.

API Features

• Feature #357 Update
  pkg/osv to allow overriding the http client / transport

New Contributors

• @jeffmendoza made their first contribution in https://github.com/google/osv-scanner/pull/357
• @robotdana made their first contribution in https://github.com/google/osv-scanner/pull/367
• @khareyash05 made their first contribution in https://github.com/google/osv-scanner/pull/368

Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.2...v1.3.3