osv-scanner
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
APACHE-2.0 License
Bot releases are visible (Hide)
Published by github-actions[bot] over 1 year ago
Fixes
- Bug #341 Make the reporter public to allow calling DoScan with non nil reporters.
-
Bug #335 Improve SBOM parsing and relaxing name requirements when explicitly scanning with
--sbom. - Bug #333 Improve scanning speed for regex heavy lockfiles by caching regex compilation.
- Bug #349 Improve SBOM documentation and error messages.
New Contributors
- @dbtedman made their first contribution in https://github.com/google/osv-scanner/pull/325
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.1...v1.3.2
Published by github-actions[bot] over 1 year ago
Changelog
Fixes
- Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.0...v1.3.1
Published by github-actions[bot] over 1 year ago
What's Changed
Major Features:
-
Feature #198 GoVulnCheck integration! Try it out when scanning go code by adding the
--experimental-call-analysisflag. -
Feature #260 Support
-rflag inrequirements.txtfiles. -
Feature #300 Make
IgnoredVulnsalso ignore aliases. - Feature #304 OSV-Scanner now runs faster when there's multiple vulnerabilities.
Fixes
- Bug #249 Support yarn locks with quoted properties.
- Bug #232 Parse nested CycloneDX components correctly.
- Bug #257 More specific cyclone dx parsing.
-
Bug #256 Avoid panic when parsing
file:dependencies inpnpmlockfiles. -
Bug #261 Deduplicate packages that appear multiple times in
Pipenv.lockfiles. - Bug #267 Properly handle comparing zero versions in Maven.
- Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
- Bug #291 Check if PURL is valid before adding it to queries.
- Bug #293 Avoid infinite loops parsing Maven poms with syntax errors
- Bug #295 Set version in the source code, this allows version to be displayed in most package managers.
- Bug #297 Support Pipenv develop packages without versions.
API Features
- Feature #310 Improve the OSV models to allow for 3rd party use of the library.
New Contributors
- @raboof made their first contribution in https://github.com/google/osv-scanner/pull/253
- @spencerschrock made their first contribution in https://github.com/google/osv-scanner/pull/294
- @calebbrown made their first contribution in https://github.com/google/osv-scanner/pull/310
Full Changelog: https://github.com/google/osv-scanner/compare/v1.2.0...v1.3.0
Published by github-actions[bot] over 1 year ago
Major Features:
-
Feature #168 Support for scanning debian package status file, usually located in
/var/lib/dpkg/status. Thanks @cmaritan -
Feature #94 Specify what parser should be used in
--lockfile. -
Feature #158 Specify output format to use with the
--formatflag. -
Feature #165 Respect
.gitignorefiles by default when scanning. - Feature #156 Support markdown table output format. Thanks @deftdawg
-
Feature #59 Support
conan.locklockfiles and ecosystem Thanks @SSE4 - Updated documentation! Check it out here: https://google.github.io/osv-scanner/
Minor Updates:
- Feature #178 Support SPDX 2.3.
- Feature #221 Support dependencyManagement section in Maven poms.
- Feature #167 Make osvscanner API library public.
- Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
- Feature #220 Vulnerability output is ordered deterministically.
- Feature #179 Log number of packages scanned from SBOM.
- General dependency updates
Fixes
- Bug #161 Exit with non zero exit code when there is a general error.
- Bug #185 Properly omit Source from JSON output.
New Contributors
- @inferno-chromium made their first contribution in https://github.com/google/osv-scanner/pull/139
- @davift made their first contribution in https://github.com/google/osv-scanner/pull/141
- @SSE4 made their first contribution in https://github.com/google/osv-scanner/pull/59
- @deftdawg made their first contribution in https://github.com/google/osv-scanner/pull/156
- @hayleycd made their first contribution in https://github.com/google/osv-scanner/pull/171
- @michaelkedar made their first contribution in https://github.com/google/osv-scanner/pull/191
- @dependabot made their first contribution in https://github.com/google/osv-scanner/pull/222
Full Changes: https://github.com/google/osv-scanner/compare/v1.1.0...v1.2.0
Published by github-actions[bot] almost 2 years ago
What's Changed
This update adds support for NuGet ecosystem and various bug fixes by the community.
- Feature #98: Support for NuGet ecosystem.
- Feature #71: Now supports Pipfile.lock scanning.
- Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
- Bug #105: Fix rare cases of too many open file handles.
- Bug #131: Fix table highlighting overflow.
- Bug #101: Now supports 32 bit systems.
New Contributors
- @chenrui333 made their first contribution in https://github.com/google/osv-scanner/pull/89
- @myersg86 made their first contribution in https://github.com/google/osv-scanner/pull/103
- @kpcyrd made their first contribution in https://github.com/google/osv-scanner/pull/104
- @shawnfunke made their first contribution in https://github.com/google/osv-scanner/pull/98
- @andrewpollock made their first contribution in https://github.com/google/osv-scanner/pull/116
- @wolf99 made their first contribution in https://github.com/google/osv-scanner/pull/100
- @newdominic made their first contribution in https://github.com/google/osv-scanner/pull/66
- @cmaritan made their first contribution in https://github.com/google/osv-scanner/pull/107
- @jfhovinne made their first contribution in https://github.com/google/osv-scanner/pull/109
- @ChronicLynx made their first contribution in https://github.com/google/osv-scanner/pull/127
- @rhysd made their first contribution in https://github.com/google/osv-scanner/pull/131
Full Changelog: https://github.com/google/osv-scanner/compare/v1.0.2...v1.1.0
Published by oliverchang almost 2 years ago
This is a minor patch release to mitigate human readable output issues on narrow terminals (#85).
What's Changed
- Move table columns so that the important column is displayed first by @another-rex in https://github.com/google/osv-scanner/pull/87
- shorten affected package to package by @another-rex in https://github.com/google/osv-scanner/pull/90
New Contributors
- @hi-artem made their first contribution in https://github.com/google/osv-scanner/pull/77
- @stevehipwell made their first contribution in https://github.com/google/osv-scanner/pull/68
Full Changelog: https://github.com/google/osv-scanner/compare/v1.0.1...v1.0.2
Published by oliverchang almost 2 years ago
Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community!
ARM64 builds are now also available!
What's Changed
- Fixed #52 - Raise exit code properly on vulnerabilities. by @iurisilvio in https://github.com/google/osv-scanner/pull/53
- feat: add version command by @jwillker in https://github.com/google/osv-scanner/pull/50
- Enable arm64 build target by @another-rex in https://github.com/google/osv-scanner/pull/56
- Ci updates by @cpanato in https://github.com/google/osv-scanner/pull/48
- Add gradle lockfile support by @abhisek in https://github.com/google/osv-scanner/pull/46
- Update README.md by @helmutkemper in https://github.com/google/osv-scanner/pull/58
New Contributors
- @iurisilvio made their first contribution in https://github.com/google/osv-scanner/pull/53
- @jwillker made their first contribution in https://github.com/google/osv-scanner/pull/50
- @cpanato made their first contribution in https://github.com/google/osv-scanner/pull/48
- @abhisek made their first contribution in https://github.com/google/osv-scanner/pull/46
- @helmutkemper made their first contribution in https://github.com/google/osv-scanner/pull/58
Full Changelog: https://github.com/google/osv-scanner/compare/v1.0.0...v1.0.1
Published by github-actions[bot] almost 2 years ago
1.0 release for OSV-Scanner!
