Vulnerability scanner written in Go which uses the data provided by https://osv.dev
APACHE-2.0 License
Release v1.8.5
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.4...v1.8.5
Release v1.8.4
Published by github-actions[bot] about 2 months ago
New --upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide and deprecate the previous --disallow-major-upgrades and --disallow-package-upgrades flags.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.3...v1.8.4
Release v1.8.3
Published by github-actions[bot] 2 months ago
semantic is passed a valid models.Ecosystem.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.2...v1.8.3
Release v1.8.2
Published by github-actions[bot] 3 months ago
--experimental-local-db.
package exists in affected property.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.1...v1.8.2
Release v1.8.1
Published by github-actions[bot] 4 months ago
pom.xml files!
The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

[[PackageOverrides]]
# The package name, version, and ecosystem to match against
name = "lib"
# If version is not set or empty, it will match every version
version = "1.0.0"
ecosystem = "Go"
# Ignore this package entirely, including license scanning
ignore = true
# Override the license of the package
# This is not used if ignore = true
license.override = ["MIT", "0BSD"]
# effectiveUntil = 2022-11-09 # Optional exception expiry date
reason = "abc"

The --experimental-local-db flag has been removed and replaced with a new flag, --experimental-download-offline-databases, which better reflects what the flag does. If you were using the --experimental-local-db flag, replace it with both the --experimental-offline and --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.
dependencyManagement dependencies when scanning pom.xml files in offline mode.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.4...v1.8.1
Release v1.7.4
Published by github-actions[bot] 5 months ago
Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.3...v1.7.4
Release v1.7.3
Published by github-actions[bot] 5 months ago
Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.2...v1.7.3
Release v1.7.2
Published by github-actions[bot] 6 months ago
(There was no GitHub release for this version)
MakeVersionRequestsWithContext()
Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.0...v1.7.2
Release v1.7.0
Published by github-actions[bot] 8 months ago
This version introduces our new guided remediation feature for npm! Try it with osv-scanner fix today!
Feature #352 Guided Remediation: introducing our new experimental guided remediation feature on the osv-scanner fix subcommand. See our docs for detailed usage instructions.
Feature #805 Include CVSS MaxSeverity in JSON output.
Bug #818 Align GoVulncheck Go version with go.mod.
Bug #797 Don't traverse gitignored dirs for gitignore files.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.6.2...v1.7.0
Release v1.6.2
Published by github-actions[bot] 9 months ago
Feature #694 OSV-Scanner now has subcommands! The base command has been moved to scan (currently the only command is scan). By default, if you do not pass in a command, scan will be used, so the CLI remains backwards compatible. This is a building block for adding the guided remediation feature. See issue #352 for more details!
Feature #776 Add pdm lockfile support.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.6.1...v1.6.2
Release v1.6.0-alpha3
Published by github-actions[bot] 9 months ago
Feature #694 Add support for NuGet lock files version 2.
Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.
Feature #702 Created an option to skip/disable upload to code scanning.
Feature #732 Add option to not fail on a vulnerability being found for GitHub Actions.
Feature #729 Verify the SPDX licenses passed in to the license allowlist.
Bug #736 Show ecosystem and version even if git is shown, if the info exists.
Bug #703 Return an error if both license scanning and local/offline scanning are enabled simultaneously.
Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.
Bug #704 Get Go stdlib version from go.mod.
Reporter methods to add verbosity levels and to deprecate functions.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.5.0...v1.6.0-alpha3
Release v1.5.0
Published by github-actions[bot] 11 months ago
renv files for the R language ecosystem.
The --experimental-call-analysis flag has now been updated to:
--call-analysis=<language/all>
--no-call-analysis=<language/all>
with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.3...v1.5.0
Release v1.4.3
Published by github-actions[bot] 12 months ago
Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.2...v1.4.3
Release v1.4.2
Published by github-actions[bot] 12 months ago
Some minor fixes in this release.
yarn.lock files
Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.1...v1.4.2
Published by github-actions[bot] about 1 year ago
Release v1.4.0
Published by github-actions[bot] about 1 year ago
go version and checks for vulnerabilities in the standard library.
osv-scanner.json for osv-scanner to scan. See our documentation for instructions.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.6...v1.4.0
Release v1.3.6
Published by github-actions[bot] over 1 year ago
models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().
PURLToPackage not returning the full namespace of packages in ecosystems.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.5...v1.3.6
Release v1.3.5
Published by github-actions[bot] over 1 year ago
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.4...v1.3.5
Release v1.3.4
Published by github-actions[bot] over 1 year ago
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4
Release v1.3.3
Published by github-actions[bot] over 1 year ago
--hash.
pkg/osv to allow overriding the HTTP client / transport.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.2...v1.3.3