v1.7.0

This version introduces our new guided remediation feature for npm! Try it with osv-scanner fix today!

Features

• Feature #352 Guided Remediation
  Introducing our new experimental guided remediation feature on osv-scanner fix subcommand.
  See our docs for detailed usage instructions.

• Feature #805
  Include CVSS MaxSevirity in JSON output.

Fixes

• Bug #818
  Align GoVulncheck Go version with go.mod.

• Bug #797
  Don't traverse gitignored dirs for gitignore files.

Miscellaneous

• #831
  Remove version number from the release binary name.

New Contributors

• @billielynch made their first contribution in #826
• @AppleGamer22 made their first contribution in #805
• @robramsaynz made their first contribution in #797

Full Changelog: v1.6.2...v1.7.0

v1.6.2

Features

• Feature #694 OSV-Scanner now has subcommands!
  The base command has been moved to scan (currently the only commands is scan). By default if you do not pass in a command, scan will be used, so CLI remains backwards compatible.

  This is a building block to adding the guided remediation feature. See issue #352 for more details!

• Feature #776 Add pdm lockfile support.

API Features

• Feature #754 Add dependency groups to flattened vulnerabilities output.

New Contributors

• @jtt made their first contribution in #776

Full Changelog: v1.6.1...v1.6.2

v1.6.1

v1.6.0/v1.6.1:

Features

• Feature #694 Add support for NuGet lock files version 2.

• Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

• Feature #702 Created an option to skip/disable upload to code scanning.

• Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.

• Feature #729 Verify the spdx licenses passed in to the license allowlist.

Fixes

• Bug #736 Show ecosystem and version even if git is shown if the info exists.

• Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.

• Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

• Bug #704 Get go stdlib version from go.mod.

API Features

• Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

New Contributors

• @geekNero made their first contribution in #718

Full Changelog: v1.5.0...v1.6.0-alpha3

v1.5.0

Changelog

Features

• Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
• Feature #642 Support scanning renv files for the R language ecosystem.
• Feature #513 Stabilize call analysis for Go! The experimental --experimental-call-analysis flag has now been updated to:

  --call-analysis=<language/all>
  --no-call-analysis=<language/all>
  

  with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
• Feature #676 Simplify return codes:
  • Return 0 if there are no findings or errors.
  • Return 1 if there are any findings (license violations or vulnerabilities).
  • Return 128 if no packages are found.
• Feature #651 CVSS v4.0 support.
• Feature #60 Pre-commit hook support.

Fixes

• Bug #639 We now filter local packages from scans, and report the filtering of those packages.
• Bug #645 Properly handle file/url paths on Windows.
• Bug #660 Remove noise from failed lockfile parsing.
• Bug #649 No longer include vendored libraries in C/C++ package analysis.
• Bug #634 Fix filtering of aliases to also include non OSV aliases

New Contributors

• @hogo6002 made their first contribution in #665
• @pandatix made their first contribution in #651
• @kemzeb made their first contribution in #669

Full Changelog: v1.4.3...v1.5.0

v1.4.3

Features

• Feature #621
  Add support for scanning vendored C/C++ files.
• Feature #581
  Scan submodules commit hashes.

Fixes

• Bug #626
  Fix gitignore matching for root directory
• Bug #622
  Go binary not found should not be an error
• Bug #588
  handle npm/yarn aliased packages
• Bug #607
  fix: remove some extra newlines in sarif report

New Contributors

• @cuixq made their first contribution in #610
• @josieang made their first contribution in #614

Full Changelog: v1.4.2...v1.4.3

v1.4.2

v1.4.2:

Some minor fixes in this release.

Fixes

• Bug #574
  Support versions with build metadata in yarn.lock files
• Bug #599
  Add name field to sarif rule output

Full Changelog: v1.4.1...v1.4.2

v1.4.1

v1.4.1:

Features

• Feature #534
  New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
• Experimental Feature #57 Experimental Github Action!
  Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo.
  Experimental, so might change with only a minor update.

API Features

• Feature #557 Add new ecosystems, and a slice containing all of them.

v1.4.0

v1.4.0:

Features

• Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
• Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
• Feature #484 Detect the installed go version and checks for vulnerabilities in the standard library.
• Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.

API Features

• Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.

Fixes

• Bug #457 Fix PURL mapping for Alpine packages
• Bug #462 Use correct plural and singular forms based on count

New Contributors

• @theinfosecguy made their first contribution in #441

Full Changelog: v1.3.6...v1.4.0

v1.3.6

Minor Updates

• Feature #431
  Update GoVulnCheck integration.
• Feature #439
  Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().

Fixes

• Feature #439
  Fix PURLToPackage not returning the full namespace of packages in ecosystems
  that use them (e.g. golang).

New Contributors

• @julieqiu made their first contribution in #431

Full Changelog: v1.3.5...v1.3.6

v1.3.5

v1.3.5:

Features

• Feature #409
  Adds an additional column to the table output which shows the severity if available.

API Features

• Feature #424
• Feature #417
• Feature #417
  • Update the models package to better reflect the osv schema, including:
    • Add the withdrawn field
    • Improve timestamp serialization
    • Add related field
    • Add additional ecosystem constants
    • Add new reference types
    • Add YAML tags

New Contributors

• @giovanni-bozzano made their first contribution in #409

Full Changelog: v1.3.4...v1.3.5