Skip to content

Latest commit

 

History

History
314 lines (241 loc) · 12.7 KB

CHANGELOG.md

File metadata and controls

314 lines (241 loc) · 12.7 KB

v1.5.0:

Features

Fixes

  • Bug #639 We now filter local packages from scans, and report the filtering of those packages.
  • Bug #645 Properly handle file/url paths on Windows.
  • Bug #660 Remove noise from failed lockfile parsing.
  • Bug #649 No longer include vendored libraries in C/C++ package analysis.
  • Bug #634 Fix filtering of aliases to also include non OSV aliases

Miscellaneous

  • The minimum go version has been updated to go1.21 from go1.18.

v1.4.3:

Features

Fixes

  • Bug #626 Fix gitignore matching for root directory
  • Bug #622 Go binary not found should not be an error
  • Bug #588 handle npm/yarn aliased packages
  • Bug #607 fix: remove some extra newlines in sarif report

v1.4.2:

Fixes

  • Bug #574 Support versions with build metadata in yarn.lock files
  • Bug #599 Add name field to sarif rule output

v1.4.1:

Features

API Features

  • Feature #557 Add new ecosystems, and a slice containing all of them.

v1.4.0:

Features

  • Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
  • Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
  • Feature #484 Detect the installed go version and checks for vulnerabilities in the standard library.
  • Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.

API Features

  • Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.

Fixes

  • Bug #457 Fix PURL mapping for Alpine packages
  • Bug #462 Use correct plural and singular forms based on count

v1.3.6:

Minor Updates

  • Feature #431 Update GoVulnCheck integration.
  • Feature #439 Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().

Fixes

  • Feature #439 Fix PURLToPackage not returning the full namespace of packages in ecosystems that use them (e.g. golang).

v1.3.5:

Features

  • Feature #409 Adds an additional column to the table output which shows the severity if available.

API Features

  • Feature #424
  • Feature #417
  • Feature #417
    • Update the models package to better reflect the osv schema, including:
      • Add the withdrawn field
      • Improve timestamp serialization
      • Add related field
      • Add additional ecosystem constants
      • Add new reference types
      • Add YAML tags

v1.3.4:

Minor Updates

v1.3.3:

Fixes

  • Bug #369 Fix requirements.txt misparsing lines that contain --hash.
  • Bug #237 Clarify when no vulnerabilities are found.
  • Bug #354 Fix cycle in requirements.txt causing infinite recursion.
  • Bug #367 Fix panic when parsing empty lockfile.

API Features

  • Feature #357 Update pkg/osv to allow overriding the http client / transport

v1.3.2:

Fixes

  • Bug #341 Make the reporter public to allow calling DoScan with non nil reporters.
  • Bug #335 Improve SBOM parsing and relaxing name requirements when explicitly scanning with --sbom.
  • Bug #333 Improve scanning speed for regex heavy lockfiles by caching regex compilation.
  • Bug #349 Improve SBOM documentation and error messages.

v1.3.1:

Fixes

  • Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.

v1.3.0:

Major Features:

  • Feature #198 GoVulnCheck integration! Try it out when scanning go code by adding the --experimental-call-analysis flag.
  • Feature #260 Support -r flag in requirements.txt files.
  • Feature #300 Make IgnoredVulns also ignore aliases.
  • Feature #304 OSV-Scanner now runs faster when there's multiple vulnerabilities.

Fixes

  • Bug #249 Support yarn locks with quoted properties.
  • Bug #232 Parse nested CycloneDX components correctly.
  • Bug #257 More specific cyclone dx parsing.
  • Bug #256 Avoid panic when parsing file: dependencies in pnpm lockfiles.
  • Bug #261 Deduplicate packages that appear multiple times in Pipenv.lock files.
  • Bug #267 Properly handle comparing zero versions in Maven.
  • Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
  • Bug #291 Check if PURL is valid before adding it to queries.
  • Bug #293 Avoid infinite loops parsing Maven poms with syntax errors
  • Bug #295 Set version in the source code, this allows version to be displayed in most package managers.
  • Bug #297 Support Pipenv develop packages without versions.

API Features

  • Feature #310 Improve the OSV models to allow for 3rd party use of the library.

v1.2.0:

Major Features:

Minor Updates:

  • Feature #178 Support SPDX 2.3.
  • Feature #221 Support dependencyManagement section in Maven poms.
  • Feature #167 Make osvscanner API library public.
  • Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
  • Feature #220 Vulnerability output is ordered deterministically.
  • Feature #179 Log number of packages scanned from SBOM.
  • General dependency updates

Fixes

  • Bug #161 Exit with non zero exit code when there is a general error.
  • Bug #185 Properly omit Source from JSON output.

v1.1.0:

This update adds support for NuGet ecosystem and various bug fixes by the community.

  • Feature #98: Support for NuGet ecosystem.
  • Feature #71: Now supports Pipfile.lock scanning.
  • Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
  • Bug #105: Fix rare cases of too many open file handles.
  • Bug #131: Fix table highlighting overflow.
  • Bug #101: Now supports 32 bit systems.

v1.0.2

This is a minor patch release to mitigate human readable output issues on narrow terminals (#85).

  • Bug #85: Better support for narrow terminals.

v1.0.1

Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community!

  • Feature: ARM64 builds are now also available!
  • Feature #46: Gradle lockfile support.
  • Feature #50: Add version command.
  • Bug #52: Fixes 0 exit code being wrongly emitted when vulnerabilities are present.