- Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
- Feature #642
Support scanning
renv
files for the R language ecosystem. - Feature #513
Stabilize call analysis for Go! The experimental
--experimental-call-analysis
flag has now been updated to:with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!--call-analysis=<language/all> --no-call-analysis=<language/all>
- Feature #676
Simplify return codes:
- Return 0 if there are no findings or errors.
- Return 1 if there are any findings (license violations or vulnerabilities).
- Return 128 if no packages are found.
- Feature #651 CVSS v4.0 support.
- Feature #60 Pre-commit hook support.
- Bug #639 We now filter local packages from scans, and report the filtering of those packages.
- Bug #645 Properly handle file/url paths on Windows.
- Bug #660 Remove noise from failed lockfile parsing.
- Bug #649 No longer include vendored libraries in C/C++ package analysis.
- Bug #634 Fix filtering of aliases to also include non OSV aliases
- The minimum go version has been updated to go1.21 from go1.18.
- Feature #621 Add support for scanning vendored C/C++ files.
- Feature #581 Scan submodules commit hashes.
- Bug #626 Fix gitignore matching for root directory
- Bug #622 Go binary not found should not be an error
- Bug #588 handle npm/yarn aliased packages
- Bug #607 fix: remove some extra newlines in sarif report
- Bug #574
Support versions with build metadata in
yarn.lock
files - Bug #599 Add name field to sarif rule output
- Feature #534 New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
- Experimental Feature #57 Experimental Github Action! Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo. Experimental, so might change with only a minor update.
- Feature #557 Add new ecosystems, and a slice containing all of them.
- Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
- Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
- Feature #484 Detect the installed
go
version and checks for vulnerabilities in the standard library. - Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate
osv-scanner.json
for osv-scanner to scan. See our documentation for instructions.
- Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.
- Bug #457 Fix PURL mapping for Alpine packages
- Bug #462 Use correct plural and singular forms based on count
- Feature #431 Update GoVulnCheck integration.
- Feature #439
Create
models.PURLToPackage()
, and deprecateosvscanner.PURLToPackage()
.
- Feature #439
Fix
PURLToPackage
not returning the full namespace of packages in ecosystems that use them (e.g. golang).
- Feature #409 Adds an additional column to the table output which shows the severity if available.
- Feature #424
- Feature #417
- Feature #417
- Update the models package to better reflect the osv schema, including:
- Add the withdrawn field
- Improve timestamp serialization
- Add related field
- Add additional ecosystem constants
- Add new reference types
- Add YAML tags
- Update the models package to better reflect the osv schema, including:
- Feature #390 Add an user agent to OSV API requests.
- Bug #369 Fix
requirements.txt misparsing lines that contain
--hash
. - Bug #237 Clarify when no vulnerabilities are found.
- Bug #354 Fix cycle in requirements.txt causing infinite recursion.
- Bug #367 Fix panic when parsing empty lockfile.
- Feature #357 Update
pkg/osv
to allow overriding the http client / transport
- Bug #341 Make the reporter public to allow calling DoScan with non nil reporters.
- Bug #335 Improve SBOM
parsing and relaxing name requirements when explicitly scanning with
--sbom
. - Bug #333 Improve scanning speed for regex heavy lockfiles by caching regex compilation.
- Bug #349 Improve SBOM documentation and error messages.
- Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.
- Feature #198 GoVulnCheck
integration! Try it out when scanning go code by adding the
--experimental-call-analysis
flag. - Feature #260 Support
-r
flag inrequirements.txt
files. - Feature #300 Make
IgnoredVulns
also ignore aliases. - Feature #304 OSV-Scanner now runs faster when there's multiple vulnerabilities.
- Bug #249 Support yarn locks with quoted properties.
- Bug #232 Parse nested CycloneDX components correctly.
- Bug #257 More specific cyclone dx parsing.
- Bug #256 Avoid panic
when parsing
file:
dependencies inpnpm
lockfiles. - Bug #261 Deduplicate
packages that appear multiple times in
Pipenv.lock
files. - Bug #267 Properly handle comparing zero versions in Maven.
- Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
- Bug #291 Check if PURL is valid before adding it to queries.
- Bug #293 Avoid infinite loops parsing Maven poms with syntax errors
- Bug #295 Set version in the source code, this allows version to be displayed in most package managers.
- Bug #297 Support Pipenv develop packages without versions.
- Feature #310 Improve the OSV models to allow for 3rd party use of the library.
- Feature #168 Support for
scanning debian package status file, usually located in
/var/lib/dpkg/status
. Thanks @cmaritan - Feature #94 Specify what
parser should be used in
--lockfile
. - Feature #158 Specify
output format to use with the
--format
flag. - Feature #165 Respect
.gitignore
files by default when scanning. - Feature #156 Support markdown table output format. Thanks @deftdawg
- Feature #59 Support
conan.lock
lockfiles and ecosystem Thanks @SSE4 - Updated documentation! Check it out here: https://google.github.io/osv-scanner/
- Feature #178 Support SPDX 2.3.
- Feature #221 Support dependencyManagement section in Maven poms.
- Feature #167 Make osvscanner API library public.
- Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
- Feature #220 Vulnerability output is ordered deterministically.
- Feature #179 Log number of packages scanned from SBOM.
- General dependency updates
- Bug #161 Exit with non zero exit code when there is a general error.
- Bug #185 Properly omit Source from JSON output.
This update adds support for NuGet ecosystem and various bug fixes by the community.
- Feature #98: Support for NuGet ecosystem.
- Feature #71: Now supports Pipfile.lock scanning.
- Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
- Bug #105: Fix rare cases of too many open file handles.
- Bug #131: Fix table highlighting overflow.
- Bug #101: Now supports 32 bit systems.
This is a minor patch release to mitigate human readable output issues on narrow terminals (#85).
- Bug #85: Better support for narrow terminals.
Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community!
- Feature: ARM64 builds are now also available!
- Feature #46: Gradle lockfile support.
- Feature #50: Add version command.
- Bug #52: Fixes 0 exit code being wrongly emitted when vulnerabilities are present.