Skip to content

Releases: google/osv-scanner

v1.7.3

09 May 00:54
@github-actions github-actions
v1.7.3
645d5b0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.7.3 Latest
Latest

v1.7.3:

Features:

Fixes:

  • Bug #938 Ensure the sarif output has a stable order.
  • Bug #922 Support filtering on alias IDs in Guided Remediation.

Full Changelog: v1.7.2...v1.7.3

Assets 10

v1.7.2

19 Apr 00:53
@github-actions github-actions
v1.7.2
032296d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.7.2

v1.7.2:

Fixes:

  • Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
  • Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
  • Bug #914 Fix regression for go call analysis introduced in 1.7.0.

v1.7.1:

(There was no Github release for this version)

Fixes

  • Bug #856
    Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.

API Features

  • Feature #781
    add MakeVersionRequestsWithContext()
  • Feature #857
    API and networking related errors now has their own error and exit code (Exit Code 129)

New Contributors

Full Changelog: v1.7.0...v1.7.2

Contributors

tuananh, omercnet, and 2 other contributors
Assets 10

v1.7.0

06 Mar 04:34
@github-actions github-actions
v1.7.0
037c354
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.7.0

This version introduces our new guided remediation feature for npm! Try it with osv-scanner fix today!

Features

  • Feature #352 Guided Remediation
    Introducing our new experimental guided remediation feature on osv-scanner fix subcommand.
    See our docs for detailed usage instructions.

  • Feature #805
    Include CVSS MaxSevirity in JSON output.

Fixes

  • Bug #818
    Align GoVulncheck Go version with go.mod.

  • Bug #797
    Don't traverse gitignored dirs for gitignore files.

Miscellaneous

  • #831
    Remove version number from the release binary name.

New Contributors

Full Changelog: v1.6.2...v1.7.0

Contributors

robramsaynz, AppleGamer22, and billielynch
Assets 10

v1.6.2

31 Jan 04:13
@github-actions github-actions
v1.6.2
5b4066c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.6.2

Features

  • Feature #694 OSV-Scanner now has subcommands!
    The base command has been moved to scan (currently the only commands is scan). By default if you do not pass in a command, scan will be used, so CLI remains backwards compatible.

    This is a building block to adding the guided remediation feature. See issue #352 for more details!

  • Feature #776 Add pdm lockfile support.

API Features

  • Feature #754 Add dependency groups to flattened vulnerabilities output.

New Contributors

  • @jtt made their first contribution in #776

Full Changelog: v1.6.1...v1.6.2

Contributors

jtt
Assets 10

v1.6.1

18 Jan 01:37
@github-actions github-actions
v1.6.1
f6b0443
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.6.1

v1.6.0/v1.6.1:

Features

  • Feature #694 Add support for NuGet lock files version 2.

  • Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

  • Feature #702 Created an option to skip/disable upload to code scanning.

  • Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.

  • Feature #729 Verify the spdx licenses passed in to the license allowlist.

Fixes

  • Bug #736 Show ecosystem and version even if git is shown if the info exists.

  • Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.

  • Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

  • Bug #704 Get go stdlib version from go.mod.

API Features

  • Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

New Contributors

Full Changelog: v1.5.0...v1.6.0-alpha3

Contributors

geekNero
Assets 10

v1.5.0

06 Dec 03:58
@github-actions github-actions
v1.5.0
060799c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.5.0

Changelog

Features

Fixes

  • Bug #639 We now filter local packages from scans, and report the filtering of those packages.
  • Bug #645 Properly handle file/url paths on Windows.
  • Bug #660 Remove noise from failed lockfile parsing.
  • Bug #649 No longer include vendored libraries in C/C++ package analysis.
  • Bug #634 Fix filtering of aliases to also include non OSV aliases

New Contributors

Full Changelog: v1.4.3...v1.5.0

Contributors

hogo6002, pandatix, and kemzeb
Assets 10

v1.4.3

02 Nov 01:12
@github-actions github-actions
v1.4.3
6316373
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.4.3

Features

Fixes

  • Bug #626
    Fix gitignore matching for root directory
  • Bug #622
    Go binary not found should not be an error
  • Bug #588
    handle npm/yarn aliased packages
  • Bug #607
    fix: remove some extra newlines in sarif report

New Contributors

Full Changelog: v1.4.2...v1.4.3

Contributors

josieang and cuixq
Assets 10

v1.4.2

25 Oct 04:18
@github-actions github-actions
v1.4.2
1372552
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.4.2

v1.4.2:

Some minor fixes in this release.

Fixes

  • Bug #574
    Support versions with build metadata in yarn.lock files
  • Bug #599
    Add name field to sarif rule output

Full Changelog: v1.4.1...v1.4.2

Assets 10

v1.4.1

06 Oct 00:56
@github-actions github-actions
v1.4.1
c509779
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.4.1

v1.4.1:

Features

API Features

  • Feature #557 Add new ecosystems, and a slice containing all of them.
Assets 10

v1.4.0

14 Sep 02:02
@github-actions github-actions
v1.4.0
51fc4fd
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.4.0

v1.4.0:

Features

  • Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
  • Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
  • Feature #484 Detect the installed go version and checks for vulnerabilities in the standard library.
  • Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.

API Features

  • Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.

Fixes

  • Bug #457 Fix PURL mapping for Alpine packages
  • Bug #462 Use correct plural and singular forms based on count

New Contributors

Full Changelog: v1.3.6...v1.4.0

Contributors

theinfosecguy
Assets 10