Releases: google/osv-scanner

v1.3.6

19 Jul 05:47
b5f7502

Minor Updates

  • Feature #431 Update GoVulnCheck integration.
  • Feature #439 Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().

Fixes

  • Feature #439 Fix PURLToPackage not returning the full namespace of packages in ecosystems that use them (e.g. golang).

Full Changelog: v1.3.5...v1.3.6

v1.3.5

28 Jun 06:16
62df1c5

Features

  • Feature #409
    Adds an additional column to the table output which shows the severity if available.

API Features

  • Feature #424, Feature #417 Update the models package to better reflect the OSV schema, including:
    • Add the withdrawn field
    • Improve timestamp serialization
    • Add the related field
    • Add additional ecosystem constants
    • Add new reference types
    • Add YAML tags

Full Changelog: v1.3.4...v1.3.5

v1.3.4

07 Jun 03:57
b5af6c7

Minor Updates

Full Changelog: v1.3.3...v1.3.4

v1.3.3

17 May 05:05
dbeadde

Fixes

  • Bug #369 Fix requirements.txt misparsing lines that contain --hash.
  • Bug #237 Clarify when no vulnerabilities are found.
  • Bug #354 Fix cycle in requirements.txt causing infinite recursion.
  • Bug #367 Fix panic when parsing empty lockfile.

API Features

  • Feature #357 Update pkg/osv to allow overriding the HTTP client / transport.

Full Changelog: v1.3.2...v1.3.3

v1.3.2

26 Apr 04:56
c6d02d1

Fixes

  • Bug #341 Make the reporter public to allow calling DoScan with non-nil reporters.
  • Bug #335 Improve SBOM parsing and relax name requirements when explicitly scanning with --sbom.
  • Bug #333 Improve scanning speed for regex-heavy lockfiles by caching regex compilation.
  • Bug #349 Improve SBOM documentation and error messages.

Full Changelog: v1.3.1...v1.3.2

v1.3.1

30 Mar 04:36
7c08000

Changelog

Fixes

  • Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.

Full Changelog: v1.3.0...v1.3.1

v1.3.0

28 Mar 03:28
cfe6d75

What's Changed

Major Features:

  • Feature #198 GoVulnCheck integration! Try it out when scanning Go code by adding the --experimental-call-analysis flag.
  • Feature #260 Support -r flag in requirements.txt files.
  • Feature #300 Make IgnoredVulns also ignore aliases.
  • Feature #304 OSV-Scanner now runs faster when there are multiple vulnerabilities.

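The -r support in #260 above and the v1.3.3 fixes for --hash lines (#369), include cycles (#354) and empty lockfiles (#367) all concern the same requirements.txt parser. The following Go program is an added illustration of how such a parser handles those three cases; it is example code written for this page, not osv-scanner's own lockfile parser. The two files in sampleFiles are constructed in-memory content, the placeholder hash values are made up, and the parser deliberately understands only the subset of pip syntax needed here (==, -r/--requirement, line continuations, comments, per-requirement options).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Requirement is one pinned package from a requirements file.
type Requirement struct {
	Name, Version string
}

// sampleFiles is a constructed in-memory stand-in for files on disk (hypothetical
// content, not from any real project). base.txt includes requirements.txt again:
// that is the include cycle which must be detected rather than recursed into.
var sampleFiles = map[string]string{
	"requirements.txt": `# constructed sample
-r base.txt
flask==2.0.3 \
    --hash=sha256:placeholder-a \
    --hash=sha256:placeholder-b
requests==2.28.1 --hash=sha256:placeholder-c
`,
	"base.txt": `-r requirements.txt   # includes the file that included us
django==4.1.0
`,
}

// logicalLines joins backslash-continued lines, as pip does, so a --hash
// option on its own physical line stays attached to its requirement.
func logicalLines(content string) []string {
	var out []string
	var cur strings.Builder
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimRight(raw, "\r")
		if strings.HasSuffix(line, "\\") {
			cur.WriteString(strings.TrimSuffix(line, "\\") + " ")
			continue
		}
		out = append(out, cur.String()+line)
		cur.Reset()
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

// parseRequirement extracts name and pinned version from one logical line.
// Comments, blank lines and option-only lines give ok == false; trailing
// options such as --hash=... are dropped, not folded into the version string.
func parseRequirement(line string) (Requirement, bool) {
	if i := strings.Index(line, "#"); i >= 0 {
		line = line[:i]
	}
	fields := strings.Fields(line)
	if len(fields) == 0 || strings.HasPrefix(fields[0], "-") {
		return Requirement{}, false
	}
	name, version, _ := strings.Cut(fields[0], "==")
	return Requirement{Name: name, Version: version}, true
}

// parseFile reads one file and follows -r includes. visited holds every file
// already entered, so a cycle is skipped instead of recursing until the stack
// overflows. An empty file simply yields no requirements.
func parseFile(files map[string]string, path string, visited map[string]bool) ([]Requirement, error) {
	path = filepath.Clean(path)
	if visited[path] {
		return nil, nil
	}
	visited[path] = true
	content, ok := files[path]
	if !ok {
		return nil, fmt.Errorf("requirements file %q not found", path)
	}
	var reqs []Requirement
	for _, line := range logicalLines(content) {
		fields := strings.Fields(line)
		if len(fields) >= 2 && (fields[0] == "-r" || fields[0] == "--requirement") {
			sub, err := parseFile(files, filepath.Join(filepath.Dir(path), fields[1]), visited)
			if err != nil {
				return nil, err
			}
			reqs = append(reqs, sub...)
			continue
		}
		if r, ok := parseRequirement(line); ok {
			reqs = append(reqs, r)
		}
	}
	return reqs, nil
}

// ParseRequirements is the entry point: parse path and everything it includes.
func ParseRequirements(files map[string]string, path string) ([]Requirement, error) {
	return parseFile(files, path, map[string]bool{})
}

func main() {
	reqs, err := ParseRequirements(sampleFiles, "requirements.txt")
	fmt.Println(reqs, err) // [{django 4.1.0} {flask 2.0.3} {requests 2.28.1}] <nil>
}
```

The visited set is keyed on the cleaned path, so the same file reached through two different relative spellings is still recognised as already processed; a real scanner would key on the absolute path for the same reason.
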
Fixes

  • Bug #249 Support yarn locks with quoted properties.
  • Bug #232 Parse nested CycloneDX components correctly.
  • Bug #257 More specific CycloneDX parsing.
  • Bug #256 Avoid panic when parsing file: dependencies in pnpm lockfiles.
  • Bug #261 Deduplicate packages that appear multiple times in Pipenv.lock files.
  • Bug #267 Properly handle comparing zero versions in Maven.
  • Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
  • Bug #291 Check if PURL is valid before adding it to queries.
  • Bug #293 Avoid infinite loops parsing Maven poms with syntax errors.
  • Bug #295 Set the version in the source code, so that the version is displayed in most package managers.
  • Bug #297 Support Pipenv develop packages without versions.

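The two Maven fixes above (#267 and #279) both come down to how numeric version components are compared: "1.01" must equal "1.1", and a missing or all-zero trailing component must count as zero. The comparator below is an added example for this page, not osv-scanner's Maven implementation, and it covers only the purely numeric dot-separated case (Maven's real ordering also handles qualifiers such as -SNAPSHOT, which this example rejects rather than guesses at). It compares components as digit strings after stripping leading zeros, so very long components cannot overflow an integer type.

```go
package main

import (
	"fmt"
	"strings"
)

// canonicalNumber strips leading zeros from a numeric component so that
// "007" and "7" compare equal; an all-zero component becomes "0".
func canonicalNumber(s string) string {
	s = strings.TrimLeft(s, "0")
	if s == "" {
		return "0"
	}
	return s
}

// compareNumber orders two canonical digit strings without converting them to
// integers: the longer string is the larger number, and equal lengths fall
// back to lexical order, which is numeric order for same-length digit strings.
func compareNumber(a, b string) int {
	if len(a) != len(b) {
		if len(a) < len(b) {
			return -1
		}
		return 1
	}
	return strings.Compare(a, b)
}

// components splits a version into canonical numeric parts, rejecting empty
// or non-digit components instead of silently misordering them.
func components(v string) ([]string, error) {
	if v == "" {
		return nil, fmt.Errorf("empty version")
	}
	parts := strings.Split(v, ".")
	for i, p := range parts {
		if p == "" || strings.Trim(p, "0123456789") != "" {
			return nil, fmt.Errorf("non-numeric component %q in version %q", p, v)
		}
		parts[i] = canonicalNumber(p)
	}
	return parts, nil
}

// CompareNumericVersions returns -1, 0 or 1 for a < b, a == b, a > b.
// A missing trailing component counts as zero, so "1.0" == "1" and "0" == "0.0.0".
func CompareNumericVersions(a, b string) (int, error) {
	pa, err := components(a)
	if err != nil {
		return 0, err
	}
	pb, err := components(b)
	if err != nil {
		return 0, err
	}
	n := len(pa)
	if len(pb) > n {
		n = len(pb)
	}
	for i := 0; i < n; i++ {
		x, y := "0", "0"
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if c := compareNumber(x, y); c != 0 {
			return c, nil
		}
	}
	return 0, nil
}

func main() {
	// Constructed sample pairs exercising leading zeros and zero padding.
	pairs := [][2]string{{"1.01", "1.1"}, {"1.0", "1"}, {"1.010", "1.9"}, {"2", "10"}}
	for _, p := range pairs {
		c, err := CompareNumericVersions(p[0], p[1])
		fmt.Printf("%s vs %s: %d %v\n", p[0], p[1], c, err)
	}
}
```

Treating an absent component as zero is what makes "1.0" and "1" equal; a comparator that instead stops at the shorter length and then prefers the longer version would rank "1.0" above "1" and could wrongly report a fixed version as still affected.
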
API Features

  • Feature #310 Improve the OSV models to allow for 3rd party use of the library.

Full Changelog: v1.2.0...v1.3.0

v1.2.0

23 Feb 01:36
9647b49

Fixes

  • Bug #161 Exit with a non-zero exit code when there is a general error.
  • Bug #185 Properly omit Source from JSON output.

Full Changelog: v1.1.0...v1.2.0

v1.1.0

12 Jan 03:49
a6c6cd7

What's Changed

This update adds support for the NuGet ecosystem and various bug fixes by the community.

  • Feature #98: Support for NuGet ecosystem.
  • Feature #71: Now supports Pipfile.lock scanning.
  • Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
  • Bug #105: Fix rare cases of too many open file handles.
  • Bug #131: Fix table highlighting overflow.
  • Bug #101: Now supports 32 bit systems.

Full Changelog: v1.0.2...v1.1.0

v1.0.2

20 Dec 04:11
e206217

This is a minor patch release to mitigate human-readable output issues on narrow terminals (#85).

What's Changed

  • Move table columns so that the important column is displayed first by @another-rex in #87
  • Shorten affected package to package by @another-rex in #90

Full Changelog: v1.0.1...v1.0.2