Releases: google/osv-scanner

v1.8.4

22 Aug 04:49
4a318af
What's Changed

Features:

  • Feature #1177 Adds an --upgrade-config flag for configuring allowed upgrades on a per-package basis. This also hides and deprecates the previous --disallow-major-upgrades and --disallow-package-upgrades flags.

Fixes:

  • Bug #1123 Fix an issue when running osv-scanner on a project using Go 1.22.

Misc:

  • Feature #638 Update the Go policy to use the stable Go version for builds (updated to Go 1.23).

Full Changelog: v1.8.3...v1.8.4

v1.8.3

07 Aug 04:39
18ab43f
Features:

  • Feature #889 OSV-Scanner now provides "vertical" output format!

Fixes:

  • Bug #1115 Ensure that semantic is passed a valid models.Ecosystem.
  • Bug #1140 Add Maven dependency management to override client.
  • Bug #1149 Handle Maven parent relative path.

Full Changelog: v1.8.2...v1.8.3

v1.8.2

10 Jul 06:21
1ea785e

Fixes:

  • Bug #769 Fixed missing vulnerabilities for debian purls for --experimental-local-db.
  • Bug #1055 Ensure that package exists in affected property.
  • Bug #1072 Filter out unimportant vulnerabilities from vuln group.
  • Bug #1077 Fix rate osv-scanner deadlock.
  • Bug #924 Ensure that npm dependencies retain their "production" grouping.

Full Changelog: v1.8.1...v1.8.2

v1.8.1

21 Jun 02:49
46aee59
v1.8.0/v1.8.1:

Features:

  • Feature #35
    OSV-Scanner now scans transitive dependencies in Maven pom.xml files!
    See our documentation for more information.
  • Feature #944
    The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:
    [[PackageOverrides]]
    # The package name, version, and ecosystem to match against
    name = "lib"
    # If version is not set or empty, it will match every version
    version = "1.0.0"
    ecosystem = "Go"
    # Ignore this package entirely, including license scanning
    ignore = true
    # Override the license of the package
    # This is not used if ignore = true
    license.override = ["MIT", "0BSD"]
    # effectiveUntil = 2022-11-09 # Optional exception expiry date
    reason = "abc"

Minor Updates

  • Feature #1039 The --experimental-local-db flag has been removed and replaced with a new flag, --experimental-download-offline-databases, which better reflects what the flag does.
    To replicate the behavior of the original --experimental-local-db flag, replace it with both the --experimental-offline and --experimental-download-offline-databases flags. This runs osv-scanner in offline mode but downloads the latest version of the vulnerability databases before scanning.

Fixes:

  • Bug #1000 Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

New Contributors

  • @np5 made their first contribution in #1029

Full Changelog: v1.7.4...v1.8.1

v1.7.4

30 May 01:58
d4657bf
v1.7.4:

Features:

  • Feature #943 Support scanning gradle/verification-metadata.xml files.

Misc:

  • Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

Full Changelog: v1.7.3...v1.7.4

v1.7.3

09 May 00:54
645d5b0

v1.7.3:

Fixes:

  • Bug #938 Ensure the sarif output has a stable order.
  • Bug #922 Support filtering on alias IDs in Guided Remediation.

Full Changelog: v1.7.2...v1.7.3

v1.7.2

19 Apr 00:53
032296d
v1.7.2:

Fixes:

  • Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
  • Bug #908 Fix Rust call analysis by explicitly disabling the stripping of debug info.
  • Bug #914 Fix a regression in Go call analysis introduced in 1.7.0.

v1.7.1:

(There was no Github release for this version)

Fixes

  • Bug #856
    Add retry logic to make calls to the OSV.dev API more resilient. Combined with changes to OSV.dev's API, this should result in far fewer timeout errors.

API Features

  • Feature #781
    Add MakeVersionRequestsWithContext().
  • Feature #857
    API and networking related errors now have their own error type and exit code (exit code 129).

Full Changelog: v1.7.0...v1.7.2

v1.7.0

06 Mar 04:34
037c354
This version introduces our new guided remediation feature for npm! Try it with osv-scanner fix today!

Features

  • Feature #352 Guided Remediation
    Introducing our new experimental guided remediation feature in the osv-scanner fix subcommand.
    See our docs for detailed usage instructions.

  • Feature #805
    Include CVSS MaxSeverity in JSON output.

Fixes

  • Bug #818
    Align GoVulncheck Go version with go.mod.

  • Bug #797
    Don't traverse gitignored dirs for gitignore files.

Miscellaneous

  • #831
    Remove version number from the release binary name.

Full Changelog: v1.6.2...v1.7.0

v1.6.2

31 Jan 04:13
5b4066c
Features

  • Feature #694 OSV-Scanner now has subcommands!
    The base command has been moved to scan (currently the only command is scan). By default, if you do not pass in a command, scan is used, so the CLI remains backward compatible.

    This is a building block to adding the guided remediation feature. See issue #352 for more details!

  • Feature #776 Add pdm lockfile support.

API Features

  • Feature #754 Add dependency groups to flattened vulnerabilities output.

New Contributors

  • @jtt made their first contribution in #776

Full Changelog: v1.6.1...v1.6.2

v1.6.1

18 Jan 01:37
f6b0443
v1.6.0/v1.6.1:

Features

  • Feature #694 Add support for NuGet lock files version 2.

  • Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

  • Feature #702 Created an option to skip/disable upload to code scanning.

  • Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.

  • Feature #729 Verify the spdx licenses passed in to the license allowlist.

Fixes

  • Bug #736 Show the ecosystem and version, when that info exists, even if git information is shown.

  • Bug #703 Return an error if both license scanning and local/offline scanning are enabled simultaneously.

  • Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

  • Bug #704 Get the Go stdlib version from go.mod.

API Features

  • Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

Full Changelog: v1.5.0...v1.6.0-alpha3