Releases: google/osv-scanner

v1.6.1

18 Jan 01:37
f6b0443

v1.6.0/v1.6.1:

Features

  • Feature #694 Add support for NuGet lock files version 2.

  • Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

  • Feature #702 Created an option to skip/disable upload to code scanning.

  • Feature #732 Add an option for the GitHub Action to not fail when a vulnerability is found.

  • Feature #729 Verify the SPDX licenses passed to the license allowlist.

Fixes

  • Bug #736 Show the ecosystem and version, when that information exists, even if git information is also shown.

  • Bug #703 Return an error if both license scanning and local/offline scanning are enabled simultaneously.

  • Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

  • Bug #704 Get the Go stdlib version from go.mod.

API Features

  • Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

Full Changelog: v1.5.0...v1.6.0-alpha3

v1.5.0

06 Dec 03:58
060799c

Changelog

Fixes

  • Bug #639 We now filter local packages from scans, and report the filtering of those packages.
  • Bug #645 Properly handle file/url paths on Windows.
  • Bug #660 Remove noise from failed lockfile parsing.
  • Bug #649 No longer include vendored libraries in C/C++ package analysis.
  • Bug #634 Fix filtering of aliases to also include non-OSV aliases.

Full Changelog: v1.4.3...v1.5.0

v1.4.3

02 Nov 01:12
6316373

Fixes

  • Bug #626 Fix .gitignore matching for the root directory.
  • Bug #622 A missing Go binary is no longer treated as an error.
  • Bug #588 Handle npm/yarn aliased packages.
  • Bug #607 Remove extra newlines in the SARIF report.

Full Changelog: v1.4.2...v1.4.3

v1.4.2

25 Oct 04:18
1372552

v1.4.2:

Some minor fixes in this release.

Fixes

  • Bug #574 Support versions with build metadata in yarn.lock files.
  • Bug #599 Add a name field to the SARIF rule output.

Full Changelog: v1.4.1...v1.4.2

v1.4.1

06 Oct 00:56
c509779

v1.4.1:

API Features

  • Feature #557 Add new ecosystems, and a slice containing all of them.

v1.4.0

14 Sep 02:02
51fc4fd

v1.4.0:

Features

  • Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
  • Feature #452 Add (experimental) Rust call analysis: detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
  • Feature #484 Detect the installed Go version and check for vulnerabilities in the standard library.
  • Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.

API Features

  • Feature #451 The lockfile package now supports extracting dependencies directly from any io.Reader, removing the requirement of a file path.

Fixes

  • Bug #457 Fix PURL mapping for Alpine packages.
  • Bug #462 Use the correct plural and singular forms based on count.

Full Changelog: v1.3.6...v1.4.0

v1.3.6

19 Jul 05:47
b5f7502

Minor Updates

  • Feature #431 Update GoVulnCheck integration.
  • Feature #439 Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().

Fixes

  • Feature #439 Fix PURLToPackage not returning the full namespace of packages in ecosystems that use them (e.g. golang).

Full Changelog: v1.3.5...v1.3.6

v1.3.5

28 Jun 06:16
62df1c5

v1.3.5:

Features

  • Feature #409
    Add an additional column to the table output showing the severity, if available.

API Features

  • Feature #424
  • Feature #417 Update the models package to better reflect the OSV schema, including:
    • Add the withdrawn field
    • Improve timestamp serialization
    • Add the related field
    • Add additional ecosystem constants
    • Add new reference types
    • Add YAML tags

Full Changelog: v1.3.4...v1.3.5

v1.3.4

07 Jun 03:57
b5af6c7

Full Changelog: v1.3.3...v1.3.4

v1.3.3

17 May 05:05
dbeadde

v1.3.3:

Fixes

  • Bug #369 Fix requirements.txt misparsing lines that contain --hash.
  • Bug #237 Clarify the output when no vulnerabilities are found.
  • Bug #354 Fix a cycle in requirements.txt causing infinite recursion.
  • Bug #367 Fix a panic when parsing an empty lockfile.

API Features

  • Feature #357 Update pkg/osv to allow overriding the HTTP client/transport.

Full Changelog: v1.3.2...v1.3.3