OSV-Scanner Changelog

New in OSV-Scanner 1.7.3 (May 9, 2024)

  • Features:
    • Feature #934 Add support for PNPM v9 lockfiles.
  • Fixes:
    • Bug #938 Ensure the SARIF output has a stable order.
    • Bug #922 Support filtering on alias IDs in Guided Remediation.

New in OSV-Scanner 1.7.2 (Apr 19, 2024)

  • Fixes:
    • Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
    • Bug #908 Fix Rust call analysis by explicitly disabling stripping of debug info.
    • Bug #914 Fix regression for Go call analysis introduced in 1.7.0.

New in OSV-Scanner 1.7.0 (Mar 6, 2024)

  • Features:
    • Feature #352 Guided Remediation
      • Introducing our new experimental guided remediation feature on the osv-scanner fix subcommand.
      • See our docs for detailed usage instructions.
    • Feature #805 Include CVSS MaxSeverity in JSON output.
  • Fixes:
    • Bug #818 Align GoVulncheck Go version with go.mod.
    • Bug #797 Don't traverse gitignored dirs for gitignore files.
  • Miscellaneous:
    • #831 Remove version number from the release binary name.

New in OSV-Scanner 1.6.2 (Jan 31, 2024)

  • Features:
    • Feature #694 OSV-Scanner now has subcommands!
      • The base command has been moved to scan (currently the only command is scan). By default, if you do not pass in a command, scan will be used, so the CLI remains backwards compatible.
      • This is a building block for adding the guided remediation feature. See issue #352 for more details!
    • Feature #776 Add pdm lockfile support.
  • API Features:
    • Feature #754 Add dependency groups to flattened vulnerabilities output.

New in OSV-Scanner 1.6.1 (Jan 18, 2024)

  • Features:
    • Feature #694 Add support for NuGet lock files version 2.
    • Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.
    • Feature #702 Created an option to skip/disable upload to code scanning.
    • Feature #732 Add an option to not fail on a vulnerability being found for GitHub Actions.
    • Feature #729 Verify the SPDX licenses passed in to the license allowlist.
  • Fixes:
    • Bug #736 Show ecosystem and version, if the info exists, even when git info is shown.
    • Bug #703 Return an error if both license scanning and local/offline scanning are enabled simultaneously.
    • Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.
    • Bug #704 Get Go stdlib version from go.mod.
  • API Features:
    • Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

New in OSV-Scanner 1.5.0 (Dec 6, 2023)

  • Features:
    • Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
    • Support scanning renv files for the R language ecosystem.
    • Stabilize call analysis for Go!
    • Simplify return codes.
    • Pre-commit hook support.
  • Fixes:
    • We now filter local packages from scans, and report the filtering of those packages.
    • Properly handle file/URL paths on Windows.
    • Remove noise from failed lockfile parsing.
    • Fix filtering of aliases to also include non-OSV aliases.

New in OSV-Scanner 1.4.3 (Nov 2, 2023)

  • Features:
    • Add support for scanning vendored C/C++ files.
    • Scan submodule commit hashes.
  • Fixes:
    • Fix gitignore matching for the root directory.
    • A Go binary not being found should not be an error.
    • Handle npm/yarn aliased packages.
    • Remove some extra newlines in the SARIF report.

New in OSV-Scanner 1.4.2 (Oct 25, 2023)

  • Fixes:
    • Support versions with build metadata in yarn.lock files.
    • Add name field to SARIF rule output.

New in OSV-Scanner 1.4.1 (Oct 6, 2023)

  • Features:
    • Feature #534 New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
    • Feature #57 Experimental GitHub Action!
      • Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new GitHub Action in your repo.
      • Experimental, so it might change with only a minor update.
  • API Features:
    • Feature #557 Add new ecosystems, and a slice containing all of them.

New in OSV-Scanner 1.4.0 (Sep 14, 2023)

  • Features:
    • Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
    • Feature #452 Add (experimental) Rust call analysis: detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
    • Feature #484 Detect the installed Go version and check for vulnerabilities in the standard library.
    • Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.
  • API Features:
    • Feature #451 The lockfile package now supports extracting dependencies directly from any io.Reader, removing the requirement of a file path.
  • Fixes:
    • Bug #457 Fix PURL mapping for Alpine packages.
    • Bug #462 Use correct plural and singular forms based on count.

New in OSV-Scanner 1.3.6 (Jul 19, 2023)

  • Minor Updates:
    • Feature #431 Update GoVulnCheck integration.
    • Feature #439 Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().
  • Fixes:
    • Feature #439 Fix PURLToPackage not returning the full namespace of packages in ecosystems that use them (e.g. golang).

New in OSV-Scanner 1.3.5 (Jun 28, 2023)

  • Features:
    • Feature #409 Adds an additional column to the table output which shows the severity if available.
  • API Features:
    • Feature #424, Feature #417 Update the models package to better reflect the OSV schema, including:
      • Add the withdrawn field
      • Improve timestamp serialization
      • Add related field
      • Add additional ecosystem constants
      • Add new reference types
      • Add YAML tags

New in OSV-Scanner 1.3.4 (Jun 7, 2023)

  • Minor Updates:
    • Feature #390 Add a user agent to OSV API requests.

New in OSV-Scanner 1.3.3 (May 17, 2023)

  • Fixes:
    • Bug: Fix requirements.txt misparsing lines that contain --hash.
    • Bug: Clarify when no vulnerabilities are found.
    • Bug: Fix cycle in requirements.txt causing infinite recursion.
    • Bug: Fix panic when parsing an empty lockfile.
  • API Features:
    • Feature: Update pkg/osv to allow overriding the HTTP client / transport.

New in OSV-Scanner 1.3.2 (Apr 26, 2023)

  • Fixes:
    • Bug #341 Make the reporter public to allow calling DoScan with non-nil reporters.
    • Bug #335 Improve SBOM parsing and relax name requirements when explicitly scanning with --sbom.
    • Bug #333 Improve scanning speed for regex-heavy lockfiles by caching regex compilation.
    • Bug #349 Improve SBOM documentation and error messages.

New in OSV-Scanner 1.3.1 (Mar 30, 2023)

  • Fix segmentation fault when parsing CycloneDX without dependencies.

New in OSV-Scanner 1.3.0 (Mar 28, 2023)

  • Major Features:
    • Feature #198 GoVulnCheck integration! Try it out when scanning Go code by adding the --experimental-call-analysis flag.
    • Feature #260 Support -r flag in requirements.txt files.
    • Feature #300 Make IgnoredVulns also ignore aliases.
    • Feature #304 OSV-Scanner now runs faster when there are multiple vulnerabilities.
  • Fixes:
    • Bug #249 Support yarn locks with quoted properties.
    • Bug #232 Parse nested CycloneDX components correctly.
    • Bug #257 More specific CycloneDX parsing.
    • Bug #256 Avoid panic when parsing file: dependencies in pnpm lockfiles.
    • Bug #261 Deduplicate packages that appear multiple times in Pipenv.lock files.
    • Bug #267 Properly handle comparing zero versions in Maven.
    • Bug #279 Trim leading zeros when comparing numerical components in Maven versions.
    • Bug #291 Check if PURL is valid before adding it to queries.
    • Bug #293 Avoid infinite loops parsing Maven poms with syntax errors.
    • Bug #295 Set the version in the source code, which allows the version to be displayed in most package managers.
    • Bug #297 Support Pipenv develop packages without versions.
  • API Features:
    • Feature #310 Improve the OSV models to allow for third-party use of the library.

New in OSV-Scanner 1.2.0 (Feb 23, 2023)

  • Major Features:
    • Feature #168 Support for scanning the Debian package status file, usually located in /var/lib/dpkg/status. Thanks @cmaritan
    • Feature #94 Specify what parser should be used in --lockfile.
    • Feature #158 Specify output format to use with the --format flag.
    • Feature #165 Respect .gitignore files by default when scanning.
    • Feature #156 Support markdown table output format. Thanks @deftdawg
    • Feature #59 Support conan.lock lockfiles and ecosystem. Thanks @SSE4
    • Updated documentation! Check it out here: https://google.github.io/osv-scanner/
  • Minor Updates:
    • Feature #178 Support SPDX 2.3.
    • Feature #221 Support dependencyManagement section in Maven poms.
    • Feature #167 Make osvscanner API library public.
    • Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
    • Feature #220 Vulnerability output is ordered deterministically.
    • Feature #179 Log number of packages scanned from SBOM.
    • General dependency updates.
  • Fixes:
    • Bug #161 Exit with a non-zero exit code when there is a general error.
    • Bug #185 Properly omit Source from JSON output.

New in OSV-Scanner 1.1.0 (Jan 12, 2023)

  • This update adds support for the NuGet ecosystem and various bug fixes by the community.
    • Feature #98: Support for NuGet ecosystem.
    • Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
    • Bug #105: Fix rare cases of too many open file handles.
    • Bug #131: Fix table highlighting overflow.
    • Bug #101: Now supports 32-bit systems.

New in OSV-Scanner 1.0.2 (Jan 4, 2023)

  • Move table columns so that the important column is displayed first by @another-rex in #87
  • Shorten "affected package" to "package" by @another-rex in #90