v1.7.3:

Features:

• Feature #934 add support for PNPM v9 lockfiles.

Fixes:

• Bug #938 Ensure the sarif output has a stable order.
• Bug #922 Support filtering on alias IDs in Guided Remediation.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.2...v1.7.3

v1.7.2:

Fixes:

• Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
• Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
• Bug #914 Fix regression for go call analysis introduced in 1.7.0.

v1.7.1:

(There was no Github release for this version)

Fixes

• Bug #856 Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.

API Features

• Feature #781 add MakeVersionRequestsWithContext()
• Feature #857 API and networking related errors now has their own error and exit code (Exit Code 129)

New Contributors

• @DavidKorczynski made their first contribution in https://github.com/google/osv-scanner/pull/846
• @tuananh made their first contribution in https://github.com/google/osv-scanner/pull/781
• @omercnet made their first contribution in https://github.com/google/osv-scanner/pull/874
• @Dor1s made their first contribution in https://github.com/google/osv-scanner/pull/877

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.0...v1.7.2

This version introduces our new guided remediation feature for npm! Try it with osv-scanner fix today!

Features

• Feature #352 Guided Remediation Introducing our new experimental guided remediation feature on osv-scanner fix subcommand. See our docs for detailed usage instructions.

• Feature #805 Include CVSS MaxSevirity in JSON output.

Fixes

• Bug #818 Align GoVulncheck Go version with go.mod.

• Bug #797 Don't traverse gitignored dirs for gitignore files.

Miscellaneous

• #831 Remove version number from the release binary name.

New Contributors

• @billielynch made their first contribution in https://github.com/google/osv-scanner/pull/826
• @AppleGamer22 made their first contribution in https://github.com/google/osv-scanner/pull/805
• @robramsaynz made their first contribution in https://github.com/google/osv-scanner/pull/797

Full Changelog: https://github.com/google/osv-scanner/compare/v1.6.2...v1.7.0

Features

• Feature #694 OSV-Scanner now has subcommands! The base command has been moved to scan (currently the only commands is scan). By default if you do not pass in a command, scan will be used, so CLI remains backwards compatible.

  This is a building block to adding the guided remediation feature. See issue #352 for more details!

• Feature #776 Add pdm lockfile support.

API Features

• Feature #754 Add dependency groups to flattened vulnerabilities output.

New Contributors

• @jtt made their first contribution in https://github.com/google/osv-scanner/pull/776

Full Changelog: https://github.com/google/osv-scanner/compare/v1.6.1...v1.6.2

v1.6.0/v1.6.1:

Features

• Feature #694 Add support for NuGet lock files version 2.

• Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

• Feature #702 Created an option to skip/disable upload to code scanning.

• Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.

• Feature #729 Verify the spdx licenses passed in to the license allowlist.

Fixes

• Bug #736 Show ecosystem and version even if git is shown if the info exists.

• Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.

• Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.

• Bug #704 Get go stdlib version from go.mod.

API Features

• Feature #727 Changes to Reporter methods to add verbosity levels and to deprecate functions.

New Contributors

• @geekNero made their first contribution in https://github.com/google/osv-scanner/pull/718

Full Changelog: https://github.com/google/osv-scanner/compare/v1.5.0...v1.6.0-alpha3

Changelog

Features

• Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
• Feature #642 Support scanning renv files for the R language ecosystem.
• Feature #513 Stabilize call analysis for Go! The experimental --experimental-call-analysis flag has now been updated to:

  --call-analysis=<language/all>
  --no-call-analysis=<language/all>
  

  with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
• Feature #676 Simplify return codes:
  • Return 0 if there are no findings or errors.
  • Return 1 if there are any findings (license violations or vulnerabilities).
  • Return 128 if no packages are found.
• Feature #651 CVSS v4.0 support.
• Feature #60 Pre-commit hook support.

Fixes

• Bug #639 We now filter local packages from scans, and report the filtering of those packages.
• Bug #645 Properly handle file/url paths on Windows.
• Bug #660 Remove noise from failed lockfile parsing.
• Bug #649 No longer include vendored libraries in C/C++ package analysis.
• Bug #634 Fix filtering of aliases to also include non OSV aliases

New Contributors

• @hogo6002 made their first contribution in https://github.com/google/osv-scanner/pull/665
• @pandatix made their first contribution in https://github.com/google/osv-scanner/pull/651
• @kemzeb made their first contribution in https://github.com/google/osv-scanner/pull/669

Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.3...v1.5.0

Features

• Feature #621 Add support for scanning vendored C/C++ files.
• Feature #581 Scan submodules commit hashes.

Fixes

• Bug #626 Fix gitignore matching for root directory
• Bug #622 Go binary not found should not be an error
• Bug #588 handle npm/yarn aliased packages
• Bug #607 fix: remove some extra newlines in sarif report

New Contributors

• @cuixq made their first contribution in https://github.com/google/osv-scanner/pull/610
• @josieang made their first contribution in https://github.com/google/osv-scanner/pull/614

Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.2...v1.4.3

v1.4.2:

Some minor fixes in this release.

Fixes

• Bug #574 Support versions with build metadata in yarn.lock files
• Bug #599 Add name field to sarif rule output

Full Changelog: https://github.com/google/osv-scanner/compare/v1.4.1...v1.4.2

v1.4.1:

Features

• Feature #534 New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
• Experimental Feature #57 Experimental Github Action! Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo. Experimental, so might change with only a minor update.

API Features

• Feature #557 Add new ecosystems, and a slice containing all of them.

v1.4.0:

Features

• Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
• Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
• Feature #484 Detect the installed go version and checks for vulnerabilities in the standard library.
• Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate osv-scanner.json for osv-scanner to scan. See our documentation for instructions.

API Features

• Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.

Fixes

• Bug #457 Fix PURL mapping for Alpine packages
• Bug #462 Use correct plural and singular forms based on count

New Contributors

• @theinfosecguy made their first contribution in https://github.com/google/osv-scanner/pull/441

Full Changelog: https://github.com/google/osv-scanner/compare/v1.3.6...v1.4.0