v0.7.0
This version adds support for extra databases, which has a bunch of cool use-cases including drafting OSVs locally before submitting them to databases, and exotic use of the OSV specification to check for things that are not technically vulnerabilities but are still undesirable (e.g. dependencies that are end of life, deprecated, unmaintained, or whose license means they can't be used in a project).
When combined with the ability to provide arbitrary packages via CSVs, this can also make it easier for communities who are not yet represented as an official ecosystem in the OSV specification, as they can still begin to author security advisories using the OSV spec with a proposed ecosystem name that the detector can use.
Because extra databases are configured in config files, the detector also now supports ignoring specific parts of config files. Note that by default the detector assumes you trust any config file it finds, including any extra databases that are configured (remote or otherwise); it is up to you to decide whether you want any extra databases to be loaded.
In addition to the above, the detector also now supports parsing mix.lock files for the Hex ecosystem, understands the new last_affected event in OSVs, and uses a unique exit code when it cannot find any supported lockfiles in the provided arguments, which can be useful for tooling.
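As an added illustration (not code from osv-detector itself), the following Python shows what a locally drafted "extra database" entry of the kind described above can look like and how the two OSV range terminators differ: `last_affected` is an inclusive upper bound, while `fixed` is exclusive. The advisory ids, package names and versions are constructed, and the version comparison is a numeric-only simplification of SemVer (no pre-release handling).

```python
import json

# Constructed sample "extra database": two OSV-shaped entries, not real advisories.
# The first flags a deprecated package using an inclusive last_affected bound;
# the second is a conventional vulnerability with an exclusive fixed bound.
EXTRA_DATABASE = json.loads("""
[
  {
    "id": "LOCAL-DEPRECATED-0001",
    "summary": "example-lib is deprecated and unmaintained (constructed example)",
    "affected": [
      {
        "package": {"ecosystem": "Hex", "name": "example-lib"},
        "ranges": [
          {"type": "SEMVER", "events": [{"introduced": "0"}, {"last_affected": "1.4.2"}]}
        ]
      }
    ]
  },
  {
    "id": "LOCAL-VULN-0002",
    "summary": "other-lib issue fixed in 2.3.0 (constructed example)",
    "affected": [
      {
        "package": {"ecosystem": "Hex", "name": "other-lib"},
        "ranges": [
          {"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.0"}]}
        ]
      }
    ]
  }
]
""")


def parse_version(version):
    """Simplified SemVer: dotted integers only, compared as tuples."""
    return tuple(int(part) for part in version.split("."))


def version_in_range(rng, version):
    """Evaluate one OSV SEMVER range against a version.

    Events are processed in order: "introduced" opens an affected interval,
    "fixed" closes it exclusively, "last_affected" closes it inclusively.
    "introduced": "0" means the interval starts at the first release.
    """
    v = parse_version(version)
    introduced = None
    for event in rng["events"]:
        if "introduced" in event:
            introduced = parse_version(event["introduced"])
        elif introduced is not None and "fixed" in event:
            if introduced <= v < parse_version(event["fixed"]):
                return True
            introduced = None
        elif introduced is not None and "last_affected" in event:
            if introduced <= v <= parse_version(event["last_affected"]):
                return True
            introduced = None
    # An interval opened but never closed affects every version from "introduced" onward.
    return introduced is not None and v >= introduced


def is_affected(osv, ecosystem, name, version):
    """True if the OSV entry lists this package/version as affected."""
    for affected in osv["affected"]:
        pkg = affected["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in affected.get("ranges", []):
            if rng["type"] == "SEMVER" and version_in_range(rng, version):
                return True
    return False


def scan(packages, database):
    """Match (ecosystem, name, version) tuples against every entry in the database.

    Returns a list of (name, version, osv_id) for each hit, in input order.
    """
    hits = []
    for ecosystem, name, version in packages:
        for osv in database:
            if is_affected(osv, ecosystem, name, version):
                hits.append((name, version, osv["id"]))
    return hits


# Constructed package list standing in for parsed lockfile/CSV contents.
SAMPLE_PACKAGES = [
    ("Hex", "example-lib", "1.4.2"),   # equals last_affected: still flagged
    ("Hex", "other-lib", "2.3.0"),     # equals fixed: no longer flagged
    ("Hex", "other-lib", "2.2.9"),     # below fixed: flagged
    ("npm", "example-lib", "1.0.0"),   # same name, different ecosystem: ignored
]

if __name__ == "__main__":
    for name, version, osv_id in scan(SAMPLE_PACKAGES, EXTRA_DATABASE):
        print(f"{name}@{version}: {osv_id}")
```

The ecosystem check matters for the "proposed ecosystem name" use case described above: an entry authored for a not-yet-official ecosystem only matches packages reported under that same name, so it cannot accidentally fire on a same-named package from npm or PyPI.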
What's Changed
- support extra databases (#114)
- adjust error message to indicate directories must have "at least one" lockfile (#137)
- support skipping specific parts of configs (#141)
- remove --cache-all-databases flag (#143)
- support last_affected in OSVs (#142)
- support parsing mix.lock (#124)
- use a unique exit code to indicate that no lockfiles could be found in the given args (#138)
Full Changelog: v0.6.2...v0.7.0