Releases: google/osv-scanner
v1.3.5
Features
- Feature #409 Adds an additional column to the table output which shows the severity if available.
API Features
- Feature #424
- Feature #417
- Update the models package to better reflect the osv schema, including:
  - Add the withdrawn field
  - Improve timestamp serialization
  - Add related field
  - Add additional ecosystem constants
  - Add new reference types
  - Add YAML tags
New Contributors
- @giovanni-bozzano made their first contribution in #409
Full Changelog: v1.3.4...v1.3.5
v1.3.4
v1.3.3
Fixes
- Bug #369 Fix requirements.txt misparsing lines that contain --hash.
- Bug #237 Clarify when no vulnerabilities are found.
- Bug #354 Fix cycle in requirements.txt causing infinite recursion.
- Bug #367 Fix panic when parsing empty lockfile.
API Features
- Feature #357 Update pkg/osv to allow overriding the http client / transport.
New Contributors
- @jeffmendoza made their first contribution in #357
- @robotdana made their first contribution in #367
- @khareyash05 made their first contribution in #368
Full Changelog: v1.3.2...v1.3.3
v1.3.2
Fixes
- Bug #341 Make the reporter public to allow calling DoScan with non nil reporters.
- Bug #335 Improve SBOM parsing and relax name requirements when explicitly scanning with --sbom.
- Bug #333 Improve scanning speed for regex heavy lockfiles by caching regex compilation.
- Bug #349 Improve SBOM documentation and error messages.
New Contributors
Full Changelog: v1.3.1...v1.3.2
v1.3.1
Changelog
Fixes
- Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.
Full Changelog: v1.3.0...v1.3.1
v1.3.0
What's Changed
Major Features:
- Feature #198 GoVulnCheck integration! Try it out when scanning go code by adding the --experimental-call-analysis flag.
- Feature #260 Support -r flag in requirements.txt files.
- Feature #300 Make IgnoredVulns also ignore aliases.
- Feature #304 OSV-Scanner now runs faster when there are multiple vulnerabilities.
Fixes
- Bug #249 Support yarn locks with quoted properties.
- Bug #232 Parse nested CycloneDX components correctly.
- Bug #257 More specific cyclone dx parsing.
- Bug #256 Avoid panic when parsing file: dependencies in pnpm lockfiles.
- Bug #261 Deduplicate packages that appear multiple times in Pipenv.lock files.
- Bug #267 Properly handle comparing zero versions in Maven.
- Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
- Bug #291 Check if PURL is valid before adding it to queries.
- Bug #293 Avoid infinite loops parsing Maven poms with syntax errors.
- Bug #295 Set version in the source code; this allows the version to be displayed in most package managers.
- Bug #297 Support Pipenv develop packages without versions.
API Features
- Feature #310 Improve the OSV models to allow for 3rd party use of the library.
New Contributors
- @raboof made their first contribution in #253
- @spencerschrock made their first contribution in #294
- @calebbrown made their first contribution in #310
Full Changelog: v1.2.0...v1.3.0
v1.2.0
Major Features:
- Feature #168 Support for scanning debian package status file, usually located in /var/lib/dpkg/status. Thanks @cmaritan
- Feature #94 Specify what parser should be used in --lockfile.
- Feature #158 Specify output format to use with the --format flag.
- Feature #165 Respect .gitignore files by default when scanning.
- Feature #156 Support markdown table output format. Thanks @deftdawg
- Feature #59 Support conan.lock lockfiles and ecosystem. Thanks @SSE4
- Updated documentation! Check it out here: https://google.github.io/osv-scanner/
Minor Updates:
- Feature #178 Support SPDX 2.3.
- Feature #221 Support dependencyManagement section in Maven poms.
- Feature #167 Make osvscanner API library public.
- Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
- Feature #220 Vulnerability output is ordered deterministically.
- Feature #179 Log number of packages scanned from SBOM.
- General dependency updates
Fixes
- Bug #161 Exit with non zero exit code when there is a general error.
- Bug #185 Properly omit Source from JSON output.
New Contributors
- @inferno-chromium made their first contribution in #139
- @davift made their first contribution in #141
- @SSE4 made their first contribution in #59
- @deftdawg made their first contribution in #156
- @hayleycd made their first contribution in #171
- @michaelkedar made their first contribution in #191
- @dependabot made their first contribution in #222
Full Changelog: v1.1.0...v1.2.0
v1.1.0
What's Changed
This update adds support for the NuGet ecosystem and various bug fixes by the community.
- Feature #98: Support for NuGet ecosystem.
- Feature #71: Now supports Pipfile.lock scanning.
- Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
- Bug #105: Fix rare cases of too many open file handles.
- Bug #131: Fix table highlighting overflow.
- Bug #101: Now supports 32-bit systems.
New Contributors
- @chenrui333 made their first contribution in #89
- @myersg86 made their first contribution in #103
- @kpcyrd made their first contribution in #104
- @shawnfunke made their first contribution in #98
- @andrewpollock made their first contribution in #116
- @wolf99 made their first contribution in #100
- @newdominic made their first contribution in #66
- @cmaritan made their first contribution in #107
- @jfhovinne made their first contribution in #109
- @ChronicLynx made their first contribution in #127
- @rhysd made their first contribution in #131
Full Changelog: v1.0.2...v1.1.0
v1.0.2
This is a minor patch release to mitigate human readable output issues on narrow terminals (#85).
What's Changed
- Move table columns so that the important column is displayed first by @another-rex in #87
- shorten affected package to package by @another-rex in #90
New Contributors
- @hi-artem made their first contribution in #77
- @stevehipwell made their first contribution in #68
Full Changelog: v1.0.1...v1.0.2
v1.0.1
Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community!
ARM64 builds are now also available!
What's Changed
- Fixed #52 - Raise exit code properly on vulnerabilities. by @iurisilvio in #53
- feat: add version command by @jwillker in #50
- Enable arm64 build target by @another-rex in #56
- Ci updates by @cpanato in #48
- Add gradle lockfile support by @abhisek in #46
- Update README.md by @helmutkemper in #58
New Contributors
- @iurisilvio made their first contribution in #53
- @jwillker made their first contribution in #50
- @cpanato made their first contribution in #48
- @abhisek made their first contribution in #46
- @helmutkemper made their first contribution in #58
Full Changelog: v1.0.0...v1.0.1