v1.9.1

OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.

Here's a peek at some of the exciting upcoming features:

• Standalone container image scanning support.
  • Including support for Alpine and Debian images.
• Refactored internals to use osv-scalibr library for better extraction capabilities.
• HTML output format for clearer vulnerability results.
• More control over output format and logging.
• ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.

---

This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

v1.9.1

Features:

• Feature #1295 Support offline database in fix subcommand.
• Feature #1342 Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
• Feature #1045 Support private registries for Maven.
• Feature #1226 Support vulnerabilities.ignore in package overrides.

Fixes:

• Bug #604 Use correct path separator in SARIF output when on Windows.
• Bug #330 Warn about and ignore duplicate entries in SBOMs.
• Bug #1325 Set CharsetReader and Entity when reading pom.xml.
• Bug #1310 Update spdx license ids.
• Bug #1288 Sort sbom packages by PURL.
• Bug #1285 Improve handling if docker exits with a non-zero code when trying to scan images

API Changes:

• Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
  which are not commonly used to give us more room to make better API designs. These include:
  • config
  • depsdev
  • grouper
  • spdx

Misc

• Update build to go1.23.2

New Contributors

• @emmanuel-ferdman made their first contribution in #1351

Full Changelog: v1.9.0...v1.9.1

v1.9.0

What's Changed

Features:

• Feature #1243 Allow explicitly ignoring the license of a package in config with license.ignore = true.
• Feature #1249 Error if configuration file has unknown properties.
• Feature #1271 Assume .txt files with "requirements" in their name are requirements.txt files

Fixes:

• Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
• Bug #1241 Display (no reason given) when there is no reason in the override config.
• Bug #1252 Don't allow LoadPath to be set via config file.
• Bug #1279 Report all ecosystems without local databases in one single line.
• Bug #1283 Output invalid PURLs when scanning SBOMs.
• Bug #1278 Apply go version override to all instances of the stdlib.

Misc:

• #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
• #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Full Changelog: v1.8.5...v1.9.0

v1.8.5

What's Changed

Features:

• Feature #1160 Support fetching snapshot versions from a Maven registry.
• Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
• Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.

Fixes:

• Bug #1220 Fix govulncheck calls on C code.
• Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.

Full Changelog: v1.8.4...v1.8.5

v1.8.4

What's Changed

Features:

• Feature #1177 Adds --upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous --disallow-major-upgrades and --disallow-package-upgrades flags.

Fixes:

• Bug #1123 Issue when running osv-scanner on project running with golang 1.22 #1123

Misc:

• Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)

Full Changelog: v1.8.3...v1.8.4

v1.8.3

Features:

• Feature #889 OSV-Scanner now provides "vertical" output format!

Fixes:

• Bug #1115 Ensure that semantic is passed a valid models.Ecosystem.
• Bug #1140 Add Maven dependency management to override client.
• Bug #1149 Handle Maven parent relative path.

Misc:

• Feature #1091 Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen!
• Feature #1125 Workflow for stale issue and PR management.

Full Changelog: v1.8.2...v1.8.3

v1.8.2

Features:

• Feature #1014 Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev!

Fixes:

• Bug #769 Fixed missing vulnerabilities for debian purls for --experimental-local-db.
• Bug #1055 Ensure that package exists in affected property.
• Bug #1072 Filter out unimportant vulnerabilities from vuln group.
• Bug #1077 Fix rate osv-scanner deadlock.
• Bug #924 Ensure that npm dependencies retain their "production" grouping.

New Contributors

• @neilnaveen made their first contribution in #1076
• @marcwieserdev made their first contribution in #1014
• @GeoDerp made their first contribution in #1073

Full Changelog: v1.8.1...v1.8.2

v1.8.1

v1.8.0/v1.8.1:

Features:

• Feature #35
  OSV-Scanner now scans transitive dependencies in Maven pom.xml files!
  See our documentation for more information.
• Feature #944
  The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"

Minor Updates

• Feature #1039 The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
  To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

• Bug #1000 Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

New Contributors

• @np5 made their first contribution in #1029

Full Changelog: v1.7.4...v1.8.1

v1.7.4

v1.7.4:

Features:

• Feature #943 Support scanning gradle/verification-metadata.xml files.

Misc:

• Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

New Contributors

• @khorben made their first contribution in #969

Full Changelog: v1.7.3...v1.7.4

v1.7.3

v1.7.3:

Features:

• Feature #934 add support for PNPM v9 lockfiles.

Fixes:

• Bug #938 Ensure the sarif output has a stable order.
• Bug #922 Support filtering on alias IDs in Guided Remediation.

Full Changelog: v1.7.2...v1.7.3

v1.7.2

v1.7.2:

Fixes:

• Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
• Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
• Bug #914 Fix regression for go call analysis introduced in 1.7.0.

v1.7.1:

(There was no Github release for this version)

Fixes

• Bug #856
  Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.

API Features

• Feature #781
  add MakeVersionRequestsWithContext()
• Feature #857
  API and networking related errors now has their own error and exit code (Exit Code 129)

New Contributors

• @DavidKorczynski made their first contribution in #846
• @tuananh made their first contribution in #781
• @omercnet made their first contribution in #874
• @Dor1s made their first contribution in #877

Full Changelog: v1.7.0...v1.7.2