Feature #2815 Add support for the CycloneDX 1.7 specification (bumps cyclonedx-go to v0.11.0).
Feature #2799 Enable .csproj and Central Package Management (nugetcpm) source scanning plugins by default.
Feature #2871 Extract and parse Alpine OS distro version (e.g. Alpine:v3.17, Alpine:edge) from PURL distro qualifiers to scan packages under their respective Alpine ecosystems.
Feature #2801 Enable the swift/packageresolved plugin by default to support SwiftURL vulnerability scans.
Feature #2666 Add a Docker-based variant of the pre-commit hook in .pre-commit-hooks.yaml to avoid local compilation.
Feature #2637 Add a new configuration setting ScanGoModVersion (disabled by default) to avoid parsing toolchain version directives directly from go.mod, preventing misleading warnings.
Feature #2772 Scan container images built with Canonical Chisel by enabling the os/chisel extractor plugin.
Fixes:
Bug #2807 Sanitize package name, source, and version fields in the vertical output format to prevent GitHub Actions workflow command injection vulnerabilities from crafted lock files.
Bug #2876 Improve HTML scan report usability by supporting standard click modifiers (Ctrl/Cmd/middle click) to open vulnerabilities in new tabs, and preserving scroll position when switching tabs.
Bug #2783 Keep transitive dependency scanning enabled when specifying the --offline-vulnerabilities flag.
Bug #2808 Deduplicate equivalent OSV matcher requests before executing bulk queries to reduce API overhead.
Bug #2837 Prevent panics during offline matcher scans (e.g. on unsupported GitHub Actions ecosystem) by avoiding parsing errors when checking version ranges.
Bug #2836 Ensure the scanner returns an exit code of 0 when --help or -h is explicitly requested.
Misc:
Update Go version to 1.26.4.
Update osv-scalibr to v0.4.6-0.20260612031204-164402d9140e.
Tag built Docker and GitHub Action images with the major version (e.g. :v2) to allow users to pin to a major version (#2857).
New Contributors
@herdiyana256 made their first contribution in https://github.com/google/osv-scanner/pull/2801
@zhijie-yang made their first contribution in https://github.com/google/osv-scanner/pull/2772
@francose made their first contribution in https://github.com/google/osv-scanner/pull/2837
@rohan-patnaik made their first contribution in https://github.com/google/osv-scanner/pull/2808
@evilgensec made their first contribution in https://github.com/google/osv-scanner/pull/2807
@gotgolem made their first contribution in https://github.com/google/osv-scanner/pull/2783
@Khuzaimx made their first contribution in https://github.com/google/osv-scanner/pull/2857
Full Changelog: https://github.com/google/osv-scanner/compare/v2.3.8...v2.4.0
v2.3.8 — 2026-05-08 other
v2.3.8
Fixes:
Fix installation issues with go install due to dependency conflicts (downgrade containerd/cgroups/v3, moby/buildkit and opencontainers/runtime-spec). (#2782)
Bug #2762 Skip packages with short commit hashes instead of aborting scan.
Bug #2781 Secure file path handling with os.OpenRoot.
Bug #2766 Correct typos across docs, configs, and Go source.
Misc:
Update osv-scalibr to v0.4.6-0.20260504042738-9293bfa4f86f.
v2.3.6 — 2026-05-01 security
v2.3.6
Features:
Feature #2658 Support regex matching for package name overrides.
Feature #2510 Scan Homebrew inventory using git repository metadata.
Fixes:
Bug #2750 Sanitize \r/\n in default/table/vertical output to prevent GitHub Actions workflow command injection.
Bug #2641 Correctly output packages from osv-scanner.json source in spdx format.
Bug #2729 Increase color contrast of vulnerability stats.
Bug #2664 Remove second newline at end of vertical output.
Bug #2669 Sanitize \r in gh-annotations to prevent GitHub Actions workflow command injection.
Misc:
Update osv-scalibr to v0.4.6-0.20260428235529-7791e288d6c1.
Update Go version to 1.26.2 (#2706).
New Contributors
@djvirus9 made their first contribution in https://github.com/google/osv-scanner/pull/2669
@jonjensen made their first contribution in https://github.com/google/osv-scanner/pull/2695
@dosisod made their first contribution in https://github.com/google/osv-scanner/pull/2729
@ibondarenko1 made their first contribution in https://github.com/google/osv-scanner/pull/2748
@sjhddh made their first contribution in https://github.com/google/osv-scanner/pull/2744
@Mananshah237 made their first contribution in https://github.com/google/osv-scanner/pull/2641
@majiayu000 made their first contribution in https://github.com/google/osv-scanner/pull/2658
@hits313 made their first contribution in https://github.com/google/osv-scanner/pull/2750
Full Changelog: https://github.com/google/osv-scanner/compare/v2.3.5...v2.3.6
v2.3.5 — 2026-03-25 feature
v2.3.5
v2.3.5
Features:
Feature #2571 Enable transitive scanning for Python requirements.txt files using the deps.dev API.
Feature #2649 Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabled.
Fixes:
Bug #2630 Improve startup performance on Windows Terminal by updating lipgloss.
Bug #2599 Ensure the package deprecation enricher respects the same configuration as other plugins.
Bug #2600 Ensure the Java extractor plugin for call analysis respects the same configuration as other plugins.
Misc:
Update osv-scalibr from v0.4.2 to v0.4.5. Release notes: v0.4.3, v0.4.4, v0.4.5.
Fix broken release workflow.
New Contributors
@gurusai-voleti made their first contribution in https://github.com/google/osv-scanner/pull/2520
@hopkincame made their first contribution in https://github.com/google/osv-scanner/pull/2564
@tobyhawker made their first contribution in https://github.com/google/osv-scanner/pull/2639
Full Changelog: https://github.com/google/osv-scanner/compare/v2.3.3...v2.3.5
v2.3.3 — 2026-02-12 feature
v2.3.3
Features:
Feature #2458 Add --exclude flag to skip paths during scanning.
Feature #2475 Add base image info to container scanning output header (in table, markdown and vertical formats).
Misc:
Update Go version to 1.25.7.
Update osv-scalibr from v0.4.1 to v0.4.2. Release note.
Refactor to better align with osv-scalibr plugins and inventory data structure.
Full Changelog: https://github.com/google/osv-scanner/compare/v2.3.2...v2.3.3
v2.3.2 — 2026-01-15 security
v2.3.2
v2.3.2
This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.
Bug #2456 Properly track if an ignore entry has been used
Bug #2450Performance: Avoid loading the entire advisory unless it will actually be used
Bug #2445Performance: Don't read the entire zip into memory
Bug #2433 Allow specifying user agent in v2 osvscanner package
Misc:
Misc #2453 Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
Misc #2447 Include bun.lock as a supported lockfile
Misc #2444 Document GoVersionOverride in configuration.md
New Contributors
@catatsuy made their first contribution in https://github.com/google/osv-scanner/pull/2437
@google-labs-jules[bot] made their first contribution in https://github.com/google/osv-scanner/pull/2444
@fumblehool made their first contribution in https://github.com/google/osv-scanner/pull/2447
@scop made their first contribution in https://github.com/google/osv-scanner/pull/2453
@Ankitsinghsisodya made their first contribution in https://github.com/google/osv-scanner/pull/2457
Full Changelog: https://github.com/google/osv-scanner/compare/v2.3.1...v2.3.2
v2.3.1 — 2025-12-11 feature
v2.3.1
v2.3.1
Features:
Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.
Fixes:
Bug #2395 Fix license scanning to correctly match new deps.dev package names.
Bug #2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.
Misc:
Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.
v2.3.0 — 2025-11-19 feature
v2.3.0
This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users.
Features:
Feature #2321 Add support for license checks for RubyGems.
Feature #2294 Replace requirementsenhanceable extractor with transitive enricher.
@brabster made their first contribution in https://github.com/google/osv-scanner/pull/2072
@Aejkatappaja made their first contribution in https://github.com/google/osv-scanner/pull/2032
@dizzydroid made their first contribution in https://github.com/google/osv-scanner/pull/2106
Full Changelog: https://github.com/google/osv-scanner/compare/v2.1.0...v2.2.0
v2.1.0 — 2025-07-11 security
v2.1.0
v2.1.0
Features:
Feature #2038 Add CycloneDX location field to the output source string.
Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy.
Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and adds a --show-all-vulns flag to show all.
Feature #2003 Add experimental summary output format for the reporter.
Feature #1988 Add support for CycloneDX 1.6 report format.
Feature #1987 Add support for gems.locked files used by Bundler.
Feature #1980 Enable transitive dependency extraction for Python requirements.txt files.
Feature #1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
Feature #1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
Feature #1957 Use a dedicated exit code for invalid configuration files.
Fixes:
Bug #2046 Correctly set the user agent string for all outgoing requests.
Bug #2019 Use more natural language in the descriptions for extractor-related flags.
Bug #1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
Bug #2000 Ensure CDATA content in XML is correctly outputted in guided remediation.
Bug #1949 Fix filtering of package types in vulnerability counts.
New Contributors
@Vialathor made their first contribution in https://github.com/google/osv-scanner/pull/1949
Full Changelog: https://github.com/google/osv-scanner/compare/v2.0.3...v2.1.0
v2.0.3 — 2025-06-16 feature
v2.0.3
v2.0.3
Features:
Feature #1943 Added a flag to suppress "no package sources found" error.
Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3
Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.
Fixes:
Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
Bug #1857 Fix an issue where SPDX output is not correctly outputted because it was getting overwritten.
Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
Bug #1930 Fix issue where Maven client loses auth data during extraction.
Misc:
Update dependencies and updated golang to 1.24.4
New Contributors
@jacj9 made their first contribution in https://github.com/google/osv-scanner/pull/1860
@ikkebr made their first contribution in https://github.com/google/osv-scanner/pull/1830
@LeonLow97 made their first contribution in https://github.com/google/osv-scanner/pull/1882
@osv-robot made their first contribution in https://github.com/google/osv-scanner/pull/1912
@laojianzi made their first contribution in https://github.com/google/osv-scanner/pull/1922
@Avgor46 made their first contribution in https://github.com/google/osv-scanner/pull/1916
Full Changelog: https://github.com/google/osv-scanner/compare/v2.0.2...v2.0.3
v2.0.2 — 2025-04-30 other
v2.0.2
Fixes:
Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
Bug #1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.
New Contributors
@s-index made their first contribution in https://github.com/google/osv-scanner/pull/1812
@shahar-h made their first contribution in https://github.com/google/osv-scanner/pull/1842
Full Changelog: https://github.com/google/osv-scanner/compare/v2.0.1...v2.0.2
v2.0.1 — 2025-04-03 feature
v2.0.1
Changelog
### Features:
Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
Feature #1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
Feature #1761 Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.
### Fixes:
Bug #1752 Fix paging depth issue when querying the osv.dev API.
Bug #1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
Bug #1717 Fix issue where nested CycloneDX components were not being parsed.
Bug #1744 Fix issue where empty CycloneDX SBOMs was causing a panic.
Bug #1726 De-duplicate references in CycloneDX report output for improved validity.
Bug #1727 Remove automatic opening of HTML reports in the browser (fixes #1721).
Bug #1735 Require a tag when scanning container images to prevent potential errors.
@AlexLaroche made their first contribution in https://github.com/google/osv-scanner/pull/1730
@kuscar made their first contribution in https://github.com/google/osv-scanner/pull/1726
Full Changelog: https://github.com/google/osv-scanner/compare/v2.0.0...v2.0.1
v2.0.0 — 2025-03-17 security
v2.0.0
This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.
Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.
Features:
Layer and base image-aware container scanning:
Rewritten support for Debian, Ubuntu, and Alpine container images.
Layer level analysis and vulnerability breakdown.
Supports Go, Java, Node, and Python artifacts within supported distros.
Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
Fix #1585 Fixed issue where base images are occasionally duplicated.
Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
Fix #1538 Reduce memory usage when using guided remediation.
We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.9.2...v2.0.0
v2.0.0-rc1 — 2025-03-10 security
v2.0.0-rc1
Our first release candidate for OSV-Scanner V2, which includes various breaking changes osv-scanner to help future proof osv-scanner in V2! See the changelog for beta1 and beta2 for the full list of changes.
We've also added a migration guide here: https://google.github.io/osv-scanner/migration-guide.html
As always, please feel free to give us your feedback!
Fix #1661 Add spinner to iframs in the HTML report.
Fix #1648 Updated HTML report styling to improve contrast.
Fix #1616 Display git scanning results in HTML report.
Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
API changes
Feature #1666 Removes reporter, all logging now goes through slog, which you can override to change the output.
Feature #1638 All deprecated packages have been removed from the osv-scanner module, this includes the lockfile package, which has been migrated to the OSV-Scalibr library.
New Contributors
@mickem made their first contribution in https://github.com/google/osv-scanner/pull/1587
@WeizhouRen made their first contribution in https://github.com/google/osv-scanner/pull/1661
@vitorRibeiro7 made their first contribution in https://github.com/google/osv-scanner/pull/1648
Full Changelog: https://github.com/google/osv-scanner/compare/v2.0.0-beta2...v2.0.0-rc1
v2.0.0-beta2 — 2025-02-12 bugfix
v2.0.0-beta2
This second beta release brings a series of fixes and improvements to the previous release.
Feature #1584 Make skip root git repository the default behavior.
Feature #1547 Add experimental config support to the image command.
Feature #1557 Allow setting port number when using the --serve flag with the new --port flag.
Fixes
Fix #1585 Fixed issue where base images are occasionally duplicated.
Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
Fix #1538 Reduce memory usage when using guided remediation.
New Contributors
@Riddhimaan-Senapati made their first contribution in https://github.com/google/osv-scanner/pull/1557
@pranjalagg made their first contribution in https://github.com/google/osv-scanner/pull/1580
Full Changelog: https://github.com/google/osv-scanner/compare/v2.0.0-beta1...v2.0.0-beta2
v2.0.0-beta1 — 2025-01-30 security
v2.0.0-beta1
Changelog
The first beta of OSV-Scanner V2 is here! This beta release introduces significant enhancements, including refactored dependency extraction capabilities, container image scanning, and guided remediation for Maven.
This beta release does not introduce any breaking CLI changes and the beta period is expected to last approximately one month. However, as this is a beta release, there may be breaking changes breaking changes in the final release compared to the first beta.
GitHub Action based on OSV-Scanner V2 is also coming soon - stay tuned!
We encourage you to try out these new features and would appreciate any feedback you might have on our discussion topics:
A significant new feature is a rewritten, layer-aware container scanning support for Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to provide:
Layers where a package was first introduced
Layer history and commands
Base images the image is based on
OS/Distro the container is running on
This layer analysis leverages OSV-Scalibr, and supports the following OSes and languages:
| Distro Support | Language Artifacts Support |
| -------------- | -------------------------- |
| Alpine OS | Go |
| Debian | Java |
| Ubuntu | Node |
| | Python |
Base image identification also leverages a new experimental API provided by https://deps.dev.
A new, interactive HTML output is now available. This provides a lot more interactivity and information compared to terminal only outputs, including:
Severity breakdown
Package and ID filtering
Vulnerability importance filtering
Full vulnerability advisory entries
And additionally for container image scanning:
Layer filtering
Image layer information
Base image identification
Guided Remediation for Maven pom.xml
Last year we released a feature called guided remediation for npm. We have now expanded support to Maven pom.xml.
With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management.
We’ve introduced a few new features for our Maven support:
A new remediation strategy override is introduced.
Support for reading and writing pom.xml files, including writing changes to local parent pom files.
Private registry can be specified to fetch Maven metadata.
The guided remediation support for Maven is only available in the non-interactive mode. For basic usage, run the following command:
We also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow.
For more usage details on guided remediation, please see our documentation.
Enhanced Dependency Extraction with osv-scalibr
With the help from OSV-Scalibr, we now also have expanded support for the kinds of dependencies we can extract from projects and containers:
Source manifests and lockfiles
Haskell: cabal.project.freeze, stack.yaml.lock
.NET: deps.json
Python: uv.lock
Artifacts
node_modules
Python wheels
Java uber jars
Go binaries
The full list of supported formats can be found here.
The first beta doesn’t enable every single extractor currently available in OSV-Scalibr today. We’ll continue to add more leading up to the final 2.0.0 release.
OSV-Scalibr also makes it incredibly easy to add new extractors. Please file a feature request if a format you’re interested in is missing!
New Contributors
@ivmeta made their first contribution in https://github.com/google/osv-scanner/pull/1327
@janniclas made their first contribution in https://github.com/google/osv-scanner/pull/1398
@VishalGawade1 made their first contribution in https://github.com/google/osv-scanner/pull/1390
Full Changelog: https://github.com/google/osv-scanner/compare/v1.9.1...v2.0.0-beta1
v1.9.2 — 2024-12-19 security
v1.9.2
Changelog
Fixes:
Bug #1327 Parsing crash on malformed pnpm lockfile.
Bug #1377 Warn if a vulnerability is ignored multiple times in the same config.
Bug #1394 Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
Bug #1443 Go call analysis now works with Go version up to v1.23.4.
Bug #1436 Only fetch Maven snapshots and releases when enabled.
@ivmeta made their first contribution in https://github.com/google/osv-scanner/pull/1327
@janniclas made their first contribution in https://github.com/google/osv-scanner/pull/1398
Full Changelog: https://github.com/google/osv-scanner/compare/v1.9.1...v1.9.2
v1.9.1 — 2024-10-31 security
v1.9.1
OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.
Here's a peek at some of the exciting upcoming features:
Standalone container image scanning support.
Including support for Alpine and Debian images.
Refactored internals to use osv-scalibr library for better extraction capabilities.
HTML output format for clearer vulnerability results.
More control over output format and logging.
...and more!
Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.
This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.
v1.9.1
Features:
Feature #1295 Support offline database in fix subcommand.
Feature #1342 Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
Bug #1285 Improve handling if docker exits with a non-zero code when trying to scan images
API Changes:
Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
which are not commonly used to give us more room to make better API designs. These include:
config
depsdev
grouper
spdx
Misc
Update build to go1.23.2
New Contributors
@emmanuel-ferdman made their first contribution in https://github.com/google/osv-scanner/pull/1351
Full Changelog: https://github.com/google/osv-scanner/compare/v1.9.0...v1.9.1
v1.9.0 — 2024-10-02 feature
v1.9.0
What's Changed
Features:
Feature #1243 Allow explicitly ignoring the license of a package in config with license.ignore = true.
Feature #1249 Error if configuration file has unknown properties.
Feature #1271 Assume .txt files with "requirements" in their name are requirements.txt files
Fixes:
Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
Bug #1241 Display (no reason given) when there is no reason in the override config.
Bug #1252 Don't allow LoadPath to be set via config file.
Bug #1279 Report all ecosystems without local databases in one single line.
Bug #1283 Output invalid PURLs when scanning SBOMs.
Bug #1278 Apply go version override to all instances of the stdlib.
Misc:
#1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
#1290 Bump maximum number of concurrent requests to the OSV.dev API.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.5...v1.9.0
v1.8.5 — 2024-09-11 bugfix
v1.8.5
What's Changed
Features:
Feature #1160 Support fetching snapshot versions from a Maven registry.
Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.
Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.4...v1.8.5
v1.8.4 — 2024-08-22 feature
v1.8.4
What's Changed
Features:
Feature #1177 Adds --upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous --disallow-major-upgrades and --disallow-package-upgrades flags.
Fixes:
Bug #1123 Issue when running osv-scanner on project running with golang 1.22 #1123
Misc:
Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.3...v1.8.4
v1.8.3 — 2024-08-07 security
v1.8.3
Features:
Feature #889 OSV-Scanner now provides "vertical" output format!
Fixes:
Bug #1115 Ensure that semantic is passed a valid models.Ecosystem.
Bug #1140 Add Maven dependency management to override client.
Bug #924 Ensure that npm dependencies retain their "production" grouping.
New Contributors
@neilnaveen made their first contribution in https://github.com/google/osv-scanner/pull/1076
@marcwieserdev made their first contribution in https://github.com/google/osv-scanner/pull/1014
@GeoDerp made their first contribution in https://github.com/google/osv-scanner/pull/1073
Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.1...v1.8.2
v1.8.1 — 2024-06-21 security
v1.8.1
v1.8.0/v1.8.1:
Features:
Feature #35
OSV-Scanner now scans transitive dependencies in Maven pom.xml files!
See our documentation for more information.
Feature #944
The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:
toml
[[PackageOverrides]]
# The package name, version, and ecosystem to match against
name = "lib"
# If version is not set or empty, it will match every version
version = "1.0.0"
ecosystem = "Go"
# Ignore this package entirely, including license scanning
ignore = true
# Override the license of the package
# This is not used if ignore = true
license.override = ["MIT", "0BSD"]
# effectiveUntil = 2022-11-09 # Optional exception expiry date
reason = "abc"
Minor Updates
Feature #1039 The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.
Fixes:
Bug #1000 Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.
New Contributors
@np5 made their first contribution in https://github.com/google/osv-scanner/pull/1029
Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.4...v1.8.1
v1.7.4 — 2024-05-30 feature
v1.7.4
v1.7.4:
Features:
Feature #943 Support scanning gradle/verification-metadata.xml files.
Misc:
Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.
New Contributors
@khorben made their first contribution in https://github.com/google/osv-scanner/pull/969
Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.3...v1.7.4