OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1
.
Here's a peek at some of the exciting upcoming features:
- Standalone container image scanning support.
- Including support for Alpine and Debian images.
- Refactored internals to use
osv-scalibr
library for better extraction capabilities. - HTML output format for clearer vulnerability results.
- More control over output format and logging.
- ...and more!
Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes. Most breaking changes will only be in the API. More details in the upcoming alpha release.
This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.
- Feature #1295 Support offline database in fix subcommand.
- Feature #1342 Add
--experimental-offline-vulnerabilities
and--experimental-no-resolve
flags. - Feature #1045 Support private registries for Maven.
- Feature #1226 Support support
vulnerabilities.ignore
in package overrides.
- Bug #604 Use correct path separator in SARIF output when on Windows.
- Bug #330 Warn about and ignore duplicate entries in SBOMs.
- Bug #1325 Set CharsetReader and Entity when reading pom.xml.
- Bug #1310 Update spdx license ids.
- Bug #1288 Sort sbom packages by PURL.
- Bug #1285 Improve handling if
docker
exits with a non-zero code when trying to scan images
- Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages
which are not commonly used to give us more room to make better API designs. These include:
config
depsdev
grouper
spdx
- Feature #1243 Allow explicitly ignoring the license of a package in config with
license.ignore = true
. - Feature #1249 Error if configuration file has unknown properties.
- Feature #1271 Assume
.txt
files with "requirements" in their name arerequirements.txt
files
- Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
- Bug #1241 Display
(no reason given)
when there is no reason in the override config. - Bug #1252 Don't allow
LoadPath
to be set via config file. - Bug #1279 Report all ecosystems without local databases in one single line.
- Bug #1283 Output invalid PURLs when scanning SBOMs.
- Bug #1278 Apply go version override to all instances of the
stdlib
.
- #1253 Deprecate
ParseX()
functions inpkg/lockfile
in favor of theirExtract
equivalents. - #1290 Bump maximum number of concurrent requests to the OSV.dev API.
- Feature #1160 Support fetching snapshot versions from a Maven registry.
- Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
- Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.
- Bug #1220 Fix govulncheck calls on C code.
- Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.
- Feature #1177 Adds
--upgrade-config
flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous--disallow-major-upgrades
and--disallow-package-upgrades
flags.
- Bug #1123 Issue when running osv-scanner on project running with golang 1.22 #1123
- Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)
- Feature #889 OSV-Scanner now provides "vertical" output format!
- Bug #1115 Ensure that
semantic
is passed a validmodels.Ecosystem
. - Bug #1140 Add Maven dependency management to override client.
- Bug #1149 Handle Maven parent relative path.
- Feature #1091 Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen!
- Feature #1125 Workflow for stale issue and PR management.
- Feature #1014 Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev!
- Bug #769 Fixed missing vulnerabilities for debian purls for
--experimental-local-db
. - Bug #1055 Ensure that
package
exists inaffected
property. - Bug #1072 Filter out unimportant vulnerabilities from vuln group.
- Bug #1077 Fix rate osv-scanner deadlock.
- Bug #924 Ensure that npm dependencies retain their "production" grouping.
- Feature #35
OSV-Scanner now scans transitive dependencies in Maven
pom.xml
files! See our documentation for more information. - Feature #944
The
osv-scanner.toml
configuration file can now filter specific packages with new[[PackageOverrides]]
sections:[[PackageOverrides]] # The package name, version, and ecosystem to match against name = "lib" # If version is not set or empty, it will match every version version = "1.0.0" ecosystem = "Go" # Ignore this package entirely, including license scanning ignore = true # Override the license of the package # This is not used if ignore = true license.override = ["MIT", "0BSD"] # effectiveUntil = 2022-11-09 # Optional exception expiry date reason = "abc"
- Feature #1039 The
--experimental-local-db
flag has been removed and replaced with a new flag--experimental-download-offline-databases
which better reflects what the flag does. To replicate the behavior of the original--experimental-local-db
flag, replace it with both--experimental-offline --experimental-download-offline-databases
flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.
- Bug #1000 Standard dependencies now correctly override
dependencyManagement
dependencies when scanningpom.xml
files in offline mode.
- Feature #943 Support scanning gradle/verification-metadata.xml files.
- Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.
- Feature #934 add support for PNPM v9 lockfiles.
- Bug #938 Ensure the sarif output has a stable order.
- Bug #922 Support filtering on alias IDs in Guided Remediation.
- Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
- Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
- Bug #914 Fix regression for go call analysis introduced in 1.7.0.
(There is no Github release for this version)
- Bug #856 Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.
- Feature #781
add
MakeVersionRequestsWithContext()
- Feature #857 API and networking related errors now has their own error and exit code (Exit Code 129)
-
Feature #352 Guided Remediation Introducing our new experimental guided remediation feature on
osv-scanner fix
subcommand. See our docs for detailed usage instructions. -
Feature #805 Include CVSS MaxSeverity in JSON output.
-
Bug #818 Align GoVulncheck Go version with go.mod.
-
Bug #797 Don't traverse gitignored dirs for gitignore files.
- #831 Remove version number from the release binary name.
-
Feature #694 Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to
scan
(currently the only commands isscan
). By default if you do not pass in a command,scan
will be used, so CLI remains backwards compatible.This is a building block to adding the guided remediation feature. See issue #352 for more details!
-
Feature #776 Add pdm lockfile support.
- Feature #754 Add dependency groups to flattened vulnerabilities output.
-
Feature #694 Add support for NuGet lock files version 2.
-
Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.
-
Feature #702 Created an option to skip/disable upload to code scanning.
-
Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.
-
Feature #729 Verify the spdx licenses passed in to the license allowlist.
-
Bug #736 Show ecosystem and version even if git is shown if the info exists.
-
Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.
-
Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.
-
Bug #704 Get go stdlib version from go.mod.
- Feature #727
Changes to
Reporter
methods to add verbosity levels and to deprecate functions.
- Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
- Feature #642
Support scanning
renv
files for the R language ecosystem. - Feature #513
Stabilize call analysis for Go! The experimental
--experimental-call-analysis
flag has now been updated to:with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!--call-analysis=<language/all> --no-call-analysis=<language/all>
- Feature #676
Simplify return codes:
- Return 0 if there are no findings or errors.
- Return 1 if there are any findings (license violations or vulnerabilities).
- Return 128 if no packages are found.
- Feature #651 CVSS v4.0 support.
- Feature #60 Pre-commit hook support.
- Bug #639 We now filter local packages from scans, and report the filtering of those packages.
- Bug #645 Properly handle file/url paths on Windows.
- Bug #660 Remove noise from failed lockfile parsing.
- Bug #649 No longer include vendored libraries in C/C++ package analysis.
- Bug #634 Fix filtering of aliases to also include non OSV aliases
- The minimum go version has been updated to go1.21 from go1.18.
- Feature #621 Add support for scanning vendored C/C++ files.
- Feature #581 Scan submodules commit hashes.
- Bug #626 Fix gitignore matching for root directory
- Bug #622 Go binary not found should not be an error
- Bug #588 handle npm/yarn aliased packages
- Bug #607 fix: remove some extra newlines in sarif report
- Bug #574
Support versions with build metadata in
yarn.lock
files - Bug #599 Add name field to sarif rule output
- Feature #534 New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
- Experimental Feature #57 Experimental Github Action! Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo. Experimental, so might change with only a minor update.
- Feature #557 Add new ecosystems, and a slice containing all of them.
- Feature #183 Add (experimental) offline mode! See our documentation for how to use it.
- Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
- Feature #484 Detect the installed
go
version and checks for vulnerabilities in the standard library. - Feature #505 OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate
osv-scanner.json
for osv-scanner to scan. See our documentation for instructions.
- Feature #451 The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.
- Bug #457 Fix PURL mapping for Alpine packages
- Bug #462 Use correct plural and singular forms based on count
- Feature #431 Update GoVulnCheck integration.
- Feature #439
Create
models.PURLToPackage()
, and deprecateosvscanner.PURLToPackage()
.
- Feature #439
Fix
PURLToPackage
not returning the full namespace of packages in ecosystems that use them (e.g. golang).
- Feature #409 Adds an additional column to the table output which shows the severity if available.
- Feature #424
- Feature #417
- Feature #417
- Update the models package to better reflect the osv schema, including:
- Add the withdrawn field
- Improve timestamp serialization
- Add related field
- Add additional ecosystem constants
- Add new reference types
- Add YAML tags
- Update the models package to better reflect the osv schema, including:
- Feature #390 Add an user agent to OSV API requests.
- Bug #369 Fix
requirements.txt misparsing lines that contain
--hash
. - Bug #237 Clarify when no vulnerabilities are found.
- Bug #354 Fix cycle in requirements.txt causing infinite recursion.
- Bug #367 Fix panic when parsing empty lockfile.
- Feature #357 Update
pkg/osv
to allow overriding the http client / transport
- Bug #341 Make the reporter public to allow calling DoScan with non nil reporters.
- Bug #335 Improve SBOM
parsing and relaxing name requirements when explicitly scanning with
--sbom
. - Bug #333 Improve scanning speed for regex heavy lockfiles by caching regex compilation.
- Bug #349 Improve SBOM documentation and error messages.
- Bug #319 Fix segmentation fault when parsing CycloneDX without dependencies.
- Feature #198 GoVulnCheck
integration! Try it out when scanning go code by adding the
--experimental-call-analysis
flag. - Feature #260 Support
-r
flag inrequirements.txt
files. - Feature #300 Make
IgnoredVulns
also ignore aliases. - Feature #304 OSV-Scanner now runs faster when there's multiple vulnerabilities.
- Bug #249 Support yarn locks with quoted properties.
- Bug #232 Parse nested CycloneDX components correctly.
- Bug #257 More specific cyclone dx parsing.
- Bug #256 Avoid panic
when parsing
file:
dependencies inpnpm
lockfiles. - Bug #261 Deduplicate
packages that appear multiple times in
Pipenv.lock
files. - Bug #267 Properly handle comparing zero versions in Maven.
- Bug #279 Trim leading zeros off when comparing numerical components in Maven versions.
- Bug #291 Check if PURL is valid before adding it to queries.
- Bug #293 Avoid infinite loops parsing Maven poms with syntax errors
- Bug #295 Set version in the source code, this allows version to be displayed in most package managers.
- Bug #297 Support Pipenv develop packages without versions.
- Feature #310 Improve the OSV models to allow for 3rd party use of the library.
- Feature #168 Support for
scanning debian package status file, usually located in
/var/lib/dpkg/status
. Thanks @cmaritan - Feature #94 Specify what
parser should be used in
--lockfile
. - Feature #158 Specify
output format to use with the
--format
flag. - Feature #165 Respect
.gitignore
files by default when scanning. - Feature #156 Support markdown table output format. Thanks @deftdawg
- Feature #59 Support
conan.lock
lockfiles and ecosystem Thanks @SSE4 - Updated documentation! Check it out here: https://google.github.io/osv-scanner/
- Feature #178 Support SPDX 2.3.
- Feature #221 Support dependencyManagement section in Maven poms.
- Feature #167 Make osvscanner API library public.
- Feature #141 Retry OSV API calls to mitigate transient network issues. Thanks @davift
- Feature #220 Vulnerability output is ordered deterministically.
- Feature #179 Log number of packages scanned from SBOM.
- General dependency updates
- Bug #161 Exit with non zero exit code when there is a general error.
- Bug #185 Properly omit Source from JSON output.
This update adds support for NuGet ecosystem and various bug fixes by the community.
- Feature #98: Support for NuGet ecosystem.
- Feature #71: Now supports Pipfile.lock scanning.
- Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
- Bug #105: Fix rare cases of too many open file handles.
- Bug #131: Fix table highlighting overflow.
- Bug #101: Now supports 32 bit systems.
This is a minor patch release to mitigate human readable output issues on narrow terminals (#85).
- Bug #85: Better support for narrow terminals.
Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community!
- Feature: ARM64 builds are now also available!
- Feature #46: Gradle lockfile support.
- Feature #50: Add version command.
- Bug #52: Fixes 0 exit code being wrongly emitted when vulnerabilities are present.