This package hasn't been updated in a long time. The following list of
changes was therefore curated to focus on features or recent bugfixes.
Changes in 1.7.2:
* Bug #899 Guided Remediation: Parse paths in npmrc auth fields correctly.
* Bug #908 Fix rust call analysis by explicitly disabling stripping of debug info.
* Bug #914 Fix regression for go call analysis introduced in 1.7.0.
Changes in 1.7.0:
* Feature #352 Guided Remediation
Introducing our new experimental guided remediation feature on osv-scanner fix subcommand.
* Feature #805 Include CVSS MaxSeverity in JSON output.
Changes in 1.6.2:
* Feature #694 OSV-Scanner now has subcommands!
The base command has been moved to scan (currently the only command is scan). By default, if you do not pass in a command, scan will be used, so the CLI remains backwards compatible.
* Feature #776 Add pdm lockfile support.
Changes in 1.6.0 and 1.6.1:
* Feature #694 Add support for NuGet lock files version 2.
* Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.
* Feature #702 Created an option to skip/disable upload to code scanning.
* Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.
* Feature #729 Verify the SPDX licenses passed in to the license allowlist.
Changes in 1.5.0:
* Feature #501 Add experimental license scanning support!
* Feature #642 Support scanning renv files for the R language ecosystem.
* Feature #513 Stabilize call analysis for Go
* Feature #676 Simplify return codes:
Return 0 if there are no findings or errors.
Return 1 if there are any findings (license violations or vulnerabilities).
Return 128 if no packages are found.
* Feature #651 CVSS v4.0 support.
* Feature #60 Pre-commit hook support.
Changes in 1.4.3:
* Feature #621 Add support for scanning vendored C/C++ files.
* Feature #581 Scan submodules commit hashes.
Changes in 1.4.1:
* Feature #534 New SARIF format that separates out individual vulnerabilities
* Experimental Feature #57 Experimental GitHub Action
Changes in 1.4.0:
* Feature #183 Add (experimental) offline mode
* Feature #452 Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project
* Feature #505 OSV-Scanner supports custom lockfile formats
Changes in 1.3.5:
* Feature #409 Adds an additional column to the table output which shows the severity if available.
Changes in 1.3.0:
* Feature #198 GoVulnCheck integration! Try it out when scanning go code by adding the --experimental-call-analysis flag.
* Feature #260 Support -r flag in requirements.txt files.
* Feature #300 Make IgnoredVulns also ignore aliases.
* Feature #304 OSV-Scanner now runs faster when there are multiple vulnerabilities.
Changes in 1.2.0:
* Feature #168 Support for scanning the Debian package status file, usually located in /var/lib/dpkg/status. Thanks @cmaritan
* Feature #94 Specify what parser should be used in --lockfile.
* Feature #158 Specify output format to use with the --format flag.
* Feature #165 Respect .gitignore files by default when scanning.
* Feature #156 Support markdown table output format. Thanks @deftdawg
* Feature #59 Support conan.lock lockfiles and ecosystem. Thanks @SSE4
* Updated documentation! Check it out here: https://google.github.io/osv-scanner/
Changes in 1.1.0:
* Feature #98: Support for NuGet ecosystem.
* Feature #71: Now supports Pipfile.lock scanning.
* Bug #85: Even better support for narrow terminals by shortening osv.dev URLs.
* Bug #105: Fix rare cases of too many open file handles.
* Bug #131: Fix table highlighting overflow.
* Bug #101: Now supports 32 bit systems.
Tested on NetBSD/amd64.
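An added example, not part of the commit message above or of the osv-scanner project, showing how a CI step can consume the return codes listed under 1.5.0 (0 for no findings, 1 for findings, 128 for no packages found) so that a scan which found nothing to scan is not silently treated as a pass. The function name `osv_gate`, the `SCANNER_CMD` override variable and the `fake_scanner` stand-in used for offline testing are assumptions made here; the scanner itself is only reached through `SCANNER_CMD`.

```shell
# Added example (not osv-scanner's own code): gate a CI job on the
# osv-scanner exit-code contract. SCANNER_CMD (hypothetical variable) lets the
# real scanner be replaced by a stand-in so the gate can be exercised offline.
: "${SCANNER_CMD:=osv-scanner scan}"

# osv_gate DIR [ALLOW_EMPTY]
# Runs the scanner on DIR and prints one verdict word on stdout:
#   clean      scanner exit 0   - no findings, no errors
#   findings   scanner exit 1   - vulnerabilities or license violations
#   nopkgs     scanner exit 128 - nothing was scanned; fails unless ALLOW_EMPTY=1
#   error(N)   any other exit code (network failure, bad flags, ...)
# Returns 0 when the build may proceed and 1 when it must stop.
osv_gate() {
    dir=$1
    allow_empty=${2:-0}
    # Capture the exit code inside an if so a 'set -e' caller is not aborted
    # before the code can be interpreted.
    # shellcheck disable=SC2086  # word-splitting of SCANNER_CMD is intended
    if $SCANNER_CMD "$dir" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo clean;    return 0 ;;
        1)   echo findings; return 1 ;;
        128) echo nopkgs
             # An empty scan usually means a misconfigured path or an
             # unsupported lockfile; only pass it when explicitly allowed.
             [ "$allow_empty" = 1 ] && return 0
             return 1 ;;
        *)   echo "error($rc)"; return 1 ;;
    esac
}
```

In a pipeline, `osv_gate . || exit 1` after a checkout fails the job on findings, on scanner errors, and on the 128 case; pass `1` as the second argument only for repositories that legitimately contain no dependency manifests.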