File osv-scanner.changes of Package osv-scanner
-------------------------------------------------------------------
Mon Jun 16 06:42:00 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.0.3:
* Features:
- Feature #1943 Added a flag to suppress "no package sources
found" error.
- Feature #1844 Allow flags to be passed after scan targets,
e.g. osv-scanner ./scan-this-dir --format=vertical, by
updating to cli/v3
- Feature #1882 Added a stable tag to container images for
releases that follow semantic versioning.
- Feature #1846 Experimental: Add --experimental-extractors and
--experimental-disable-extractors flags to allow for more
granular control over which OSV-Scalibr dependency extractors
are used.
* Fixes:
- Bug #1856 Improve XML output by guessing and matching the
indentation of existing <dependency> elements.
- Bug #1850 Prevent escaping of single quotes in XML attributes
for better readability and correctness.
- Bug #1922 Prevent a potential panic in MatchVulnerabilities
when the API response is nil, particularly on timeout.
- Bug #1916 Add the "ubuntu" namespace to the debian purl type
to correctly parse dpkg BOMs generated on Ubuntu.
- Bug #1871 Ensure inventories are sorted by PURL in addition
to name and version to prevent incorrect deduplication of
packages.
- Bug #1919 Improve error reporting by including the underlying
error when the response body from a Maven registry cannot be
read.
- Bug #1857 Fix an issue where SPDX output is not correctly
outputted because it was getting overwritten.
- Bug #1873 Fix the GitHub Action to not ignore general errors
during execution.
- Bug #1955 Fix issue causing error messages to be spammed when
not running in a git repository.
- Bug #1930 Fix issue where Maven client loses auth data during
extraction.
* Misc:
- Update dependencies and update golang to 1.24.4
- fix(deps): update osv-scanner minor (#1951)
- chore(deps): update golang docker tag to v1.24.4 (#1933)
- chore(deps): update github/codeql-action action to v3.29.0
(#1932)
- fix(deps): update osv-scanner minor (#1914)
- chore(deps): update ossf/scorecard-action action to v2.4.2
(#1915)
- chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 in
/experimental/javareach in the go_modules group across 1
directory (#1811)
- chore(deps): update golangci/golangci-lint-action action to
v8 (#1766)
- fix(deps): update osv-scanner minor (#1863)
- chore(deps): update workflows (#1837)
- chore(deps): lock file maintenance (#1838)
- chore(deps): update golang docker tag to v1.24.3 (#1864)
- fix(deps): update osv-scanner minor (#1836)
-------------------------------------------------------------------
Wed Apr 30 07:32:48 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.0.2:
* Fixes:
- Bug #1842 Fix an issue in the GitHub Action where call
analysis for Go projects using the tool directive (Go 1.24+)
in go.mod files would fail. The scanner image has been
updated to use a newer Go version.
- Bug #1806 Fix an issue where license overrides were not
correctly reflected in the final scan results and license
summary.
- Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output
stability and consistency by preserving original spacing and
minimizing unnecessary escaping. This helps reduce
differences when XML files are processed.
* What's changed
- chore(deps-dev): bump nokogiri from 1.18.4 to 1.18.8 in /docs
in the bundler group across 1 directory (#1815)
- chore: Changelog for v2.0.2 (#1847)
- fix(gh-action): call analysis doesn't work for go 1.24
(#1842)
- test(osv-scanner/fix): actually import command from package
(#1845)
- test(fix): use public package (#1832)
- test: add case for when "false" is explicitly passed as the
value for `--offline` (#1841)
- refactor(cmd): rename and cleanup `licenseGenericFlag`
implementation (#1834)
- test: only include specific command under test in `cmd`
package tests (#1831)
- test: update snapshots (#1833)
- feat(xml): store the original text in CharData (#1825)
- chore: Update snaps again (#1824)
- chore(deps): update workflows (#1799)
- fix(deps): update osv-scanner minor (#1800)
- chore(deps): lock file maintenance (#1801)
- test: move `source` cases into subpackage (#1759)
- chore: Remove renovatebot constraint (#1820)
- refactor: use constants for extractor names (#1819)
- test: ensure that all tests are run in parallel (#1817)
- refactor: ensure all extractors have a single interface check
at the bottom of the file (#1818)
- refactor: avoid repeated call to get scan global flags
(#1816)
- docs: Update Maven Central and private registries support
(#1812)
- chore: Update snapshots (#1813)
- feat(xml): do not escape texts in char data (#1809)
- feat: Parallel tests with global logger (#1798)
- fix: override licenses in scan results (#1806)
- chore: Update snapshot again again (#1807)
- feat(xml): keep the white space between attributes (#1805)
- refactor: Switch to use public osvdev client (#1804)
- feat(xml): do not escape double quotes (#1803)
- chore: Update scalibr to use the new inventory format.
(#1797)
- chore: Update snapshot again (#1802)
- chore: Update snapshots (#1796)
- feat(xml): keep the extra space in self-closing tags (#1787)
- chore(deps): update
gaurav-nelson/github-action-markdown-link-check digest to
3c3b66f (#1784)
- chore(deps): update golang docker tag to v1.24.2 (#1785)
- test: update snapshots (#1786)
- feat: support outputting results in `spdx` format (#1776)
- test: update snapshots (#1782)
- build: move off deprecated archives.format and
archives.builds properties again (#1779)
-------------------------------------------------------------------
Thu Apr 03 05:15:30 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.0.1:
* Features:
- Feature #1730 Add support for extracting dependencies from
.NET packages.config and packages.lock.json files.
- Feature #1770 Add support for extracting dependencies from
rust binaries compiled with cargo-auditable.
- Feature #1761 Improve output when scanning for OS packages;
we now show binary packages associated with a source package
in the table output.
* Fixes:
- Bug #1752 Fix paging depth issue when querying the osv.dev
API.
- Bug #1747 Ensure osv-reporter prints warnings instead of
errors for certain messages to return correct exit code
(related to osv-scanner-action#65).
- Bug #1717 Fix issue where nested CycloneDX components were
not being parsed.
- Bug #1744 Fix issue where empty CycloneDX SBOMs were causing a
panic.
- Bug #1726 De-duplicate references in CycloneDX report output
for improved validity.
- Bug #1727 Remove automatic opening of HTML reports in the
browser (fixes #1721).
- Bug #1735 Require a tag when scanning container images to
prevent potential errors.
* API Changes:
- API Change #1763 Made the SourceType enum public.
* Dependencies:
- chore(deps): bump github.com/containerd/containerd from
1.7.18 to 1.7.27 in the go_modules group across 1 directory
(#1719)
- chore(deps): update goreleaser/goreleaser-action action to
v6.3.0 (#1765)
- chore(deps): update workflows (#1713)
- chore(deps): update workflows (#1731)
-------------------------------------------------------------------
Mon Mar 17 06:01:21 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 2.0.0:
Important: This release includes several breaking changes aimed
at future-proofing OSV-Scanner. Please consult our comprehensive
Migration Guide to ensure a smooth upgrade.
https://google.github.io/osv-scanner/migration-guide.html
* Features:
- Layer and base image-aware container scanning:
- Rewritten support for Debian, Ubuntu, and Alpine container
images.
- Layer level analysis and vulnerability breakdown.
- Supports Go, Java, Node, and Python artifacts within
supported distros.
- Base image identification via deps.dev.
- Usage: osv-scanner scan image <image-name>:<tag>
- Interactive HTML output:
- Severity breakdown, package/ID/importance filtering,
vulnerability details.
- Container image layer filtering, layer info, base image
identification.
- Usage: osv-scanner scan --serve ...
- Guided Remediation for Maven pom.xml:
- Remediate direct and transitive dependencies
(non-interactive mode).
- New override remediation strategy.
- Support for reading/writing pom.xml and parent POM files.
- Private registry support for Maven metadata.
- Machine-readable output for guided remediation.
- Enhanced Dependency Extraction with osv-scalibr:
- Haskell: cabal.project.freeze, stack.yaml.lock
- .NET: deps.json
- Python: uv.lock
- Artifacts: node_modules, Python wheels, Java uber jars, Go
binaries
- Feature #1636 osv-scanner update command for updating the
local vulnerability database (formerly experimental).
- Feature #1582 Add container scanning information to vertical
output format.
- Feature #1587 Add support for severity in SARIF report
format.
- Feature #1569 Add support for bun.lock lockfiles.
- Feature #1547 Add experimental config support to the scan
image command.
- Feature #1557 Allow setting port number with --serve using
the new --port flag.
* Breaking Changes:
- Feature #1670 Guided remediation now defaults to
non-interactive mode; use the --interactive flag for
interactive mode.
- Feature #1670 Removed the --verbosity=verbose verbosity
level.
- Feature #1673 & Feature #1664 All previous experimental flags
are now out of experimental, and the experimental flag
mechanism has been removed.
- Feature #1651 Multiple license flags have been merged into a
single --license flag.
- Feature #1666 API: reporter removed; logging now uses slog,
which can be overridden.
- Feature #1638 API: Deprecated packages removed, including
lockfile (migrated to OSV-Scalibr).
* Improvements:
- Feature #1561 Updated HTML report for better contrast and
usability (from beta2).
- Feature #1584 Make skipping the root git repository the
default behavior (from beta2).
- Feature #1648 Updated HTML report styling to improve contrast
(from rc1).
* Fixes:
- Fix #1598 Fix table output vulnerability ordering.
- Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
- Fix #1585 Fixed issue where base images are occasionally
duplicated.
- Fix #1597 Fixed issue where SBOM parsers are not correctly
parsing CycloneDX files when using the bom.xml filename.
- Fix #1566 Fixed issue where offline scanning returns
different results from online scanning.
- Fix #1538 Reduce memory usage when using guided remediation.
We encourage everyone to upgrade to OSV-Scanner v2.0.0 and
experience these powerful new capabilities! As always, your
feedback is invaluable, so please don't hesitate to share your
thoughts and suggestions.
- General V2 feedback
https://github.com/google/osv-scanner/discussions/1529
- Container scanning feedback
https://github.com/google/osv-scanner/discussions/1521
-------------------------------------------------------------------
Thu Dec 19 07:27:29 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.9.2:
* chore: v1.9.2 Changelog (#1455)
* chore: cherry-pick fixes to v1 (#1459)
* chore: Update test dockerfile node hash
* chore(deps): update alpine docker tag to v3.21 (#1431)
* test(maven): remove the test of transitive scanning on native
data source (#1425)
* chore: update golangci-lint to version 1.62.2 (#1426)
* test: update snapshots (#1421)
* ci: add versions fixture generator for Red Hat (#1356)
* docs: clarify commit message requirements in `contribution.md`
(#1416)
* chore(deps): lock file maintenance (#1415)
* feat(output): show package view for container scanning table
result (#1407)
* feat: warn if a vulnerability is ignored multiple times in the
same config (#1377)
* fix(guided remediation): handle extraneous/missing packages in
package-lock.json more leniently (#1394)
* feat(output): add a unified output result (#1397)
* chore(deps): update codecov/codecov-action action to v5 (#1403)
* chore(deps): lock file maintenance (#1404)
* fix(deps): update osv-scanner minor (#1402)
* chore(deps): update alpine:3.20 docker digest to 1e42bbe
(#1401)
* chore(deps): update workflows (#1393)
* chore(deps): update golang docker tag to v1.23.3 (#1392)
* test: use internal utility for creating tmp directory (#1371)
* test: rewrite `models` to use snapshots and tables (#1382)
* docs: corrected field names in osv scanner results in the JSON
doc (#1398)
* chore: update snapshots (#1399)
* feat(output): update HTML output to a new design (#1383)
* fix: add "slices" import back in (#1395)
* feat: support evaluating spdx license expressions (#1329)
* feat(container-scanning): set unimportant vulns as uncalled
(#1385)
* feat: add support for comparing Red Hat versions locally
(#1355)
* fix(deps): update osv-scanner minor (#1348)
* chore(deps): lock file maintenance (#1384)
* fix(deps): update module github.com/charmbracelet/lipgloss to
v1 (#1373)
* chore(deps): update workflows (#1347)
* chore(deps): update dependency webrick to v1.9.0 (#1372)
* test: use traditional `tt` variable name and remove unneeded
loop-copy-var (#1381)
* chore: update snapshots (#1375)
* test(semantic): include ecosystems not supported by `lockfile`
(#1364)
* refactor: rename internal struct to avoid stuttering (#1370)
* chore: remove deprecated internal functions (#1369)
* test: update snapshots (#1368)
* refactor(semantic): simplify comparing of "pre" letters in PyPI
versions (#1366)
* refactor(semantic): remove unneeded condition in PyPI version
comparator (#1362)
* refactor(semantic): simplify comparing of RubyGem version
components (#1361)
* refactor(semantic): remove unneeded logic in parsing
semver-like versions (#1360)
* fix(semantic): support parsing versions without a numeric
component (#1365)
* refactor(semantic): sort ecosystems by name (#1363)
* fix: parsing crash on malformed pnpm lockfile (#1327)
-------------------------------------------------------------------
Thu Oct 31 10:47:27 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.9.1:
* chore: v1.9.1 Changelog (#1358)
* docs: update usage references (#1351)
* chore(deps-dev): bump rexml from 3.3.8 to 3.3.9 in /docs in the
bundler group (#1349)
* chore: remove unused fixture file (#1353)
* test: update snapshot (#1354)
* chore: Also trigger workflow when merging into v2 (#1343)
* feat: add `--experimental-offline-vulnerabilities` and
`--experimental-no-resolve` flags (#1342)
* docs: update documentation about Maven registry support (#1340)
* ci: ensure that generated files have been regenerated as part
of prerelease checks (#1312)
* test: update snapshot (#1335)
* feat: fetch Maven metadata from specified repositories (#1286)
* chore(deps): lock file maintenance (#1334)
* chore(deps): update workflows (#1333)
* feat: deprecate auxiliary public packages in favor of private
versions (#1309)
* fix: use correct path separator in SARIF output when on Windows
(#1294)
* chore: Update snapshots (#1328)
* fix: warn about and ignore duplicate entries in SBOMs (#1289)
* feat(guided remediation): support offline database in fix
subcommand (#1306)
* fix: set CharsetReader and Entity when reading pom.xml (#1325)
* fix(deps): update osv-scanner minor (#1323)
* chore(deps): update workflows (#1322)
* fix(guided remediation): update deps.dev Maven resolver (#1320)
* chore: update golangci-lint to 1.61.0 (#1318)
* fix: address a number of typos (#1307)
* fix: update spdx license ids (#1310)
* feat(output): add HTML output format (#1258)
* test: update snapshots (#1314)
* chore: ignore `node_modules` in git (#1308)
* fix(deps): update osv-scanner minor (#1302)
* chore(deps): update workflows (#1301)
* chore(deps): update golang docker tag to v1.23.2 (#1300)
* test: update snapshot (#1304)
* refactor: Update test names (#1297)
* test: update snapshots for guided remediation (#1296)
* fix: sort sbom packages by PURL (#1288)
* fix: improve handling if `docker` exits with a non-zero code
when trying to scan images (#1285)
* feat: support `vulnerabilities.ignore` in package overrides
(#1268)
-------------------------------------------------------------------
Wed Oct 02 06:30:06 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.9.0:
* chore(release): changelog for v1.9.0 (#1292)
* chore(deps): update workflows (#1281)
* chore(deps): lock file maintenance (#1282)
* fix: bump osv max concurrent requests (#1290)
* fix: apply go version override to _all_ instances of the
`stdlib` (#1278)
* fix: output invalid PURLs when scanning sboms (#1283)
* fix(offline): report all ecosystems without local databases in
one single line (#1279)
* test: update snapshot (#1284)
* chore(deps): update workflows (#1264)
* fix(deps): update osv-scanner minor (#1265)
* feat: assume `txt` files with "requirements" in their name are
`requirements.txt` files (#1271)
* chore(deps): update dependency webrick to v1.8.2 [security]
(#1270)
* test: update case to reflect recent config parsing changes
(#1267)
* feat: group DSA and its CVEs together (#1262)
* feat: error if configuration file has unknown properties
(#1249)
* fix: don't allow `LoadPath` to be set via config file (#1252)
* refactor: Follow revive rules across the repo (#1263)
* chore: make guided remediation follow revive's default lint
rules (#1259)
* refactor(guided remediation): Take `PreFetch` out of
`DependencyClient` interface and prevent repeated datasource
network calls (#1224)
* ci: pin `amannn/action-semantic-pull-request` to a commit
(#1256)
* ci: pin `actions/stale` to a commit (#1255)
* test: update snapshots with new security vulnerabilities
(#1254)
* chore: deprecate parser functions in favor of their extract
equivalents (#1253)
* refactor: simplify and reuse `tryLoadConfig` (#1248)
* test: ensure `cmp.Diff` usage is consistent (#1251)
* test: restructure internal `config` cases and fixtures (#1250)
* fix: don't assume there's always a reason for a package being
filtered out (#1241)
* feat: Copy over dark docs theming from osv.dev (#1245)
* fix: announce when a config file is invalid and exit with a
non-zero code (#1242)
* chore(deps): update workflows (#1247)
* fix(deps): update osv-scanner minor (#1246)
* feat: allow explicitly ignoring the license of a package in
config (#1243)
* feat(guided remediation): remediate unresolved dependency
management vulns (#1235)
* chore(deps): update alpine:3.20 docker digest to beefdbd
(#1230)
* chore(deps): update golang docker tag to v1.23.1 (#1231)
* chore(deps): update workflows (#1205)
* fix(deps): update osv-scanner minor (#1204)
* chore(deps): lock file maintenance (#1195)
-------------------------------------------------------------------
Sat Sep 14 10:51:29 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.5:
* chore(release): changelog for v1.8.5 (#1237)
* fix: make Alpine ecosystem fallback to latest release version
(#1236)
* feat(internal): marshal self-closing tags in XML (#1225)
* chore: update Go to version 1.22.7 (#1233)
* feat: support composite-based package overrides (#1214)
* chore: update test snapshots (#1232)
* fix: govulncheck calls on C code (#1228)
* refactor: use forked xml package for writing (#1223)
* chore: update test snapshots (#1222)
* feat(internal): add Maven native dependency client (#1207)
* fix(guided remediation): Add special handling for specific
Maven packages (#1219)
* fix(deps): update module github.com/charmbracelet/bubbletea to
v1 (#1217)
* fix(internal): encode XML tokens without escaping (#1216)
* chore: update test snapshots (#1218)
* chore: axe `.go-version` file (#1212)
* feat(guided remediation): Add `FIXED-VULN-IDS` to
non-interactive output (#1210)
* perf: ignored packages should be filtered out before scanning
(#1206)
* feat: support fetching snapshot versions from a Maven registry
(#1160)
* fix: stop finding more parent pom if the path is empty (#1194)
* chore: add missed test ignore vuln (#1209)
* chore: add `osv-scanner.toml` files to make Scorecard ignore
vulnerabilities in our test fixtures (#1202)
* chore(deps): update workflows (#1186)
* fix(deps): update osv-scanner minor (#1187)
* fix: correct for breaking change in glamour v0.8.0 (#1201)
* chore(deps): update dependency github-pages to v232 (#1189)
* chore(deps): update golang docker tag to v1.23.0 (#1188)
-------------------------------------------------------------------
Sat Sep 14 10:49:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.4:
* chore(release): release v1.8.4 (#1200)
* refactor: move Maven utility to a separate package (#1193)
* docs: link to the Scorecard Report (#1197)
* fix: unescape tabs before writing to pom.xml (#1190)
* feat(guided remediation): add `--upgrade-config` flag (#1191)
* chore: add PR title check to follow Git commit convention
(#1178)
* chore: add new vulnerability aliases to test snapshots (#1192)
* feat: write Maven updates to parent pom.xml if possible (#1182)
* chore: use the latest version of `golangci-lint` (#1185)
* fix(guided remediation): error on `--data-source=native` for
Maven (#1180)
* ci(workflow): address github.com/rhysd/actionlint findings
(#1176)
* fix(workflow): correct permission name (#1175)
* chore(deps): update workflows (#1173)
* fix(deps): update osv-scanner minor (#1174)
* fix: only trim XML elements with no inner elements (#1168)
* fix(workflow): Add explicit permissions (#1171)
* docs: add conventional commits requirement (#1172)
* Package tracing PoC (#1049)
* Update go policy and use stable go version for builds (#1156)
* chore(deps): update dependency wdm to "~> 0.2.0" (#1163)
* fix(deps): update osv-scanner minor (#1162)
* chore(deps): update workflows (#1161)
* Add changelog for v1.8.3 (#1150)
-------------------------------------------------------------------
Wed Aug 07 07:04:10 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.3:
* chore: update dependency `github.com/docker/docker` (#1166)
* chore(deps-dev): bump rexml from 3.3.2 to 3.3.3 in /docs in the
bundler group (#1158)
* add maven changes
* feat(guided remediation): add non-interactive Maven remediation
by override (#1136)
* Label closed stale issues/PRs (#1165)
* Fix snapshots (#1164)
* Refactoring Maven manifest reading (#1159)
* Do not attempt to remediate vulnerabilities in Maven artifacts
that have defined `<classifier>` or `<type>` (#1151)
* Handle Maven parent relative path (#1149)
* fix(workflow): add read permission to
`osv-scanner-reusable.yml` (#1157)
* fix(workflow): update prerelease-check.yml to the latest
OSV-Scanner action (#1153)
* fix(osv-github-action): If all vulnerabilities are not called,
don't return a non-zero exit code in osv-reporter (#1152)
* update snaps
* fix style
* Add changelog for v1.8.3
* chore(deps): lock file maintenance (#1130)
* Increase frequency of staleness runs (#1148)
* Improve Maven manifest updater (#1147)
* chore(deps): update workflows (#1145)
* fix(deps): update osv-scanner minor (#1146)
* chore(deps): update golang:1.22.5-alpine3.19 docker digest to
48aac60 (#1144)
* chore(deps): update alpine:3.20 docker digest to 0a4eaa0
(#1143)
* feat: add "vertical" output format (#889)
* chore(deps-dev): bump rexml from 3.3.1 to 3.3.2 in /docs in the
bundler group (#1132)
* Add Maven dependency management to override client (#1140)
* Add original manifest to Maven ManifestPatch (#1134)
* Exempt backlog label from stale treatment (#1135)
* fix(deps): update osv-scanner minor (#1120)
* Reflect Go 1.21.12 change more broadly (#1133)
* ci: don't mark v2 wishlisted issues as stale (#1131)
* chore(deps): update workflows (#1119)
* Workflow for stale issue and PR management (#1125)
* Bump goreleaser build version to 1.22. (#1126)
* Set the original requirement in patches from suggest (#1117)
* fix: ensure that `semantic` is passed a valid
`models.Ecosystem` (#1116)
* Update docs: test dependencies not in the resolved graph
(#1114)
* Improved the runtime of DiffVulnerabilityResults (#1091)
* Start on override strategy for maven guided remediation (#1025)
* Sort dependencies before writing to pom.xml (#1113)
* Activate profiles before merging parent (#1108)
* Fix the wrong dependencies/dependency tags (#1112)
* refactor: update linter and address minor violations (#1110)
* Add a dependency to pom.xml if it is not from the base project
(#1105)
-------------------------------------------------------------------
Wed Jul 10 07:40:40 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.2:
* Bump go mod min version (#1109)
* Add changelog for v1.8.2 (#1106)
* Fix npm grouping (#1107)
* Add warning to the default docker container scanning method
(#1089)
* Move sbom to internal, and add standard output tests (#1104)
* fix: ensure that npm dependencies retain their "production"
grouping (#939)
* test: add output fixtures for call analysis (#1093)
* fix: restore custom styling to table format (#1094)
* chore(deps): lock file maintenance (#1103)
* chore(deps): update workflows (#1101)
* github-action.md add version into md example (#1073)
* ✨ Adding CycloneDX 1.4 and 1.5 reporter (#1014)
* chore(deps): update golang docker tag to v1.22.5 (#1100)
* fix(deps): update osv-scanner minor (#1102)
* Add go compiler to enable call analysis in the github action
(#1099)
* Update github action docs in osv-scanner (#1096)
* test: update snapshots (#1092)
* Refactoring `manifest.Read()` for Maven (#1083)
* refactor: just disable color output rather than tracking
terminal width (#1087)
* ci: upgrade `semantic` workflow to use v4 for artifact
workflows (#1088)
* chore(deps): update workflows (#1080)
* fix(deps): update module github.com/spdx/tools-golang to v0.5.5
(#1081)
* Added Testing for the SPDX SBOM Reader (#1086)
* Changed min and max to inbuilt functions (#1076)
* Update snapshots (#1084)
* fix: use errgroup to avoid hydration deadlock scenario (#1078)
* ci: setup workflow to run `semantic` tests weekly (#958)
* test: update snapshots (#1079)
* filter out unimportant vulnerabilities from vuln group (#1072)
* Fix test (#1071)
* fix: ensure that `package` exists in `affected` property
(#1055)
* Cherry-pick unmerged change from docs branch (#1069)
* chore(deps): update alpine:3.20 docker digest to b89d9c9
(#1062)
* chore(deps): update golang:1.22.4-alpine3.19 docker digest to
c46c460 (#1063)
* fix(deps): update module github.com/charmbracelet/bubbletea to
v0.26.6 (#1064)
* Combine Debian unimportant count logs (#1067)
* Update tests to support go version changes (#1065)
* fix: only care about ecosystem suffix if present in both
ecosystems when determining equality (#1007)
* refactor: enable `revive/indent-error-flow` (#997)
-------------------------------------------------------------------
Fri Jun 21 20:09:23 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.1:
* Make 1.8.1 release (#1056)
* feat: bump goreleaser to v2 (#1054)
* Update goreleaser.yml (#1052)
-------------------------------------------------------------------
Fri Jun 21 20:07:23 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.0:
* v1.8.0 Changelog (#1050)
* Add documentation for the configuration. (#1051)
* Update documentation for transitive dependency scanning (#1040)
* Invoke `MavenResolverExtrator` when scanning pom.xml (#1028)
* fix(deps): update osv-scanner minor (#1044)
* chore(deps): update workflows (#1043)
* chore(deps): update golang docker tag to v1.22.4 (#896)
* chore(deps): lock file maintenance (#1033)
* chore(deps): update goreleaser/goreleaser-action action to v6
(#1032)
* Add `experimental-download-offline-databases` flag (#1039)
* Update snapshots and exit codes (#1041)
* Upgrade deps.dev dependencies (#1035)
* Remove busybox from alpine SBOM (#1037)
* Add go binary scanning (#1011)
* Update Go patch version (#1030)
* Merge parent projects for Maven pom.xml (#1019)
* Update base docker image for golang 1.21.11 (#1029)
* implement filtering by packages through the config (#944)
* Dependency imports should always be fetched from upstream
(#1027)
* Upgrade go version (#1024)
* Fix broken TUI styling (#1023)
* Update test snapshots (#1022)
* chore(deps): lock file maintenance (#1018)
* fix(deps): update osv-scanner minor (#1017)
* chore(deps): update workflows (#1016)
* ci: don't try to upload code coverage on macOS (#1020)
* Fix some Maven manifest & resolver issues (#1008)
* Transitive dependency support for Maven pom.xml (#1002)
* Select a version that actually exists (#1012)
* Maven standard dependencies should take precedence over managed
dependencies (#1000)
* Do not record Maven `compile` scope in dependency groups (#1003)
-------------------------------------------------------------------
Thu May 30 09:34:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.7.4:
* Remove feature from changelog as it's still blocked on #769
(#1006)
* V1.7.4 changelog (#1001)
* Update typo in supported_languages_and_lockfiles.md (#998)
* feat: support comparing Alpine versions locally (#980)
* Now that we have updated to go1.21.10, we can remove the ignore
line from osv-scanner.toml (#996)
* chore(deps): update workflows (major) (#897)
* fix(deps): update osv-scanner minor (#994)
* chore(deps): update alpine docker tag to v3.20 (#993)
* Update test snapshots (#992)
* test: add cases for output functions (#937)
* fix(deps): update osv-scanner minor (#978)
* Add a new Maven pom.xml extractor (#982)
* feat: support parsing `gradle/verification-metadata.xml` (#943)
* chore(deps): update workflows (#977)
* chore(deps): update golang:1.21-alpine3.19 docker digest to
1c2e474 (#985)
* chore(deps-dev): Bump the bundler group across 1 directory with
2 updates (#983)
* make Maven parent path relative on current project (#987)
* Fix snapshots and alpine version (#990)
* Update deps.dev dependencies (#984)
* [docs] Add installation instructions for FreeBSD and NetBSD
(#969)
* Disable all unimportant vulnerabilities (#968)
* GR: Add test universe generation script and tests for patch
generation (#967)
-------------------------------------------------------------------
Thu May 09 07:20:31 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.7.3:
* chore(deps): update golang:1.21-alpine3.19 docker digest to
b3aea8d (#973)
* v1.7.3 changelog and version bump (#972)
* Update gomod go version (#971)
* Fix tests; add newly discovered vulns (#970)
* Update go.mod to 1.21.9 (#907)
* chore: import `sys` in Python generators (#966)
* ci: upgrade `golangci/golangci-lint-action` to v5 (#964)
* chore: only extract versions from packages in the generator
ecosystem (#957)
* refactor: encapsulate getting the working directory in a helper
function (#961)
* refactor: apply Rubocop to Ruby generator (#956)
* test: remove future snapshots (#960)
* chore(deps): update workflows (#935)
* fix(deps): update osv-scanner minor (#945)
* chore(deps): lock file maintenance (#962)
* Fix snapshot for test (#963)
* fix: ensure the sarif output has a stable order (#938)
* chore: support skipping known unsupported comparisons in
generators (#954)
* chore(deps): lock file maintenance (#936)
* chore: improve version fixture generators for local usage
(#953)
* ci: cancel in-progress runs when new changes are pushed (#959)
* Automated Updates: support parents and dependency imports
(#890)
* GR: Support filtering on alias IDs (#946)
* ci: ensure input name case matches just to be safe (#955)
* refactor: use `maps` functions instead of custom
implementations (#940)
* test: update snapshots due to external vulnerability changes
(#951)
* ci: upgrade Codecov to v4 (#941)
* feat: add support for PNPM v9 lockfiles (#934)
* Add new vuln to tests (#947)
* chore: add missing space to panic message (#942)
* test: include groups when describing package details (#933)
-------------------------------------------------------------------
Fri Apr 19 04:46:42 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.7.2:
* Changelog for v1.7.2 (#932)
* GR: Use deps.dev schema for graph definition in tests (#911)
* ci: ensure snapshots are always cleaned up (#903)
* test: clean up image snapshots (#923)
* Fix paths in test snapshots (#930)
* Fix regression for go call analysis in 1.7.0 (#926)
* fix(deps): update osv-scanner minor (#918)
* chore(deps): lock file maintenance (#919)
* Ignore stdlib vuln (#920)
* GR: Test `MatchVuln()` (#912)
* GR: resolve tests & mock client (#909)
* GR: Parse paths in npmrc auth fields correctly (#901)
* Fix rust call analysis by explicitly disabling stripping of
debug info (#908)
* fix(deps): update osv-scanner minor (#895)
* chore(deps): update golang:1.21-alpine3.19 docker digest to
ed8ce6c (#905)
* chore(deps): update workflows (#906)
* chore(deps): lock file maintenance (#898)
* test: clean and sort snapshots (#904)
* Add new vuln for failing test (#900)
* GR: Tests for npm relaxer (#894)
* GR: Add simple test for package-lock.json writing (#891)
* chore(deps): update workflows (#886)
* fix(deps): update osv-scanner minor (#885)
* update deps.dev/util/maven (#892)
* Make MockHTTPServer for tests (#888)
* GR: Add tests for npmrc & npm registry api (#879)
* Update github action docs to v1.7.1 (#881)
* Use stable deps.dev v3 API (#882)
* test: pin alpine image to exact sha (#880)
* test: change how snapshot matchers are called and update
example name for consistency (#866)
* [docs] Fix the HTTP link for downloading offline database.
(#877)
* fix(renovate): constrain go to 1.21 and do not update golang
(#874)
* ci: harden workflow permissions (#872)
* chore(deps): Bump github.com/docker/docker from
25.0.3+incompatible to 25.0.5+incompatible (#878)
-------------------------------------------------------------------
Wed Mar 20 06:19:45 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.7.1:
* v1.7.1 changelog and removing unused fixtures (#876)
* Fix/update retry logic in OSV (#860)
* perf: optimize string formatting and update linting (#828)
* test: add cli cases for `node_modules` images (#870)
* Follow up PR851 mark acceptance on image tests (#869)
* GR: Add npm lockfile read tests (#853)
* ci: downgrade codecov action to v3 (#871)
* test: use "public" package where possible (#838)
* test: regenerate snapshots (#867)
* Pin the dockerfiles to the correct base image (#865)
* chore(deps): update workflows (#863)
* fix(deps): update osv-scanner minor (#864)
* add MakeVersionRequestsWithContext() (#781)
* improve error messages in Maven registry client (#859)
* Fix location of "*" for requirements.txt (#858)
* docs: reword sentence in guided-remediation (#846)
* Put API/networking errors on another error code (#857)
* chore(deps): update golang:alpine docker digest to fc5e584
(#852)
* Find and save the distro version when extracting from debian
and alpine (#854)
* fix: allow users to override GOVERSION (#850)
* feat: support scanning `node_modules` generated by NPM in
container images (#851)
* GR: Add npm ManifestIO tests & minor fixes (#845)
* Automated Updates: set up update subcommand (#830)
-------------------------------------------------------------------
Fri Mar 15 21:49:28 UTC 2024 - opensuse_buildservice@ojkastl.de
- BuildRequire go 1.21.8 to follow upstream
- Update to version 1.7.0:
* Update changelog for v1.7.0 (#843)
* Merge docs to main (#842)
* Replace stereoscope with using go-containerregistry directly
(#836)
* Rename relaxer and suggester (#839)
* Update deps (#841)
* Downgrade go.mod (#833)
* chore(deps): update workflows (#835)
* Add more guided remediation known issues re: vulnerability
counting (#840)
* Guided Remediation Docs (#827)
* test: automatically cleanup test zip server (#834)
* chore(deps): lock file maintenance (#822)
* fix(deps): update osv-scanner minor (#807)
* ci: remove unneeded `setup-go` step and pin
`actions/download-artifact` (#786)
* Don't traverse gitignored dirs for gitignore files (#797)
* test: make `createTestDir` a general test utility (#832)
* Maximum severity rating for each Group object in JSON output
(#805)
* Automated Updates: add a simple Maven registry API client
(#837)
* Automated Updates: only append dependencies with property to
original requirements (#823)
* chore(deps): update dependency github-pages to v231 (#821)
* chore(deps): update workflows to v4 (major) (#784)
* chore(deps): update workflows (#806)
* Added a switch for using cached local db in test to improve
speed (#826)
* Remove version from the binary name. (#831)
* Automated Updates: suggest property patches to update for Maven
(#824)
* refactor: replace usage of deprecated function (#829)
* chore: don't ignore `fixtures` directory (#825)
* Align GoVulncheck Go version with go.mod (#818)
* Guided Remediation: Compute Dev dependencies in in-place
parsing (#816)
* Automated Updates: add ManifestIO for Maven (#813)
* Update suggester package name (#817)
* Automated Updates: add version suggester for Maven (#815)
* Guided remediation: Interactive mode TUI (#811)
* Proof of Concept of container scanning (#808)
* Guided Remediation: non-interactive mode (#798)
* Update main with the new docs updates. (#810)
* Add user agent to deps.dev requests (#804)
* chore(deps): update golang:alpine docker digest to 8e96e6c
(#793)
* fix(deps): update osv-scanner minor (#794)
* chore(deps): update dependency github-pages to v230 (#796)
* chore(deps): update workflows (#795)
* Start setting up guided remediation subcommand (#792)
* Guided Remediation: Compute in-place updates (#789)
* Guided Remediation: Add `package-lock.json` LockfileIO (#785)
* add new spdx identifiers (#788)
* chore(deps-dev): Bump nokogiri from 1.15.5 to 1.16.2 in /docs
(#787)
* chore(deps): update workflows (#783)
* fix(deps): update osv-scanner minor (#782)
* Guided Remediation: add npm registry clients & `.npmrc` parsing
(#778)
* Fix tests (#780)
-------------------------------------------------------------------
Wed Jan 31 14:00:36 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.6.2:
* Update changelog for 1.6.2 (#779)
* chore(deps): update golang:alpine docker digest to a6a7f1f
(#772)
* chore(deps): update alpine:3.19 docker digest to c5b1261 (#771)
* Add pdm lockfile support (#776)
* Guided Remediation: Make `VulnerabilityClient` for OSV queries
(#773)
* Do not fail if no lockfiles found in github action (#774)
* Guided Remediation: Add computation for all relaxation patches
(#766)
* Parse severities for guided remediation (#767)
* Add pictures to github action docs (#768)
* Guided Remediation: Add dependency relaxation & re-resolution
(#765)
* Update govet printf settings (#745)
* fix: improve wording of usage description (#764)
* Guided Remediation: add npm `package.json` manifest parser
(#763)
* Update github action version (#761)
* Guided Remediation: Add manifest resolution (#757)
* Add OSV-Scanner subcommands (#748)
* test: use snapshot-based testing (#717)
* chore(deps): lock file maintenance (#760)
* fix(deps): update osv-scanner minor (#758)
* chore(deps): update workflows (#759)
* add dependency groups to flattened vulnerability (#754)
* Use new GitHub action in new repository (#756)
-------------------------------------------------------------------
Thu Jan 18 08:15:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.6.1:
* Final goreleaser fix (#753)
* Remove unnecessary docker manifest entry in goreleaser (#752)
* Update goreleaser to fix release pipeline (#751)
-------------------------------------------------------------------
Thu Jan 18 08:13:06 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.6.0:
* Update CHANGELOG.md for 1.6.0 (#749)
* Bump version for OSV-Scanner. (#750)
* Build action image when releasing (#747)
* fix(deps): update osv-scanner minor (#743)
* chore(deps): update actions/upload-artifact action to v4.1.0
(#744)
* chore(deps): update golang:alpine docker digest to fd78f2f
(#719)
* chore(deps): update workflows (major) (#709)
* chore(deps): update alpine docker tag to v3.19 (#708)
* fix(deps): update osv-scanner minor (#700)
* chore(deps): lock file maintenance (#710)
* chore(deps): update github/codeql-action action to v2.23.0
(#707)
* Assume latest patch version if version does not exist (#740)
* Add support for verbosity levels (#727)
* Show ecosystem and version even if git is shown if the info
exists. (#736)
* chore(deps): Bump github.com/cloudflare/circl from 1.3.3 to
1.3.7 (#738)
* Add option to not fail on vuln to workflow files (#737)
* Fix vulnerabilities that OSV-Scanner found (#724)
* Add option to not fail on vulnerability being found for github
action (#732)
* fix: remove deprecated `Reporter` methods (#722)
* fix directives related to go generate in package spdx (#730)
* verify license allowlist against spdx identifiers (#729)
* Add formatting instructions to docs contribution (#723)
* Adjusting docs (#716)
* fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0
[security] (#721)
* Get go stdlib version from go.mod (#704)
* feat: support `PrintTextf` and `PrintErrorf` on `Reporter`
(#706)
* Refactor: attempt to transition into using models.Ecosystems
rather than lockfile.Ecosystems (#705)
* Updating cdxgen-go version in go.mod (#718)
* Unify OSV scanner action (#711)
* refactor: setup `prettier` for formatting files (#693)
* Return an error if both license scanning and local/offline
scanning is enabled simultaneously (#703)
* chore(deps): update golang:alpine docker digest to feceecc
(#699)
* scan and report dependency groups of vulnerabilities (#655)
* Create an option to skip/disable upload to code scanning (#702)
* Add support for NuGet lock files version 2 (#694)
* remove extra backtick in license scanning documentation (#696)
* Update changelog to include minimum go version changes (#695)
-------------------------------------------------------------------
Wed Dec 06 12:05:33 UTC 2023 - kastl@b1-systems.de
- Update to version 1.5.0:
* Add changelog for version 1.5.0 (#692)
* Fix go mod (#691)
* chore(deps): lock file maintenance (#653)
* refactor: switch golang.org/x/exp/slices usages to stdlib
(#690)
* Include available formats in `--format` help message (#685)
* chore(deps): update golang:alpine docker digest to 70afe55
(#687)
* chore(deps): update alpine:3.18 docker digest to 34871e7 (#686)
* fix(deps): update osv-scanner minor (#688)
* Add `osv-scanner` pre-commit hook (#669)
* Fix goreleaser build (#683)
* feat: CVSS v4.0 support and replace cvss implementation to
comply with the specifications (#651)
* chore(deps): update workflows (#666)
* Added license scanning info (#674)
* update docs for call analysis. (#682)
* Setup manual release pipeline (#681)
* add experimental-licenses summary flag (#678)
* Set Go call analysis to default behaviour (#665)
* Fix filter ids (#647)
* feat: add support for `renv.lock` (#668)
* Simplify return codes to return 1 if any vulnerability related
error (#677)
* fix(deps): update osv-scanner minor (#652)
* refactor: upgrade golangci-lint (#673)
* make license allowlist matching case insensitive (#672)
* ci: run tests on Windows (#646)
* feat: add support for comparing CRAN versions (#656)
* ci: update `golangci-lint` to v1.54 (#661)
* Don't include nested vendored libs in determineversions query.
(#649)
* chore: disable `goconst` linter (#662)
* fix: remove noise lockfile warnings (#660)
* ci: enforce that `cachedregexp` is always used instead of
`regexp` (#663)
* Adding C/C++ info to the docs (#648)
* cmd/osv-scanner: update sarif output in test cases (#659)
* Downgrade jekyll-feed. Update lock file (#650)
* chore(deps): update golang:alpine docker digest to 110b07a
(#640)
* fix: properly handle file/url paths on Windows (#645)
* test: don't ignore anything from coverage (#627)
* fix(deps): update osv-scanner minor (#641)
* Filter local packages from scanning, and report the filtering.
(#643)
* license checking experimental feature (#501)
* upgrade version of Go in GitHub checks (#637)
* test: check against error type rather than message (#628)
* Minor github action docs changes to clarify behaviour. (#630)
-------------------------------------------------------------------
Thu Nov 02 05:58:57 UTC 2023 - kastl@b1-systems.de
- Update to version 1.4.3:
* Prepare for v1.4.3 release (#629)
* Add support for determineversions API (#612). (#621)
* Refactor package scanning to produce packages instead of
queries (#614)
* Fix permissions in PR osv-scanner (#625)
* Fix gitignore matching for root directory (#626)
* Go binary not found should not be an error (#622)
* Scan submodules too. (#581)
* fix: handle yarn aliased packages (#615)
* fix(deps): update osv-scanner minor (#618)
* chore(deps): update github/codeql-action action to v2.22.5
(#616)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#597)
* chore(deps): update workflows (#596)
* handle npm aliased packages (#610)
* Some minor post release fixes (#613)
* Gate extended tests (#598)
* test: use `cmp.Diff` for diffing (#605)
* fix: remove some extra newlines in sarif report (#607)
-------------------------------------------------------------------
Wed Oct 25 04:43:42 UTC 2023 - kastl@b1-systems.de
- Update to version 1.4.2:
* Prepare for 1.4.2 release (#609)
* chore: don't trim trailing whitespace on fixture snapshots
(#608)
* Update release pipeline (#602)
* fix: trim leading and trailing newlines off SARIF output (#606)
* Add name field to sarif rule output (#600)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#579)
* chore(deps): update golang:alpine docker digest to 926f7f7
(#591)
* chore(deps): update workflows (#592)
* Make scheduled and PR scanning only scan the relevant files and
ignore fixtures (#594)
* Update docs to add in saving to file option (#593)
* Clarify in the docs actions will fail when vulns are found
(#587)
* chore(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#585)
* Change branch back in github action (#586)
* Fix permissions and attempt "Download Artifact" option to allow
custom lockfiles (#584)
* Small doc adjustments for GitHub Actions (#582)
* fix(deps): update osv-scanner minor (#578)
* Update deps and fix tests (#583)
* Improve documentation for github actions (#575)
* chore(deps): update golang:alpine docker digest to a76f153
(#577)
* chore(deps): update workflows (#580)
* fix: support versions with build metadata in `yarn.lock` files
(#576)
* Add additional tests for git scanning, and markdown format
(#569)
-------------------------------------------------------------------
Fri Oct 06 13:11:57 UTC 2023 - kastl@b1-systems.de
- Update to version 1.4.1:
* Allow release scanning to upload SARIF file. (#573)
* Fix goreleaser and update changelog (#572)
* 1.4.1 release and changelog (#571)
* SARIF with fixed version (#559)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#568)
* chore(deps): update github/codeql-action action to v2.21.9
(#567)
* chore(deps): update golang:alpine docker digest to 4bc6541
(#566)
* chore(deps): update alpine:3.18 docker digest to eece025 (#565)
* ci: don't fetch the whole repository history when it's not
needed (#562)
* ci: ensure that `actions/checkout` is pinned (#563)
* Block release on vuln scan (#561)
* ci: use `.go-version` file (#564)
* ci: run tests on macos and in parallel when releasing (#560)
* test: use `cmp.Diff` for comparing output (#558)
* Add new ecosystems, and a slice containing all of them. (#557)
* test: compare expected with actual rather than the other way
around (#556)
* chore: move scripts into the `scripts` directory (#555)
* ci: combine lint and test workflows (#554)
* test: add cases for extra coverage (#524)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#544)
* chore(deps): lock file maintenance (#545)
* chore(deps): update workflows (#538)
* Add custom scan arguments (#552)
* SARIF output fixes. (#547)
* Minor readme update (#546)
* Action docs (#541)
* Update SARIF format (#534)
* Fix action naming and scheduled scan parameters (#543)
* chore(deps): update workflows (major) (#540)
* Attempt at multiline action (#542)
* fix(deps): update osv-scanner minor (#539)
* Update experimental.md (#536)
-------------------------------------------------------------------
Thu Sep 14 05:01:43 UTC 2023 - kastl@b1-systems.de
- Update to version 1.4.0:
* Fix issue in the changelog (#533)
* 1.4.0 changelog and docs (#532)
* Adding Offline info (#517)
* chore(deps): update golang:alpine docker digest to 96634e5
(#527)
* chore(deps): update workflows (#529)
* fix(deps): update osv-scanner minor (#528)
* Fix result scanning (#526)
* ci: change how coverage is collected (#525)
* chore: capture coverage and upload it to codecov (#512)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#520)
* Correctly use matchFileNames in renovate.json (#522)
* Update test results to pass new test (#523)
* Revert breaking change in `osv.go` (#514)
* Add osv output lockfile + refactor (#505)
* Update renovate.json (#504)
* fix(deps): update osv-scanner minor (#506)
* Refactor models (#510)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#508)
* chore(deps): update actions/checkout action to v3.6.0 (#507)
* Update contributing docs (#502)
* chore(deps-dev): Bump activesupport from 7.0.7 to 7.0.7.2 in
/docs (#503)
* fix(deps): update golang.org/x/exp digest to d852ddb (#496)
* Add fixtures go to renovate bot ignore (#500)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#498)
* chore(deps): update golangci/golangci-lint-action action to
v3.7.0 (#499)
* chore(deps): update actions/setup-go action to v4.1.0 (#497)
* If go version can't be found, don't add stdlib (#494)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#448)
* feat: support `io.Reader` based parsers (#451)
* fix: don't error if local db directory already exists (#493)
* fix: ensure that "introduced 0" events are sorted before any
other event (#492)
* Add go stdlib version support (#484)
* chore(deps): update golang:alpine docker digest to 445f340
(#467)
* chore(deps): update alpine docker tag to v3.18 (#468)
* chore(deps): update slsa-framework/slsa-github-generator action
to v1.8.0 (#469)
* chore(deps): update alpine:3.18 docker digest to 7144f7b (#480)
* chore(deps): update alpine:3.17 docker digest to f71a5f0 (#466)
* chore(deps): update
gaurav-nelson/github-action-markdown-link-check digest to
46e4421 (#481)
* fix(deps): update golang.org/x/exp digest to 89c5cff (#482)
* chore(deps): update github/codeql-action action to v2.21.4
(#483)
* Fix some vulns and ignore others (#490)
* Rust call analysis (#452)
* Scanner action should pass if the vulnerabilities remain the
same (#475)
* Tidy up scanner action (#474)
* Manually update dependencies to resolve vulnerability
https://osv.dev/GO-2023-1988 (#472)
* feat: add experimental offline mode (#183)
* Move github action back to the main branch (#465)
* refactor: move experimental flags into their own struct (#463)
* fix: use correct plural and singular forms based on count
(#462)
* chore(deps): update github/codeql-action action to v2.21.2
(#455)
* fix(deps): update osv-scanner minor (#456)
* Add annotations and osv-scanner table in the Github Action
output (#460)
* Fix purl mapping (#457)
* test: make `output` tests their own package (#461)
* Updated github actions to use main branch now that the PR is
merged in (#459)
* Recreated Github Action PR (#432)
* chore: minor grammar fixes (#454)
* chore(deps): update docker/setup-buildx-action digest to
4c0219f (#437)
* chore(deps): update golang:alpine docker digest to 7839c9f
(#444)
* Optimize Dockerfile and add .dockerignore (#441)
* chore(deps): update github/codeql-action action to v2.21.0
(#449)
* Enable lockfile maintenance (#450)
* fix(deps): update osv-scanner minor (#445)
-------------------------------------------------------------------
Wed Jul 19 06:29:55 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.6:
* Prepare for v1.3.6 Release (#447)
* Adjusting GitHub actions (#446)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#438)
* go.mod: upgrade to golang.org/x/vuln@v1.0.0 (#443)
* Fix PURLToPackage function and move it (#439)
* Update README.md (#440)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#422)
* chore(deps): update workflows (#429)
* fix(deps): update osv-scanner minor (#430)
* update govulncheck integration (#431)
-------------------------------------------------------------------
Wed Jun 28 06:19:46 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.5:
* Add more ignores now that debian PURLs are parsed correctly
(#428)
* Adds changelog for v1.3.5 (#427)
* chore(deps): update alpine docker tag to v3.18 (#382)
* test: ensure fixtures directory isn't already a git repository
(#426)
* chore: ignore `.idea` directory (#425)
* Add withdrawn and fix time serialization to conform to the
schema. (#424)
* test: make `models` tests their own package (#423)
* Updated to reflect cvss scores being added to output table.
(#419)
* chore(deps): update workflows (#421)
* chore(deps): update alpine:3.17 docker digest to e95676d (#413)
* Add option to include severity in table output (#409)
* Update the model to better match schema and add YAML tags.
(#417)
* chore(deps): update golang:alpine docker digest to fd9d9d7
(#405)
* chore(deps): update workflows (#406)
* fix(deps): update osv-scanner minor (#415)
* Fixing broken github page (#412)
* Link checker (#408)
* fix(deps): update osv-scanner minor (#407)
* refactor: enable `goimports` linter (#404)
* Update the model to match the latest version of the OSV schema
(#403)
-------------------------------------------------------------------
Mon Jun 12 20:13:33 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.4:
* Prepare for 1.3.4 release. (#401)
* chore(deps): update workflows (#393)
* fix(deps): update osv-scanner minor (#392)
* Fix version printer to use app stdout and stderr (#395)
* OSV user agent (#390)
-------------------------------------------------------------------
Wed May 17 05:07:22 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.3:
* Add new line and fix test to avoid having to change version
twice (#387)
* 1.3.3 Release (#385)
* Use upload draft assets option (#384)
* chore(deps): update golang:alpine docker digest to ee2f23f
(#380)
* chore(deps): update slsa-framework/slsa-github-generator action
to v1.6.0 (#383)
* fix(deps): update osv-scanner minor (#381)
* Remove --hash from version in requirements.txt (#379)
* Small formatting changes (#377)
* chore(deps): bump github.com/cloudflare/circl from 1.1.0 to
1.3.3 (#378)
* add unit tests for results.go (#368)
* Improve exit docs and add No vulns found to output (#373)
* Update exit docs (#375)
* chore(deps): update github/codeql-action action to v2.3.3
(#372)
* chore(deps): update golang:alpine docker digest to 913de96
(#305)
* fix: handle cyclical `-r`s in `requirements.txt` (#366)
* fix: don't panic on empty files (#367)
* fix(deps): update osv-scanner minor (#327)
* Update spdx to 0.5.0 (#365)
* Update pkg/osv to allow overriding the http client / transport.
(#357)
* chore(deps): update github/codeql-action action to v2.3.2
(#363)
* Enable osvVulnerabilityAlerts (#362)
-------------------------------------------------------------------
Wed Apr 26 08:43:23 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.2:
* Fix sbom scanning code (#360)
* 1.3.2 Release (#359)
* Refactor reporter to interfaces (#345)
* Update all minor dependencies without spdx (#358)
* chore(deps): update workflows (#334)
* Better SBOM documentation and error message (#349)
* Move a specific regex to static variable (#346)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#328)
* chore(deps): bump nokogiri from 1.14.1 to 1.14.3 in /docs
(#338)
* chore(deps): bump commonmarker from 0.23.8 to 0.23.9 in /docs
(#337)
* SBOM parsing improvements. (#339)
* Make the reporter public (#341)
* Set `skip-pkg-cache: true` for golangci-lint (#340)
* Support PNPM v6+ Lockfile (#325)
* chore(deps): update alpine:3.17 docker digest to 124c7d2 (#326)
* Call analysis note fixed. (#331)
* Add configs to ignore test vulnerabilities (#329)
-------------------------------------------------------------------
Thu Mar 30 08:10:56 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.1:
* Release 1.3.1 changelog (#321)
* chore(deps): update ossf/scorecard-action action to v2.1.3
(#322)
* Add nil check to CycloneDX enumeration (#320)
-------------------------------------------------------------------
Tue Mar 28 04:59:28 UTC 2023 - kastl@b1-systems.de
- Update to version 1.3.0:
* Update changelog and version for v1.3.0 (#316)
* chore(deps): update workflows (#314)
* fix(deps): update osv-scanner minor (#313)
* Update workflows to compositing, so that goreleaser workflow
can run them. (#315)
* Fix workflow (#311)
* Fix some issues with the model. (#312)
* Improve the OSV models to allow for 3rd party use of the
library. (#310)
* Adds concurrency to hydration requests (#304)
* Make `IgnoredVulns` also ignore aliases (#300)
* fix(deps): update osv-scanner minor (#306)
* chore(deps): update actions/setup-go action to v4 (#308)
* chore(deps): update workflows (#307)
* Run tests before release (#301)
* chore(deps): bump activesupport from 7.0.4.2 to 7.0.4.3 in
/docs (#302)
* Pin lint action (#299)
* fix(deps): update osv-scanner minor (#288)
* fix: support Pipenv develop packages without versions. (#297)
* Set version in source code (#295)
* Prevent `.gitignore` files from interfering with tests (#292)
* fix: trim leading zeros off when comparing numerical components
in Maven versions (better) (#285)
* fix: avoid infinite loops parsing Maven poms with syntax errors
(#294)
* Check if PURL is valid before adding it to queries (#291)
* Renovate bot ignore vulns package (#289)
* chore(deps): update workflows (#287)
* fix: trim leading zeros off when comparing numerical components
in Maven versions (#279)
* Adding call graph info back in (#284)
* Update Colors for Accessibility (#278)
* Removed call graph analysis for now. (#282)
* Remove "working doc" concept (#275)
* feat: improved error message when pom dependency version not
found (#253)
* Add tags and point people to slsa-verifier (#265)
* ci: harden permissions (#269)
* Run on merge queue (#272)
* fix: properly handle comparing zero versions in Maven (#267)
* chore: add `.editorconfig` file (#266)
* fix(deps): update osv-scanner minor (#270)
* Renovate bot use ignorePaths instead for fixtures (#264)
* test: update case with new advisory (#268)
* fix: deduplicate packages that appear multiple times in
`Pipenv.lock` files (#261)
* feat: support `-r` flag in `requirements.txt` files (#260)
* chore(deps): update workflows (#242)
* fix: avoid panic when parsing `file:` dependencies in `pnpm`
lockfiles (#259)
* More specific cyclone dx parsing (#258)
* Parse nested CycloneDX components correctly (#251)
* fix: support yarn locks with quoted properties (#250)
* Update renovate.json (#248)
* fix(deps): update golang.org/x/exp digest to c95f2b4 (#241)
* govulncheck integration (#198)
* Create draft release first in goreleaser (#236)
* Adding additional installation instructions (#235)
-------------------------------------------------------------------
Thu Feb 23 10:38:20 UTC 2023 - kastl@b1-systems.de
- Update to version 1.2.0:
* Changelog update for v1.2.0 (#233)
* Moving Working Docs to Current (#234)
* Update the output docs, make logo a lot bigger, make page slightly wider (#226)
* Upgrade to yaml v3 (#231)
* ParseAs for dpkg-status (#229)
* Update analytics for documentation. (#230)
* chore(deps): update docker/setup-buildx-action digest to f03ac48 (#223)
* fix(deps): update osv-scanner minor (#225)
* chore(deps): bump golang.org/x/net from 0.2.0 to 0.7.0 (#222)
* chore(deps): update dependency http_parser.rb to "~> 0.8.0" (#224)
* fix: ensure that vulnerability results are ordered deterministically (#220)
* test: ensure case names match function under test (#228)
* Nits - APK installed optimizations (#227)
* Support for DPKG (Debian) parser (#168)
* feat: support `dependencyManagement` in Maven poms (#221)
* Google analytics added. (#215)
* Console formatting changes
* Documentation Style Improvements (#211)
* fixed broken link (#210)
* Documentation moved to github page.
* Minor changes for gitignore parsing (#208)
* Improve gitignore parsing (#206)
* fix(deps): update osv-scanner minor (#205)
* chore(deps): update github/codeql-action action to v2.2.4 (#204)
* Move instructions to Usage (#197)
* Make scanner respect .gitignore files (#191)
* feat: support specifying what parser to use in `--lockfile` (#94)
* fix: add missing toml tags to struct (and update linter) (#190)
* fix(deps): update golang.org/x/exp digest to 98cc5a0 (#188)
* fix(osv-query): omit SourceInfo from JSON marshaling (#185)
* test: remove nonsense case and correct names (#187)
* Update readme usage section (#171)
* chore(deps): update docker/login-action action to v2 (#148)
* fix(deps): update osv-scanner minor (#147)
* Support SPDX 2.3 (#178)
* chore(deps): update workflows (#172)
* feat: Render output as a markdown table for use in github comments (#156)
* APK: fix test function (#180)
* Log number of packages scanned from SBOMs. (#179)
* Make OSV api public (#167)
* Add experimental comment (#173)
* fix: exit with generic non-zero code when there is a general error (#161)
* fix: reuse app-level writer and err writers in `VersionPrinter` (#166)
* chore(deps): update github/codeql-action action to v2.1.39 (#159)
* test: add cases for `semantic.MustParse` (#160)
* feat: create `--format` flag (#158)
* golangci checks in github action, and fixes initial linter issues (#149)
* test: add case for `--version` flag (#162)
* chore: remove duplicated generators (#157)
* add conan.lock to the list (#59)
* Fix endpoint typo (#152)
* feat: add `semantic` package (#92)
* Adding re-try for getting a Vuln for the given ID (#141)
* chore(deps): update github/codeql-action action to v2.1.38 (#146)
* chore: adjust comment to match type name (#143)
* Mention Pipfile.lock support in changelog. (#140)
* Fix link to GitHub issues (#139)
-------------------------------------------------------------------
Thu Jan 12 06:01:09 UTC 2023 - kastl@b1-systems.de
- Update to version 1.1.0:
* Fix goreleaser permissions (#138)
* v1.1.0 release PR (#137)
* fix(deps): update osv-scanner minor (#79)
* Temporarily disable alpine package scanning (#136)
* Move tests from cloudbuild to gh actions (#135)
* Use short url in scanner output (#134)
* chore(deps): update workflows (#78)
* Update readme and add changelog (#133)
* fix: use correct ecosystem for NuGet (#132)
* Do not highlight borders of result table (#131)
* Add contributing file (#130)
* Update README.md (#127)
* docs: describe build process (#109)
* Add gomodtidy after renovate updates (#120)
* Make lint trigger same as others (#125)
* Minor documentation updates. (#121)
* Add support for Alpine Linux /lib/apk/db/installed (Resolves #72) (#107)
* feat: add docker publish method (#70)
* Add Pipenv lockfile support (Resolves #71) (#66)
* Lint readme (#100)
* Have renovate-bot label its PRs as it does with osv.dev (#116)
* [pkg] implement NuGet ecosystem parser (#98)
* Update github.com/spdx/gordf dependency to fix 32 bit support (#104)
* test: update spec case and adjust assertion message (#99)
* fix: ensure that files are closed when they're no longer needed (#106)
* Fix lockfile example syntax (#103)
* docs: add homebrew installation note (#89)
-------------------------------------------------------------------
Tue Dec 20 13:53:44 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- add build parameters so that 'osv-scanner --version' shows the proper version,
build date and the release tag as the commit
-------------------------------------------------------------------
Tue Dec 20 12:39:13 UTC 2022 - kastl@b1-systems.de
- Update to version 1.0.2:
* shorten affected package to package (#90)
* Move table columns so that the important column is displayed first (#87)
* Add blog post link to README (#84)
* Minor updates to install instruction title (#80)
* Added installation instructions for Scoop (#68)
* Update README.md (#77)
* Fix readme anchor link. (#76)
* Update README.md (#58)
* Add disclaimer on Debian scanning. (#65)
* Add gradle lockfile support (#46)
-------------------------------------------------------------------
Tue Dec 20 12:38:20 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- new package osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev