File osv-scanner.changes of Package osv-scanner

-------------------------------------------------------------------
Wed Oct 02 06:30:06 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.9.0:
  * chore(release): changelog for v1.9.0 (#1292)
  * chore(deps): update workflows (#1281)
  * chore(deps): lock file maintenance (#1282)
  * fix: bump osv max concurrent requests (#1290)
  * fix: apply go version override to _all_ instances of the
    `stdlib` (#1278)
  * fix: output invalid PURLs when scanning sboms (#1283)
  * fix(offline): report all ecosystems without local databases in
    one single line (#1279)
  * test: update snapshot (#1284)
  * chore(deps): update workflows (#1264)
  * fix(deps): update osv-scanner minor (#1265)
  * feat: assume `txt` files with "requirements" in their name are
    `requirements.txt` files (#1271)
  * chore(deps): update dependency webrick to v1.8.2 [security]
    (#1270)
  * test: update case to reflect recent config parsing changes
    (#1267)
  * feat: group DSA and its CVEs together (#1262)
  * feat: error if configuration file has unknown properties
    (#1249)
  * fix: don't allow `LoadPath` to be set via config file (#1252)
  * refactor: Follow revive rules across the repo (#1263)
  * chore: make guided remediation follow revive's default lint
    rules (#1259)
  * refactor(guided remediation): Take `PreFetch` out of
    `DependencyClient`  interface and prevent repeated datasource
    network calls (#1224)
  * ci: pin `amannn/action-semantic-pull-request` to a commit
    (#1256)
  * ci: pin `actions/stale` to a commit (#1255)
  * test: update snapshots with new security vulnerabilities
    (#1254)
  * chore: deprecate parser functions in favor of their extract
    equivalents (#1253)
  * refactor: simplify and reuse `tryLoadConfig` (#1248)
  * test: ensure `cmp.Diff` usage is consistent (#1251)
  * test: restructure internal `config` cases and fixtures (#1250)
  * fix: don't assume there's always a reason for a package being
    filtered out (#1241)
  * feat: Copy over dark docs theming from osv.dev (#1245)
  * fix: announce when a config file is invalid and exit with a
    non-zero code (#1242)
  * chore(deps): update workflows (#1247)
  * fix(deps): update osv-scanner minor (#1246)
  * feat: allow explicitly ignoring the license of a package in
    config (#1243)
  * feat(guided remediation): remediate unresolved dependency
    management vulns (#1235)
  * chore(deps): update alpine:3.20 docker digest to beefdbd
    (#1230)
  * chore(deps): update golang docker tag to v1.23.1 (#1231)
  * chore(deps): update workflows (#1205)
  * fix(deps): update osv-scanner minor (#1204)
  * chore(deps): lock file maintenance (#1195)

-------------------------------------------------------------------
Sat Sep 14 10:51:29 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.5:
  * chore(release): changelog for v1.8.5 (#1237)
  * fix: make Alpine ecosystem fallback to latest release version
    (#1236)
  * feat(internal): marshal self-closing tags in XML (#1225)
  * chore: update Go to version 1.22.7 (#1233)
  * feat: support composite-based package overrides (#1214)
  * chore: update test snapshots (#1232)
  * fix: govulncheck calls on C code (#1228)
  * refactor: use forked xml package for writing (#1223)
  * chore: update test snapshots (#1222)
  * feat(internal): add Maven native dependency client (#1207)
  * fix(guided remediation): Add special handling for specific
    Maven packages (#1219)
  * fix(deps): update module github.com/charmbracelet/bubbletea to
    v1 (#1217)
  * fix(internal): encode XML tokens without escaping (#1216)
  * chore: update test snapshots (#1218)
  * chore: axe `.go-version` file (#1212)
  * feat(guided remediation): Add `FIXED-VULN-IDS` to
    non-interactive output (#1210)
  * perf: ignored packages should be filtered out before scanning
    (#1206)
  * feat: support fetching snapshot versions from a Maven registry
    (#1160)
  * fix: stop finding more parent pom if the path is empty (#1194)
  * chore: add missed test ignore vuln (#1209)
  * chore: add `osv-scanner.toml` files to make Scorecard ignore
    vulnerabilities in our test fixtures (#1202)
  * chore(deps): update workflows (#1186)
  * fix(deps): update osv-scanner minor (#1187)
  * fix: correct for breaking change in glamour v0.8.0 (#1201)
  * chore(deps): update dependency github-pages to v232 (#1189)
  * chore(deps): update golang docker tag to v1.23.0 (#1188)

-------------------------------------------------------------------
Sat Sep 14 10:49:17 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.4:
  * chore(release): release v1.8.4 (#1200)
  * refactor: move Maven utility to a separate package (#1193)
  * docs: link to the Scorecard Report (#1197)
  * fix: unescape tabs before writing to pom.xml (#1190)
  * feat(guided remediation): add `--upgrade-config` flag (#1191)
  * chore: add PR title check to follow Git commit convention
    (#1178)
  * chore: add new vulnerability aliases to test snapshots (#1192)
  * feat: write Maven updates to parent pom.xml if possible (#1182)
  * chore: use the latest version of `golangci-lint` (#1185)
  * fix(guided remediation): error on `--data-source=native` for
    Maven (#1180)
  * ci(workflow): address github.com/rhysd/actionlint findings
    (#1176)
  * fix(workflow): correct permission name (#1175)
  * chore(deps): update workflows (#1173)
  * fix(deps): update osv-scanner minor (#1174)
  * fix: only trim XML elements with no inner elements (#1168)
  * fix(workflow): Add explicit permissions (#1171)
  * docs: add conventional commits requirement (#1172)
  * Package tracing PoC (#1049)
  * Update go policy and use stable go version for builds (#1156)
  * chore(deps): update dependency wdm to "~> 0.2.0" (#1163)
  * fix(deps): update osv-scanner minor (#1162)
  * chore(deps): update workflows (#1161)
  * Add changelog for v1.8.3 (#1150)

-------------------------------------------------------------------
Wed Aug 07 07:04:10 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.3:
  * chore: update dependency `github.com/docker/docker` (#1166)
  * chore(deps-dev): bump rexml from 3.3.2 to 3.3.3 in /docs in the
    bundler group (#1158)
  * add maven changes
  * feat(guided remediation): add non-interactive Maven remediation
    by override (#1136)
  * Label closed stale issues/PRs (#1165)
  * Fix snapshots (#1164)
  * Refactoring Maven manifest reading (#1159)
  * Do not attempt to remediate vulnerabilities in Maven artifacts
    that have defined `<classifier>` or `<type>` (#1151)
  * Handle Maven parent relative path (#1149)
  * fix(workflow): add read permission to
    `osv-scanner-reusable.yml` (#1157)
  * fix(workflow): update prerelease-check.yml to the latest
    OSV-Scanner action (#1153)
  * fix(osv-github-action): If all vulnerabilities are not called,
    don't return a non-zero exit code in osv-reporter (#1152)
  * update snaps
  * fix style
  * Add changelog for v1.8.3
  * chore(deps): lock file maintenance (#1130)
  * Increase frequency of staleness runs (#1148)
  * Improve Maven manifest updater (#1147)
  * chore(deps): update workflows (#1145)
  * fix(deps): update osv-scanner minor (#1146)
  * chore(deps): update golang:1.22.5-alpine3.19 docker digest to
    48aac60 (#1144)
  * chore(deps): update alpine:3.20 docker digest to 0a4eaa0
    (#1143)
  * feat: add "vertical" output format (#889)
  * chore(deps-dev): bump rexml from 3.3.1 to 3.3.2 in /docs in the
    bundler group (#1132)
  * Add Maven dependency management to override client (#1140)
  * Add original manifest to Maven ManifestPatch (#1134)
  * Exempt backlog label from stale treatment (#1135)
  * fix(deps): update osv-scanner minor (#1120)
  * Reflect Go 1.21.12 change more broadly (#1133)
  * ci: don't mark v2 wishlisted issues as stale (#1131)
  * chore(deps): update workflows (#1119)
  * Workflow for stale issue and PR management (#1125)
  * Bump goreleaser build version to 1.22.  (#1126)
  * Set the original requirement in patches from suggest (#1117)
  * fix: ensure that `semantic` is passed a valid
    `models.Ecosystem` (#1116)
  * Update docs: test dependencies not in the resolved graph
    (#1114)
  * Improved the runtime of DiffVulnerabilityResults (#1091)
  * Start on override strategy for maven guided remediation (#1025)
  * Sort dependencies before writing to pom.xml (#1113)
  * Activate profiles before merging parent (#1108)
  * Fix the wrong dependencies/dependency tags (#1112)
  * refactor: update linter and address minor violations (#1110)
  * Add a dependency to pom.xml if it is not from the base project
    (#1105)

-------------------------------------------------------------------
Wed Jul 10 07:40:40 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.2:
  * Bump go mod min version (#1109)
  * Add changelog for v1.8.2 (#1106)
  * Fix npm grouping (#1107)
  * Add warning to the default docker container scanning method
    (#1089)
  * Move sbom to internal, and add standard output tests (#1104)
  * fix: ensure that npm dependencies retain their "production"
    grouping (#939)
  * test: add output fixtures for call analysis (#1093)
  * fix: restore custom styling to table format (#1094)
  * chore(deps): lock file maintenance (#1103)
  * chore(deps): update workflows (#1101)
  * github-action.md add version into md example (#1073)
  * ✨  Adding CycloneDX 1.4 and 1.5 reporter (#1014)
  * chore(deps): update golang docker tag to v1.22.5 (#1100)
  * fix(deps): update osv-scanner minor (#1102)
  * Add go compiler to enable call analysis in the github action
    (#1099)
  * Update github action docs in osv-scanner (#1096)
  * test: update snapshots (#1092)
  * Refactoring `manifest.Read()` for Maven (#1083)
  * refactor: just disable color output rather than tracking
    terminal width (#1087)
  * ci: upgrade `semantic` workflow to use v4 for artifact
    workflows (#1088)
  * chore(deps): update workflows (#1080)
  * fix(deps): update module github.com/spdx/tools-golang to v0.5.5
    (#1081)
  * Added Testing for the SPDX SBOM Reader (#1086)
  * Changed min and max to inbuilt functions (#1076)
  * Update snapshots (#1084)
  * fix: use errgroup to avoid hydration deadlock scenario (#1078)
  * ci: setup workflow to run `semantic` tests weekly (#958)
  * test: update snapshots (#1079)
  * filter out unimportant vulnerabilities from vuln group (#1072)
  * Fix test (#1071)
  * fix: ensure that `package` exists in `affected` property
    (#1055)
  * Cherry-pick unmerged change from docs branch (#1069)
  * chore(deps): update alpine:3.20 docker digest to b89d9c9
    (#1062)
  * chore(deps): update golang:1.22.4-alpine3.19 docker digest to
    c46c460 (#1063)
  * fix(deps): update module github.com/charmbracelet/bubbletea to
    v0.26.6 (#1064)
  * Combine Debian unimportant count logs (#1067)
  * Update tests to support go version changes (#1065)
  * fix: only care about ecosystem suffix if present in both
    ecosystems when determining equality (#1007)
  * refactor: enable `revive/indent-error-flow` (#997)

-------------------------------------------------------------------
Fri Jun 21 20:09:23 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.1:
  * Make 1.8.1 release (#1056)
  * feat: bump goreleaser to v2 (#1054)
  * Update goreleaser.yml (#1052)

-------------------------------------------------------------------
Fri Jun 21 20:07:23 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.0:
  * v1.8.0 Changelog (#1050)
  * Add documentation for the configuration. (#1051)
  * Update documentation for transitive dependency scanning (#1040)
  * Invoke `MavenResolverExtrator` when scanning pom.xml (#1028)
  * fix(deps): update osv-scanner minor (#1044)
  * chore(deps): update workflows (#1043)
  * chore(deps): update golang docker tag to v1.22.4 (#896)
  * chore(deps): lock file maintenance (#1033)
  * chore(deps): update goreleaser/goreleaser-action action to v6
    (#1032)
  * Add `experimental-download-offline-databases` flag (#1039)
  * Update snapshots and exit codes (#1041)
  * Upgrade deps.dev dependencies (#1035)
  * Remove busybox from alpine SBOM (#1037)
  * Add go binary scanning (#1011)
  * Update Go patch version (#1030)
  * Merge parent projects for Maven pom.xml (#1019)
  * Update base docker image for golang 1.21.11 (#1029)
  * implement filtering by packages through the config (#944)
  * Dependency imports should always be fetched from upstream
    (#1027)
  * Upgrade go version (#1024)
  * Fix broken TUI styling (#1023)
  * Update test snapshots (#1022)
  * chore(deps): lock file maintenance (#1018)
  * fix(deps): update osv-scanner minor (#1017)
  * chore(deps): update workflows (#1016)
  * ci: don't try to upload code coverage on macOS (#1020)
  * Fix some Maven manifest & resolver issues (#1008)
  * Transitive dependency support for Maven pom.xml (#1002)
  * Select a version that actually exists (#1012)
  * Maven standard dependencies should take precedence over managed
    dependencies (#1000)
  * Do not record Maven `compile` scope in dependency groups (#1003)

-------------------------------------------------------------------
Thu May 30 09:34:18 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.7.4:
  * Remove feature from changelog as it's still blocked on #769
    (#1006)
  * V1.7.4 changelog (#1001)
  * Update typo in supported_languages_and_lockfiles.md (#998)
  * feat: support comparing Alpine versions locally (#980)
  * Now that we have updated to go1.21.10, we can remove the ignore
    line from osv-scanner.toml (#996)
  * chore(deps): update workflows (major) (#897)
  * fix(deps): update osv-scanner minor (#994)
  * chore(deps): update alpine docker tag to v3.20 (#993)
  * Update test snapshots (#992)
  * test: add cases for output functions (#937)
  * fix(deps): update osv-scanner minor (#978)
  * Add a new Maven pom.xml extractor (#982)
  * feat: support parsing `gradle/verification-metadata.xml` (#943)
  * chore(deps): update workflows (#977)
  * chore(deps): update golang:1.21-alpine3.19 docker digest to
    1c2e474 (#985)
  * chore(deps-dev): Bump the bundler group across 1 directory with
    2 updates (#983)
  * make Maven parent path relative on current project (#987)
  * Fix snapshots and alpine version (#990)
  * Update deps.dev dependencies (#984)
  * [docs] Add installation instructions for FreeBSD and NetBSD
    (#969)
  * Disable all unimportant vulnerabilities (#968)
  * GR: Add test universe generation script and tests for patch
    generation (#967)

-------------------------------------------------------------------
Thu May 09 07:20:31 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.7.3:
  * chore(deps): update golang:1.21-alpine3.19 docker digest to
    b3aea8d (#973)
  * v1.7.3 changelog and version bump (#972)
  * Update gomod go version (#971)
  * Fix tests; add newly discovered vulns (#970)
  * Update go.mod to 1.21.9 (#907)
  * chore: import `sys` in Python generators (#966)
  * ci: upgrade `golangci/golangci-lint-action` to v5 (#964)
  * chore: only extract versions from packages in the generator
    ecosystem (#957)
  * refactor: encapsulate getting the working directory in a helper
    function (#961)
  * refactor: apply Rubocop to Ruby generator (#956)
  * test: remove future snapshots (#960)
  * chore(deps): update workflows (#935)
  * fix(deps): update osv-scanner minor (#945)
  * chore(deps): lock file maintenance (#962)
  * Fix snapshot for test (#963)
  * fix: ensure the sarif output has a stable order (#938)
  * chore: support skipping known unsupported comparisons in
    generators (#954)
  * chore(deps): lock file maintenance (#936)
  * chore: improve version fixture generators for local usage
    (#953)
  * ci: cancel in-progress runs when new changes are pushed (#959)
  * Automated Updates: support parents and dependency imports
    (#890)
  * GR: Support filtering on alias IDs (#946)
  * ci: ensure input name case matches just to be safe (#955)
  * refactor: use `maps` functions instead of custom
    implementations (#940)
  * test: update snapshots due to external vulnerability changes
    (#951)
  * ci: upgrade Codecov to v4 (#941)
  * feat: add support for PNPM v9 lockfiles (#934)
  * Add new vuln to tests (#947)
  * chore: add missing space to panic message (#942)
  * test: include groups when describing package details (#933)

-------------------------------------------------------------------
Fri Apr 19 04:46:42 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.7.2:
  * Changelog for v1.7.2 (#932)
  * GR: Use deps.dev schema for graph definition in tests (#911)
  * ci: ensure snapshots are always cleaned up (#903)
  * test: clean up image snapshots (#923)
  * Fix paths in test snapshots (#930)
  * Fix regression for go call analysis in 1.7.0 (#926)
  * fix(deps): update osv-scanner minor (#918)
  * chore(deps): lock file maintenance (#919)
  * Ignore stdlib vuln (#920)
  * GR: Test `MatchVuln()` (#912)
  * GR: resolve tests & mock client (#909)
  * GR: Parse paths in npmrc auth fields correctly (#901)
  * Fix rust call analysis by explicitly disabling stripping of
    debug info (#908)
  * fix(deps): update osv-scanner minor (#895)
  * chore(deps): update golang:1.21-alpine3.19 docker digest to
    ed8ce6c (#905)
  * chore(deps): update workflows (#906)
  * chore(deps): lock file maintenance (#898)
  * test: clean and sort snapshots (#904)
  * Add new vuln for failing test (#900)
  * GR: Tests for npm relaxer (#894)
  * GR: Add simple test for package-lock.json writing (#891)
  * chore(deps): update workflows (#886)
  * fix(deps): update osv-scanner minor (#885)
  * update deps.dev/util/maven (#892)
  * Make MockHTTPServer for tests (#888)
  * GR: Add tests for npmrc & npm registry api (#879)
  * Update github action docs to v1.7.1 (#881)
  * Use stable deps.dev v3 API (#882)
  * test: pin alpine image to exact sha (#880)
  * test: change how snapshot matchers are called and update
    example name for consistency (#866)
  * [docs] Fix the HTTP link for downloading offline database.
    (#877)
  * fix(renovate): constrain go to 1.21 and do not update golang
    (#874)
  * ci: harden workflow permissions (#872)
  * chore(deps): Bump github.com/docker/docker from
    25.0.3+incompatible to 25.0.5+incompatible (#878)

-------------------------------------------------------------------
Wed Mar 20 06:19:45 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.7.1:
  * v1.7.1 changelog and removing unused fixtures (#876)
  * Fix/update retry logic in OSV (#860)
  * perf: optimize string formatting and update linting (#828)
  * test: add cli cases for `node_modules` images (#870)
  * Follow up PR851 mark acceptance on image tests (#869)
  * GR: Add npm lockfile read tests (#853)
  * ci: downgrade codecov action to v3 (#871)
  * test: use "public" package where possible (#838)
  * test: regenerate snapshots (#867)
  * Pin the dockerfiles to the correct base image (#865)
  * chore(deps): update workflows (#863)
  * fix(deps): update osv-scanner minor (#864)
  * add MakeVersionRequestsWithContext() (#781)
  * improve error messages in Maven registry client (#859)
  * Fix location of "*" for requirements.txt (#858)
  * docs: reword sentence in guided-remediation (#846)
  * Put API/networking errors on another error code (#857)
  * chore(deps): update golang:alpine docker digest to fc5e584
    (#852)
  * Find and save the distro version when extracting from debian
    and alpine (#854)
  * fix: allow users to override GOVERSION (#850)
  * feat: support scanning `node_modules` generated by NPM in
    container images (#851)
  * GR: Add npm ManifestIO tests & minor fixes (#845)
  * Automated Updates: set up update subcommand (#830)

-------------------------------------------------------------------
Fri Mar 15 21:49:28 UTC 2024 - opensuse_buildservice@ojkastl.de

- BuildRequire go 1.21.8 to follow upstream
- Update to version 1.7.0:
  * Update changelog for v1.7.0 (#843)
  * Merge docs to main (#842)
  * Replace stereoscope with using go-containerregistry directly
    (#836)
  * Rename relaxer and suggester (#839)
  * Update deps (#841)
  * Downgrade go.mod (#833)
  * chore(deps): update workflows (#835)
  * Add more guided remediation known issues re: vulnerability
    counting (#840)
  * Guided Remediation Docs (#827)
  * test: automatically cleanup test zip server (#834)
  * chore(deps): lock file maintenance (#822)
  * fix(deps): update osv-scanner minor (#807)
  * ci: remove unneeded `setup-go` step and pin
    `actions/download-artifact` (#786)
  * Don't traverse gitignored dirs for gitignore files (#797)
  * test: make `createTestDir` a general test utility (#832)
  * Maximum severity rating for each Group object in JSON output
    (#805)
  * Automated Updates: add a simple Maven registry API client
    (#837)
  * Automated Updates: only append dependencies with property to
    original requirements (#823)
  * chore(deps): update dependency github-pages to v231 (#821)
  * chore(deps): update workflows to v4 (major) (#784)
  * chore(deps): update workflows (#806)
  * Added a switch for using cached local db in test to improve
    speed (#826)
  * Remove version from the binary name. (#831)
  * Automated Updates: suggest property patches to update for Maven
    (#824)
  * refactor: replace usage of deprecated function (#829)
  * chore: don't ignore `fixtures` directory (#825)
  * Align GoVulncheck Go version with go.mod (#818)
  * Guided Remediation: Compute Dev dependencies in in-place
    parsing (#816)
  * Automated Updates: add ManifestIO for Maven (#813)
  * Update suggester package name (#817)
  * Automated Updates: add version suggester for Maven (#815)
  * Guided remediation: Interactive mode TUI (#811)
  * Proof of Concept of container scanning (#808)
  * Guided Remediation: non-interactive mode (#798)
  * Update main with the new docs updates.  (#810)
  * Add user agent to deps.dev requests (#804)
  * chore(deps): update golang:alpine docker digest to 8e96e6c
    (#793)
  * fix(deps): update osv-scanner minor (#794)
  * chore(deps): update dependency github-pages to v230 (#796)
  * chore(deps): update workflows (#795)
  * Start setting up guided remediation subcommand (#792)
  * Guided Remediation: Compute in-place updates (#789)
  * Guided Remediation: Add `package-lock.json` LockfileIO (#785)
  * add new spdx identifiers (#788)
  * chore(deps-dev): Bump nokogiri from 1.15.5 to 1.16.2 in /docs
    (#787)
  * chore(deps): update workflows (#783)
  * fix(deps): update osv-scanner minor (#782)
  * Guided Remediation: add npm registry clients & `.npmrc` parsing
    (#778)
  * Fix tests (#780)

-------------------------------------------------------------------
Wed Jan 31 14:00:36 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.6.2:
  * Update changelog for 1.6.2 (#779)
  * chore(deps): update golang:alpine docker digest to a6a7f1f
    (#772)
  * chore(deps): update alpine:3.19 docker digest to c5b1261 (#771)
  * Add pdm lockfile support (#776)
  * Guided Remediation: Make `VulnerabilityClient` for OSV queries
    (#773)
  * Do not fail if no lockfiles found in github action (#774)
  * Guided Remediation: Add computation for all relaxation patches
    (#766)
  * Parse severities for guided remediation (#767)
  * Add pictures to github action docs (#768)
  * Guided Remediation: Add dependency relaxation & re-resolution
    (#765)
  * Update govet printf settings (#745)
  * fix: improve wording of usage description (#764)
  * Guided Remediation: add npm `package.json` manifest parser
    (#763)
  * Update github action version (#761)
  * Guided Remediation: Add manifest resolution (#757)
  * Add OSV-Scanner subcommands (#748)
  * test: use snapshot-based testing (#717)
  * chore(deps): lock file maintenance (#760)
  * fix(deps): update osv-scanner minor (#758)
  * chore(deps): update workflows (#759)
  * add dependency groups to flattened vulnerability (#754)
  * Use new GitHub action in new repository (#756)

-------------------------------------------------------------------
Thu Jan 18 08:15:11 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.6.1:
  * Final goreleaser fix (#753)
  * Remove unnecessary docker manifest entry in goreleaser (#752)
  * Update goreleaser to fix release pipeline (#751)

-------------------------------------------------------------------
Thu Jan 18 08:13:06 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.6.0:
  * Update CHANGELOG.md for 1.6.0 (#749)
  * Bump version for OSV-Scanner. (#750)
  * Build action image when releasing (#747)
  * fix(deps): update osv-scanner minor (#743)
  * chore(deps): update actions/upload-artifact action to v4.1.0
    (#744)
  * chore(deps): update golang:alpine docker digest to fd78f2f
    (#719)
  * chore(deps): update workflows (major) (#709)
  * chore(deps): update alpine docker tag to v3.19 (#708)
  * fix(deps): update osv-scanner minor (#700)
  * chore(deps): lock file maintenance (#710)
  * chore(deps): update github/codeql-action action to v2.23.0
    (#707)
  * Assume latest patch version if version does not exist (#740)
  * Add support for verbosity levels (#727)
  * Show ecosystem and version even if git is shown if the info
    exists. (#736)
  * chore(deps): Bump github.com/cloudflare/circl from 1.3.3 to
    1.3.7 (#738)
  * Add option to not fail on vuln to workflow files (#737)
  * Fix vulnerabilities that OSV-Scanner found (#724)
  * Add option to not fail on vulnerability being found for github
    action (#732)
  * fix: remove deprecated `Reporter` methods (#722)
  * fix directives related to go generate in package spdx (#730)
  * verify license allowlist against spdx identifiers (#729)
  * Add formatting instructions to docs contribution (#723)
  * Adjusting docs (#716)
  * fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0
    [security] (#721)
  * Get go stdlib version from go.mod (#704)
  * feat: support `PrintTextf` and `PrintErrorf` on `Reporter`
    (#706)
  * Refactor: attempt to transition into using models.Ecosystems
    rather than lockfile.Ecosystems (#705)
  * Updating cdxgen-go version in go.mod (#718)
  * Unify OSV scanner action (#711)
  * refactor: setup `prettier` for formatting files (#693)
  * Return an error if both license scanning and local/offline
    scanning is enabled simultaneously (#703)
  * chore(deps): update golang:alpine docker digest to feceecc
    (#699)
  * scan and report dependency groups of vulnerabilities (#655)
  * Create an option to skip/disable upload to code scanning (#702)
  * Add support for NuGet lock files version 2 (#694)
  * remove extra backtick in license scanning documentation (#696)
  * Update changelog to include minimum go version changes (#695)

-------------------------------------------------------------------
Wed Dec 06 12:05:33 UTC 2023 - kastl@b1-systems.de

- Update to version 1.5.0:
  * Add changelog for version 1.5.0 (#692)
  * Fix go mod (#691)
  * chore(deps): lock file maintenance (#653)
  * refactor: switch golang.org/x/exp/slices usages to stdlib
    (#690)
  * Include available formats in `--format` help message (#685)
  * chore(deps): update golang:alpine docker digest to 70afe55
    (#687)
  * chore(deps): update alpine:3.18 docker digest to 34871e7 (#686)
  * fix(deps): update osv-scanner minor (#688)
  * Add `osv-scanner` pre-commit hook (#669)
  * Fix goreleaser build (#683)
  * feat: CVSS v4.0 support and replace cvss implementation to
    comply with the specifications (#651)
  * chore(deps): update workflows (#666)
  * Added license scanning info (#674)
  * update docs for call analysis. (#682)
  * Setup manual release pipeline (#681)
  * add experimental-licenses summary flag (#678)
  * Set Go call analysis to default behaviour (#665)
  * Fix filter ids (#647)
  * feat: add support for `renv.lock` (#668)
  * Simplify return codes to return 1 if any vulnerability related
    error (#677)
  * fix(deps): update osv-scanner minor (#652)
  * refactor: upgrade golangci-lint (#673)
  * make license allowlist matching case insensitive (#672)
  * ci: run tests on Windows (#646)
  * feat: add support for comparing CRAN versions (#656)
  * ci: update `golangci-lint` to v1.54 (#661)
  * Don't include nested vendored libs in determineversions query.
    (#649)
  * chore: disable `goconst` linter (#662)
  * fix: remove noise lockfile warnings (#660)
  * ci: enforce that `cachedregexp` is always used instead of
    `regexp` (#663)
  * Adding C/C++ info to the docs (#648)
  * cmd/osv-scanner: update sarif output in test cases (#659)
  * Downgrade jekyll-feed. Update lock file (#650)
  * chore(deps): update golang:alpine docker digest to 110b07a
    (#640)
  * fix: properly handle file/url paths on Windows (#645)
  * test: don't ignore anything from coverage (#627)
  * fix(deps): update osv-scanner minor (#641)
  * Filter local packages from scanning, and report the filtering.
    (#643)
  * license checking experimental feature (#501)
  * upgrade version of Go in GitHub checks (#637)
  * test: check against error type rather than message (#628)
  * Minor github action docs changes to clarify behaviour. (#630)

-------------------------------------------------------------------
Thu Nov 02 05:58:57 UTC 2023 - kastl@b1-systems.de

- Update to version 1.4.3:
  * Prepare for v1.4.3 release (#629)
  * Add support for determineversions API (#612). (#621)
  * Refactor package scanning to produce packages instead of
    queries (#614)
  * Fix permissions in PR osv-scanner (#625)
  * Fix gitignore matching for root directory (#626)
  * Go binary not found should not be an error (#622)
  * Scan submodules too. (#581)
  * fix: handle yarn aliased packages (#615)
  * fix(deps): update osv-scanner minor (#618)
  * chore(deps): update github/codeql-action action to v2.22.5
    (#616)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#597)
  * chore(deps): update workflows (#596)
  * handle npm aliased packages (#610)
  * Some minor post release fixes (#613)
  * Gate extended tests (#598)
  * test: use `cmp.Diff` for diffing (#605)
  * fix: remove some extra newlines in sarif report (#607)

-------------------------------------------------------------------
Wed Oct 25 04:43:42 UTC 2023 - kastl@b1-systems.de

- Update to version 1.4.2:
  * Prepare for 1.4.2 release (#609)
  * chore: don't trim trailing whitespace on fixture snapshots
    (#608)
  * Update release pipeline (#602)
  * fix: trim leading and trailing newlines off SARIF output (#606)
  * Add name field to sarif rule output (#600)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#579)
  * chore(deps): update golang:alpine docker digest to 926f7f7
    (#591)
  * chore(deps): update workflows (#592)
  * Make scheduled and PR scanning only scan the relevant files and
    ignore fixtures (#594)
  * Update docs to add in saving to file option (#593)
  * Clarify in the docs actions will fail when vulns are found
    (#587)
  * chore(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#585)
  * Change branch back in github action (#586)
  * Fix permissions and attempt "Download Artifact" option to allow
    custom lockfiles (#584)
  * Small doc adjustments for GitHub Actions (#582)
  * fix(deps): update osv-scanner minor (#578)
  * Update deps and fix tests (#583)
  * Improve documentation for github actions (#575)
  * chore(deps): update golang:alpine docker digest to a76f153
    (#577)
  * chore(deps): update workflows (#580)
  * fix: support versions with build metadata in `yarn.lock` files
    (#576)
  * Add additional tests for git scanning, and markdown format
    (#569)

-------------------------------------------------------------------
Fri Oct 06 13:11:57 UTC 2023 - kastl@b1-systems.de

- Update to version 1.4.1:
  * Allow release scanning to upload SARIF file.  (#573)
  * Fix goreleaser and update changelog (#572)
  * 1.4.1 release and changelog (#571)
  * SARIF with fixed version (#559)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#568)
  * chore(deps): update github/codeql-action action to v2.21.9
    (#567)
  * chore(deps): update golang:alpine docker digest to 4bc6541
    (#566)
  * chore(deps): update alpine:3.18 docker digest to eece025 (#565)
  * ci: don't fetch the whole repository history when it's not
    needed (#562)
  * ci: ensure that `actions/checkout` is pinned (#563)
  * Block release on vuln scan (#561)
  * ci: use `.go-version` file (#564)
  * ci: run tests on macos and in parallel when releasing (#560)
  * test: use `cmp.Diff` for comparing output (#558)
  * Add new ecosystems, and a slice containing all of them. (#557)
  * test: compare expected with actual rather than the other way
    around (#556)
  * chore: move scripts into the `scripts` directory (#555)
  * ci: combine lint and test workflows (#554)
  * test: add cases for extra coverage (#524)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#544)
  * chore(deps): lock file maintenance (#545)
  * chore(deps): update workflows (#538)
  * Add custom scan arguments (#552)
  * SARIF output fixes. (#547)
  * Minor readme update (#546)
  * Action docs (#541)
  * Update SARIF format (#534)
  * Fix action naming and scheduled scan parameters (#543)
  * chore(deps): update workflows (major) (#540)
  * Attempt at multiline action (#542)
  * fix(deps): update osv-scanner minor (#539)
  * Update experimental.md (#536)

-------------------------------------------------------------------
Thu Sep 14 05:01:43 UTC 2023 - kastl@b1-systems.de

- Update to version 1.4.0:
  * Fix issue in the changelog (#533)
  * 1.4.0 changelog and docs (#532)
  * Adding Offline info (#517)
  * chore(deps): update golang:alpine docker digest to 96634e5
    (#527)
  * chore(deps): update workflows (#529)
  * fix(deps): update osv-scanner minor (#528)
  * Fix result scanning (#526)
  * ci: change how coverage is collected (#525)
  * chore: capture coverage and upload it to codecov (#512)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#520)
  * Correctly use matchFileNames in renovate.json (#522)
  * Update test results to pass new test (#523)
  * Revert breaking change in `osv.go` (#514)
  * Add osv output lockfile + refactor (#505)
  * Update renovate.json (#504)
  * fix(deps): update osv-scanner minor (#506)
  * Refactor models (#510)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#508)
  * chore(deps): update actions/checkout action to v3.6.0 (#507)
  * Update contributing docs (#502)
  * chore(deps-dev): Bump activesupport from 7.0.7 to 7.0.7.2 in
    /docs (#503)
  * fix(deps): update golang.org/x/exp digest to d852ddb (#496)
  * Add fixtures go to renovate bot ignore (#500)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#498)
  * chore(deps): update golangci/golangci-lint-action action to
    v3.7.0 (#499)
  * chore(deps): update actions/setup-go action to v4.1.0 (#497)
  * If go version can't be found, don't add stdlib (#494)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#448)
  * feat: support `io.Reader` based parsers (#451)
  * fix: don't error if local db directory already exists (#493)
  * fix: ensure that "introduced 0" events are sorted before any
    other event (#492)
  * Add go stdlib version support (#484)
  * chore(deps): update golang:alpine docker digest to 445f340
    (#467)
  * chore(deps): update alpine docker tag to v3.18 (#468)
  * chore(deps): update slsa-framework/slsa-github-generator action
    to v1.8.0 (#469)
  * chore(deps): update alpine:3.18 docker digest to 7144f7b (#480)
  * chore(deps): update alpine:3.17 docker digest to f71a5f0 (#466)
  * chore(deps): update
    gaurav-nelson/github-action-markdown-link-check digest to
    46e4421 (#481)
  * fix(deps): update golang.org/x/exp digest to 89c5cff (#482)
  * chore(deps): update github/codeql-action action to v2.21.4
    (#483)
  * Fix some vulns and ignore others (#490)
  * Rust call analysis (#452)
  * Scanner action should pass if the vulnerabilities remain the
    same (#475)
  * Tidy up scanner action (#474)
  * Manually update dependencies to resolve vulnerability
    https://osv.dev/GO-2023-1988 (#472)
  * feat: add experimental offline mode (#183)
  * Move github action back to the main branch (#465)
  * refactor: move experimental flags into their own struct (#463)
  * fix: use correct plural and singular forms based on count
    (#462)
  * chore(deps): update github/codeql-action action to v2.21.2
    (#455)
  * fix(deps): update osv-scanner minor (#456)
  * Add annotations and osv-scanner table in the Github Action
    output (#460)
  * Fix purl mapping (#457)
  * test: make `output` tests their own package (#461)
  * Updated github actions to use main branch now that the PR is
    merged in (#459)
  * Recreated Github Action PR  (#432)
  * chore: minor grammar fixes (#454)
  * chore(deps): update docker/setup-buildx-action digest to
    4c0219f (#437)
  * chore(deps): update golang:alpine docker digest to 7839c9f
    (#444)
  * Optimize Dockerfile and add .dockerignore (#441)
  * chore(deps): update github/codeql-action action to v2.21.0
    (#449)
  * Enable lockfile maintenance (#450)
  * fix(deps): update osv-scanner minor (#445)

-------------------------------------------------------------------
Wed Jul 19 06:29:55 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.6:
  * Prepare for v1.3.6 Release (#447)
  * Adjusting GitHub actions (#446)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#438)
  * go.mod: upgrade to golang.org/x/vuln@v1.0.0 (#443)
  * Fix PURLToPackage function and move it (#439)
  * Update README.md (#440)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#422)
  * chore(deps): update workflows (#429)
  * fix(deps): update osv-scanner minor (#430)
  * update govulncheck integration (#431)

-------------------------------------------------------------------
Wed Jun 28 06:19:46 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.5:
  * Add more ignores now that debian PURLs are parsed correctly
    (#428)
  * Adds changelog for v1.3.5 (#427)
  * chore(deps): update alpine docker tag to v3.18 (#382)
  * test: ensure fixtures directory isn't already a git repository
    (#426)
  * chore: ignore `.idea` directory (#425)
  * Add withdrawn and fix time serialization to conform to the
    schema. (#424)
  * test: make `models` tests their own package (#423)
  * Updated to reflect cvss scores being added to output table.
    (#419)
  * chore(deps): update workflows (#421)
  * chore(deps): update alpine:3.17 docker digest to e95676d (#413)
  * Add option to include severity in table output (#409)
  * Update the model to better match schema and add YAML tags.
    (#417)
  * chore(deps): update golang:alpine docker digest to fd9d9d7
    (#405)
  * chore(deps): update workflows (#406)
  * fix(deps): update osv-scanner minor (#415)
  * Fixing broken github page (#412)
  * Link checker (#408)
  * fix(deps): update osv-scanner minor (#407)
  * refactor: enable `goimports` linter (#404)
  * Update the model to match the latest version of the OSV schema
    (#403)

-------------------------------------------------------------------
Mon Jun 12 20:13:33 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.4:
  * Prepare for 1.3.4 release. (#401)
  * chore(deps): update workflows (#393)
  * fix(deps): update osv-scanner minor (#392)
  * Fix version printer to use app stdout and stderr (#395)
  * OSV user agent (#390)

-------------------------------------------------------------------
Wed May 17 05:07:22 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.3:
  * Add new line and fix test to avoid having to change version
    twice (#387)
  * 1.3.3 Release (#385)
  * Use upload draft assets option (#384)
  * chore(deps): update golang:alpine docker digest to ee2f23f
    (#380)
  * chore(deps): update slsa-framework/slsa-github-generator action
    to v1.6.0 (#383)
  * fix(deps): update osv-scanner minor (#381)
  * Remove --hash from version in requirements.txt (#379)
  * Small formatting changes (#377)
  * chore(deps): bump github.com/cloudflare/circl from 1.1.0 to
    1.3.3 (#378)
  * add unit tests for results.go (#368)
  * Improve exit docs and add No vulns found to output (#373)
  * Update exit docs (#375)
  * chore(deps): update github/codeql-action action to v2.3.3
    (#372)
  * chore(deps): update golang:alpine docker digest to 913de96
    (#305)
  * fix: handle cyclical `-r`s in `requirements.txt` (#366)
  * fix: don't panic on empty  files (#367)
  * fix(deps): update osv-scanner minor (#327)
  * Update spdx to 0.5.0 (#365)
  * Update pkg/osv to allow overriding the http client / transport.
    (#357)
  * chore(deps): update github/codeql-action action to v2.3.2
    (#363)
  * Enable osvVulnerabilityAlerts (#362)

-------------------------------------------------------------------
Wed Apr 26 08:43:23 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.2:
  * Fix sbom scanning code (#360)
  * 1.3.2 Release (#359)
  * Refactor reporter to interfaces (#345)
  * Update all minor dependencies without spdx (#358)
  * chore(deps): update workflows (#334)
  * Better SBOM documentation and error message (#349)
  * Move a specific regex to static variable (#346)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#328)
  * chore(deps): bump nokogiri from 1.14.1 to 1.14.3 in /docs
    (#338)
  * chore(deps): bump commonmarker from 0.23.8 to 0.23.9 in /docs
    (#337)
  * SBOM parsing improvements. (#339)
  * Make the reporter public (#341)
  * Set `skip-pkg-cache: true` for golangci-lint (#340)
  * Support PNPM v6+ Lockfile (#325)
  * chore(deps): update alpine:3.17 docker digest to 124c7d2 (#326)
  * Call analysis note fixed.  (#331)
  * Add configs to ignore test vulnerabilities (#329)

-------------------------------------------------------------------
Thu Mar 30 08:10:56 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.1:
  * Release 1.3.1 changelog (#321)
  * chore(deps): update ossf/scorecard-action action to v2.1.3
    (#322)
  * Add nil check to CycloneDX enumeration (#320)

-------------------------------------------------------------------
Tue Mar 28 04:59:28 UTC 2023 - kastl@b1-systems.de

- Update to version 1.3.0:
  * Update changelog and version for v1.3.0 (#316)
  * chore(deps): update workflows (#314)
  * fix(deps): update osv-scanner minor (#313)
  * Update workflows to compositing, so that goreleaser workflow
    can run them. (#315)
  * Fix workflow (#311)
  * Fix some issues with the model. (#312)
  * Improve the OSV models to allow for 3rd party use of the
    library. (#310)
  * Adds concurrency to hydration requests (#304)
  * Make `IgnoredVulns` also ignore aliases (#300)
  * fix(deps): update osv-scanner minor (#306)
  * chore(deps): update actions/setup-go action to v4 (#308)
  * chore(deps): update workflows (#307)
  * Run tests before release (#301)
  * chore(deps): bump activesupport from 7.0.4.2 to 7.0.4.3 in
    /docs (#302)
  * Pin lint action (#299)
  * fix(deps): update osv-scanner minor (#288)
  * fix: support Pipenv develop packages without versions. (#297)
  * Set version in source code (#295)
  * Prevent `.gitignore` files from interfering with tests (#292)
  * fix: trim leading zeros off when comparing numerical components
    in Maven versions (better) (#285)
  * fix: avoid infinite loops parsing Maven poms with syntax errors
    (#294)
  * Check if PURL is valid before adding it to queries (#291)
  * Renovate bot ignore vulns package (#289)
  * chore(deps): update workflows (#287)
  * fix: trim leading zeros off when comparing numerical components
    in Maven versions (#279)
  * Adding call graph info back in (#284)
  * Update Colors for Accessibility (#278)
  * Removed call graph analysis for now. (#282)
  * Remove "working doc" concept (#275)
  * feat: improved error message when pom dependency version not
    found (#253)
  * Add tags and point people to slsa-verifier (#265)
  * ci: harden permissions (#269)
  * Run on merge queue (#272)
  * fix: properly handle comparing zero versions in Maven (#267)
  * chore: add `.editorconfig` file (#266)
  * fix(deps): update osv-scanner minor (#270)
  * Renovate bot use ignorePaths instead for fixtures (#264)
  * test: update case with new advisory (#268)
  * fix: deduplicate packages that appear multiple times in
    `Pipenv.lock` files (#261)
  * feat: support `-r` flag in `requirements.txt` files (#260)
  * chore(deps): update workflows (#242)
  * fix: avoid panic when parsing `file:` dependencies in `pnpm`
    lockfiles (#259)
  * More specific cyclone dx parsing (#258)
  * Parse nested CycloneDX components correctly (#251)
  * fix: support yarn locks with quoted properties (#250)
  * Update renovate.json (#248)
  * fix(deps): update golang.org/x/exp digest to c95f2b4 (#241)
  * govulncheck integration (#198)
  * Create draft release first in goreleaser (#236)
  * Adding additional installation instructions (#235)

-------------------------------------------------------------------
Thu Feb 23 10:38:20 UTC 2023 - kastl@b1-systems.de

- Update to version 1.2.0:
  * Changelog update for v1.2.0 (#233)
  * Moving Working Docs to Current (#234)
  * Update the output docs, make logo a lot bigger, make page slightly wider (#226)
  * Upgrade to yaml v3 (#231)
  * ParseAs for dpkg-status (#229)
  * Update analytics for documentation. (#230)
  * chore(deps): update docker/setup-buildx-action digest to f03ac48 (#223)
  * fix(deps): update osv-scanner minor (#225)
  * chore(deps): bump golang.org/x/net from 0.2.0 to 0.7.0 (#222)
  * chore(deps): update dependency http_parser.rb to "~> 0.8.0" (#224)
  * fix: ensure that vulnerability results are ordered deterministically (#220)
  * test: ensure case names match function under test (#228)
  * Nits  - APK installed optimizations (#227)
  * Support for DPKG (Debian) parser (#168)
  * feat: support `dependencyManagement` in Maven poms (#221)
  * Google analytics added. (#215)
  * Console formatting changes
  * Documentation Style Improvements (#211)
  * fixed broken link (#210)
  * Documentation moved to github page.
  * Minor changes for gitignore parsing (#208)
  * Improve gitignore parsing (#206)
  * fix(deps): update osv-scanner minor (#205)
  * chore(deps): update github/codeql-action action to v2.2.4 (#204)
  * Move instructions to Usage (#197)
  * Make scanner respect .gitignore files (#191)
  * feat: support specifying what parser to use in `--lockfile` (#94)
  * fix: add missing toml tags to struct (and update linter) (#190)
  * fix(deps): update golang.org/x/exp digest to 98cc5a0 (#188)
  * fix(osv-query): omit SourceInfo from JSON marshaling (#185)
  * test: remove nonsense case and correct names (#187)
  * Update readme usage section (#171)
  * chore(deps): update docker/login-action action to v2 (#148)
  * fix(deps): update osv-scanner minor (#147)
  * Support SPDX 2.3 (#178)
  * chore(deps): update workflows (#172)
  * feat: Render output as a markdown table for use in github comments (#156)
  * APK: fix test function (#180)
  * Log number of packages scanned from SBOMs. (#179)
  * Make OSV api public (#167)
  * Add experimental comment (#173)
  * fix: exit with generic non-zero code when there is a general error (#161)
  * fix: reuse app-level writer and err writers in `VersionPrinter` (#166)
  * chore(deps): update github/codeql-action action to v2.1.39 (#159)
  * test: add cases for `semantic.MustParse` (#160)
  * feat: create `--format` flag (#158)
  * golangci checks in github action, and fixes initial linter issues (#149)
  * test: add case for `--version` flag (#162)
  * chore: remove duplicated generators (#157)
  * - add conan.lock to the list (#59)
  * Fix endpoint typo (#152)
  * feat: add `semantic` package (#92)
  * Adding re-try for getting a Vuln for the given ID (#141)
  * chore(deps): update github/codeql-action action to v2.1.38 (#146)
  * chore: adjust comment to match type name (#143)
  * Mention Pipfile.lock support in changelog. (#140)
  * Fix link to GitHub issues (#139)

-------------------------------------------------------------------
Thu Jan 12 06:01:09 UTC 2023 - kastl@b1-systems.de

- Update to version 1.1.0:
  * Fix goreleaser permissions (#138)
  * v1.1.0 release PR (#137)
  * fix(deps): update osv-scanner minor (#79)
  * Temporarily disable alpine package scanning (#136)
  * Move tests from cloudbuild to gh actions (#135)
  * Use short url in scanner output (#134)
  * chore(deps): update workflows (#78)
  * Update readme and add changelog (#133)
  * fix: use correct ecosystem for NuGet (#132)
  * Do not highlight borders of result table (#131)
  * Add contributing file (#130)
  * Update README.md (#127)
  * docs: describe build process (#109)
  * Add gomodtidy after renovate updates (#120)
  * Make lint trigger same as others (#125)
  * Minor documentation updates. (#121)
  * Add support for Alpine Linux /lib/apk/db/installed (Resolves #72) (#107)
  * feat: add docker publish method (#70)
  * Add Pipenv lockfile support (Resolves #71) (#66)
  * Lint readme (#100)
  * Have renovate-bot label its PRs as it does with osv.dev (#116)
  * [pkg] implement NuGet ecosystem parser (#98)
  * Update github.com/spdx/gordf dependency to fix 32 bit support (#104)
  * test: update spec case and adjust assertion message (#99)
  * fix: ensure that files are closed when they're no longer needed (#106)
  * Fix lockfile example syntax (#103)
  * docs: add homebrew installation note (#89)

-------------------------------------------------------------------
Tue Dec 20 13:53:44 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>

- add build parameters, so 'osv-scanner --version' shows proper version,
  build date and the release tag as commit

-------------------------------------------------------------------
Tue Dec 20 12:39:13 UTC 2022 - kastl@b1-systems.de

- Update to version 1.0.2:
  * shorten affected package to package (#90)
  * Move table columns so that the important column is displayed first (#87)
  * Add blog post link to README (#84)
  * Minor updates to install instruction title (#80)
  * Added installation instructions for Scoop (#68)
  * Update README.md (#77)
  * Fix readme anchor link. (#76)
  * Update README.md (#58)
  * Add disclaimer on Debian scanning. (#65)
  * Add gradle lockfile support (#46)

-------------------------------------------------------------------
Tue Dec 20 12:38:20 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>

- new package osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev