
Releases: google/osv-scanner

v2.0.0-beta1

30 Jan 00:20
2821e79
v2.0.0-beta1 Pre-release

Changelog

The first beta of OSV-Scanner V2 is here! This beta release introduces significant enhancements, including refactored dependency extraction capabilities, container image scanning, and guided remediation for Maven.

This beta release does not introduce any breaking CLI changes, and the beta period is expected to last approximately one month. However, as this is a beta release, the final release may still contain breaking changes compared to the first beta.

A GitHub Action based on OSV-Scanner V2 is also coming soon. Stay tuned!

We encourage you to try out these new features and would appreciate any feedback you might have on our discussion topics.

Layer and base image-aware container scanning

A significant new feature is a rewritten, layer-aware container scanning support for Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to provide:

  • Layers where a package was first introduced
  • Layer history and commands
  • Base images the image is based on
  • OS/Distro the container is running on

This layer analysis leverages OSV-Scalibr, and supports the following OSes and languages:

Distro Support    Language Artifacts Support
Alpine OS         Go
Debian            Java
Ubuntu            Node
                  Python

Base image identification also leverages a new experimental API provided by https://deps.dev.

For usage, run the new scan image command:

osv-scanner scan image <image-name>:<tag>

Check out our documentation for more details.

Interactive HTML output

A new, interactive HTML output is now available. It provides far more interactivity and information than the terminal-only outputs, including:

  • Severity breakdown
  • Package and ID filtering
  • Vulnerability importance filtering
  • Full vulnerability advisory entries

And additionally for container image scanning:

  • Layer filtering
  • Image layer information
  • Base image identification

Screenshot of HTML output for container image scanning

Guided Remediation for Maven pom.xml

Last year we released a feature called guided remediation for npm. We have now expanded support to Maven pom.xml.

With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management.

We’ve introduced a few new features for our Maven support:

  • A new remediation strategy, override, is introduced.
  • Support for reading and writing pom.xml files, including writing changes to local parent pom files.
  • A private registry can be specified for fetching Maven metadata.

The guided remediation support for Maven is only available in the non-interactive mode. For basic usage, run the following command:

osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml
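To make the two remediation mechanisms concrete, here is an added illustration (not output from osv-scanner, and not part of the original release notes) of the two kinds of pom.xml change the override strategy can produce. The artifact names example.group:direct-lib and example.group:transitive-lib and the version numbers are constructed placeholders. A direct dependency is fixed by bumping its own version; a vulnerable transitive dependency, which has no entry of its own in the project pom, is fixed by pinning its version in dependencyManagement, which Maven applies to every occurrence of that artifact in the resolved tree.

```xml
<!-- Constructed example pom.xml fragment: "before" state on the left-hand
     comments, "after" state as the live XML. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Transitive remediation: transitive-lib is pulled in by direct-lib
           and never appears as a direct dependency. Pinning it here makes
           Maven resolve the patched version wherever it occurs. -->
      <dependency>
        <groupId>example.group</groupId>
        <artifactId>transitive-lib</artifactId>
        <version>2.4.1</version> <!-- before: 2.3.0 resolved transitively -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Direct remediation: the project's own dependency is updated in place. -->
    <dependency>
      <groupId>example.group</groupId>
      <artifactId>direct-lib</artifactId>
      <version>1.8.2</version> <!-- before: 1.7.0 -->
    </dependency>
  </dependencies>
</project>
```

After applying either change, rerun osv-scanner on the project to confirm the vulnerable versions no longer appear in the resolved dependency tree; a dependencyManagement pin only takes effect if no more specific declaration (for example in a child module) still names the old version.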

We also introduced machine-readable output for guided remediation, which makes it easier to integrate guided remediation into your workflow.

For more usage details on guided remediation, please see our documentation.

Enhanced Dependency Extraction with osv-scalibr

With help from OSV-Scalibr, we have also expanded the kinds of dependencies we can extract from projects and containers:

Source manifests and lockfiles

  • Haskell: cabal.project.freeze, stack.yaml.lock
  • .NET: deps.json
  • Python: uv.lock

Artifacts

  • node_modules
  • Python wheels
  • Java uber jars
  • Go binaries

The full list of supported formats can be found here.

The first beta doesn't enable every extractor currently available in OSV-Scalibr. We'll continue to add more leading up to the final 2.0.0 release.

OSV-Scalibr also makes it incredibly easy to add new extractors. Please file a feature request if a format you’re interested in is missing!

New Contributors

Full Changelog: v1.9.1...v2.0.0-beta1

v1.9.2

19 Dec 04:02
1e295ee

Changelog

Fixes:

  • Bug #1327 Parsing crash on malformed pnpm lockfile.
  • Bug #1377 Warn if a vulnerability is ignored multiple times in the same config.
  • Bug #1394 Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
  • Bug #1443 Go call analysis now works with Go version up to v1.23.4.
  • Bug #1436 Only fetch Maven snapshots and releases when enabled.
  • Bug #1456 Remove redundant calls from PreFetch.

New Contributors

Full Changelog: v1.9.1...v1.9.2

v1.9.1

31 Oct 00:20
b13f37e

OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.

Here's a peek at some of the exciting upcoming features:

  • Standalone container image scanning support.
    • Including support for Alpine and Debian images.
  • Refactored internals to use osv-scalibr library for better extraction capabilities.
  • HTML output format for clearer vulnerability results.
  • More control over output format and logging.
  • ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.


This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

v1.9.1

Features:

  • Feature #1295 Support offline database in fix subcommand.
  • Feature #1342 Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
  • Feature #1045 Support private registries for Maven.
  • Feature #1226 Support vulnerabilities.ignore in package overrides.

Fixes:

  • Bug #604 Use correct path separator in SARIF output when on Windows.
  • Bug #330 Warn about and ignore duplicate entries in SBOMs.
  • Bug #1325 Set CharsetReader and Entity when reading pom.xml.
  • Bug #1310 Update spdx license ids.
  • Bug #1288 Sort sbom packages by PURL.
  • Bug #1285 Improve handling if docker exits with a non-zero code when trying to scan images.

API Changes:

  • Deprecate auxiliary public packages: As part of the V2 update described above, we have started deprecating some of the auxiliary packages
    which are not commonly used, to give us more room to make better API designs. These include:
    • config
    • depsdev
    • grouper
    • spdx

Misc

  • Update build to go1.23.2

New Contributors

Full Changelog: v1.9.0...v1.9.1

v1.9.0

02 Oct 06:16
1386406

What's Changed

Features:

  • Feature #1243 Allow explicitly ignoring the license of a package in config with license.ignore = true.
  • Feature #1249 Error if configuration file has unknown properties.
  • Feature #1271 Assume .txt files with "requirements" in their name are requirements.txt files.

Fixes:

  • Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
  • Bug #1241 Display (no reason given) when there is no reason in the override config.
  • Bug #1252 Don't allow LoadPath to be set via config file.
  • Bug #1279 Report all ecosystems without local databases in one single line.
  • Bug #1283 Output invalid PURLs when scanning SBOMs.
  • Bug #1278 Apply go version override to all instances of the stdlib.

Misc:

  • #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
  • #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Full Changelog: v1.8.5...v1.9.0

v1.8.5

11 Sep 05:58
6f61445

What's Changed

Features:

  • Feature #1160 Support fetching snapshot versions from a Maven registry.
  • Feature #1177 Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
  • Feature #1210 Add FIXED-VULN-IDS to guided remediation non-interactive output.

Fixes:

  • Bug #1220 Fix govulncheck calls on C code.
  • Bug #1236 Alpine package scanning now falls back to latest release version if no release version can be found.

Full Changelog: v1.8.4...v1.8.5

v1.8.4

22 Aug 04:49
4a318af

What's Changed

Features:

  • Feature #1177 Adds --upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous --disallow-major-upgrades and --disallow-package-upgrades flags.

Fixes:

  • Bug #1123 Fix issue when running osv-scanner on a project using Go 1.22.

Misc:

  • Feature #638 Update go policy to use stable go version for builds (updated to go 1.23)

Full Changelog: v1.8.3...v1.8.4

v1.8.3

07 Aug 04:39
18ab43f

Features:

  • Feature #889 OSV-Scanner now provides "vertical" output format!

Fixes:

  • Bug #1115 Ensure that semantic is passed a valid models.Ecosystem.
  • Bug #1140 Add Maven dependency management to override client.
  • Bug #1149 Handle Maven parent relative path.

Misc:

Full Changelog: v1.8.2...v1.8.3

v1.8.2

10 Jul 06:21
1ea785e

Features:

Fixes:

  • Bug #769 Fixed missing vulnerabilities for debian purls for --experimental-local-db.
  • Bug #1055 Ensure that package exists in affected property.
  • Bug #1072 Filter out unimportant vulnerabilities from vuln group.
  • Bug #1077 Fix rate osv-scanner deadlock.
  • Bug #924 Ensure that npm dependencies retain their "production" grouping.

New Contributors

Full Changelog: v1.8.1...v1.8.2

v1.8.1

21 Jun 02:49
46aee59

v1.8.0/v1.8.1:

Features:

  • Feature #35
    OSV-Scanner now scans transitive dependencies in Maven pom.xml files!
    See our documentation for more information.
  • Feature #944
    The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:
    [[PackageOverrides]]
    # The package name, version, and ecosystem to match against
    name = "lib"
    # If version is not set or empty, it will match every version
    version = "1.0.0"
    ecosystem = "Go"
    # Ignore this package entirely, including license scanning
    ignore = true
    # Override the license of the package
    # This is not used if ignore = true
    license.override = ["MIT", "0BSD"]
    # effectiveUntil = 2022-11-09 # Optional exception expiry date
    reason = "abc"

Minor Updates

  • Feature #1039 The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
    To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

  • Bug #1000 Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

New Contributors

  • @np5 made their first contribution in #1029

Full Changelog: v1.7.4...v1.8.1

v1.7.4

30 May 01:58
d4657bf

v1.7.4:

Features:

  • Feature #943 Support scanning gradle/verification-metadata.xml files.

Misc:

  • Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

New Contributors

Full Changelog: v1.7.3...v1.7.4