Workflow

Osv

Latest version: v0.0.22

Safety actively analyzes 681775 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 5

1.8.5

Features:

- [Feature 1160](https://github.com/google/osv-scanner/pull/1160) Support fetching snapshot versions from a Maven registry.
- [Feature 1177](https://github.com/google/osv-scanner/pull/1177) Support composite-based package overrides. This allows for ignoring entire manifests when scanning.
- [Feature 1210](https://github.com/google/osv-scanner/pull/1210) Add FIXED-VULN-IDS to guided remediation non-interactive output.

Fixes:

- [Bug 1220](https://github.com/google/osv-scanner/issues/1220) Fix govulncheck calls on C code.
- [Bug 1236](https://github.com/google/osv-scanner/pull/1236) Alpine package scanning now falls back to latest release version if no release version can be found.

1.8.4

Features:

- [Feature 1177](https://github.com/google/osv-scanner/pull/1177) Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous `--disallow-major-upgrades` and `--disallow-package-upgrades` flags.

Fixes:

- [Bug 1123](https://github.com/google/osv-scanner/issues/1123) Issue when running osv-scanner on project running with golang 1.22 #1123

Misc:

- [Feature 638](https://github.com/google/osv-scanner/issues/638) Update go policy to use stable go version for builds (updated to go 1.23)

1.8.3

Features:

- [Feature 889](https://github.com/google/osv-scanner/pull/889) OSV-Scanner now provides "vertical" output format!

Fixes:

- [Bug 1115](https://github.com/google/osv-scanner/issues/1115) Ensure that `semantic` is passed a valid `models.Ecosystem`.
- [Bug 1140](https://github.com/google/osv-scanner/pull/1140) Add Maven dependency management to override client.
- [Bug 1149](https://github.com/google/osv-scanner/pull/1149) Handle Maven parent relative path.

Misc:

- [Feature 1091](https://github.com/google/osv-scanner/pull/1091) Improved the runtime of DiffVulnerabilityResults. Thanks neilnaveen!
- [Feature 1125](https://github.com/google/osv-scanner/pull/1125) Workflow for stale issue and PR management.

1.8.2

Features:

- [Feature 1014](https://github.com/google/osv-scanner/pull/1014) Adding CycloneDX 1.4 and 1.5 output format. Thanks marcwieserdev!

Fixes:

- [Bug 769](https://github.com/google/osv-scanner/issues/769) Fixed missing vulnerabilities for debian purls for `--experimental-local-db`.
- [Bug 1055](https://github.com/google/osv-scanner/issues/1055) Ensure that `package` exists in `affected` property.
- [Bug 1072](https://github.com/google/osv-scanner/issues/1072) Filter out unimportant vulnerabilities from vuln group.
- [Bug 1077](https://github.com/google/osv-scanner/issues/1077) Fix rate osv-scanner deadlock.
- [Bug 924](https://github.com/google/osv-scanner/issues/924) Ensure that npm dependencies retain their "production" grouping.

1.8.0

Features:

- [Feature 35](https://github.com/google/osv-scanner/issues/35)
OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files!
See [our documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#transitive-dependency-scanning) for more information.
- [Feature 944](https://github.com/google/osv-scanner/pull/944)
The `osv-scanner.toml` configuration file can now filter specific packages with new `[[PackageOverrides]]` sections:
toml
[[PackageOverrides]]
The package name, version, and ecosystem to match against
name = "lib"
If version is not set or empty, it will match every version
version = "1.0.0"
ecosystem = "Go"
Ignore this package entirely, including license scanning
ignore = true
Override the license of the package
This is not used if ignore = true
license.override = ["MIT", "0BSD"]
effectiveUntil = 2022-11-09 Optional exception expiry date
reason = "abc"


Minor Updates

- [Feature 1039](https://github.com/google/osv-scanner/pull/1039) The `--experimental-local-db` flag has been removed and replaced with a new flag `--experimental-download-offline-databases` which better reflects what the flag does.
To replicate the behavior of the original `--experimental-local-db` flag, replace it with both `--experimental-offline --experimental-download-offline-databases` flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

- [Bug 1000](https://github.com/google/osv-scanner/pull/1000) Standard dependencies now correctly override `dependencyManagement` dependencies when scanning `pom.xml` files in offline mode.

1.7.4

Features:

- [Feature 943](https://github.com/google/osv-scanner/pull/943) Support scanning gradle/verification-metadata.xml files.

Misc:

- [Bug 968](https://github.com/google/osv-scanner/issues/968) Hide unimportant Debian vulnerabilities to reduce noise.

Page 1 of 5

Links

Releases

Has known vulnerabilities

Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.