Osv

Latest version: v0.0.22

Page 2 of 5

1.7.3

Features:

- [Feature 934](https://github.com/google/osv-scanner/pull/934) Add support for PNPM v9 lockfiles.

Fixes:

- [Bug 938](https://github.com/google/osv-scanner/issues/938) Ensure the SARIF output has a stable order.
- [Bug 922](https://github.com/google/osv-scanner/issues/922) Support filtering on alias IDs in Guided Remediation.

1.7.2

Fixes:

- [Bug 899](https://github.com/google/osv-scanner/issues/899) Guided Remediation: Parse paths in npmrc auth fields correctly.
- [Bug 908](https://github.com/google/osv-scanner/issues/908) Fix Rust call analysis by explicitly disabling stripping of debug info.
- [Bug 914](https://github.com/google/osv-scanner/issues/914) Fix regression for Go call analysis introduced in 1.7.0.

1.7.1

(There is no GitHub release for this version)

Fixes

- [Bug 856](https://github.com/google/osv-scanner/issues/856)
Add retry logic to make calls to the OSV.dev API more resilient. This, combined with changes in OSV.dev's API, should result in far fewer timeout errors.

API Features

- [Feature 781](https://github.com/google/osv-scanner/pull/781)
Add `MakeVersionRequestsWithContext()`.
- [Feature 857](https://github.com/google/osv-scanner/pull/857)
API and networking related errors now have their own error and exit code (Exit Code 129).

1.7.0

Features

- [Feature 352](https://github.com/google/osv-scanner/issues/352) Guided Remediation
Introducing our new experimental guided remediation feature, available through the `osv-scanner fix` subcommand.
See our [docs](https://google.github.io/osv-scanner/experimental/guided-remediation/) for detailed usage instructions.

- [Feature 805](https://github.com/google/osv-scanner/pull/805)
Include CVSS MaxSeverity in JSON output.

Fixes

- [Bug 818](https://github.com/google/osv-scanner/pull/818)
Align GoVulncheck Go version with go.mod.

- [Bug 797](https://github.com/google/osv-scanner/pull/797)
Don't traverse gitignored dirs for gitignore files.

Miscellaneous

- [831](https://github.com/google/osv-scanner/pull/831)
Remove version number from the release binary name.

1.6.2

Features

- [Feature 694](https://github.com/google/osv-scanner/pull/694)
Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to `scan` (currently the only command is `scan`).
By default, if you do not pass in a command, `scan` will be used, so the CLI remains backwards compatible.

This is a building block for adding the guided remediation feature. See [issue 352](https://github.com/google/osv-scanner/issues/352)
for more details!

- [Feature 776](https://github.com/google/osv-scanner/pull/776)
Add pdm lockfile support.

API Features

- [Feature 754](https://github.com/google/osv-scanner/pull/754)
Add dependency groups to flattened vulnerabilities output.

1.6.0

Features

- [Feature 694](https://github.com/google/osv-scanner/pull/694)
Add support for NuGet lock files version 2.

- [Feature 655](https://github.com/google/osv-scanner/pull/655)
Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.

- [Feature 702](https://github.com/google/osv-scanner/pull/702)
Created an option to skip/disable upload to code scanning.

- [Feature 732](https://github.com/google/osv-scanner/pull/732)
Add option to not fail on vulnerability being found for GitHub Actions.

- [Feature 729](https://github.com/google/osv-scanner/pull/729)
Verify the SPDX licenses passed in to the license allowlist.

Fixes

- [Bug 736](https://github.com/google/osv-scanner/pull/736)
Show the ecosystem and version even when git is shown, if that info exists.

- [Bug 703](https://github.com/google/osv-scanner/pull/703)
Return an error if both license scanning and local/offline scanning are enabled simultaneously.

- [Bug 718](https://github.com/google/osv-scanner/pull/718)
Fixed parsing of SBOMs generated by the latest CycloneDX.

- [Bug 704](https://github.com/google/osv-scanner/pull/704)
Get go stdlib version from go.mod.

API Features

- [Feature 727](https://github.com/google/osv-scanner/pull/727)
Changes to `Reporter` methods to add verbosity levels and to deprecate functions.
