Osv

Latest version: v0.0.22


1.5.0

Features

- [Feature 501](https://github.com/google/osv-scanner/pull/501)
Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
- [Feature 642](https://github.com/google/osv-scanner/pull/642)
Support scanning `renv` files for the R language ecosystem.
- [Feature 513](https://github.com/google/osv-scanner/pull/513)
Stabilize call analysis for Go! The experimental `--experimental-call-analysis` flag has now been updated to:

`--call-analysis=<language/all>`
`--no-call-analysis=<language/all>`

with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
- [Feature 676](https://github.com/google/osv-scanner/pull/676)
Simplify return codes:
- Return 0 if there are no findings or errors.
- Return 1 if there are any findings (license violations or vulnerabilities).
- Return 128 if no packages are found.
- [Feature 651](https://github.com/google/osv-scanner/pull/651)
CVSS v4.0 support.
- [Feature 60](https://github.com/google/osv-scanner/pull/60)
[Pre-commit hook](https://pre-commit.com/) support.

Fixes

- [Bug 639](https://github.com/google/osv-scanner/issues/639)
We now filter local packages from scans, and report the filtering of those packages.
- [Bug 645](https://github.com/google/osv-scanner/issues/645)
Properly handle file/url paths on Windows.
- [Bug 660](https://github.com/google/osv-scanner/issues/660)
Remove noise from failed lockfile parsing.
- [Bug 649](https://github.com/google/osv-scanner/issues/649)
No longer include vendored libraries in C/C++ package analysis.
- [Bug 634](https://github.com/google/osv-scanner/issues/634)
Fix filtering of aliases to also include non-OSV aliases.

Miscellaneous

- The minimum Go version has been updated from go1.18 to go1.21.

1.4.3

Features

- [Feature 621](https://github.com/google/osv-scanner/pull/621)
Add support for scanning vendored C/C++ files.
- [Feature 581](https://github.com/google/osv-scanner/pull/581)
Scan submodule commit hashes.

Fixes

- [Bug 626](https://github.com/google/osv-scanner/issues/626)
Fix gitignore matching for root directory
- [Bug 622](https://github.com/google/osv-scanner/issues/622)
Go binary not found should not be an error
- [Bug 588](https://github.com/google/osv-scanner/issues/588)
handle npm/yarn aliased packages
- [Bug 607](https://github.com/google/osv-scanner/pull/607)
fix: remove some extra newlines in sarif report

1.4.2

Fixes

- [Bug 574](https://github.com/google/osv-scanner/issues/574)
Support versions with build metadata in `yarn.lock` files
- [Bug 599](https://github.com/google/osv-scanner/issues/599)
Add name field to sarif rule output

1.4.1

Features

- [Feature 534](https://github.com/google/osv-scanner/pull/534)
New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
- [Experimental Feature 57](https://github.com/google/osv-scanner/issues/57) Experimental GitHub Action!
Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new GitHub Action in your repo.
Experimental, so might change with only a minor update.

API Features

- [Feature 557](https://github.com/google/osv-scanner/pull/557) Add new ecosystems, and a slice containing all of them.

1.4.0

Features

- [Feature 183](https://github.com/google/osv-scanner/pull/183)
Add (experimental) offline mode! See [our documentation](https://google.github.io/osv-scanner/experimental/#offline-mode) for how to use it.
- [Feature 452](https://github.com/google/osv-scanner/pull/452)
Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See [our documentation](https://google.github.io/osv-scanner/experimental/#call-analysis-in-rust) for limitations and how to use this.
- [Feature 484](https://github.com/google/osv-scanner/pull/484) Detect the installed `go` version and check for vulnerabilities in the standard library.
- [Feature 505](https://github.com/google/osv-scanner/pull/505) OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate `osv-scanner.json` for osv-scanner to scan. See [our documentation](https://google.github.io/osv-scanner/usage/#custom-lockfiles) for instructions.

API Features

- [Feature 451](https://github.com/google/osv-scanner/pull/451) The lockfile package now supports extracting dependencies directly from any `io.Reader`, removing the requirement of a file path.

Fixes

- [Bug 457](https://github.com/google/osv-scanner/pull/457)
Fix PURL mapping for Alpine packages
- [Bug 462](https://github.com/google/osv-scanner/pull/462)
Use correct plural and singular forms based on count

1.3.6

Minor Updates

- [Feature 431](https://github.com/google/osv-scanner/pull/431)
Update GoVulnCheck integration.
- [Feature 439](https://github.com/google/osv-scanner/pull/439)
Create `models.PURLToPackage()`, and deprecate `osvscanner.PURLToPackage()`.

Fixes

- [Feature 439](https://github.com/google/osv-scanner/pull/439)
Fix `PURLToPackage` not returning the full namespace of packages in ecosystems
that use them (e.g. golang).

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.