Osv

Latest version: v0.0.22

Page 4 of 5

1.3.5

Features

- [Feature 409](https://github.com/google/osv-scanner/pull/409)
Adds an additional column to the table output which shows the severity if available.

API Features

- [Feature 424](https://github.com/google/osv-scanner/pull/424)
- [Feature 417](https://github.com/google/osv-scanner/pull/417)
- Update the models package to better reflect the osv schema, including:
  - Add the withdrawn field
  - Improve timestamp serialization
  - Add related field
  - Add additional ecosystem constants
  - Add new reference types
  - Add YAML tags

1.3.4

Minor Updates

- [Feature 390](https://github.com/google/osv-scanner/pull/390) Add a
user agent to OSV API requests.

1.3.3

Fixes

- [Bug 369](https://github.com/google/osv-scanner/issues/369) Fix
requirements.txt misparsing lines that contain `--hash`.
- [Bug 237](https://github.com/google/osv-scanner/issues/237) Clarify when no
vulnerabilities are found.
- [Bug 354](https://github.com/google/osv-scanner/issues/354) Fix cycle in
requirements.txt causing infinite recursion.
- [Bug 367](https://github.com/google/osv-scanner/issues/367) Fix panic when
parsing empty lockfile.

API Features

- [Feature 357](https://github.com/google/osv-scanner/pull/357) Update
`pkg/osv` to allow overriding the HTTP client / transport.

1.3.2

Fixes

- [Bug 341](https://github.com/google/osv-scanner/pull/341) Make the reporter
public to allow calling DoScan with non-nil reporters.
- [Bug 335](https://github.com/google/osv-scanner/issues/335) Improve SBOM
parsing and relax name requirements when explicitly scanning with
`--sbom`.
- [Bug 333](https://github.com/google/osv-scanner/issues/333) Improve
scanning speed for regex-heavy lockfiles by caching regex compilation.
- [Bug 349](https://github.com/google/osv-scanner/pull/349) Improve SBOM
documentation and error messages.

1.3.1

Fixes

- [Bug 319](https://github.com/google/osv-scanner/issues/319) Fix
segmentation fault when parsing CycloneDX without dependencies.

1.3.0

Major Features:

- [Feature 198](https://github.com/google/osv-scanner/pull/198) GoVulnCheck
integration! Try it out when scanning Go code by adding the
`--experimental-call-analysis` flag.
- [Feature 260](https://github.com/google/osv-scanner/pull/198) Support `-r`
flag in `requirements.txt` files.
- [Feature 300](https://github.com/google/osv-scanner/pull/300) Make
`IgnoredVulns` also ignore aliases.
- [Feature 304](https://github.com/google/osv-scanner/pull/304) OSV-Scanner
now runs faster when there are multiple vulnerabilities.

Fixes

- [Bug 249](https://github.com/google/osv-scanner/issues/249) Support yarn
locks with quoted properties.
- [Bug 232](https://github.com/google/osv-scanner/issues/232) Parse nested
CycloneDX components correctly.
- [Bug 257](https://github.com/google/osv-scanner/issues/257) More specific
CycloneDX parsing.
- [Bug 256](https://github.com/google/osv-scanner/issues/256) Avoid panic
when parsing `file:` dependencies in `pnpm` lockfiles.
- [Bug 261](https://github.com/google/osv-scanner/issues/261) Deduplicate
packages that appear multiple times in `Pipenv.lock` files.
- [Bug 267](https://github.com/google/osv-scanner/issues/267) Properly handle
comparing zero versions in Maven.
- [Bug 279](https://github.com/google/osv-scanner/issues/279) Trim leading
zeros off when comparing numerical components in Maven versions.
- [Bug 291](https://github.com/google/osv-scanner/issues/291) Check if PURL
is valid before adding it to queries.
- [Bug 293](https://github.com/google/osv-scanner/issues/293) Avoid infinite
loops parsing Maven poms with syntax errors.
- [Bug 295](https://github.com/google/osv-scanner/issues/295) Set the version in
the source code; this allows the version to be displayed in most package
managers.
- [Bug 297](https://github.com/google/osv-scanner/issues/297) Support Pipenv
develop packages without versions.

API Features

- [Feature 310](https://github.com/google/osv-scanner/pull/310) Improve the
OSV models to allow for third-party use of the library.
