v0.4.2

• New secret extractor for Bitbucket and Amazon CodeCommit git basic auth URLs
• Rust reachability annotation migrated from OSV-Scanner
• New extractor for Chocolatey packages (Windows)
• Deps.dev API usage for pomxml dependency resolution

v0.4.1

• New secret detectors: AWS access token, Recaptcha secret key, pyx v1/v2 user key, Amazon CodeCatalyst, generic JWT
• Go source reachability enrichment using Govulncheck
• Support for more assignment patterns in the .gemspec extractor
• Support for BellSoft/Alpaquita OS packages
• Fixes: Correct the COS os-duplicate annotator behavior, avoid duplicate inventories when traversing multiple ScanRoots
• Include PackageVulns in output proto

v0.4.0

• Global plugin config: Plugins can now be configured through a unified flag from the CLI and proto field from the library
  • Using e.g. --plugin-config=max_file_size_bytes:10000000 --plugin-config=go_binary:{version_from_content:true}
  • Migration for all plugins to use this setup is still in progress
  • This adds a new plugin config param to the list.go plugin initializers (list.FromNames()) and is thus a breaking change for current list.go API users
• New secret scanners: MariaDB creds, MySQL mylogin.cnf creds, VAPID keys
• Guided Remediation support for Python projects managed with Pipenv
• Enricher that adds package deprecation information: -plugins=packagedeprecation/depsdev
• Annotator for DPKG package sources: -plugins=misc/dpkg-source

v0.3.6

• New extractors: K8s images, .node-version, pylock.toml, VirtualBox disk images, openEuler support in RPM extractor
• New secret detectors: 1password, Postgres pgpassfile, crates.io API token
• Package licenses now surfaced in the SPDX output
• Per-file error reporting in scan results

v0.3.5

• New extractors: docker-compose images, nvm packages,
• New secret detectors: Stripe API keys, GCP OAuth2 access tokens, GitHub tokens, Slack tokens, Azure storage account access keys
• Guided remediation: Support for pyproject.toml to relax strategy
• --extractor-override flag which forces specific extractors to run on specific file patterns

v0.3.4

• New secret detectors: DigitalOcean API keys, OpenAI project keys, Tink plaintext keysets, GitLab PAT, HashiCorp Vault+App tokens, GitHub app refresh tokens
  • See the docs for an overview of all currently supported secret types.
• Luarocks software extractor
• Secret detection+validation can now be enabled individually with e.g. --plugins=secrets/gcpsak,secrets/gcpsakvalidate
• Support fetching Maven dependencies from Artifact Registry
• Improvements to semantic version comparison

v0.3.3

• Vulnerability matching on Extracted packages with OSV.dev: Enable in the CLI with --plugins=vulnmatch/osvdev
• Secret extractors with validation: Anthropic API keys, Perplexity API keys, Grok xAI API keys, Docker Hub PAT, private keys,
• Inventory extractors: MacPorts, Winget, asdf package manager, Nimble
• Vuln detectors: Docker Socket Exposure

Thanks to all Patch Reward Program participants for the new plugins!

If you're interested in contributing through the PRP yourself and earning rewards, check out https://bughunters.google.com/about/rules/open-source/6436351477940224/osv-scalibr-patch-rewards-program-rules

v0.3.2

• New plugins: Dockerfile base images, network ports for MacOS, EoL linux distros, transitive requirements.txt dependencies, VEXing for DPKG packages without any binaries, software licenses
• Additional binary types supported by the unknown binary extractor
• CLI flag for scanning a local docker image
• Annotation for NPM packages that are actually installed from NPM repositories
• Support more ecosystems for version comparison

v0.3.1

• Annotation for language packages already found by OS package for RPM, COS, APK
• npm-shrinkwrap.json extraction
• Secret scanning, supporting detection of GCP Service Account keys
• Reachability analysis for Java
• VEX annotation to mark false positive vulnerabilities
• Unknown binary identification
• CLI changes: --plugins= as a unified plugin enablement method
• New Finding Format

v0.3.0

• New CLI flags: --version, --cdx-component-type
• New Plugins: Annotation for language packages already found by OS package for DPKG, transitive requirements.txt extraction
• Potentially breaking API changes: Moved ToPURL, Ecosystem from Extractor to Package, changed Package.Extractor to Package.Plugins
• Switched to cgo-less SQLite driver to avoid dependency on C code
• Support for Extractors that run on whole directories instead of individual files