Releases: google/osv-scanner

v2.0.3

16 Jun 02:20
4f77b30

v2.0.3

Features:

  • Feature #1943 Added a flag to suppress "no package sources found" error.
  • Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3
  • Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
  • Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.

Fixes:

  • Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
  • Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
  • Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
  • Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
  • Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
  • Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
  • Bug #1857 Fix an issue where SPDX output was not written correctly because it was being overwritten.
  • Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
  • Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
  • Bug #1930 Fix issue where Maven client loses auth data during extraction.
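The two SBOM fixes above (#1916, the "ubuntu" namespace for the deb purl type, and #1871, sorting by PURL so that deduplication keys on more than name and version) are easiest to see on a few purls. The following is an added example in Go; it is not OSV-Scanner's or OSV-Scalibr's own code, the `Package` type and the sample purls are constructed for the example, and the ecosystem table covers only the handful of purl types the sample needs.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Package is the inventory record used here: a constructed type, not OSV-Scanner's own.
type Package struct {
	Name, Version, Ecosystem, PURL string
}

// Constructed input standing in for the purls of a dpkg/npm SBOM: Ubuntu and Debian
// entries sharing name and version, an exact repeat, and two unusable entries.
var sampleBOMPURLs = []string{
	"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.15?arch=amd64",
	"pkg:deb/debian/openssl@3.0.2-0ubuntu1.15",
	"pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.15?arch=amd64",
	"pkg:npm/lodash@4.17.21",
	"not-a-purl",
	"pkg:deb/fedora/bash@5.2",
}

// deb purls need the distro namespace to pick an ecosystem; "deb/ubuntu" is the
// mapping #1916 added, without which dpkg BOMs generated on Ubuntu were rejected.
var ecosystems = map[string]string{"deb/debian": "Debian", "deb/ubuntu": "Ubuntu", "npm": "npm", "pypi": "PyPI"}

func ecosystemFor(typ, namespace string) (string, error) {
	key := typ
	if typ == "deb" {
		key += "/" + namespace
	}
	if eco, ok := ecosystems[key]; ok {
		return eco, nil
	}
	return "", fmt.Errorf("no OSV ecosystem for purl type %q", key)
}

// ParsePURL parses pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath].
// Qualifiers and subpath are dropped; a version is required, since an entry
// without one cannot be matched against advisories.
func ParsePURL(purl string) (Package, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return Package{}, fmt.Errorf("invalid purl %q: missing pkg: scheme", purl)
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	at := strings.LastIndex(rest, "@")
	if at < 1 || at == len(rest)-1 {
		return Package{}, fmt.Errorf("invalid purl %q: missing version", purl)
	}
	version := rest[at+1:]
	parts := strings.Split(strings.Trim(rest[:at], "/"), "/")
	name, err := url.PathUnescape(parts[len(parts)-1])
	if len(parts) < 2 || err != nil {
		return Package{}, fmt.Errorf("invalid purl %q: bad type, name or encoding", purl)
	}
	typ := strings.ToLower(parts[0])
	eco, err := ecosystemFor(typ, strings.Join(parts[1:len(parts)-1], "/"))
	if err != nil {
		return Package{}, fmt.Errorf("invalid purl %q: %v", purl, err)
	}
	return Package{Name: name, Version: version, Ecosystem: eco, PURL: purl}, nil
}

// Dedup sorts by name, version and then PURL and drops exact repeats only. Keying on
// name and version alone would merge pkg:deb/debian/openssl with pkg:deb/ubuntu/openssl,
// which is the incorrect deduplication #1871 fixed.
func Dedup(pkgs []Package) []Package {
	key := func(p Package) string { return p.Name + "\x00" + p.Version + "\x00" + p.PURL }
	sort.SliceStable(pkgs, func(i, j int) bool { return key(pkgs[i]) < key(pkgs[j]) })
	var out []Package
	for i, p := range pkgs {
		if i > 0 && pkgs[i-1] == p { // every field is a string, so == compares them all
			continue
		}
		out = append(out, p)
	}
	return out
}

// LoadInventory parses every purl, keeps the unusable ones so they can be reported
// rather than silently dropped (cf. #1283), and returns the rest sorted and de-duplicated.
func LoadInventory(purls []string) (valid []Package, invalid []string) {
	for _, p := range purls {
		pkg, err := ParsePURL(p)
		if err != nil {
			invalid = append(invalid, p)
			continue
		}
		valid = append(valid, pkg)
	}
	return Dedup(valid), invalid
}

func main() {
	fmt.Println(LoadInventory(sampleBOMPURLs))
}
```

Running it yields three packages (lodash, and openssl once for Debian and once for Ubuntu) and two invalid purls; the exact Ubuntu repeat is the only entry removed. The point worth keeping in mind when post-processing scanner output: two inventory entries with equal name and version are not the same package unless their PURLs agree.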

Misc:

  • Update dependencies and update Go to 1.24.4.

Full Changelog: v2.0.2...v2.0.3

v2.0.2

30 Apr 06:19
a2a2385

Fixes:

  • Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • Bug #1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.
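The pom.xml rewriting behaviour these XML fixes describe (here, and #1856 and #1850 in v2.0.3: match the indentation of the existing <dependency> elements, and do not escape more than the output needs) is worth seeing concretely, because a remediation tool that reindents or rewrites every apostrophe in a file produces diffs nobody can review. The following is an added example in Go; it is not OSV-Scanner's code, the sample pom.xml is constructed (tab-indented on purpose), and the four-space fallback for files without any <dependency> is an assumption.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// samplePOM is a constructed pom.xml indented with tabs, chosen so that a
// rewriter which assumes spaces would visibly get it wrong.
var samplePOM = "<project>\n" +
	"\t<dependencies>\n" +
	"\t\t<dependency>\n" +
	"\t\t\t<groupId>org.example</groupId>\n" +
	"\t\t\t<artifactId>lib</artifactId>\n" +
	"\t\t\t<version>1.0.0</version>\n" +
	"\t\t</dependency>\n" +
	"\t</dependencies>\n" +
	"</project>\n"

// depRe captures the indentation of the first <dependency> line and of the
// first child line inside it.
var depRe = regexp.MustCompile(`(?m)^([ \t]*)<dependency>\r?\n([ \t]*)<`)

// detectIndent guesses element and child indentation from an existing
// <dependency>; the four-space fallback is an assumption for files without one.
func detectIndent(pom string) (elem, child string) {
	if m := depRe.FindStringSubmatch(pom); m != nil {
		return m[1], m[2]
	}
	return "        ", "            "
}

// EscapeText escapes only what element content requires.
func EscapeText(s string) string {
	return strings.NewReplacer("&", "&amp;", "<", "&lt;").Replace(s)
}

// EscapeAttr is the double-quoted attribute variant: " must be escaped, ' need not be.
func EscapeAttr(s string) string {
	return strings.NewReplacer("&", "&amp;", "<", "&lt;", `"`, "&quot;").Replace(s)
}

// StdlibEscape shows, for comparison, what encoding/xml produces: it also turns
// ' into &#39; and " into &#34;, which is valid XML but churns every apostrophe.
func StdlibEscape(s string) string {
	var b strings.Builder
	_ = xml.EscapeText(&b, []byte(s))
	return b.String()
}

// InsertDependency appends a <dependency> just before </dependencies>, reusing
// the indentation of the existing entries so the diff touches only added lines.
func InsertDependency(pom, groupID, artifactID, version string) (string, error) {
	closeIdx := strings.Index(pom, "</dependencies>")
	if closeIdx < 0 {
		return "", fmt.Errorf("no <dependencies> element to append to")
	}
	lineStart := strings.LastIndex(pom[:closeIdx], "\n") + 1 // insert as whole lines
	elem, child := detectIndent(pom)
	var b strings.Builder
	fmt.Fprintf(&b, "%s<dependency>\n", elem)
	fmt.Fprintf(&b, "%s<groupId>%s</groupId>\n", child, EscapeText(groupID))
	fmt.Fprintf(&b, "%s<artifactId>%s</artifactId>\n", child, EscapeText(artifactID))
	fmt.Fprintf(&b, "%s<version>%s</version>\n", child, EscapeText(version))
	fmt.Fprintf(&b, "%s</dependency>\n", elem)
	return pom[:lineStart] + b.String() + pom[lineStart:], nil
}

func main() {
	out, err := InsertDependency(samplePOM, "com.acme", "widget", "2.0.0")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	in := `it's "quoted" & <tagged>`
	fmt.Printf("minimal: %s\nstdlib:  %s\n", EscapeAttr(in), StdlibEscape(in))
}
```

The new element comes out tab-indented like its neighbours, and the minimal escaper leaves `it's` alone where the standard library would emit `it&#39;s`. Note that this only matters for files a human maintains; for machine-generated output the stricter escaping is harmless.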

Full Changelog: v2.0.1...v2.0.2

v2.0.1

03 Apr 04:10
be9015f

Changelog

Features:

  • Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • Feature #1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • Feature #1761 Improve output when scanning for OS packages: binary packages associated with a source package are now shown in the table output.

Fixes:

  • Bug #1752 Fix paging depth issue when querying the osv.dev API.
  • Bug #1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
  • Bug #1717 Fix issue where nested CycloneDX components were not being parsed.
  • Bug #1744 Fix issue where empty CycloneDX SBOMs were causing a panic.
  • Bug #1726 De-duplicate references in CycloneDX report output for improved validity.
  • Bug #1727 Remove automatic opening of HTML reports in the browser (fixes #1721).
  • Bug #1735 Require a tag when scanning container images to prevent potential errors.
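The tag requirement in #1735 is a small check with one classic pitfall: a colon can belong to a registry port (localhost:5000/app) rather than to a tag. This is an added example in Go of how such a reference check can be written; it is not OSV-Scanner's own parsing code, the `ImageRef` type is constructed for the example, and the only digest algorithm it accepts is sha256.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// ImageRef is the parsed form of a container image reference (constructed type).
type ImageRef struct {
	Repository string
	Tag        string
	Digest     string
}

// ParseImageRef accepts <repo>:<tag> or <repo>@sha256:<hex> and rejects a bare
// repository name. A bare name silently means "latest", so two scans of the same
// string can cover different images; requiring a tag or digest makes the scanned
// artifact explicit, and a digest pins it exactly.
func ParseImageRef(ref string) (ImageRef, error) {
	if ref == "" || strings.ContainsAny(ref, " \t\r\n") {
		return ImageRef{}, fmt.Errorf("invalid image reference %q", ref)
	}
	if repo, digest, ok := strings.Cut(ref, "@"); ok {
		hexPart := strings.TrimPrefix(digest, "sha256:")
		if _, err := hex.DecodeString(hexPart); repo == "" || hexPart == digest || len(hexPart) != 64 || err != nil {
			return ImageRef{}, fmt.Errorf("image reference %q: digest must be sha256:<64 hex chars>", ref)
		}
		return ImageRef{Repository: repo, Digest: digest}, nil
	}
	// A colon after the last "/" separates the tag; a colon before it is a
	// registry port (localhost:5000/app) and must not be mistaken for one.
	lastSlash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > lastSlash {
		repo, tag := ref[:colon], ref[colon+1:]
		if repo == "" || tag == "" {
			return ImageRef{}, fmt.Errorf("image reference %q has an empty repository or tag", ref)
		}
		return ImageRef{Repository: repo, Tag: tag}, nil
	}
	return ImageRef{}, fmt.Errorf("image reference %q has no tag or digest; use <image>:<tag>", ref)
}

func main() {
	for _, ref := range []string{"alpine:3.19", "localhost:5000/app:dev", "localhost:5000/app", "debian"} {
		r, err := ParseImageRef(ref)
		fmt.Printf("%-24s -> %+v err=%v\n", ref, r, err)
	}
}
```

In a CI pipeline, prefer passing the digest form to the scanner where you have it, so that the scan result can be tied to the exact image that was deployed rather than to whatever the tag pointed at when the job ran.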

Full Changelog: v2.0.0...v2.0.1

v2.0.0

17 Mar 03:58
0e986b4

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.
    • Private registry support for Maven metadata.
    • Machine-readable output for guided remediation.
  • Enhanced Dependency Extraction with osv-scalibr:
    • Haskell: cabal.project.freeze, stack.yaml.lock
    • .NET: deps.json
    • Python: uv.lock
    • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
  • Feature #1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
  • Feature #1582 Add container scanning information to vertical output format.
  • Feature #1587 Add support for severity in SARIF report format.
  • Feature #1569 Add support for bun.lock lockfiles.
  • Feature #1547 Add experimental config support to the scan image command.
  • Feature #1557 Allow setting port number with --serve using the new --port flag.

Breaking Changes:

  • Feature #1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
  • Feature #1670 Removed the --verbosity=verbose verbosity level.
  • Feature #1673 & Feature #1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
  • Feature #1651 Multiple license flags have been merged into a single --license flag.
  • Feature #1666 API: reporter removed; logging now uses slog, which can be overridden.
  • Feature #1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).

Improvements:

  • Feature #1561 Updated HTML report for better contrast and usability (from beta2).
  • Feature #1584 Make skipping the root git repository the default behavior (from beta2).
  • Feature #1648 Updated HTML report styling to improve contrast (from rc1).

Fixes:

  • Fix #1598 Fix table output vulnerability ordering.
  • Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
  • Fix #1585 Fixed issue where base images are occasionally duplicated.
  • Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
  • Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
  • Fix #1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

Full Changelog: v1.9.2...v2.0.0

v2.0.0-rc1

10 Mar 00:08
baab0d0
Pre-release

Our first release candidate for OSV-Scanner V2, which includes various breaking changes to help future-proof osv-scanner in V2! See the changelogs for beta1 and beta2 for the full list of changes.

We've also added a migration guide here: https://google.github.io/osv-scanner/migration-guide.html

As always, please feel free to give us your feedback!

Changes:

  • Feature #1670 Guided remediation now makes non-interactive the default mode, and adds the --interactive flag.
  • Feature #1670 Removes the --verbosity=verbose verbosity level.
  • Feature #1673 & Feature #1664 Moves all our experimental flags out of experimental, and removes the experimental flags.
  • Feature #1651 License flags have been merged into a single license flag. See --help or migration guide for more details.

Features:

  • Feature #1636 osv-scanner update command has been released as an experimental feature.
  • Feature #1582 Add container scanning related information to vertical output format.
  • Feature #1587 Add support for severity in SARIF report format.

Fixes

  • Fix #1677 Fix OS filter for HTML report.
  • Fix #1598 Fix table output vulnerability ordering.
  • Fix #1661 Add spinner to iframes in the HTML report.
  • Fix #1648 Updated HTML report styling to improve contrast.
  • Fix #1616 Display git scanning results in HTML report.
  • Fix #1616 Filter out Ubuntu unimportant vulnerabilities.

API changes

  • Feature #1666 Removes reporter, all logging now goes through slog, which you can override to change the output.
  • Feature #1638 All deprecated packages have been removed from the osv-scanner module, this includes the lockfile package, which has been migrated to the OSV-Scalibr library.

Full Changelog: v2.0.0-beta2...v2.0.0-rc1

v2.0.0-beta2

12 Feb 05:09
29aaf53
Pre-release

This second beta release brings a series of fixes and improvements to the previous release.

Please post your feedback in the following threads:

Improvements:

  • Feature #1561 Updated HTML report for better contrast and usability
  • Feature #1569 Add support for bun.lock lockfiles.
  • Feature #1584 Make skip root git repository the default behavior.
  • Feature #1547 Add experimental config support to the image command.
  • Feature #1557 Allow setting port number when using the --serve flag with the new --port flag.

Fixes

  • Fix #1585 Fixed issue where base images are occasionally duplicated.
  • Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
  • Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
  • Fix #1538 Reduce memory usage when using guided remediation.

Full Changelog: v2.0.0-beta1...v2.0.0-beta2

v2.0.0-beta1

30 Jan 00:20
2821e79
Pre-release

Changelog

The first beta of OSV-Scanner V2 is here! This beta release introduces significant enhancements, including refactored dependency extraction capabilities, container image scanning, and guided remediation for Maven.

This beta release does not introduce any breaking CLI changes, and the beta period is expected to last approximately one month. However, as this is a beta release, there may be breaking changes in the final release compared to the first beta.

GitHub Action based on OSV-Scanner V2 is also coming soon - stay tuned!

We encourage you to try out these new features and would appreciate any feedback you might have on our discussion topics:

Layer and base image-aware container scanning

A significant new feature is a rewritten, layer-aware container scanning support for Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to provide:

  • Layers where a package was first introduced
  • Layer history and commands
  • Base images the image is based on
  • OS/Distro the container is running on

This layer analysis leverages OSV-Scalibr, and supports the following OSes and languages:

  • Distro support: Alpine OS, Debian, Ubuntu
  • Language artifact support: Go, Java, Node, Python

Base image identification also leverages a new experimental API provided by https://deps.dev.

For usage, run the new scan image command:

osv-scanner scan image <image-name>:<tag>

Check out our documentation for more details.

Interactive HTML output

A new, interactive HTML output is now available. This provides a lot more interactivity and information compared to terminal only outputs, including:

  • Severity breakdown
  • Package and ID filtering
  • Vulnerability importance filtering
  • Full vulnerability advisory entries

And additionally for container image scanning:

  • Layer filtering
  • Image layer information
  • Base image identification

[Screenshot of HTML output for container image scanning]

Guided Remediation for Maven pom.xml

Last year we released a feature called guided remediation for npm. We have now expanded support to Maven pom.xml.

With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management.

We’ve introduced a few new features for our Maven support:

  • A new remediation strategy override is introduced.
  • Support for reading and writing pom.xml files, including writing changes to local parent pom files.
  • Private registry can be specified to fetch Maven metadata.

The guided remediation support for Maven is only available in the non-interactive mode. For basic usage, run the following command:

osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml

We also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow.

For more usage details on guided remediation, please see our documentation.
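What the override strategy actually writes into a POM is easier to reason about with a concrete fragment. The following pom.xml is an added example, not output from the tool: the coordinates org.example:app-lib and com.acme:parser are hypothetical, and the fix versions are made up. The mechanism is standard Maven behaviour: an entry in dependencyManagement fixes the version used for every resolution of that artifact in the build, including transitive ones, which is why it can patch a vulnerable dependency you never declared directly.

```xml
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <!-- Direct dependency; assume it pulls in com.acme:parser:1.2.0 transitively
         and that 1.2.0 has a published advisory. A direct version update of
         app-lib would only help if a release of app-lib already depends on a
         fixed parser. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>app-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>

  <!-- What the override strategy adds (or updates, if the section exists):
       Maven applies dependencyManagement versions to transitive dependencies,
       so every resolution of com.acme:parser in this build now uses 1.3.0. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.acme</groupId>
        <artifactId>parser</artifactId>
        <version>1.3.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Two caveats a reviewer of such a change should keep in mind. First, the override is applied without asking the intermediate library whether it is compatible with the newer version, so the build and test suite are the only check that the forced upgrade did not break app-lib; run them before merging. Second, the same dependencyManagement entry also becomes the default version for any module in the build that declares com.acme:parser without a version, which is normally what you want but is worth knowing when the POM is a parent shared by several modules. mvn dependency:tree -Dincludes=com.acme:parser shows which version actually resolves after the edit.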

Enhanced Dependency Extraction with osv-scalibr

With the help from OSV-Scalibr, we now also have expanded support for the kinds of dependencies we can extract from projects and containers:

Source manifests and lockfiles

  • Haskell: cabal.project.freeze, stack.yaml.lock
  • .NET: deps.json
  • Python: uv.lock

Artifacts

  • node_modules
  • Python wheels
  • Java uber jars
  • Go binaries

The full list of supported formats can be found here.

The first beta doesn’t enable every single extractor currently available in OSV-Scalibr today. We’ll continue to add more leading up to the final 2.0.0 release.

OSV-Scalibr also makes it incredibly easy to add new extractors. Please file a feature request if a format you’re interested in is missing!

Full Changelog: v1.9.1...v2.0.0-beta1

v1.9.2

19 Dec 04:02
1e295ee

Changelog

Fixes:

  • Bug #1327 Parsing crash on malformed pnpm lockfile.
  • Bug #1377 Warn if a vulnerability is ignored multiple times in the same config.
  • Bug #1394 Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
  • Bug #1443 Go call analysis now works with Go versions up to 1.23.4.
  • Bug #1436 Only fetch Maven snapshots and releases when enabled.
  • Bug #1456 Remove redundant calls from PreFetch.

Full Changelog: v1.9.1...v1.9.2

v1.9.1

31 Oct 00:20
b13f37e

OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.

Here's a peek at some of the exciting upcoming features:

  • Standalone container image scanning support.
    • Including support for Alpine and Debian images.
  • Refactored internals to use osv-scalibr library for better extraction capabilities.
  • HTML output format for clearer vulnerability results.
  • More control over output format and logging.
  • ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes.
Most breaking changes will only be in the API. More details in the upcoming alpha release.


This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

v1.9.1

Features:

  • Feature #1295 Support offline database in fix subcommand.
  • Feature #1342 Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
  • Feature #1045 Support private registries for Maven.
  • Feature #1226 Support vulnerabilities.ignore in package overrides.

Fixes:

  • Bug #604 Use correct path separator in SARIF output when on Windows.
  • Bug #330 Warn about and ignore duplicate entries in SBOMs.
  • Bug #1325 Set CharsetReader and Entity when reading pom.xml.
  • Bug #1310 Update spdx license ids.
  • Bug #1288 Sort sbom packages by PURL.
  • Bug #1285 Improve handling if docker exits with a non-zero code when trying to scan images.

API Changes:

  • Deprecate auxiliary public packages: As part of the V2 update described above, we have started deprecating some of the auxiliary packages which are not commonly used, to give us more room to make better API designs. These include:
    • config
    • depsdev
    • grouper
    • spdx

Misc

  • Update build to go1.23.2

Full Changelog: v1.9.0...v1.9.1

v1.9.0

02 Oct 06:16
1386406

What's Changed

Features:

  • Feature #1243 Allow explicitly ignoring the license of a package in config with license.ignore = true.
  • Feature #1249 Error if configuration file has unknown properties.
  • Feature #1271 Assume .txt files with "requirements" in their name are requirements.txt files.
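The license.ignore override above, the vulnerabilities.ignore override from v1.9.1 (#1226) and the stricter config validation (#1249, and #1242 below) all concern the same osv-scanner.toml file, so an example of a config that uses them together is useful. The fragment below is added here and is not taken from the release notes or the project's docs; the table names and keys (PackageOverrides, IgnoredVulns, license.ignore, license.override, reason) follow the documented format as I recall it, the package names, versions and the advisory ID are placeholders, and the exact key for ignoring vulnerabilities per package should be checked against the documentation for your version. That check matters more since #1249: an unknown or misspelled property is now an error rather than something silently ignored.

```toml
# osv-scanner.toml (example; placeholder names and IDs)

# Suppress one advisory across the whole project. Always give a reason: the
# config is the audit trail for why a finding was accepted, and the scanner
# prints "(no reason given)" when the field is missing (#1241).
[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"   # placeholder advisory ID
reason = "Vulnerable function is not reachable from this service; re-evaluate on next upgrade"

# v1.9.0 (#1243): keep scanning this package for vulnerabilities but stop
# flagging its license. Pinning the version keeps the override from silently
# carrying over to a future release with a different license.
[[PackageOverrides]]
name = "lib"
version = "1.0.0"
ecosystem = "Go"
license.ignore = true
reason = "Licensed separately under a commercial agreement"

# Override the detected license rather than ignoring it, when the metadata in
# the package is wrong. (license.override is the key as I recall it; verify.)
[[PackageOverrides]]
name = "other-lib"
ecosystem = "npm"
license.override = ["MIT"]
reason = "Upstream package.json lists the wrong SPDX identifier; see LICENSE in the repo"

# Do not expect to set the local database location here: #1252 rejects
# LoadPath from the config file, so it stays a command-line concern.
```

Two practical notes. Scope overrides as narrowly as the config allows (name, version and ecosystem) so an exception written for one known-good version does not hide a genuine finding in the next one, and treat a config parse error as a pipeline failure rather than routing around it, which is exactly what #1242 makes the default.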

Fixes:

  • Bug #1242 Announce when a config file is invalid and exit with a non-zero code.
  • Bug #1241 Display (no reason given) when there is no reason in the override config.
  • Bug #1252 Don't allow LoadPath to be set via config file.
  • Bug #1279 Report all ecosystems without local databases in one single line.
  • Bug #1283 Output invalid PURLs when scanning SBOMs.
  • Bug #1278 Apply go version override to all instances of the stdlib.

Misc:

  • #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
  • #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Full Changelog: v1.8.5...v1.9.0