chore(deps): update ghcr.io/google/osv-scanner docker tag to v1.8.4 #24
This PR contains the following updates:
v1.3.1 -> v1.8.4
Release Notes
google/osv-scanner (ghcr.io/google/osv-scanner)
v1.8.4
Compare Source
Features:
--upgrade-config flag for configuring allowed upgrades on a per-package basis. Also hide and deprecate the previous --disallow-major-upgrades and --disallow-package-upgrades flags.
Fixes:
Misc:
v1.8.3
Compare Source
Features:
Fixes:
semantic is passed a valid models.Ecosystem.
Misc:
v1.8.2
Compare Source
Features:
Fixes:
--experimental-local-db.
package exists in affected property.
v1.8.1
Compare Source
Features:
OSV-Scanner now scans transitive dependencies in Maven pom.xml files! See our documentation for more information.
The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:
[[PackageOverrides]]
v1.7.4
Compare Source
Features:
Misc:
v1.7.3
Compare Source
Features:
Fixes:
v1.7.2
Compare Source
Fixes:
v1.7.1
Compare Source
(There is no Github release for this version)
Fixes
Add retry logic to make calls to the OSV.dev API more resilient. Combined with changes in OSV.dev's API, this should result in far fewer timeout errors.
API Features
Add MakeVersionRequestsWithContext().
API and networking related errors now have their own error type and exit code (exit code 129).
v1.7.0
Compare Source
Features
Feature #352 Guided Remediation
Introducing our new experimental guided remediation feature on the osv-scanner fix subcommand. See our docs for detailed usage instructions.
Feature #805
Include CVSS MaxSeverity in JSON output.
Fixes
Bug #818
Align GoVulncheck Go version with go.mod.
Bug #797
Don't traverse gitignored dirs for gitignore files.
Miscellaneous
Remove version number from the release binary name.
v1.6.2
Compare Source
Features
Feature #694
Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to scan (currently the only command is scan). By default, if you do not pass in a command, scan will be used, so the CLI remains backwards compatible. This is a building block to adding the guided remediation feature. See issue #352 for more details!
Feature #776
Add pdm lockfile support.
API Features
Add dependency groups to flattened vulnerabilities output.
v1.6.1
Compare Source
v1.6.0/v1.6.1:
Features
Feature #694 Add support for NuGet lock files version 2.
Feature #655 Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities.
Feature #702 Created an option to skip/disable upload to code scanning.
Feature #732 Add option to not fail on vulnerability being found for GitHub Actions.
Feature #729 Verify the spdx licenses passed in to the license allowlist.
Fixes
Bug #736 Show ecosystem and version even if git is shown if the info exists.
Bug #703 Return an error if both license scanning and local/offline scanning is enabled simultaneously.
Bug #718 Fixed parsing of SBOMs generated by the latest CycloneDX.
Bug #704 Get go stdlib version from go.mod.
API Features
Reporter methods to add verbosity levels and to deprecate functions.
New Contributors
Full Changelog: google/osv-scanner@v1.5.0...v1.6.0-alpha3
v1.5.0
Compare Source
Features
Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
Support scanning renv files for the R language ecosystem.
Stabilize call analysis for Go! The experimental --experimental-call-analysis flag has now been updated to --call-analysis=<language/all> and --no-call-analysis=<language/all>, with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
Simplify return codes:
CVSS v4.0 support.
Pre-commit hook support.
Fixes
We now filter local packages from scans, and report the filtering of those packages.
Properly handle file/url paths on Windows.
Remove noise from failed lockfile parsing.
No longer include vendored libraries in C/C++ package analysis.
Fix filtering of aliases to also include non OSV aliases
Miscellaneous
v1.4.3
Compare Source
Features
Add support for scanning vendored C/C++ files.
Scan submodules commit hashes.
Fixes
Fix gitignore matching for root directory
Go binary not found should not be an error.
Handle npm/yarn aliased packages.
Remove some extra newlines in SARIF report.
v1.4.2
Compare Source
Fixes
Support versions with build metadata in yarn.lock files.
Add name field to SARIF rule output.
v1.4.1
Compare Source
Features
New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issue/216
Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new GitHub Action in your repo.
This is experimental, so it might change with only a minor version update.
API Features
v1.4.0
Compare Source
Features
Add (experimental) offline mode! See our documentation for how to use it.
Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See our documentation for limitations and how to use this.
go version and checks for vulnerabilities in the standard library.
osv-scanner.json for osv-scanner to scan. See our documentation for instructions.
API Features
Fixes
Fix PURL mapping for Alpine packages
Use correct plural and singular forms based on count
v1.3.6
Compare Source
Minor Updates
Update GoVulnCheck integration.
Create models.PURLToPackage(), and deprecate osvscanner.PURLToPackage().
Fixes
Fix PURLToPackage not returning the full namespace of packages in ecosystems that use them (e.g. golang).
v1.3.5
Compare Source
Features
Adds an additional column to the table output which shows the severity if available.
API Features
v1.3.4
Compare Source
Minor Updates
user agent to OSV API requests.
v1.3.3
Compare Source
Fixes
requirements.txt misparsing lines that contain --hash.
vulnerabilities are found.
requirements.txt causing infinite recursion.
parsing empty lockfile.
API Features
pkg/osv to allow overriding the http client / transport.
v1.3.2
Compare Source
Fixes
public to allow calling DoScan with non-nil reporters.
parsing and relaxing name requirements when explicitly scanning with --sbom.
scanning speed for regex-heavy lockfiles by caching regex compilation.
documentation and error messages.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
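Two of the changes bundled into this bump matter for anyone wiring the image into CI: the [[PackageOverrides]] sections in osv-scanner.toml (v1.8.1) and the dedicated exit code 129 for API/network failures (v1.7.1). The script below is an added example, not part of this PR or of osv-scanner itself. It writes a constructed override file for one accepted-risk package, runs the pinned image against a checkout, and routes on the exit status so a flaky OSV.dev API is retried rather than reported as a red build. The override keys (name, ecosystem, version, ignore, reason, effectiveUntil), the `scan -r --config` invocation, and the 127/128 exit codes are taken from the project's documentation, not from this page, and are assumptions here; the package name, ticket and date are placeholders.

```shell
#!/bin/sh
# Added example (not from the PR or the osv-scanner project).
# Assumptions, labelled: the osv-scanner.toml keys below follow the
# [[PackageOverrides]] schema from the project docs; the image accepts
# "scan -r --config <file> --format json <dir>"; exit codes 127 (general
# error) and 128 (no packages found) come from the docs. Codes 0, 1 and
# 129 are the ones the release notes on this page describe.

# Write an override file that suppresses one accepted-risk package until a
# review date. $1 = directory to write osv-scanner.toml into.
# Prints the path of the file it wrote.
write_override_config() {
  dir="$1"
  cat > "$dir/osv-scanner.toml" <<'EOF'
# Constructed sample: package, ticket and dates are placeholders.
[[PackageOverrides]]
name = "example-lib"
ecosystem = "npm"
version = "1.2.3"
ignore = true
reason = "Accepted risk: vulnerable function unreachable, tracked in SEC-123"
effectiveUntil = "2025-01-31"
EOF
  printf '%s\n' "$dir/osv-scanner.toml"
}

# Map an osv-scanner exit status to a CI decision. 129 is transient
# (API/network) and should be retried, not treated as a finding.
classify_exit() {
  case "$1" in
    0)   echo "pass" ;;
    1)   echo "fail-vulns" ;;
    129) echo "retry-api" ;;
    127|128) echo "fail-tool" ;;
    *)   echo "fail-unknown" ;;
  esac
}

# Run the pinned image read-only against a checkout, mounting the config
# from a separate directory so nothing in the repo is overwritten.
# $1 = repo path, $2 = config dir, $3 = image tag (default v1.8.4).
run_osv_scan() {
  repo="$1"; cfg="$2"; tag="${3:-v1.8.4}"
  docker run --rm \
    -v "$repo:/src:ro" \
    -v "$cfg:/cfg:ro" \
    "ghcr.io/google/osv-scanner:$tag" \
    scan -r --config /cfg/osv-scanner.toml --format json /src
}

# Entry point, only active when OSV_SCAN_RUN=1 so the functions can be
# sourced on their own. Usage: OSV_SCAN_RUN=1 sh scan.sh /path/to/repo
if [ "${OSV_SCAN_RUN:-0}" = "1" ]; then
  repo="${1:-$PWD}"
  cfg="$(mktemp -d)"
  write_override_config "$cfg" >/dev/null
  rc=0
  run_osv_scan "$repo" "$cfg" || rc=$?
  decision="$(classify_exit "$rc")"
  echo "osv-scanner exit $rc -> $decision" >&2
  rm -rf "$cfg"
  case "$decision" in
    pass) exit 0 ;;
    retry-api) exit 0 ;;   # let the CI retry step re-run this job
    *) exit 1 ;;
  esac
fi
```

The effectiveUntil date is the part worth keeping honest: once it passes, the override stops applying and the finding reappears, which is the intended forcing function for re-reviewing an accepted risk rather than letting the suppression live forever.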