Name: osv-scanner
Distribution: openSUSE Tumbleweed
Version: 1.9.1
Vendor: openSUSE
Release: 1.1
Build date: Thu Oct 31 11:47:27 2024
Group: Unspecified
Build host: reproducible
Size: 35546425
Source RPM: osv-scanner-1.9.1-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/google/osv-scanner
Summary: Vulnerability scanner written in Go
Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies. OSV-Scanner provides an officially supported frontend to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:

- Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
- Anyone can suggest improvements to advisories, resulting in a very high quality database
- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer's list of packages

The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them.

License: Apache-2.0
* Thu Oct 31 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.9.1:
  * chore: v1.9.1 Changelog (#1358)
  * docs: update usage references (#1351)
  * chore(deps-dev): bump rexml from 3.3.8 to 3.3.9 in /docs in the bundler group (#1349)
  * chore: remove unused fixture file (#1353)
  * test: update snapshot (#1354)
  * chore: Also trigger workflow when merging into v2 (#1343)
  * feat: add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve` flags (#1342)
  * docs: update documentation about Maven registry support (#1340)
  * ci: ensure that generated files have been regenerated as part of prerelease checks (#1312)
  * test: update snapshot (#1335)
  * feat: fetch Maven metadata from specified repositories (#1286)
  * chore(deps): lock file maintenance (#1334)
  * chore(deps): update workflows (#1333)
  * feat: deprecate auxiliary public packages in favor of private versions (#1309)
  * fix: use correct path separator in SARIF output when on Windows (#1294)
  * chore: Update snapshots (#1328)
  * fix: warn about and ignore duplicate entries in SBOMs (#1289)
  * feat(guided remediation): support offline database in fix subcommand (#1306)
  * fix: set CharsetReader and Entity when reading pom.xml (#1325)
  * fix(deps): update osv-scanner minor (#1323)
  * chore(deps): update workflows (#1322)
  * fix(guided remediation): update deps.dev Maven resolver (#1320)
  * chore: update golangci-lint to 1.61.0 (#1318)
  * fix: address a number of typos (#1307)
  * fix: update spdx license ids (#1310)
  * feat(output): add HTML output format (#1258)
  * test: update snapshots (#1314)
  * chore: ignore `node_modules` in git (#1308)
  * fix(deps): update osv-scanner minor (#1302)
  * chore(deps): update workflows (#1301)
  * chore(deps): update golang docker tag to v1.23.2 (#1300)
  * test: update snapshot (#1304)
  * refactor: Update test names (#1297)
  * test: update snapshots for guided remediation (#1296)
  * fix: sort sbom packages by PURL (#1288)
  * fix: improve handling if `docker` exits with a non-zero code when trying to scan images (#1285)
  * feat: support `vulnerabilities.ignore` in package overrides (#1268)
* Wed Oct 02 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.9.0:
  * chore(release): changelog for v1.9.0 (#1292)
  * chore(deps): update workflows (#1281)
  * chore(deps): lock file maintenance (#1282)
  * fix: bump osv max concurrent requests (#1290)
  * fix: apply go version override to _all_ instances of the `stdlib` (#1278)
  * fix: output invalid PURLs when scanning sboms (#1283)
  * fix(offline): report all ecosystems without local databases in one single line (#1279)
  * test: update snapshot (#1284)
  * chore(deps): update workflows (#1264)
  * fix(deps): update osv-scanner minor (#1265)
  * feat: assume `txt` files with "requirements" in their name are `requirements.txt` files (#1271)
  * chore(deps): update dependency webrick to v1.8.2 [security] (#1270)
  * test: update case to reflect recent config parsing changes (#1267)
  * feat: group DSA and its CVEs together (#1262)
  * feat: error if configuration file has unknown properties (#1249)
  * fix: don't allow `LoadPath` to be set via config file (#1252)
  * refactor: Follow revive rules across the repo (#1263)
  * chore: make guided remediation follow revive's default lint rules (#1259)
  * refactor(guided remediation): Take `PreFetch` out of `DependencyClient` interface and prevent repeated datasource network calls (#1224)
  * ci: pin `amannn/action-semantic-pull-request` to a commit (#1256)
  * ci: pin `actions/stale` to a commit (#1255)
  * test: update snapshots with new security vulnerabilities (#1254)
  * chore: deprecate parser functions in favor of their extract equivalents (#1253)
  * refactor: simplify and reuse `tryLoadConfig` (#1248)
  * test: ensure `cmp.Diff` usage is consistent (#1251)
  * test: restructure internal `config` cases and fixtures (#1250)
  * fix: don't assume there's always a reason for a package being filtered out (#1241)
  * feat: Copy over dark docs theming from osv.dev (#1245)
  * fix: announce when a config file is invalid and exit with a non-zero code (#1242)
  * chore(deps): update workflows (#1247)
  * fix(deps): update osv-scanner minor (#1246)
  * feat: allow explicitly ignoring the license of a package in config (#1243)
  * feat(guided remediation): remediate unresolved dependency management vulns (#1235)
  * chore(deps): update alpine:3.20 docker digest to beefdbd (#1230)
  * chore(deps): update golang docker tag to v1.23.1 (#1231)
  * chore(deps): update workflows (#1205)
  * fix(deps): update osv-scanner minor (#1204)
  * chore(deps): lock file maintenance (#1195)
* Sat Sep 14 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.5:
  * chore(release): changelog for v1.8.5 (#1237)
  * fix: make Alpine ecosystem fallback to latest release version (#1236)
  * feat(internal): marshal self-closing tags in XML (#1225)
  * chore: update Go to version 1.22.7 (#1233)
  * feat: support composite-based package overrides (#1214)
  * chore: update test snapshots (#1232)
  * fix: govulncheck calls on C code (#1228)
  * refactor: use forked xml package for writing (#1223)
  * chore: update test snapshots (#1222)
  * feat(internal): add Maven native dependency client (#1207)
  * fix(guided remediation): Add special handling for specific Maven packages (#1219)
  * fix(deps): update module github.com/charmbracelet/bubbletea to v1 (#1217)
  * fix(internal): encode XML tokens without escaping (#1216)
  * chore: update test snapshots (#1218)
  * chore: axe `.go-version` file (#1212)
  * feat(guided remediation): Add `FIXED-VULN-IDS` to non-interactive output (#1210)
  * perf: ignored packages should be filtered out before scanning (#1206)
  * feat: support fetching snapshot versions from a Maven registry (#1160)
  * fix: stop finding more parent pom if the path is empty (#1194)
  * chore: add missed test ignore vuln (#1209)
  * chore: add `osv-scanner.toml` files to make Scorecard ignore vulnerabilities in our test fixtures (#1202)
  * chore(deps): update workflows (#1186)
  * fix(deps): update osv-scanner minor (#1187)
  * fix: correct for breaking change in glamour v0.8.0 (#1201)
  * chore(deps): update dependency github-pages to v232 (#1189)
  * chore(deps): update golang docker tag to v1.23.0 (#1188)
* Sat Sep 14 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.4:
  * chore(release): release v1.8.4 (#1200)
  * refactor: move Maven utility to a separate package (#1193)
  * docs: link to the Scorecard Report (#1197)
  * fix: unescape tabs before writing to pom.xml (#1190)
  * feat(guided remediation): add `--upgrade-config` flag (#1191)
  * chore: add PR title check to follow Git commit convention (#1178)
  * chore: add new vulnerability aliases to test snapshots (#1192)
  * feat: write Maven updates to parent pom.xml if possible (#1182)
  * chore: use the latest version of `golangci-lint` (#1185)
  * fix(guided remediation): error on `--data-source=native` for Maven (#1180)
  * ci(workflow): address github.com/rhysd/actionlint findings (#1176)
  * fix(workflow): correct permission name (#1175)
  * chore(deps): update workflows (#1173)
  * fix(deps): update osv-scanner minor (#1174)
  * fix: only trim XML elements with no inner elements (#1168)
  * fix(workflow): Add explicit permissions (#1171)
  * docs: add conventional commits requirement (#1172)
  * Package tracing PoC (#1049)
  * Update go policy and use stable go version for builds (#1156)
  * chore(deps): update dependency wdm to "~> 0.2.0" (#1163)
  * fix(deps): update osv-scanner minor (#1162)
  * chore(deps): update workflows (#1161)
  * Add changelog for v1.8.3 (#1150)
* Wed Aug 07 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.3:
  * chore: update dependency `github.com/docker/docker` (#1166)
  * chore(deps-dev): bump rexml from 3.3.2 to 3.3.3 in /docs in the bundler group (#1158)
  * add maven changes
  * feat(guided remediation): add non-interactive Maven remediation by override (#1136)
  * Label closed stale issues/PRs (#1165)
  * Fix snapshots (#1164)
  * Refactoring Maven manifest reading (#1159)
  * Do not attempt to remediate vulnerabilities in Maven artifacts that have defined `<classifier>` or `<type>` (#1151)
  * Handle Maven parent relative path (#1149)
  * fix(workflow): add read permission to `osv-scanner-reusable.yml` (#1157)
  * fix(workflow): update prerelease-check.yml to the latest OSV-Scanner action (#1153)
  * fix(osv-github-action): If all vulnerabilities are not called, don't return a non-zero exit code in osv-reporter (#1152)
  * update snaps
  * fix style
  * Add changelog for v1.8.3
  * chore(deps): lock file maintenance (#1130)
  * Increase frequency of staleness runs (#1148)
  * Improve Maven manifest updater (#1147)
  * chore(deps): update workflows (#1145)
  * fix(deps): update osv-scanner minor (#1146)
  * chore(deps): update golang:1.22.5-alpine3.19 docker digest to 48aac60 (#1144)
  * chore(deps): update alpine:3.20 docker digest to 0a4eaa0 (#1143)
  * feat: add "vertical" output format (#889)
  * chore(deps-dev): bump rexml from 3.3.1 to 3.3.2 in /docs in the bundler group (#1132)
  * Add Maven dependency management to override client (#1140)
  * Add original manifest to Maven ManifestPatch (#1134)
  * Exempt backlog label from stale treatment (#1135)
  * fix(deps): update osv-scanner minor (#1120)
  * Reflect Go 1.21.12 change more broadly (#1133)
  * ci: don't mark v2 wishlisted issues as stale (#1131)
  * chore(deps): update workflows (#1119)
  * Workflow for stale issue and PR management (#1125)
  * Bump goreleaser build version to 1.22. (#1126)
  * Set the original requirement in patches from suggest (#1117)
  * fix: ensure that `semantic` is passed a valid `models.Ecosystem` (#1116)
  * Update docs: test dependencies not in the resolved graph (#1114)
  * Improved the runtime of DiffVulnerabilityResults (#1091)
  * Start on override strategy for maven guided remediation (#1025)
  * Sort dependencies before writing to pom.xml (#1113)
  * Activate profiles before merging parent (#1108)
  * Fix the wrong dependencies/dependency tags (#1112)
  * refactor: update linter and address minor violations (#1110)
  * Add a dependency to pom.xml if it is not from the base project (#1105)
* Wed Jul 10 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.2:
  * Bump go mod min version (#1109)
  * Add changelog for v1.8.2 (#1106)
  * Fix npm grouping (#1107)
  * Add warning to the default docker container scanning method (#1089)
  * Move sbom to internal, and add standard output tests (#1104)
  * fix: ensure that npm dependencies retain their "production" grouping (#939)
  * test: add output fixtures for call analysis (#1093)
  * fix: restore custom styling to table format (#1094)
  * chore(deps): lock file maintenance (#1103)
  * chore(deps): update workflows (#1101)
  * github-action.md add version into md example (#1073)
  * ✨ Adding CycloneDX 1.4 and 1.5 reporter (#1014)
  * chore(deps): update golang docker tag to v1.22.5 (#1100)
  * fix(deps): update osv-scanner minor (#1102)
  * Add go compiler to enable call analysis in the github action (#1099)
  * Update github action docs in osv-scanner (#1096)
  * test: update snapshots (#1092)
  * Refactoring `manifest.Read()` for Maven (#1083)
  * refactor: just disable color output rather than tracking terminal width (#1087)
  * ci: upgrade `semantic` workflow to use v4 for artifact workflows (#1088)
  * chore(deps): update workflows (#1080)
  * fix(deps): update module github.com/spdx/tools-golang to v0.5.5 (#1081)
  * Added Testing for the SPDX SBOM Reader (#1086)
  * Changed min and max to inbuilt functions (#1076)
  * Update snapshots (#1084)
  * fix: use errgroup to avoid hydration deadlock scenario (#1078)
  * ci: setup workflow to run `semantic` tests weekly (#958)
  * test: update snapshots (#1079)
  * filter out unimportant vulnerabilities from vuln group (#1072)
  * Fix test (#1071)
  * fix: ensure that `package` exists in `affected` property (#1055)
  * Cherry-pick unmerged change from docs branch (#1069)
  * chore(deps): update alpine:3.20 docker digest to b89d9c9 (#1062)
  * chore(deps): update golang:1.22.4-alpine3.19 docker digest to c46c460 (#1063)
  * fix(deps): update module github.com/charmbracelet/bubbletea to v0.26.6 (#1064)
  * Combine Debian unimportant count logs (#1067)
  * Update tests to support go version changes (#1065)
  * fix: only care about ecosystem suffix if present in both ecosystems when determining equality (#1007)
  * refactor: enable `revive/indent-error-flow` (#997)
* Fri Jun 21 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.1:
  * Make 1.8.1 release (#1056)
  * feat: bump goreleaser to v2 (#1054)
  * Update goreleaser.yml (#1052)
* Fri Jun 21 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.0:
  * v1.8.0 Changelog (#1050)
  * Add documentation for the configuration. (#1051)
  * Update documentation for transitive dependency scanning (#1040)
  * Invoke `MavenResolverExtrator` when scanning pom.xml (#1028)
  * fix(deps): update osv-scanner minor (#1044)
  * chore(deps): update workflows (#1043)
  * chore(deps): update golang docker tag to v1.22.4 (#896)
  * chore(deps): lock file maintenance (#1033)
  * chore(deps): update goreleaser/goreleaser-action action to v6 (#1032)
  * Add `experimental-download-offline-databases` flag (#1039)
  * Update snapshots and exit codes (#1041)
  * Upgrade deps.dev dependencies (#1035)
  * Remove busybox from alpine SBOM (#1037)
  * Add go binary scanning (#1011)
  * Update Go patch version (#1030)
  * Merge parent projects for Maven pom.xml (#1019)
  * Update base docker image for golang 1.21.11 (#1029)
  * implement filtering by packages through the config (#944)
  * Dependency imports should always be fetched from upstream (#1027)
  * Upgrade go version (#1024)
  * Fix broken TUI styling (#1023)
  * Update test snapshots (#1022)
  * chore(deps): lock file maintenance (#1018)
  * fix(deps): update osv-scanner minor (#1017)
  * chore(deps): update workflows (#1016)
  * ci: don't try to upload code coverage on macOS (#1020)
  * Fix some Maven manifest & resolver issues (#1008)
  * Transitive dependency support for Maven pom.xml (#1002)
  * Select a version that actually exists (#1012)
  * Maven standard dependencies should take precedence over managed dependencies (#1000)
  * Do not record Maven `compile` scope in dependency groups (#1003)
* Thu May 30 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.4:
  * Remove feature from changelog as it's still blocked on #769 (#1006)
  * V1.7.4 changelog (#1001)
  * Update typo in supported_languages_and_lockfiles.md (#998)
  * feat: support comparing Alpine versions locally (#980)
  * Now that we have updated to go1.21.10, we can remove the ignore line from osv-scanner.toml (#996)
  * chore(deps): update workflows (major) (#897)
  * fix(deps): update osv-scanner minor (#994)
  * chore(deps): update alpine docker tag to v3.20 (#993)
  * Update test snapshots (#992)
  * test: add cases for output functions (#937)
  * fix(deps): update osv-scanner minor (#978)
  * Add a new Maven pom.xml extractor (#982)
  * feat: support parsing `gradle/verification-metadata.xml` (#943)
  * chore(deps): update workflows (#977)
  * chore(deps): update golang:1.21-alpine3.19 docker digest to 1c2e474 (#985)
  * chore(deps-dev): Bump the bundler group across 1 directory with 2 updates (#983)
  * make Maven parent path relative on current project (#987)
  * Fix snapshots and alpine version (#990)
  * Update deps.dev dependencies (#984)
  * [docs] Add installation instructions for FreeBSD and NetBSD (#969)
  * Disable all unimportant vulnerabilities (#968)
  * GR: Add test universe generation script and tests for patch generation (#967)
* Thu May 09 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.3:
  * chore(deps): update golang:1.21-alpine3.19 docker digest to b3aea8d (#973)
  * v1.7.3 changelog and version bump (#972)
  * Update gomod go version (#971)
  * Fix tests; add newly discovered vulns (#970)
  * Update go.mod to 1.21.9 (#907)
  * chore: import `sys` in Python generators (#966)
  * ci: upgrade `golangci/golangci-lint-action` to v5 (#964)
  * chore: only extract versions from packages in the generator ecosystem (#957)
  * refactor: encapsulate getting the working directory in a helper function (#961)
  * refactor: apply Rubocop to Ruby generator (#956)
  * test: remove future snapshots (#960)
  * chore(deps): update workflows (#935)
  * fix(deps): update osv-scanner minor (#945)
  * chore(deps): lock file maintenance (#962)
  * Fix snapshot for test (#963)
  * fix: ensure the sarif output has a stable order (#938)
  * chore: support skipping known unsupported comparisons in generators (#954)
  * chore(deps): lock file maintenance (#936)
  * chore: improve version fixture generators for local usage (#953)
  * ci: cancel in-progress runs when new changes are pushed (#959)
  * Automated Updates: support parents and dependency imports (#890)
  * GR: Support filtering on alias IDs (#946)
  * ci: ensure input name case matches just to be safe (#955)
  * refactor: use `maps` functions instead of custom implementations (#940)
  * test: update snapshots due to external vulnerability changes (#951)
  * ci: upgrade Codecov to v4 (#941)
  * feat: add support for PNPM v9 lockfiles (#934)
  * Add new vuln to tests (#947)
  * chore: add missing space to panic message (#942)
  * test: include groups when describing package details (#933)
* Fri Apr 19 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.2:
  * Changelog for v1.7.2 (#932)
  * GR: Use deps.dev schema for graph definition in tests (#911)
  * ci: ensure snapshots are always cleaned up (#903)
  * test: clean up image snapshots (#923)
  * Fix paths in test snapshots (#930)
  * Fix regression for go call analysis in 1.7.0 (#926)
  * fix(deps): update osv-scanner minor (#918)
  * chore(deps): lock file maintenance (#919)
  * Ignore stdlib vuln (#920)
  * GR: Test `MatchVuln()` (#912)
  * GR: resolve tests & mock client (#909)
  * GR: Parse paths in npmrc auth fields correctly (#901)
  * Fix rust call analysis by explicitly disabling stripping of debug info (#908)
  * fix(deps): update osv-scanner minor (#895)
  * chore(deps): update golang:1.21-alpine3.19 docker digest to ed8ce6c (#905)
  * chore(deps): update workflows (#906)
  * chore(deps): lock file maintenance (#898)
  * test: clean and sort snapshots (#904)
  * Add new vuln for failing test (#900)
  * GR: Tests for npm relaxer (#894)
  * GR: Add simple test for package-lock.json writing (#891)
  * chore(deps): update workflows (#886)
  * fix(deps): update osv-scanner minor (#885)
  * update deps.dev/util/maven (#892)
  * Make MockHTTPServer for tests (#888)
  * GR: Add tests for npmrc & npm registry api (#879)
  * Update github action docs to v1.7.1 (#881)
  * Use stable deps.dev v3 API (#882)
  * test: pin alpine image to exact sha (#880)
  * test: change how snapshot matchers are called and update example name for consistency (#866)
  * [docs] Fix the HTTP link for downloading offline database. (#877)
  * fix(renovate): constrain go to 1.21 and do not update golang (#874)
  * ci: harden workflow permissions (#872)
  * chore(deps): Bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#878)
* Wed Mar 20 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.1:
  * v1.7.1 changelog and removing unused fixtures (#876)
  * Fix/update retry logic in OSV (#860)
  * perf: optimize string formatting and update linting (#828)
  * test: add cli cases for `node_modules` images (#870)
  * Follow up PR851 mark acceptance on image tests (#869)
  * GR: Add npm lockfile read tests (#853)
  * ci: downgrade codecov action to v3 (#871)
  * test: use "public" package where possible (#838)
  * test: regenerate snapshots (#867)
  * Pin the dockerfiles to the correct base image (#865)
  * chore(deps): update workflows (#863)
  * fix(deps): update osv-scanner minor (#864)
  * add MakeVersionRequestsWithContext() (#781)
  * improve error messages in Maven registry client (#859)
  * Fix location of "*" for requirements.txt (#858)
  * docs: reword sentence in guided-remediation (#846)
  * Put API/networking errors on another error code (#857)
  * chore(deps): update golang:alpine docker digest to fc5e584 (#852)
  * Find and save the distro version when extracting from debian and alpine (#854)
  * fix: allow users to override GOVERSION (#850)
  * feat: support scanning `node_modules` generated by NPM in container images (#851)
  * GR: Add npm ManifestIO tests & minor fixes (#845)
  * Automated Updates: set up update subcommand (#830)
* Fri Mar 15 2024 opensuse_buildservice@ojkastl.de
- BuildRequire go 1.21.8 to follow upstream
- Update to version 1.7.0:
  * Update changelog for v1.7.0 (#843)
  * Merge docs to main (#842)
  * Replace stereoscope with using go-containerregistry directly (#836)
  * Rename relaxer and suggester (#839)
  * Update deps (#841)
  * Downgrade go.mod (#833)
  * chore(deps): update workflows (#835)
  * Add more guided remediation known issues re: vulnerability counting (#840)
  * Guided Remediation Docs (#827)
  * test: automatically cleanup test zip server (#834)
  * chore(deps): lock file maintenance (#822)
  * fix(deps): update osv-scanner minor (#807)
  * ci: remove unneeded `setup-go` step and pin `actions/download-artifact` (#786)
  * Don't traverse gitignored dirs for gitignore files (#797)
  * test: make `createTestDir` a general test utility (#832)
  * Maximum severity rating for each Group object in JSON output (#805)
  * Automated Updates: add a simple Maven registry API client (#837)
  * Automated Updates: only append dependencies with property to original requirements (#823)
  * chore(deps): update dependency github-pages to v231 (#821)
  * chore(deps): update workflows to v4 (major) (#784)
  * chore(deps): update workflows (#806)
  * Added a switch for using cached local db in test to improve speed (#826)
  * Remove version from the binary name. (#831)
  * Automated Updates: suggest property patches to update for Maven (#824)
  * refactor: replace usage of deprecated function (#829)
  * chore: don't ignore `fixtures` directory (#825)
  * Align GoVulncheck Go version with go.mod (#818)
  * Guided Remediation: Compute Dev dependencies in in-place parsing (#816)
  * Automated Updates: add ManifestIO for Maven (#813)
  * Update suggester package name (#817)
  * Automated Updates: add version suggester for Maven (#815)
  * Guided remediation: Interactive mode TUI (#811)
  * Proof of Concept of container scanning (#808)
  * Guided Remediation: non-interactive mode (#798)
  * Update main with the new docs updates. (#810)
  * Add user agent to deps.dev requests (#804)
  * chore(deps): update golang:alpine docker digest to 8e96e6c (#793)
  * fix(deps): update osv-scanner minor (#794)
  * chore(deps): update dependency github-pages to v230 (#796)
  * chore(deps): update workflows (#795)
  * Start setting up guided remediation subcommand (#792)
  * Guided Remediation: Compute in-place updates (#789)
  * Guided Remediation: Add `package-lock.json` LockfileIO (#785)
  * add new spdx identifiers (#788)
  * chore(deps-dev): Bump nokogiri from 1.15.5 to 1.16.2 in /docs (#787)
  * chore(deps): update workflows (#783)
  * fix(deps): update osv-scanner minor (#782)
  * Guided Remediation: add npm registry clients & `.npmrc` parsing (#778)
  * Fix tests (#780)
* Wed Jan 31 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.6.2:
  * Update changelog for 1.6.2 (#779)
  * chore(deps): update golang:alpine docker digest to a6a7f1f (#772)
  * chore(deps): update alpine:3.19 docker digest to c5b1261 (#771)
  * Add pdm lockfile support (#776)
  * Guided Remediation: Make `VulnerabilityClient` for OSV queries (#773)
  * Do not fail if no lockfiles found in github action (#774)
  * Guided Remediation: Add computation for all relaxation patches (#766)
  * Parse severities for guided remediation (#767)
  * Add pictures to github action docs (#768)
  * Guided Remediation: Add dependency relaxation & re-resolution (#765)
  * Update govet printf settings (#745)
  * fix: improve wording of usage description (#764)
  * Guided Remediation: add npm `package.json` manifest parser (#763)
  * Update github action version (#761)
  * Guided Remediation: Add manifest resolution (#757)
  * Add OSV-Scanner subcommands (#748)
  * test: use snapshot-based testing (#717)
  * chore(deps): lock file maintenance (#760)
  * fix(deps): update osv-scanner minor (#758)
  * chore(deps): update workflows (#759)
  * add dependency groups to flattened vulnerability (#754)
  * Use new GitHub action in new repository (#756)
* Thu Jan 18 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.6.1:
  * Final goreleaser fix (#753)
  * Remove unnecessary docker manifest entry in goreleaser (#752)
  * Update goreleaser to fix release pipeline (#751)
* Thu Jan 18 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.6.0:
  * Update CHANGELOG.md for 1.6.0 (#749)
  * Bump version for OSV-Scanner. (#750)
  * Build action image when releasing (#747)
  * fix(deps): update osv-scanner minor (#743)
  * chore(deps): update actions/upload-artifact action to v4.1.0 (#744)
  * chore(deps): update golang:alpine docker digest to fd78f2f (#719)
  * chore(deps): update workflows (major) (#709)
  * chore(deps): update alpine docker tag to v3.19 (#708)
  * fix(deps): update osv-scanner minor (#700)
  * chore(deps): lock file maintenance (#710)
  * chore(deps): update github/codeql-action action to v2.23.0 (#707)
  * Assume latest patch version if version does not exist (#740)
  * Add support for verbosity levels (#727)
  * Show ecosystem and version even if git is shown if the info exists. (#736)
  * chore(deps): Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#738)
  * Add option to not fail on vuln to workflow files (#737)
  * Fix vulnerabilities that OSV-Scanner found (#724)
  * Add option to not fail on vulnerability being found for github action (#732)
  * fix: remove deprecated `Reporter` methods (#722)
  * fix directives related to go generate in package spdx (#730)
  * verify license allowlist against spdx identifiers (#729)
  * Add formatting instructions to docs contribution (#723)
  * Adjusting docs (#716)
  * fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0 [security] (#721)
  * Get go stdlib version from go.mod (#704)
  * feat: support `PrintTextf` and `PrintErrorf` on `Reporter` (#706)
  * Refactor: attempt to transition into using models.Ecosystems rather than lockfile.Ecosystems (#705)
  * Updating cdxgen-go version in go.mod (#718)
  * Unify OSV scanner action (#711)
  * refactor: setup `prettier` for formatting files (#693)
  * Return an error if both license scanning and local/offline scanning is enabled simultaneously (#703)
  * chore(deps): update golang:alpine docker digest to feceecc (#699)
  * scan and report dependency groups of vulnerabilities (#655)
  * Create an option to skip/disable upload to code scanning (#702)
  * Add support for NuGet lock files version 2 (#694)
  * remove extra backtick in license scanning documentation (#696)
  * Update changelog to include minimum go version changes (#695)
* Wed Dec 06 2023 kastl@b1-systems.de
- Update to version 1.5.0:
  * Add changelog for version 1.5.0 (#692)
  * Fix go mod (#691)
  * chore(deps): lock file maintenance (#653)
  * refactor: switch golang.org/x/exp/slices usages to stdlib (#690)
  * Include available formats in `--format` help message (#685)
  * chore(deps): update golang:alpine docker digest to 70afe55 (#687)
  * chore(deps): update alpine:3.18 docker digest to 34871e7 (#686)
  * fix(deps): update osv-scanner minor (#688)
  * Add `osv-scanner` pre-commit hook (#669)
  * Fix goreleaser build (#683)
  * feat: CVSS v4.0 support and replace cvss implementation to comply with the specifications (#651)
  * chore(deps): update workflows (#666)
  * Added license scanning info (#674)
  * update docs for call analysis. (#682)
  * Setup manual release pipeline (#681)
  * add experimental-licenses summary flag (#678)
  * Set Go call analysis to default behaviour (#665)
  * Fix filter ids (#647)
  * feat: add support for `renv.lock` (#668)
  * Simplify return codes to return 1 if any vulnerability related error (#677)
  * fix(deps): update osv-scanner minor (#652)
  * refactor: upgrade golangci-lint (#673)
  * make license allowlist matching case insensitive (#672)
  * ci: run tests on Windows (#646)
  * feat: add support for comparing CRAN versions (#656)
  * ci: update `golangci-lint` to v1.54 (#661)
  * Don't include nested vendored libs in determineversions query. (#649)
  * chore: disable `goconst` linter (#662)
  * fix: remove noise lockfile warnings (#660)
  * ci: enforce that `cachedregexp` is always used instead of `regexp` (#663)
  * Adding C/C++ info to the docs (#648)
  * cmd/osv-scanner: update sarif output in test cases (#659)
  * Downgrade jekyll-feed. Update lock file (#650)
  * chore(deps): update golang:alpine docker digest to 110b07a (#640)
  * fix: properly handle file/url paths on Windows (#645)
  * test: don't ignore anything from coverage (#627)
  * fix(deps): update osv-scanner minor (#641)
  * Filter local packages from scanning, and report the filtering. (#643)
  * license checking experimental feature (#501)
  * upgrade version of Go in GitHub checks (#637)
  * test: check against error type rather than message (#628)
  * Minor github action docs changes to clarify behaviour. (#630)
* Thu Nov 02 2023 kastl@b1-systems.de
- Update to version 1.4.3:
  * Prepare for v1.4.3 release (#629)
  * Add support for determineversions API (#612). (#621)
  * Refactor package scanning to produce packages instead of queries (#614)
  * Fix permissions in PR osv-scanner (#625)
  * Fix gitignore matching for root directory (#626)
  * Go binary not found should not be an error (#622)
  * Scan submodules too. (#581)
  * fix: handle yarn aliased packages (#615)
  * fix(deps): update osv-scanner minor (#618)
  * chore(deps): update github/codeql-action action to v2.22.5 (#616)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#597)
  * chore(deps): update workflows (#596)
  * handle npm aliased packages (#610)
  * Some minor post release fixes (#613)
  * Gate extended tests (#598)
  * test: use `cmp.Diff` for diffing (#605)
  * fix: remove some extra newlines in sarif report (#607)
* Wed Oct 25 2023 kastl@b1-systems.de
- Update to version 1.4.2:
  * Prepare for 1.4.2 release (#609)
  * chore: don't trim trailing whitespace on fixture snapshots (#608)
  * Update release pipeline (#602)
  * fix: trim leading and trailing newlines off SARIF output (#606)
  * Add name field to sarif rule output (#600)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#579)
  * chore(deps): update golang:alpine docker digest to 926f7f7 (#591)
  * chore(deps): update workflows (#592)
  * Make scheduled and PR scanning only scan the relevant files and ignore fixtures (#594)
  * Update docs to add in saving to file option (#593)
  * Clarify in the docs actions will fail when vulns are found (#587)
  * chore(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#585)
  * Change branch back in github action (#586)
  * Fix permissions and attempt "Download Artifact" option to allow custom lockfiles (#584)
  * Small doc adjustments for GitHub Actions (#582)
  * fix(deps): update osv-scanner minor (#578)
  * Update deps and fix tests (#583)
  * Improve documentation for github actions (#575)
  * chore(deps): update golang:alpine docker digest to a76f153 (#577)
  * chore(deps): update workflows (#580)
  * fix: support versions with build metadata in `yarn.lock` files (#576)
  * Add additional tests for git scanning, and markdown format (#569)
* Fri Oct 06 2023 kastl@b1-systems.de
- Update to version 1.4.1:
  * Allow release scanning to upload SARIF file. (#573)
  * Fix goreleaser and update changelog (#572)
  * 1.4.1 release and changelog (#571)
  * SARIF with fixed version (#559)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#568)
  * chore(deps): update github/codeql-action action to v2.21.9 (#567)
  * chore(deps): update golang:alpine docker digest to 4bc6541 (#566)
  * chore(deps): update alpine:3.18 docker digest to eece025 (#565)
  * ci: don't fetch the whole repository history when it's not needed (#562)
  * ci: ensure that `actions/checkout` is pinned (#563)
  * Block release on vuln scan (#561)
  * ci: use `.go-version` file (#564)
  * ci: run tests on macos and in parallel when releasing (#560)
  * test: use `cmp.Diff` for comparing output (#558)
  * Add new ecosystems, and a slice containing all of them. (#557)
  * test: compare expected with actual rather than the other way around (#556)
  * chore: move scripts into the `scripts` directory (#555)
  * ci: combine lint and test workflows (#554)
  * test: add cases for extra coverage (#524)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#544)
  * chore(deps): lock file maintenance (#545)
  * chore(deps): update workflows (#538)
  * Add custom scan arguments (#552)
  * SARIF output fixes. (#547)
  * Minor readme update (#546)
  * Action docs (#541)
  * Update SARIF format (#534)
  * Fix action naming and scheduled scan parameters (#543)
  * chore(deps): update workflows (major) (#540)
  * Attempt at multiline action (#542)
  * fix(deps): update osv-scanner minor (#539)
  * Update experimental.md (#536)
* Thu Sep 14 2023 kastl@b1-systems.de
- Update to version 1.4.0:
  * Fix issue in the changelog (#533)
  * 1.4.0 changelog and docs (#532)
  * Adding Offline info (#517)
  * chore(deps): update golang:alpine docker digest to 96634e5 (#527)
  * chore(deps): update workflows (#529)
  * fix(deps): update osv-scanner minor (#528)
  * Fix result scanning (#526)
  * ci: change how coverage is collected (#525)
  * chore: capture coverage and upload it to codecov (#512)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#520)
  * Correctly use matchFileNames in renovate.json (#522)
  * Update test results to pass new test (#523)
  * Revert breaking change in `osv.go` (#514)
  * Add osv output lockfile + refactor (#505)
  * Update renovate.json (#504)
  * fix(deps): update osv-scanner minor (#506)
  * Refactor models (#510)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#508)
  * chore(deps): update actions/checkout action to v3.6.0 (#507)
  * Update contributing docs (#502)
  * chore(deps-dev): Bump activesupport from 7.0.7 to 7.0.7.2 in /docs (#503)
  * fix(deps): update golang.org/x/exp digest to d852ddb (#496)
  * Add fixtures go to renovate bot ignore (#500)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#498)
  * chore(deps): update golangci/golangci-lint-action action to v3.7.0 (#499)
  * chore(deps): update actions/setup-go action to v4.1.0 (#497)
  * If go version can't be found, don't add stdlib (#494)
  * chore(deps): update dependency jekyll-feed to v0.17.0 (#448)
  * feat: support `io.Reader` based parsers (#451)
  * fix: don't error if local db directory already exists (#493)
  * fix: ensure that "introduced 0" events are sorted before any other event (#492)
  * Add go stdlib version support
(#484) * chore(deps): update golang:alpine docker digest to 445f340 (#467) * chore(deps): update alpine docker tag to v3.18 (#468) * chore(deps): update slsa-framework/slsa-github-generator action to v1.8.0 (#469) * chore(deps): update alpine:3.18 docker digest to 7144f7b (#480) * chore(deps): update alpine:3.17 docker digest to f71a5f0 (#466) * chore(deps): update gaurav-nelson/github-action-markdown-link-check digest to 46e4421 (#481) * fix(deps): update golang.org/x/exp digest to 89c5cff (#482) * chore(deps): update github/codeql-action action to v2.21.4 (#483) * Fix some vulns and ignore others (#490) * Rust call analysis (#452) * Scanner action should pass if the vulnerabilities remain the same (#475) * Tidy up scanner action (#474) * Manually update dependencies to resolve vulnerability https://osv.dev/GO-2023-1988 (#472) * feat: add experimental offline mode (#183) * Move github action back to the main branch (#465) * refactor: move experimental flags into their own struct (#463) * fix: use correct plural and singular forms based on count (#462) * chore(deps): update github/codeql-action action to v2.21.2 (#455) * fix(deps): update osv-scanner minor (#456) * Add annotations and osv-scanner table in the Github Action output (#460) * Fix purl mapping (#457) * test: make `output` tests their own package (#461) * Updated github actions to use main branch now that the PR is merged in (#459) * Recreated Github Action PR (#432) * chore: minor grammar fixes (#454) * chore(deps): update docker/setup-buildx-action digest to 4c0219f (#437) * chore(deps): update golang:alpine docker digest to 7839c9f (#444) * Optimize Dockerfile and add .dockerignore (#441) * chore(deps): update github/codeql-action action to v2.21.0 (#449) * Enable lockfile maintaince (#450) * fix(deps): update osv-scanner minor (#445) * Wed Jul 19 2023 kastl@b1-systems.de - Update to version 1.3.6: * Prepare for v1.3.6 Release (#447) * Adjusting GitHub actions (#446) * chore(deps): update dependency 
jekyll-feed to v0.17.0 (#438) * go.mod: upgrade to golang.org/x/vuln@v1.0.0 (#443) * Fix PURLToPackage function and move it (#439) * Update README.md (#440) * chore(deps): update dependency jekyll-feed to v0.17.0 (#422) * chore(deps): update workflows (#429) * fix(deps): update osv-scanner minor (#430) * update govulncheck integration (#431) * Wed Jun 28 2023 kastl@b1-systems.de - Update to version 1.3.5: * Add more ignores now that debian PURLs are parsed correctly (#428) * Adds changelog for v1.3.5 (#427) * chore(deps): update alpine docker tag to v3.18 (#382) * test: ensure fixtures directory isn't already a git repository (#426) * chore: ignore `.idea` directory (#425) * Add withdrawn and fix time serialization to conform to the schema. (#424) * test: make `models` tests their own package (#423) * Updated to reflect cvss scores being added to output table. (#419) * chore(deps): update workflows (#421) * chore(deps): update alpine:3.17 docker digest to e95676d (#413) * Add option to include severity in table output (#409) * Update the model to better match schema and add YAML tags. (#417) * chore(deps): update golang:alpine docker digest to fd9d9d7 (#405) * chore(deps): update workflows (#406) * fix(deps): update osv-scanner minor (#415) * Fixing broken github page (#412) * Link checker (#408) * fix(deps): update osv-scanner minor (#407) * refactor: enable `goimports` linter (#404) * Update the model to match the latest version of the OSV schema (#403) * Mon Jun 12 2023 kastl@b1-systems.de - Update to version 1.3.4: * Prepare for 1.3.4 release. 
(#401) * chore(deps): update workflows (#393) * fix(deps): update osv-scanner minor (#392) * Fix version printer to use app stdout and stderr (#395) * OSV user agent (#390) * Wed May 17 2023 kastl@b1-systems.de - Update to version 1.3.3: * Add new line and fix test to avoid having to change version twice (#387) * 1.3.3 Release (#385) * Use upload draft assets option (#384) * chore(deps): update golang:alpine docker digest to ee2f23f (#380) * chore(deps): update slsa-framework/slsa-github-generator action to v1.6.0 (#383) * fix(deps): update osv-scanner minor (#381) * Remove --hash from version in requirements.txt (#379) * Small formatting changes (#377) * chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#378) * add unit tests for results.go (#368) * Improve exit docs and add No vulns found to output (#373) * Update exit docs (#375) * chore(deps): update github/codeql-action action to v2.3.3 (#372) * chore(deps): update golang:alpine docker digest to 913de96 (#305) * fix: handle cyclical `-r`s in `requirements.txt` (#366) * fix: don't panic on empty files (#367) * fix(deps): update osv-scanner minor (#327) * Update spdx to 0.5.0 (#365) * Update pkg/osv to allow overriding the http client / transport. (#357) * chore(deps): update github/codeql-action action to v2.3.2 (#363) * Enable osvVulnerabilityAlerts (#362) * Wed Apr 26 2023 kastl@b1-systems.de - Update to version 1.3.2: * Fix sbom scanning code (#360) * 1.3.2 Release (#359) * Refactor reporter to interfaces (#345) * Update all minor dependencies without spdx (#358) * chore(deps): update workflows (#334) * Better SBOM documentation and error message (#349) * Move a specific regex to static variable (#346) * chore(deps): update dependency jekyll-feed to v0.17.0 (#328) * chore(deps): bump nokogiri from 1.14.1 to 1.14.3 in /docs (#338) * chore(deps): bump commonmarker from 0.23.8 to 0.23.9 in /docs (#337) * SBOM parsing improvements. 
(#339) * Make the reporter public (#341) * Set `skip-pkg-cache: true` for golangci-lint (#340) * Support PNPM v6+ Lockfile (#325) * chore(deps): update alpine:3.17 docker digest to 124c7d2 (#326) * Call analysis note fixed. (#331) * Add configs to ignore test vulnerabilities (#329) * Thu Mar 30 2023 kastl@b1-systems.de - Update to version 1.3.1: * Release 1.3.1 changelog (#321) * chore(deps): update ossf/scorecard-action action to v2.1.3 (#322) * Add nil check to CycloneDX enumeration (#320) * Tue Mar 28 2023 kastl@b1-systems.de - Update to version 1.3.0: * Update changelog and version for v1.3.0 (#316) * chore(deps): update workflows (#314) * fix(deps): update osv-scanner minor (#313) * Update workflows to compositing, so that goreleaser workflow can run them. (#315) * Fix workflow (#311) * Fix some issues with the model. (#312) * Improve the OSV models to allow for 3rd party use of the library. (#310) * Adds concurrency to hydration requests (#304) * Make `IgnoredVulns` also ignore aliases (#300) * fix(deps): update osv-scanner minor (#306) * chore(deps): update actions/setup-go action to v4 (#308) * chore(deps): update workflows (#307) * Run tests before release (#301) * chore(deps): bump activesupport from 7.0.4.2 to 7.0.4.3 in /docs (#302) * Pin lint action (#299) * fix(deps): update osv-scanner minor (#288) * fix: support Pipenv develop packages without versions. 
(#297) * Set version in source code (#295) * Prevent `.gitignore` files from interfering with tests (#292) * fix: trim leading zeros off when comparing numerical components in Maven versions (better) (#285) * fix: avoid infinite loops parsing Maven poms with syntax errors (#294) * Check if PURL is valid before adding it to queries (#291) * Renovate bot ignore vulns package (#289) * chore(deps): update workflows (#287) * fix: trim leading zeros off when comparing numerical components in Maven versions (#279) * Adding call graph info back in (#284) * Update Colors for Accessibility (#278) * Removed call graph analysis for now. (#282) * Remove "working doc" concept (#275) * feat: improved error message when pom dependency version not found (#253) * Add tags and point people to slsa-verifier (#265) * ci: harden permissions (#269) * Run on merge queue (#272) * fix: properly handle comparing zero versions in Maven (#267) * chore: add `.editorconfig` file (#266) * fix(deps): update osv-scanner minor (#270) * Renovate bot use ignorePaths instead for fixtures (#264) * test: update case with new advisory (#268) * fix: deduplicate packages that appear multiple times in `Pipenv.lock` files (#261) * feat: support `-r` flag in `requirements.txt` files (#260) * chore(deps): update workflows (#242) * fix: avoid panic when parsing `file:` dependencies in `pnpm` lockfiles (#259) * More specific cyclone dx parsing (#258) * Parse nested CycloneDX components correctly (#251) * fix: support yarn locks with quoted properties (#250) * Update renovate.json (#248) * fix(deps): update golang.org/x/exp digest to c95f2b4 (#241) * govulncheck integration (#198) * Create draft release first in goreleaser (#236) * Adding additional installation instructions (#235) * Thu Feb 23 2023 kastl@b1-systems.de - Update to version 1.2.0: * Changelog update for v1.2.0 (#233) * Moving Working Docs to Current (#234) * Update the output docs, make logo a lot bigger, make page slightly wider (#226) * Upgrade to 
yaml v3 (#231) * ParseAs for dpkg-status (#229) * Update analytics for documentation. (#230) * chore(deps): update docker/setup-buildx-action digest to f03ac48 (#223) * fix(deps): update osv-scanner minor (#225) * chore(deps): bump golang.org/x/net from 0.2.0 to 0.7.0 (#222) * chore(deps): update dependency http_parser.rb to "~> 0.8.0" (#224) * fix: ensure that vulnerability results are ordered deterministically (#220) * test: ensure case names match function under test (#228) * Nits - APK installed optimizations (#227) * Support for DPKG (Debian) parser (#168) * feat: support `dependencyManagement` in Maven poms (#221) * Google analytics added. (#215) * Console formatting changes * Documentation Style Improvements (#211) * fixed broken link (#210) * Documentation moved to github page. * Minor changes for gitignore parsing (#208) * Improve gitignore parsing (#206) * fix(deps): update osv-scanner minor (#205) * chore(deps): update github/codeql-action action to v2.2.4 (#204) * Move instructions to Usage (#197) * Make scanner respect .gitignore files (#191) * feat: support specifying what parser to use in `--lockfile` (#94) * fix: add missing toml tags to struct (and update linter) (#190) * fix(deps): update golang.org/x/exp digest to 98cc5a0 (#188) * fix(osv-query): omit SourceInfo from JSON marshaling (#185) * test: remove nonsense case and correct names (#187) * Update readme usage section (#171) * chore(deps): update docker/login-action action to v2 (#148) * fix(deps): update osv-scanner minor (#147) * Support SPDX 2.3 (#178) * chore(deps): update workflows (#172) * feat: Render output as a markdown table for use in github comments (#156) * APK: fix test function (#180) * Log number of packages scanned from SBOMs. 
(#179) * Make OSV api public (#167) * Add experimental comment (#173) * fix: exit with generic non-zero code when there is a general error (#161) * fix: reuse app-level writer and err writers in `VersionPrinter` (#166) * chore(deps): update github/codeql-action action to v2.1.39 (#159) * test: add cases for `semantic.MustParse` (#160) * feat: create `--format` flag (#158) * golangci checks in github action, and fixes initial linter issues (#149) * test: add case for `--version` flag (#162) * chore: remove duplicated generators (#157) * - add conan.lock to the list (#59) * Fix endpoint typo (#152) * feat: add `semantic` package (#92) * Adding re-try for getting a Vuln for the given ID (#141) * chore(deps): update github/codeql-action action to v2.1.38 (#146) * chore: adjust comment to match type name (#143) * Mention Pipfile.lock support in changelog. (#140) * Fix link to GitHub issues (#139) * Thu Jan 12 2023 kastl@b1-systems.de - Update to version 1.1.0: * Fix goreleaser permissions (#138) * v1.1.0 release PR (#137) * fix(deps): update osv-scanner minor (#79) * Temporarily disable alpine package scanning (#136) * Move tests from cloudbuild to gh actions (#135) * Use short url in scanner output (#134) * chore(deps): update workflows (#78) * Update readme and add changelog (#133) * fix: use correct ecosystem for NuGet (#132) * Do not highlight borders of result table (#131) * Add contributing file (#130) * Update README.md (#127) * docs: describe build process (#109) * Add gomodtidy after renovate updates (#120) * Make lint trigger same as others (#125) * Minor documentation updates. 
(#121) * Add support for Alpine Linux /lib/apk/db/installed (Resolves #72) (#107) * feat: add docker publish method (#70) * Add Pipenv lockfile support (Resolves #71) (#66) * Lint readme (#100) * Have renovate-bot label its PRs as it does with osv.dev (#116) * [pkg] implement NuGet ecosystem parser (#98) * Update github.com/spdx/gordf dependency to fix 32 bit support (#104) * test: update spec case and adjust assertion message (#99) * fix: ensure that files are closed when they're no longer needed (#106) * Fix lockfile example syntax (#103) * docs: add homebrew installation note (#89) * Tue Dec 20 2022 Johannes Kastl <kastl@b1-systems.de> - add build parameters, so 'osv-scanner --version' shows proper version, build date and the release tag as commit * Tue Dec 20 2022 kastl@b1-systems.de - Update to version 1.0.2: * shorten affected package to package (#90) * Move table columns so that the important column is displayed first (#87) * Add blog post link to README (#84) * Minor updates to install instruction title (#80) * Added installation instructions for Scoop (#68) * Update README.md (#77) * Fix readme anchor link. (#76) * Update README.md (#58) * Add disclaimer on Debian scanning. (#65) * Add gradle lockfile support (#46) * Tue Dec 20 2022 Johannes Kastl <kastl@b1-systems.de> - new package osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
/usr/bin/osv-scanner
/usr/share/doc/packages/osv-scanner
/usr/share/doc/packages/osv-scanner/README.md
/usr/share/licenses/osv-scanner
/usr/share/licenses/osv-scanner/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Nov 16 00:58:04 2024