Releases: google/osv-scalibr
v0.3.1
- Annotation for language packages already found by the OS package extractors (RPM, COS, APK)
- npm-shrinkwrap.json extraction
- Secret scanning, supporting detection of GCP Service Account keys
- Reachability analysis for Java
- VEX annotation to mark false positive vulnerabilities
- Unknown binary identification
- CLI changes: `--plugins=` as a unified plugin enablement method
- New Finding Format
v0.3.0
- New CLI flags: --version, --cdx-component-type
- New plugins: annotation for language packages already found by the OS package extractor (DPKG), transitive requirements.txt extraction
- Potentially breaking API changes: Moved ToPURL, Ecosystem from Extractor to Package, changed Package.Extractor to Package.Plugins
- Switched to cgo-less SQLite driver to avoid dependency on C code
- Support for Extractors that run on whole directories instead of individual files
v0.2.1
- New extractors: gems.locked, python whl, Docker and Podman containers + ports
- New plugin types: Annotator and Enricher
- Support for annotating packages from cache directories
- Support for fetching container base image information
- Transitive extraction for Python requirements.txt
v0.2.0
- Migrate to new result format type: {Inventories|Findings} moved into Inventory.{Packages|Findings}
- Due to this change users may need to rename some imports when upgrading beyond this version of OSV-SCALIBR.
- go.sum extraction
- Update sqlite import to one not affected by CVE-2025-29088
- Fixes in .gitignore handling logic
- Migrate OSV-Scanner's NPM support for Guided Remediation
- Container tarball scanning support
v0.1.8
- New extractors: .NET portable executables, Chrome extensions
- Migrated OSV-Scanner's Guided Remediation support for Maven
- Support for skipping .gitignore patterns
- Docs: Fixed code snippets, added style guide
- Fixed path traversal vulnerability in container layer unpacking code
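The v0.1.8 entry above records a path traversal fix in the container layer unpacking code. As an added illustration (this is not OSV-SCALIBR's code and does not describe the fixed bug), the Go program below shows the checks a layer unpacker needs before writing any tar entry to disk: the cleaned target must stay under the extraction root with the separator included in the prefix test, symlink targets are resolved relative to the link's own directory, hard link targets are treated like entry names, and nothing may be written through a symlink that an earlier entry of the same archive created. The root path, the function names and the in-memory tarball are constructed for the demo and assume a Unix filesystem.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrPathEscape marks a tar entry whose resolved target would leave the root.
var ErrPathEscape = errors.New("tar entry escapes extraction root")

// insideRoot reports whether p is root or a descendant of it (both cleaned). The
// separator is part of the prefix on purpose: "/out/layer2" starts with
// "/out/layer" but is not inside it.
func insideRoot(root, p string) bool {
	prefix := root
	if !strings.HasSuffix(prefix, string(filepath.Separator)) {
		prefix += string(filepath.Separator)
	}
	return p == root || strings.HasPrefix(p, prefix)
}

// SafeTarget maps a tar entry name onto a path under root, failing with
// ErrPathEscape when the cleaned result lands outside root (".." traversal).
// A leading "/" is absorbed by Join, like the usual "strip leading slash" rule.
func SafeTarget(root, name string) (string, error) {
	root = filepath.Clean(root)
	target := filepath.Join(root, name) // Join also cleans the result
	if !insideRoot(root, target) {
		return "", fmt.Errorf("%q -> %q: %w", name, target, ErrPathEscape)
	}
	return target, nil
}

// PlanLayer walks a layer tarball and returns the destination of every entry
// that is safe to write, stopping at the first unsafe one. It never touches
// the disk, so it can be exercised on an in-memory archive.
func PlanLayer(root string, r io.Reader) ([]string, error) {
	root = filepath.Clean(root)
	symlinks := map[string]bool{} // symlinks this archive has created so far
	var out []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return out, err
		}
		target, err := SafeTarget(root, hdr.Name)
		if err != nil {
			return out, err
		}
		// Name checks alone are not enough: "a -> b" followed by "a/x" passes
		// them, yet the kernel follows the link when a/x is created.
		for dir := filepath.Dir(target); dir != root && insideRoot(root, dir); dir = filepath.Dir(dir) {
			if symlinks[dir] {
				return out, fmt.Errorf("%q writes through symlink %q: %w", hdr.Name, dir, ErrPathEscape)
			}
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink: // link targets resolve relative to the link's directory
			if filepath.IsAbs(hdr.Linkname) ||
				!insideRoot(root, filepath.Join(filepath.Dir(target), hdr.Linkname)) {
				return out, fmt.Errorf("symlink %q -> %q: %w", hdr.Name, hdr.Linkname, ErrPathEscape)
			}
			symlinks[target] = true
		case tar.TypeLink: // hard link targets are archive-relative, like names
			if _, err := SafeTarget(root, hdr.Linkname); err != nil {
				return out, err
			}
		}
		out = append(out, target)
	}
}

// buildLayer assembles a constructed, in-memory layer tarball for the demo.
func buildLayer(entries ...*tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range entries {
		tw.WriteHeader(h)
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	good := buildLayer(&tar.Header{Name: "usr/bin/app", Typeflag: tar.TypeReg, Mode: 0o755})
	fmt.Println(PlanLayer("/out/layer", bytes.NewReader(good)))
	evil := buildLayer(&tar.Header{Name: "../../etc/cron.d/evil", Typeflag: tar.TypeReg})
	_, err := PlanLayer("/out/layer", bytes.NewReader(evil))
	fmt.Println(err)
}
```

PlanLayer deliberately separates deciding from writing: a scanner that only inventories a layer can run the same checks without ever creating files, and an unpacker that does write can still be defeated by a pre-existing symlink under the root, so it should also open files with O_NOFOLLOW or an openat-style API rooted at the extraction directory.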
v0.1.7
- New extractors: setup.py, cargo.toml, Wordpress plugins, VS Code extensions, open ports (experimental)
- Unification of networked and network-less pom.xml extractors
- `--offline` mode for the CLI
- Various linter fixes
- Slight change to plugin setup interfaces to support lazy initialisation
- Better transitional package annotation
v0.1.6
- Many new extractors: Rust binaries, Pacman, OPKG, Nix, .NET packages.config + deps.json, Conda, Linux kernel modules + vmlinuz files, Portage, Elixir, Haskell Cabal + Stack, Swift Podfile.lock + Package.resolved
- Container layer extraction support through the new `ScanContainer` method
- Transitive Maven pom.xml extraction
- Weak credentials detector for Windows local accounts
- Small improvements to poetry.lock and various javascript extractors
v0.1.5
- API changes: Removed error from extractor.ToCPEs, introduced FileAPI for extractor.FileRequired
- New extraction features: RPM extraction support on virtual filesystems, macOS Application extraction
- --skip-dirs-glob flag
- GitHub Actions for linting and tests for macOS
- Improved performance due to lazy Stat calling
v0.1.4
- Weak credentials detector for File Browser
- Small fixes in the APK and DPKG extractors
- Remove error from ToPURL and ToCPE function signatures
- Support specifying the image platform of remote containers to scan
- Move the rest of OSV-Scanner's extractors to SCALIBR:
  - cargo.lock
  - renv
  - gradle
  - go.mod
  - package-lock.json
  - Gemfile.lock
  - mix.lock
  - pubspec.lock
  - yarn.lock
  - Conan packages
  - various python lockfile extractors
v0.1.3
- Support -r options and more version ranges in the requirements.txt parser
- Accuracy improvements in NPM extraction
- Support scanning remote images natively in SCALIBR
- Detect transitional dpkg packages to filter out false positive vuln sources
- Add dedicated detectors for various CVEs
- CycloneDX SBOM extraction support
- Import various extractors from OSV: javascript/pnpm, php/composerlock, python/pipfilelock, python/pdmlock, python/poetrylock
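Several entries above concern following requirements.txt includes: `-r` support in v0.1.3, and transitive requirements.txt extraction in v0.2.1 and v0.3.0. As an added example, not OSV-SCALIBR's parser, the Go program below implements the parts of the format that matter for a transitive scan: comment stripping, backslash continuations, `-r`/`--requirement` includes resolved relative to the including file, cycle protection via a `seen` set, PEP 503 name normalisation, and extraction of the PEP 440 specifier while ignoring markers and `--hash` options. It also refuses an include that would resolve outside the scan root, which is the check a scanner wants before a manifest can steer it at arbitrary host files. The file tree, file contents, and all type and function names are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Requirement is one dependency declared in a requirements file.
type Requirement struct {
	Name      string // PEP 503 normalised project name
	Specifier string // version constraint such as "==1.2.3" or ">=2,<3"; "" if unpinned
	Source    string // requirements file that declared it
}

var (
	// project name, optional [extras], then the remainder (specifier, markers, options)
	reqLine = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$`)
	// comma-separated PEP 440 operator/version pairs at the start of the remainder
	specPart = regexp.MustCompile(`^(===|==|!=|~=|>=|<=|>|<)\s*[^,;\s]+(\s*,\s*(===|==|!=|~=|>=|<=|>|<)\s*[^,;\s]+)*`)
	nameSep  = regexp.MustCompile(`[-_.]+`)
)

func normalise(name string) string { return strings.ToLower(nameSep.ReplaceAllString(name, "-")) }

// ParseRequirements parses the file p from files, an in-memory tree keyed by
// slash-separated paths relative to the scan root, and follows -r/--requirement
// includes relative to the including file. seen breaks include cycles; an
// include that resolves outside the root (../ or absolute) is refused rather
// than read, so a crafted manifest cannot make the scanner open host files.
func ParseRequirements(files map[string]string, p string, seen map[string]bool) ([]Requirement, error) {
	p = path.Clean(p)
	if path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../") {
		return nil, fmt.Errorf("include %q escapes the scan root", p)
	}
	if seen[p] {
		return nil, nil // cycle or diamond include: already handled
	}
	seen[p] = true
	content, ok := files[p]
	if !ok {
		return nil, fmt.Errorf("%s: not found", p)
	}
	content = strings.ReplaceAll(content, "\\\n", "") // join backslash continuations
	var out []Requirement
	for _, line := range strings.Split(content, "\n") {
		// A "#" starts a comment when it begins the line or follows whitespace.
		if i := strings.Index(line, "#"); i == 0 || (i > 0 && (line[i-1] == ' ' || line[i-1] == '\t')) {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case strings.HasPrefix(line, "-r ") || strings.HasPrefix(line, "--requirement "):
			inc := strings.TrimSpace(line[strings.Index(line, " "):])
			sub, err := ParseRequirements(files, path.Join(path.Dir(p), inc), seen)
			if err != nil {
				return out, err
			}
			out = append(out, sub...)
		case strings.HasPrefix(line, "-"):
			// -c, -e, --index-url, --extra-index-url, ...: options, not packages
		default:
			m := reqLine.FindStringSubmatch(line)
			if m == nil {
				continue // URL or local-path requirement: out of scope here
			}
			spec := strings.ReplaceAll(specPart.FindString(m[3]), " ", "")
			out = append(out, Requirement{Name: normalise(m[1]), Specifier: spec, Source: p})
		}
	}
	return out, nil
}

func main() {
	// Constructed sample tree: the top-level file includes base.txt, which includes it back.
	files := map[string]string{
		"requirements.txt": "-r base.txt\nDjango>=3.2,<4 ; python_version >= '3.8'  # web\nrequests[security]==2.31.0 \\\n    --hash=sha256:0000\n--index-url https://pypi.example/simple\n",
		"base.txt":         "-r requirements.txt\nPyYAML==6.0.1\n",
	}
	reqs, err := ParseRequirements(files, "requirements.txt", map[string]bool{})
	fmt.Println(reqs, err)
	_, err = ParseRequirements(map[string]string{"requirements.txt": "-r ../secrets.txt\n"}, "requirements.txt", map[string]bool{})
	fmt.Println(err)
}
```

Keeping Source on each Requirement matters for reporting: a vulnerable pin reached through three levels of `-r` should point the reader at the file that actually declares it, not at the top-level manifest that was handed to the scanner.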