Releases: google/osv-scanner-action
v2.2.4
What's Changed
- chore(deps): update github/codeql-action action to v4 by @renovate-bot in #102
- Update to v2.2.4 by @another-rex in #103
Full Changelog: v2.2.3...v2.2.4
Contributors
Assets 2
v2.2.3
What's Changed
- chore(deps): update workflows by @renovate-bot in #86
- chore(deps): update workflows to v5 (major) by @renovate-bot in #87
- Update to v2.2.3 by @jess-lowe in #101
Full Changelog: v2.2.2...v2.2.3
Contributors
Assets 2
v2.2.2
This updates OSV-Scanner to v2.2.2.
What's Changed
- docs: Update Automatic install instructions by @another-rex in #94
- Update to v2.2.2 by @cuixq in #95
Full Changelog: v2.2.1...v2.2.2
Contributors
Assets 2
v2.2.1
What's Changed
OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!
Features:
- Feature #2146 Allow manual OSV-Scalibr plugin selection.
- Feature #2144 Add OSV-Scalibr version to osv-scanner --version output.
- Feature #2021 Add experimental support for running OSV-Scalibr detectors.
- Feature #2079 Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.
- Feature #2032 Add summary section at the top of outputs and a 'Fixed Version' column.
- Feature #2076 Support Ubuntu severity type.
Fixes:
- Bug #2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
- Bug #2084 Show absolute paths when scanning containers.
- Bug #2126 Log and preserve package count before continuing on db error.
- Bug #2095 Pass through plugin capabilities correctly.
- Bug #2051 Properly flag if running on Linux or Mac OSs for plugin compatibility.
- Bug #2072 Add missing "text" property in description fields.
- Bug #2068 Change links in output to go to the specific vulnerability page instead of the list page.
- Bug #2064 Fix SARIF v3 output to include results.
- Bug #2151 Filter by ecosystem before querying.
API Changes:
- API Change #2096 Allow log handler to be overridden.
Warning
This release was originally incorrectly pointing to the bugged v2.2.0 osv-scanner release, it has now been retagged to the correct v2.2.1 release.
v2.1.0
What's Changed
- chore(deps): update github/codeql-action action to v3.29.0 by @renovate-bot in #76
- Update to v2.1.0 by @michaelkedar in #81
Full Changelog: v2.0.3...v2.1.0
Contributors
Assets 2
v2.0.3
Update to use osv-scanner v2.0.3
Notable changes:
- There's now a flag
--allow-no-lockfilesyou can pass to osv-scanner to avoid getting an error when running against a repo with no lockfiles. - We no longer ignore general errors when they occur on osv-scanner-action, and will fail the workflow (e.g. invalid flags passed in)
v2.0.2
Update osv-scanner to v2.0.2
v2.0.1
Contributors
Assets 2
v2.0.0
What's Changed
- Updated to support OSV-Scanner V2
- Workflows, add support for matrix strategies by @GeoDerp in #52
- Support checking out submodules by @faern in #57
Breaking changes
By default, osv-scanner-action no longer scans the HEAD git hash. This means if there are no other lockfiles found to scan, then osv-scanner-action will fail the workflow, as it is likely it's setup incorrectly.
To match the previous behavior, pass --include-git-root to scan-args, e.g.
osv-scan:
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.0.0"
with:
scan-args: |-
--include-git-root
--recursive
./
Full Changelog: v1.9.2...v2.0.0