* Wed Oct 02 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.9.0:
* chore(release): changelog for v1.9.0 (#1292)
* chore(deps): update workflows (#1281)
* chore(deps): lock file maintenance (#1282)
* fix: bump osv max concurrent requests (#1290)
* fix: apply go version override to _all_ instances of the
`stdlib` (#1278)
* fix: output invalid PURLs when scanning sboms (#1283)
* fix(offline): report all ecosystems without local databases in
one single line (#1279)
* test: update snapshot (#1284)
* chore(deps): update workflows (#1264)
* fix(deps): update osv-scanner minor (#1265)
* feat: assume `txt` files with "requirements" in their name are
`requirements.txt` files (#1271)
* chore(deps): update dependency webrick to v1.8.2 [security]
(#1270)
* test: update case to reflect recent config parsing changes
(#1267)
* feat: group DSA and its CVEs together (#1262)
* feat: error if configuration file has unknown properties
(#1249)
* fix: don't allow `LoadPath` to be set via config file (#1252)
* refactor: Follow revive rules across the repo (#1263)
* chore: make guided remediation follow revive's default lint
rules (#1259)
* refactor(guided remediation): Take `PreFetch` out of
`DependencyClient` interface and prevent repeated datasource
network calls (#1224)
* ci: pin `amannn/action-semantic-pull-request` to a commit
(#1256)
* ci: pin `actions/stale` to a commit (#1255)
* test: update snapshots with new security vulnerabilities
(#1254)
* chore: deprecate parser functions in favor of their extract
equivalents (#1253)
* refactor: simplify and reuse `tryLoadConfig` (#1248)
* test: ensure `cmp.Diff` usage is consistent (#1251)
* test: restructure internal `config` cases and fixtures (#1250)
* fix: don't assume there's always a reason for a package being
filtered out (#1241)
* feat: Copy over dark docs theming from osv.dev (#1245)
* fix: announce when a config file is invalid and exit with a
non-zero code (#1242)
* chore(deps): update workflows (#1247)
* fix(deps): update osv-scanner minor (#1246)
* feat: allow explicitly ignoring the license of a package in
config (#1243)
* feat(guided remediation): remediate unresolved dependency
management vulns (#1235)
* chore(deps): update alpine:3.20 docker digest to beefdbd
(#1230)
* chore(deps): update golang docker tag to v1.23.1 (#1231)
* chore(deps): update workflows (#1205)
* fix(deps): update osv-scanner minor (#1204)
* chore(deps): lock file maintenance (#1195)
* Sat Sep 14 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.5:
* chore(release): changelog for v1.8.5 (#1237)
* fix: make Alpine ecosystem fallback to latest release version
(#1236)
* feat(internal): marshal self-closing tags in XML (#1225)
* chore: update Go to version 1.22.7 (#1233)
* feat: support composite-based package overrides (#1214)
* chore: update test snapshots (#1232)
* fix: govulncheck calls on C code (#1228)
* refactor: use forked xml package for writing (#1223)
* chore: update test snapshots (#1222)
* feat(internal): add Maven native dependency client (#1207)
* fix(guided remediation): Add special handling for specific
Maven packages (#1219)
* fix(deps): update module github.com/charmbracelet/bubbletea to
v1 (#1217)
* fix(internal): encode XML tokens without escaping (#1216)
* chore: update test snapshots (#1218)
* chore: axe `.go-version` file (#1212)
* feat(guided remediation): Add `FIXED-VULN-IDS` to
non-interactive output (#1210)
* perf: ignored packages should be filtered out before scanning
(#1206)
* feat: support fetching snapshot versions from a Maven registry
(#1160)
* fix: stop finding more parent pom if the path is empty (#1194)
* chore: add missed test ignore vuln (#1209)
* chore: add `osv-scanner.toml` files to make Scorecard ignore
vulnerabilities in our test fixtures (#1202)
* chore(deps): update workflows (#1186)
* fix(deps): update osv-scanner minor (#1187)
* fix: correct for breaking change in glamour v0.8.0 (#1201)
* chore(deps): update dependency github-pages to v232 (#1189)
* chore(deps): update golang docker tag to v1.23.0 (#1188)
* Sat Sep 14 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.4:
* chore(release): release v1.8.4 (#1200)
* refactor: move Maven utility to a separate package (#1193)
* docs: link to the Scorecard Report (#1197)
* fix: unescape tabs before writing to pom.xml (#1190)
* feat(guided remediation): add `--upgrade-config` flag (#1191)
* chore: add PR title check to follow Git commit convention
(#1178)
* chore: add new vulnerability aliases to test snapshots (#1192)
* feat: write Maven updates to parent pom.xml if possible (#1182)
* chore: use the latest version of `golangci-lint` (#1185)
* fix(guided remediation): error on `--data-source=native` for
Maven (#1180)
* ci(workflow): address address github.com/rhysd/actionlint
findings (#1176)
* fix(workflow): correct permission name (#1175)
* chore(deps): update workflows (#1173)
* fix(deps): update osv-scanner minor (#1174)
* fix: only trim XML elements with no inner elements (#1168)
* fix(workflow): Add explicit permissions (#1171)
* docs: add conventional commits requirement (#1172)
* Package tracing PoC (#1049)
* Update go policy and use stable go version for builds (#1156)
* chore(deps): update dependency wdm to "~> 0.2.0" (#1163)
* fix(deps): update osv-scanner minor (#1162)
* chore(deps): update workflows (#1161)
* Add changelog for v1.8.3 (#1150)
* Wed Aug 07 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.3:
* chore: update dependency `github.com/docker/docker` (#1166)
* chore(deps-dev): bump rexml from 3.3.2 to 3.3.3 in /docs in the
bundler group (#1158)
* add maven changes
* feat(guided remediation): add non-interactive Maven remediation
by override (#1136)
* Label closed stale issues/PRs (#1165)
* Fix snapshots (#1164)
* Refactoring Maven manifest reading (#1159)
* Do not attempt to remediate vulnerabilities in Maven artifacts
that have defined `<classifier>` or `<type>` (#1151)
* Handle Maven parent relative path (#1149)
* fix(workflow): add read permission to
`osv-scanner-reusable.yml` (#1157)
* fix(workflow): update prerelease-check.yml to the latest
OSV-Scanner action (#1153)
* fix(osv-github-action): If all vulnerabilities are not called,
don't return an non zero exit code in osv-reporter (#1152)
* update snaps
* fix style
* Add changelog for v1.8.3
* chore(deps): lock file maintenance (#1130)
* Increase frequency of staleness runs (#1148)
* Improve Maven manifest updater (#1147)
* chore(deps): update workflows (#1145)
* fix(deps): update osv-scanner minor (#1146)
* chore(deps): update golang:1.22.5-alpine3.19 docker digest to
48aac60 (#1144)
* chore(deps): update alpine:3.20 docker digest to 0a4eaa0
(#1143)
* feat: add "vertical" output format (#889)
* chore(deps-dev): bump rexml from 3.3.1 to 3.3.2 in /docs in the
bundler group (#1132)
* Add Maven dependency management to override client (#1140)
* Add original manifest to Maven ManifestPatch (#1134)
* Exempt backlog label from stale treatment (#1135)
* fix(deps): update osv-scanner minor (#1120)
* Reflect Go 1.21.12 change more broadly (#1133)
* ci: don't mark v2 wishlished issues as stale (#1131)
* chore(deps): update workflows (#1119)
* Workflow for stale issue and PR management (#1125)
* Bump goreleaser build version to 1.22. (#1126)
* Set the original requirement in patches from suggest (#1117)
* fix: ensure that `semantic` is passed a valid
`models.Ecosystem` (#1116)
* Update docs: test dependencies not in the resolved graph
(#1114)
* Improved the runtime of DiffVulnerabilityResults (#1091)
* Start on override strategy for maven guided remediation (#1025)
* Sort dependencies before writing to pom.xml (#1113)
* Activate profiles before merging parent (#1108)
* Fix the wrong dependencies/dependency tags (#1112)
* refactor: update linter and address minor violations (#1110)
* Add a dependency to pom.xml if it is not from the base project
(#1105)
* Wed Jul 10 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.2:
* Bump go mod min version (#1109)
* Add changelog for v1.8.2 (#1106)
* Fix npm grouping (#1107)
* Add warning to the default docker container scanning method
(#1089)
* Move sbom to internal, and add standard output tests (#1104)
* fix: ensure that npm dependencies retain their "production"
grouping (#939)
* test: add output fixtures for call analysis (#1093)
* fix: restore custom styling to table format (#1094)
* chore(deps): lock file maintenance (#1103)
* chore(deps): update workflows (#1101)
* github-action.md add version into md example (#1073)
* ✨ Adding CycloneDX 1.4 and 1.5 reporter (#1014)
* chore(deps): update golang docker tag to v1.22.5 (#1100)
* fix(deps): update osv-scanner minor (#1102)
* Add go compiler to enable call analysis in the github action
(#1099)
* Update github action docs in osv-scanner (#1096)
* test: update snapshots (#1092)
* Refactoring `manifest.Read()` for Maven (#1083)
* refactor: just disable color output rather than tracking
terminal width (#1087)
* ci: upgrade `semantic` workflow to use v4 for artifact
workflows (#1088)
* chore(deps): update workflows (#1080)
* fix(deps): update module github.com/spdx/tools-golang to v0.5.5
(#1081)
* Added Testing for the SPDX SBOM Reader (#1086)
* Changed min and max to inbuilt functions (#1076)
* Update snapshots (#1084)
* fix: use errgroup to avoid hydration deadlock scenario (#1078)
* ci: setup workflow to run `semantic` tests weekly (#958)
* test: update snapshots (#1079)
* filter out unimportant vulnerabilities from vuln group (#1072)
* Fix test (#1071)
* fix: ensure that `package` exists in `affected` property
(#1055)
* Cherry-pick unmerged change from docs branch (#1069)
* chore(deps): update alpine:3.20 docker digest to b89d9c9
(#1062)
* chore(deps): update golang:1.22.4-alpine3.19 docker digest to
c46c460 (#1063)
* fix(deps): update module github.com/charmbracelet/bubbletea to
v0.26.6 (#1064)
* Combine Debian unimportant count logs (#1067)
* Update tests to support go version changes (#1065)
* fix: only care about ecosystem suffix if present in both
ecosystems when determining equality (#1007)
* refactor: enable `revive/indent-error-flow` (#997)
* Fri Jun 21 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.1:
* Make 1.8.1 release (#1056)
* feat: bump goreleaser to v2 (#1054)
* Update goreleaser.yml (#1052)
* Fri Jun 21 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.8.0:
* v1.8.0 Changelog (#1050)
* Add documentation for the configuration. (#1051)
* Update documentation for transitive dependency scanning (#1040)
* Invoke `MavenResolverExtrator` when scanning pom.xml (#1028)
* fix(deps): update osv-scanner minor (#1044)
* chore(deps): update workflows (#1043)
* chore(deps): update golang docker tag to v1.22.4 (#896)
* chore(deps): lock file maintenance (#1033)
* chore(deps): update goreleaser/goreleaser-action action to v6
(#1032)
* Add `experimental-download-offline-databases` flag (#1039)
* Update snapshots and exit codes (#1041)
* Upgrade deps.dev dependencies (#1035)
* Remove busybox from alpine SBOM (#1037)
* Add go binary scanning (#1011)
* Update Go patch version (#1030)
* Merge parent projects for Maven pom.xml (#1019)
* Update base docker image for golang 1.21.11 (#1029)
* implement filtering by packages through the config (#944)
* Dependency imports should always be fetched from upstream
(#1027)
* Upgrade go version (#1024)
* Fix broken TUI styling (#1023)
* Update test snapshots (#1022)
* chore(deps): lock file maintenance (#1018)
* fix(deps): update osv-scanner minor (#1017)
* chore(deps): update workflows (#1016)
* ci: don't try to upload code coverage on macOS (#1020)
* Fix some Maven manifest & resolver issues (#1008)
* Transitive dependency support for Maven pom.xml (#1002)
* Select a version that actually exists (#1012)
* Maven standard dependencies should take precedence over managed
dependencies (#1000)
* Do not record Maven `compile` scope in dependency groups (#1003)
* Thu May 30 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.4:
* Remove feature from changelog as it's still blocked on #769
(#1006)
* V1.7.4 changelog (#1001)
* Update typo in supported_languages_and_lockfiles.md (#998)
* feat: support comparing Alpine versions locally (#980)
* Now that we have updated to go1.21.10, we can remove the ignore
line from osv-scanner.toml (#996)
* chore(deps): update workflows (major) (#897)
* fix(deps): update osv-scanner minor (#994)
* chore(deps): update alpine docker tag to v3.20 (#993)
* Update test snapshots (#992)
* test: add cases for output functions (#937)
* fix(deps): update osv-scanner minor (#978)
* Add a new Maven pom.xml extractor (#982)
* feat: support parsing `gradle/verification-metadata.xml` (#943)
* chore(deps): update workflows (#977)
* chore(deps): update golang:1.21-alpine3.19 docker digest to
1c2e474 (#985)
* chore(deps-dev): Bump the bundler group across 1 directory with
2 updates (#983)
* make Maven parent path relative on current project (#987)
* Fix snapshots and alpine version (#990)
* Update deps.dev dependencies (#984)
* [docs] Add installation instructions for FreeBSD and NetBSD
(#969)
* Disable all unimportant vulnerabilities (#968)
* GR: Add test universe generation script and tests for patch
generation (#967)
* Thu May 09 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.3:
* chore(deps): update golang:1.21-alpine3.19 docker digest to
b3aea8d (#973)
* v1.7.3 changelog and version bump (#972)
* Update gomod go version (#971)
* Fix tests; add newly discovered vulns (#970)
* Update go.mod to 1.21.9 (#907)
* chore: import `sys` in Python generators (#966)
* ci: upgrade `golangci/golangci-lint-action` to v5 (#964)
* chore: only extract versions from packages in the generator
ecosystem (#957)
* refactor: encapsulate getting the working directory in a helper
function (#961)
* refactor: apply Rubocop to Ruby generator (#956)
* test: remove future snapshots (#960)
* chore(deps): update workflows (#935)
* fix(deps): update osv-scanner minor (#945)
* chore(deps): lock file maintenance (#962)
* Fix snapshot for test (#963)
* fix: ensure the sarif output has a stable order (#938)
* chore: support skipping known unsupported comparisons in
generators (#954)
* chore(deps): lock file maintenance (#936)
* chore: improve version fixture generators for local usage
(#953)
* ci: cancel in-progress runs when new changes are pushed (#959)
* Automated Updates: support parents and dependency imports
(#890)
* GR: Support filtering on alias IDs (#946)
* ci: ensure input name case matches just to be safe (#955)
* refactor: use `maps` functions instead of custom
implementations (#940)
* test: update snapshots due to external vulnerability changes
(#951)
* ci: upgrade Codecov to v4 (#941)
* feat: add support for PNPM v9 lockfiles (#934)
* Add new vuln to tests (#947)
* chore: add missing space to panic message (#942)
* test: include groups when describing package details (#933)
* Fri Apr 19 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.7.2:
* Changelog for v1.7.2 (#932)
* GR: Use deps.dev schema for graph definition in tests (#911)
* ci: ensure snapshots are always cleaned up (#903)
* test: clean up image snapshots (#923)
* Fix paths in test snapshots (#930)
* Fix regression for go call analysis in 1.7.0 (#926)
* fix(deps): update osv-scanner minor (#918)
* chore(deps): lock file maintenance (#919)
* Ignore stdlib vuln (#920)
* GR: Test `MatchVuln()` (#912)
* GR: resolve tests & mock client (#909)
* GR: Parse paths in npmrc auth fields correctly (#901)
* Fix rust call analysis by explicitly disabling stripping of
debug info (#908)
* fix(deps): update osv-scanner minor (#895)
* chore(deps): update golang:1.21-alpine3.19 docker digest to
ed8ce6c (#905)
* chore(deps): update workflows (#906)
* chore(deps): lock file maintenance (#898)
* test: clean and sort snapshots (#904)
* Add new vuln for failing test (#900)
* GR: Tests for npm relaxer (#894)
* GR: Add simple test for package-lock.json writing (#891)
* chore(deps): update workflows (#886)
* fix(deps): update osv-scanner minor (#885)
* update deps.dev/util/maven (#892)
* Make MockHTTPServer for tests (#888)
* GR: Add tests for npmrc & npm registry api (#879)
* Update github action docs to v1.7.1 (#881)
* Use stable deps.dev v3 API (#882)
* test: pin alpine image to exact sha (#880)
* test: change how snapshot matchers are called and update
example name for consistency (#866)
* [docs] Fix the HTTP link for downloading offline database.
(#877)
* fix(renovate): constrain go to 1.21 and do not update golang
(#874)
* ci: harden workflow permissions (#872)
* chore(deps): Bump github.com/docker/docker from
25.0.3+incompatible to 25.0.5+incompatible (#878)
Version: 1.4.0-bp156.1.11
* Thu Sep 14 2023 kastl@b1-systems.de
- Update to version 1.4.0:
* Fix issue in the changelog (#533)
* 1.4.0 changelog and docs (#532)
* Adding Offline info (#517)
* chore(deps): update golang:alpine docker digest to 96634e5
(#527)
* chore(deps): update workflows (#529)
* fix(deps): update osv-scanner minor (#528)
* Fix result scanning (#526)
* ci: change how coverage is collected (#525)
* chore: capture coverage and upload it to codecov (#512)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#520)
* Correctly use matchFileNames in renovate.json (#522)
* Update test results to pass new test (#523)
* Revert breaking change in `osv.go` (#514)
* Add osv output lockfile + refactor (#505)
* Update renovate.json (#504)
* fix(deps): update osv-scanner minor (#506)
* Refactor models (#510)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#508)
* chore(deps): update actions/checkout action to v3.6.0 (#507)
* Update contributing docs (#502)
* chore(deps-dev): Bump activesupport from 7.0.7 to 7.0.7.2 in
/docs (#503)
* fix(deps): update golang.org/x/exp digest to d852ddb (#496)
* Add fixtures go to renovate bot ignore (#500)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#498)
* chore(deps): update golangci/golangci-lint-action action to
v3.7.0 (#499)
* chore(deps): update actions/setup-go action to v4.1.0 (#497)
* If go version can't be found, don't add stdlib (#494)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#448)
* feat: support `io.Reader` based parsers (#451)
* fix: don't error if local db directory already exists (#493)
* fix: ensure that "introduced 0" events are sorted before any
other event (#492)
* Add go stdlib version support (#484)
* chore(deps): update golang:alpine docker digest to 445f340
(#467)
* chore(deps): update alpine docker tag to v3.18 (#468)
* chore(deps): update slsa-framework/slsa-github-generator action
to v1.8.0 (#469)
* chore(deps): update alpine:3.18 docker digest to 7144f7b (#480)
* chore(deps): update alpine:3.17 docker digest to f71a5f0 (#466)
* chore(deps): update
gaurav-nelson/github-action-markdown-link-check digest to
46e4421 (#481)
* fix(deps): update golang.org/x/exp digest to 89c5cff (#482)
* chore(deps): update github/codeql-action action to v2.21.4
(#483)
* Fix some vulns and ignore others (#490)
* Rust call analysis (#452)
* Scanner action should pass if the vulnerabilities remain the
same (#475)
* Tidy up scanner action (#474)
* Manually update dependencies to resolve vulnerability
https://osv.dev/GO-2023-1988 (#472)
* feat: add experimental offline mode (#183)
* Move github action back to the main branch (#465)
* refactor: move experimental flags into their own struct (#463)
* fix: use correct plural and singular forms based on count
(#462)
* chore(deps): update github/codeql-action action to v2.21.2
(#455)
* fix(deps): update osv-scanner minor (#456)
* Add annotations and osv-scanner table in the Github Action
output (#460)
* Fix purl mapping (#457)
* test: make `output` tests their own package (#461)
* Updated github actions to use main branch now that the PR is
merged in (#459)
* Recreated Github Action PR (#432)
* chore: minor grammar fixes (#454)
* chore(deps): update docker/setup-buildx-action digest to
4c0219f (#437)
* chore(deps): update golang:alpine docker digest to 7839c9f
(#444)
* Optimize Dockerfile and add .dockerignore (#441)
* chore(deps): update github/codeql-action action to v2.21.0
(#449)
* Enable lockfile maintaince (#450)
* fix(deps): update osv-scanner minor (#445)
* Wed Jul 19 2023 kastl@b1-systems.de
- Update to version 1.3.6:
* Prepare for v1.3.6 Release (#447)
* Adjusting GitHub actions (#446)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#438)
* go.mod: upgrade to golang.org/x/vuln@v1.0.0 (#443)
* Fix PURLToPackage function and move it (#439)
* Update README.md (#440)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#422)
* chore(deps): update workflows (#429)
* fix(deps): update osv-scanner minor (#430)
* update govulncheck integration (#431)
* Wed Jun 28 2023 kastl@b1-systems.de
- Update to version 1.3.5:
* Add more ignores now that debian PURLs are parsed correctly
(#428)
* Adds changelog for v1.3.5 (#427)
* chore(deps): update alpine docker tag to v3.18 (#382)
* test: ensure fixtures directory isn't already a git repository
(#426)
* chore: ignore `.idea` directory (#425)
* Add withdrawn and fix time serialization to conform to the
schema. (#424)
* test: make `models` tests their own package (#423)
* Updated to reflect cvss scores being added to output table.
(#419)
* chore(deps): update workflows (#421)
* chore(deps): update alpine:3.17 docker digest to e95676d (#413)
* Add option to include severity in table output (#409)
* Update the model to better match schema and add YAML tags.
(#417)
* chore(deps): update golang:alpine docker digest to fd9d9d7
(#405)
* chore(deps): update workflows (#406)
* fix(deps): update osv-scanner minor (#415)
* Fixing broken github page (#412)
* Link checker (#408)
* fix(deps): update osv-scanner minor (#407)
* refactor: enable `goimports` linter (#404)
* Update the model to match the latest version of the OSV schema
(#403)
* Mon Jun 12 2023 kastl@b1-systems.de
- Update to version 1.3.4:
* Prepare for 1.3.4 release. (#401)
* chore(deps): update workflows (#393)
* fix(deps): update osv-scanner minor (#392)
* Fix version printer to use app stdout and stderr (#395)
* OSV user agent (#390)
* Wed May 17 2023 kastl@b1-systems.de
- Update to version 1.3.3:
* Add new line and fix test to avoid having to change version
twice (#387)
* 1.3.3 Release (#385)
* Use upload draft assets option (#384)
* chore(deps): update golang:alpine docker digest to ee2f23f
(#380)
* chore(deps): update slsa-framework/slsa-github-generator action
to v1.6.0 (#383)
* fix(deps): update osv-scanner minor (#381)
* Remove --hash from version in requirements.txt (#379)
* Small formatting changes (#377)
* chore(deps): bump github.com/cloudflare/circl from 1.1.0 to
1.3.3 (#378)
* add unit tests for results.go (#368)
* Improve exit docs and add No vulns found to output (#373)
* Update exit docs (#375)
* chore(deps): update github/codeql-action action to v2.3.3
(#372)
* chore(deps): update golang:alpine docker digest to 913de96
(#305)
* fix: handle cyclical `-r`s in `requirements.txt` (#366)
* fix: don't panic on empty files (#367)
* fix(deps): update osv-scanner minor (#327)
* Update spdx to 0.5.0 (#365)
* Update pkg/osv to allow overriding the http client / transport.
(#357)
* chore(deps): update github/codeql-action action to v2.3.2
(#363)
* Enable osvVulnerabilityAlerts (#362)
* Wed Apr 26 2023 kastl@b1-systems.de
- Update to version 1.3.2:
* Fix sbom scanning code (#360)
* 1.3.2 Release (#359)
* Refactor reporter to interfaces (#345)
* Update all minor dependencies without spdx (#358)
* chore(deps): update workflows (#334)
* Better SBOM documentation and error message (#349)
* Move a specific regex to static variable (#346)
* chore(deps): update dependency jekyll-feed to v0.17.0 (#328)
* chore(deps): bump nokogiri from 1.14.1 to 1.14.3 in /docs
(#338)
* chore(deps): bump commonmarker from 0.23.8 to 0.23.9 in /docs
(#337)
* SBOM parsing improvements. (#339)
* Make the reporter public (#341)
* Set `skip-pkg-cache: true` for golangci-lint (#340)
* Support PNPM v6+ Lockfile (#325)
* chore(deps): update alpine:3.17 docker digest to 124c7d2 (#326)
* Call analysis note fixed. (#331)
* Add configs to ignore test vulnerabilities (#329)
* Thu Mar 30 2023 kastl@b1-systems.de
- Update to version 1.3.1:
* Release 1.3.1 changelog (#321)
* chore(deps): update ossf/scorecard-action action to v2.1.3
(#322)
* Add nil check to CycloneDX enumeration (#320)
* Tue Mar 28 2023 kastl@b1-systems.de
- Update to version 1.3.0:
* Update changelog and version for v1.3.0 (#316)
* chore(deps): update workflows (#314)
* fix(deps): update osv-scanner minor (#313)
* Update workflows to compositing, so that goreleaser workflow
can run them. (#315)
* Fix workflow (#311)
* Fix some issues with the model. (#312)
* Improve the OSV models to allow for 3rd party use of the
library. (#310)
* Adds concurrency to hydration requests (#304)
* Make `IgnoredVulns` also ignore aliases (#300)
* fix(deps): update osv-scanner minor (#306)
* chore(deps): update actions/setup-go action to v4 (#308)
* chore(deps): update workflows (#307)
* Run tests before release (#301)
* chore(deps): bump activesupport from 7.0.4.2 to 7.0.4.3 in
/docs (#302)
* Pin lint action (#299)
* fix(deps): update osv-scanner minor (#288)
* fix: support Pipenv develop packages without versions. (#297)
* Set version in source code (#295)
* Prevent `.gitignore` files from interfering with tests (#292)
* fix: trim leading zeros off when comparing numerical components
in Maven versions (better) (#285)
* fix: avoid infinite loops parsing Maven poms with syntax errors
(#294)
* Check if PURL is valid before adding it to queries (#291)
* Renovate bot ignore vulns package (#289)
* chore(deps): update workflows (#287)
* fix: trim leading zeros off when comparing numerical components
in Maven versions (#279)
* Adding call graph info back in (#284)
* Update Colors for Accessibility (#278)
* Removed call graph analysis for now. (#282)
* Remove "working doc" concept (#275)
* feat: improved error message when pom dependency version not
found (#253)
* Add tags and point people to slsa-verifier (#265)
* ci: harden permissions (#269)
* Run on merge queue (#272)
* fix: properly handle comparing zero versions in Maven (#267)
* chore: add `.editorconfig` file (#266)
* fix(deps): update osv-scanner minor (#270)
* Renovate bot use ignorePaths instead for fixtures (#264)
* test: update case with new advisory (#268)
* fix: deduplicate packages that appear multiple times in
`Pipenv.lock` files (#261)
* feat: support `-r` flag in `requirements.txt` files (#260)
* chore(deps): update workflows (#242)
* fix: avoid panic when parsing `file:` dependencies in `pnpm`
lockfiles (#259)
* More specific cyclone dx parsing (#258)
* Parse nested CycloneDX components correctly (#251)
* fix: support yarn locks with quoted properties (#250)
* Update renovate.json (#248)
* fix(deps): update golang.org/x/exp digest to c95f2b4 (#241)
* govulncheck integration (#198)
* Create draft release first in goreleaser (#236)
* Adding additional installation instructions (#235)
* Thu Feb 23 2023 kastl@b1-systems.de
- Update to version 1.2.0:
* Changelog update for v1.2.0 (#233)
* Moving Working Docs to Current (#234)
* Update the output docs, make logo a lot bigger, make page slightly wider (#226)
* Upgrade to yaml v3 (#231)
* ParseAs for dpkg-status (#229)
* Update analytics for documentation. (#230)
* chore(deps): update docker/setup-buildx-action digest to f03ac48 (#223)
* fix(deps): update osv-scanner minor (#225)
* chore(deps): bump golang.org/x/net from 0.2.0 to 0.7.0 (#222)
* chore(deps): update dependency http_parser.rb to "~> 0.8.0" (#224)
* fix: ensure that vulnerability results are ordered deterministically (#220)
* test: ensure case names match function under test (#228)
* Nits - APK installed optimizations (#227)
* Support for DPKG (Debian) parser (#168)
* feat: support `dependencyManagement` in Maven poms (#221)
* Google analytics added. (#215)
* Console formatting changes
* Documentation Style Improvements (#211)
* fixed broken link (#210)
* Documentation moved to github page.
* Minor changes for gitignore parsing (#208)
* Improve gitignore parsing (#206)
* fix(deps): update osv-scanner minor (#205)
* chore(deps): update github/codeql-action action to v2.2.4 (#204)
* Move instructions to Usage (#197)
* Make scanner respect .gitignore files (#191)
* feat: support specifying what parser to use in `--lockfile` (#94)
* fix: add missing toml tags to struct (and update linter) (#190)
* fix(deps): update golang.org/x/exp digest to 98cc5a0 (#188)
* fix(osv-query): omit SourceInfo from JSON marshaling (#185)
* test: remove nonsense case and correct names (#187)
* Update readme usage section (#171)
* chore(deps): update docker/login-action action to v2 (#148)
* fix(deps): update osv-scanner minor (#147)
* Support SPDX 2.3 (#178)
* chore(deps): update workflows (#172)
* feat: Render output as a markdown table for use in github comments (#156)
* APK: fix test function (#180)
* Log number of packages scanned from SBOMs. (#179)
* Make OSV api public (#167)
* Add experimental comment (#173)
* fix: exit with generic non-zero code when there is a general error (#161)
* fix: reuse app-level writer and err writers in `VersionPrinter` (#166)
* chore(deps): update github/codeql-action action to v2.1.39 (#159)
* test: add cases for `semantic.MustParse` (#160)
* feat: create `--format` flag (#158)
* golangci checks in github action, and fixes initial linter issues (#149)
* test: add case for `--version` flag (#162)
* chore: remove duplicated generators (#157)
* - add conan.lock to the list (#59)
* Fix endpoint typo (#152)
* feat: add `semantic` package (#92)
* Adding re-try for getting a Vuln for the given ID (#141)
* chore(deps): update github/codeql-action action to v2.1.38 (#146)
* chore: adjust comment to match type name (#143)
* Mention Pipfile.lock support in changelog. (#140)
* Fix link to GitHub issues (#139)
Version: 1.1.0-bp155.1.6
* Thu Jan 12 2023 kastl@b1-systems.de
- Update to version 1.1.0:
* Fix goreleaser permissions (#138)
* v1.1.0 release PR (#137)
* fix(deps): update osv-scanner minor (#79)
* Temporarily disable alpine package scanning (#136)
* Move tests from cloudbuild to gh actions (#135)
* Use short url in scanner output (#134)
* chore(deps): update workflows (#78)
* Update readme and add changelog (#133)
* fix: use correct ecosystem for NuGet (#132)
* Do not highlight borders of result table (#131)
* Add contributing file (#130)
* Update README.md (#127)
* docs: describe build process (#109)
* Add gomodtidy after renovate updates (#120)
* Make lint trigger same as others (#125)
* Minor documentation updates. (#121)
* Add support for Alpine Linux /lib/apk/db/installed (Resolves #72) (#107)
* feat: add docker publish method (#70)
* Add Pipenv lockfile support (Resolves #71) (#66)
* Lint readme (#100)
* Have renovate-bot label its PRs as it does with osv.dev (#116)
* [pkg] implement NuGet ecosystem parser (#98)
* Update github.com/spdx/gordf dependency to fix 32 bit support (#104)
* test: update spec case and adjust assertion message (#99)
* fix: ensure that files are closed when they're no longer needed (#106)
* Fix lockfile example syntax (#103)
* docs: add homebrew installation note (#89)
* Tue Dec 20 2022 Johannes Kastl <kastl@b1-systems.de>
- add build parameters, so 'osv-scanner --version' shows proper version,
build date and the release tag as commit
* Tue Dec 20 2022 kastl@b1-systems.de
- Update to version 1.0.2:
* shorten affected package to package (#90)
* Move table columns so that the important column is displayed first (#87)
* Add blog post link to README (#84)
* Minor updates to install instruction title (#80)
* Added installation instructions for Scoop (#68)
* Update README.md (#77)
* Fix readme anchor link. (#76)
* Update README.md (#58)
* Add disclaimer on Debian scanning. (#65)
* Add gradle lockfile support (#46)
* Tue Dec 20 2022 Johannes Kastl <kastl@b1-systems.de>
- new package osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev