github google/osv-scanner v2.0.0

one day ago

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer-level analysis and per-layer vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.
    • Private registry support for Maven metadata.
    • Machine-readable output for guided remediation.
  • Enhanced Dependency Extraction with osv-scalibr:
    • Haskell: cabal.project.freeze, stack.yaml.lock
    • .NET: deps.json
    • Python: uv.lock
    • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
  • Feature #1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
  • Feature #1582 Add container scanning information to vertical output format.
  • Feature #1587 Add support for severity in SARIF report format.
  • Feature #1569 Add support for bun.lock lockfiles.
  • Feature #1547 Add experimental config support to the scan image command.
  • Feature #1557 Allow setting port number with --serve using the new --port flag.

Breaking Changes:

  • Feature #1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
  • Feature #1670 Removed the --verbosity=verbose verbosity level.
  • Feature #1673 & Feature #1664 All flags previously marked experimental have graduated out of experimental status, and the experimental flag mechanism itself has been removed.
  • Feature #1651 Multiple license flags have been merged into a single --license flag.
  • Feature #1666 API: reporter removed; logging now uses slog, which can be overridden.
  • Feature #1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).

Improvements:

  • Feature #1561 Updated HTML report for better contrast and usability (from beta2).
  • Feature #1584 Make skipping the root git repository the default behavior (from beta2).
  • Feature #1648 Updated HTML report styling to improve contrast (from rc1).

Fixes:

  • Fix #1598 Fix table output vulnerability ordering.
  • Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
  • Fix #1585 Fixed issue where base images are occasionally duplicated.
  • Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
  • Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
  • Fix #1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

Full Changelog: v1.9.2...v2.0.0
