Changelog
The first beta of OSV-Scanner V2 is here! This beta release introduces significant enhancements, including refactored dependency extraction capabilities, container image scanning, and guided remediation for Maven.
This beta release does not introduce any breaking CLI changes and the beta period is expected to last approximately one month. However, as this is a beta release, there may be breaking changes breaking changes in the final release compared to the first beta.
GitHub Action based on OSV-Scanner V2 is also coming soon - stay tuned!
We encourage you to try out these new features and would appreciate any feedback you might have on our discussion topics:
Layer and base image-aware container scanning
A significant new feature is a rewritten, layer-aware container scanning support for Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to provide:
- Layers where a package was first introduced
- Layer history and commands
- Base images the image is based on
- OS/Distro the container is running on
This layer analysis leverages OSV-Scalibr, and supports the following OSes and languages:
| Distro Support | Language Artifacts Support |
|---|---|
| Alpine OS | Go |
| Debian | Java |
| Ubuntu | Node |
| Python |
Base image identification also leverages a new experimental API provided by https://deps.dev.
For usage, run the new scan image command:
osv-scanner scan image <image-name>:<tag>
Check out our documentation for more details.
Interactive HTML output
A new, interactive HTML output is now available. This provides a lot more interactivity and information compared to terminal only outputs, including:
- Severity breakdown
- Package and ID filtering
- Vulnerability importance filtering
- Full vulnerability advisory entries
And additionally for container image scanning:
- Layer filtering
- Image layer information
- Base image identification
Guided Remediation for Maven pom.xml
Last year we released a feature called guided remediation for npm. We have now expanded support to Maven pom.xml.
With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management.
We’ve introduced a few new features for our Maven support:
- A new remediation strategy
overrideis introduced. - Support for reading and writing pom.xml files, including writing changes to local parent pom files.
- Private registry can be specified to fetch Maven metadata.
The guided remediation support for Maven is only available in the non-interactive mode. For basic usage, run the following command:
osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml
We also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow.
For more usage details on guided remediation, please see our documentation.
Enhanced Dependency Extraction with osv-scalibr
With the help from OSV-Scalibr, we now also have expanded support for the kinds of dependencies we can extract from projects and containers:
Source manifests and lockfiles
- Haskell:
cabal.project.freeze,stack.yaml.lock - .NET:
deps.json - Python:
uv.lock
Artifacts
- node_modules
- Python wheels
- Java uber jars
- Go binaries
The full list of supported formats can be found here.
The first beta doesn’t enable every single extractor currently available in OSV-Scalibr today. We’ll continue to add more leading up to the final 2.0.0 release.
OSV-Scalibr also makes it incredibly easy to add new extractors. Please file a feature request if a format you’re interested in is missing!
New Contributors
- @ivmeta made their first contribution in #1327
- @janniclas made their first contribution in #1398
- @VishalGawade1 made their first contribution in #1390
Full Changelog: v1.9.1...v2.0.0-beta1