
Releases: G-Rath/osv-detector

v0.5.0

19 May 19:34
ed9a866

This version adds support for ignoring OSV advisories, both via a CLI flag and via config files. By default the detector looks for an .osv-detector.yml or .osv-detector.yaml in the directory of each lockfile it checks; that file can contain an ignore array.

The detector also now supports parsing pom.xml for the Maven ecosystem.
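A minimal config file of the shape described above, added here as an illustration rather than taken from the project's own documentation. The file name and location (next to the lockfile) and the `ignore` key come from the release note; that each entry is the ID of an OSV advisory to suppress is an assumption, and the IDs shown are placeholders, not real advisories.

```yaml
# .osv-detector.yml, kept in the same directory as the lockfile it applies to.
# Assumed format: one OSV advisory ID per entry (the IDs below are placeholders).
ignore:
  # Recording the reason next to each ID keeps the suppression reviewable
  # when the lockfile is next updated.
  - EXAMPLE-2022-0001 # placeholder: vulnerable code path is not reachable in this service
  - EXAMPLE-2022-0002 # placeholder: fixed version blocked on an unrelated upgrade
```

An ignore list is a standing decision to accept a finding, so treat changes to it like any other security-relevant change to the repository: review the justification, and revisit entries when the lockfile moves to a version that fixes the advisory.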

What's Changed

  • support parsing pom.xml / maven / java (#81)
  • support ignoring vulnerabilities (#91)
  • support config files (#95)

Full Changelog: v0.4.1...v0.5.0

v0.4.1

03 May 20:50
254ff0b

What's Changed

  • exit with the "generic error" code instead of the "vulnerabilities found" code when no valid path is provided (#86)
  • validate --parse-as so that a sensible error is shown when a directory is passed and an invalid --parse-as value is provided (#85)
  • use correct plural & singular forms in text output (#88)
  • make flag usage text more accurate (#89)

Full Changelog: v0.4.0...v0.4.1

v0.4.0

10 Apr 01:20
641b817

This version focuses on inputs and outputs: the detector can now be passed multiple files and even directories in a single call, and can output its results as JSON.

What's Changed

  • sort packages with the same name by their versions (#72)
  • trim off a leading "v" in version strings when parsing to make comparison more robust (#74)
  • support json output (#77)
  • support being passed multiple files in a single call (#73)
  • support being passed a directory to check for supported lockfiles (#79)

Full Changelog: v0.3.0...v0.4.0

v0.3.0

13 Mar 06:47
54eccb9

This version switches the detector from the GitHub advisory database to the databases provided by osv.dev, which aggregates a number of advisory databases (including the GitHub advisory database) into one database per ecosystem.

What's Changed

  • switch to using ecosystem databases from osv.dev (#59)
  • normalize names of Python packages, favoring false positives over false negatives (#56)
  • support SEMVER ranges (#57)
  • support OSV advisories with just a versions array in affected (#58)
  • fall back to using the details field if summary is not present (#60)
  • don't report vulnerabilities multiple times under different aliases (#61)
  • add --cache-all-databases flag (#68)
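Three of the changes listed in this release and the previous one are matching rules rather than features: normalizing Python package names, collapsing advisories that are aliases of one another, and (in v0.4.0) trimming a leading "v" from versions. The Go program below is an added example of the general techniques involved, written for this page and not taken from osv-detector's source; the `Advisory` type is a minimal stand-in for an OSV record's `id` and `aliases` fields, the name normalization follows PEP 503, and the advisory IDs in the sample are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pyNameSeparators matches any run of the characters PEP 503 treats as equivalent.
var pyNameSeparators = regexp.MustCompile(`[-_.]+`)

// normalizePythonName folds a PyPI name into its PEP 503 canonical form:
// lowercase, with every run of '-', '_' and '.' collapsed to a single '-'.
// Comparing on this form makes "Typing_Extensions" and "typing-extensions"
// match, so a spelling difference cannot hide an advisory (at the cost of
// a possible false positive, which is the trade-off the release note names).
func normalizePythonName(name string) string {
	return strings.ToLower(pyNameSeparators.ReplaceAllString(strings.TrimSpace(name), "-"))
}

// normalizeVersion drops a single leading "v" so "v1.2.3" and "1.2.3" compare equal.
func normalizeVersion(version string) string {
	return strings.TrimPrefix(version, "v")
}

// Advisory is a minimal stand-in for an OSV record: its own ID and the IDs it
// lists under "aliases" for the same vulnerability in other databases.
type Advisory struct {
	ID      string
	Aliases []string
}

// dedupeByAlias keeps one advisory per alias group, in input order. Two
// advisories belong to the same group if one lists the other as an alias,
// directly or through a chain of shared aliases; union-find over the IDs
// resolves such chains (A aliases B, C aliases B puts A, B and C together).
func dedupeByAlias(advisories []Advisory) []Advisory {
	parent := map[string]string{}
	var find func(string) string
	find = func(id string) string {
		p, ok := parent[id]
		if !ok || p == id {
			parent[id] = id
			return id
		}
		root := find(p)
		parent[id] = root // path compression
		return root
	}
	for _, a := range advisories {
		for _, alias := range a.Aliases {
			parent[find(a.ID)] = find(alias) // union the two groups
		}
	}

	seen := map[string]bool{}
	var unique []Advisory
	for _, a := range advisories {
		root := find(a.ID)
		if seen[root] {
			continue
		}
		seen[root] = true
		unique = append(unique, a)
	}
	return unique
}

func main() {
	for _, n := range []string{"Typing_Extensions", "zope.interface", "Django"} {
		fmt.Printf("%-18s -> %s\n", n, normalizePythonName(n))
	}
	fmt.Println("v1.2.3 == 1.2.3:", normalizeVersion("v1.2.3") == normalizeVersion("1.2.3"))

	// Constructed sample: EXAMPLE-1 and EXAMPLE-3 both alias EXAMPLE-2, so all
	// three describe one vulnerability; EXAMPLE-4 is unrelated. Placeholder IDs.
	advisories := []Advisory{
		{ID: "EXAMPLE-1", Aliases: []string{"EXAMPLE-2"}},
		{ID: "EXAMPLE-2"},
		{ID: "EXAMPLE-3", Aliases: []string{"EXAMPLE-2"}},
		{ID: "EXAMPLE-4"},
	}
	for _, a := range dedupeByAlias(advisories) {
		fmt.Println("report:", a.ID)
	}
}
```

Run with `go run main.go`; the sample reports two advisories (EXAMPLE-1 and EXAMPLE-4) rather than four. Note that alias-based collapsing relies on the records actually cross-referencing each other: two advisories for the same bug that neither database links stay separate, so deduplication reduces noise but is not proof that the remaining findings are distinct vulnerabilities.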

Full Changelog: v0.2.1...v0.3.0

v0.2.1

10 Mar 23:06
91a2340

What's Changed

  • sort packages by name after parsing (#48)
  • sort ecosystems by name when listing (#49)
  • add missing newlines to the end of some outputs (#50 & #51)
  • properly extract the name of python packages that are using "added support" syntax (#52)

Full Changelog: v0.2.0...v0.2.1

v0.2.0

09 Mar 18:31
59708b2

What's Changed

  • include advisory link in output (#35)
  • support --version flag (#43)
  • support parsing cargo.lock (#42)
  • support parsing pnpm-lock.yaml (#40)
  • support parsing go.mod (#46)

Full Changelog: v0.1.0...v0.2.0

v0.1.0

05 Mar 00:46
1f3da08

Initial release 🎉