Subject: CVS commit: pkgsrc/security/osv-scanner
From: Leonardo Taccari
Date: 2024-12-12 11:51:49
Message id: 20241212105149.E98FCFC1C@cvs.NetBSD.org
Log Message:
osv-scanner: Update to 1.9.1
pkgsrc changes:
- Only install osv-scanner. osv-reporter is intended only for GitHub Actions and
generate_mock_resolution_universe is only intended for internal
use/osv-scanner development
- Remove unneeded / no-op USE_LANGUAGES (it is already defined to c by default)
Changes:
v1.9.1
- Support offline database in fix subcommand.
- Add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve`
flags.
- Support private registries for Maven.
- Support `vulnerabilities.ignore` in package overrides.
- Bug fixes
v1.9.0
- Allow explicitly ignoring the license of a package in config with
`license.ignore = true`.
- Error if configuration file has unknown properties.
- Assume `.txt` files with "requirements" in their name are
`requirements.txt` files
- Bug fixes
v1.8.5
- Support fetching snapshot versions from a Maven registry.
- Support composite-based package overrides. This allows for ignoring entire
manifests when scanning.
- Add FIXED-VULN-IDS to guided remediation non-interactive output.
- Bug fixes
v1.8.4
- Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package basis.
Also hide & deprecate previous `--disallow-major-upgrades` and
`--disallow-package-upgrades` flags.
- Bug fixes
v1.8.3
- OSV-Scanner now provides "vertical" output format!
- Bug fixes
v1.8.2
- Adding CycloneDX 1.4 and 1.5 output format. Thanks marcwieserdev!
- Bug fixes
v1.8.0/v1.8.1
- OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files!
- The `osv-scanner.toml` configuration file can now filter specific packages
with new `[[PackageOverrides]]` sections.
- The `--experimental-local-db` flag has been removed and replaced with
a new flag `--experimental-download-offline-databases` which better
reflects what the flag does.
To replicate the behavior of the original `--experimental-local-db`
flag, replace it with both `--experimental-offline
--experimental-download-offline-databases` flags. This will run
osv-scanner in offline mode, but download the latest version of the
vulnerability databases before scanning.
- Bug fixes
Files:
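The `[[PackageOverrides]]` sections, the `license.ignore = true` and `vulnerabilities.ignore` options, and the v1.9.0 rule that a configuration file with unknown properties is an error, modelled as an added Python illustration. This is not osv-scanner's own code: the accepted key set (`name`, `version`, `ecosystem`, `group`, `ignore`, `license`, `vulnerabilities`, `effectiveUntil`, `reason`) and the rule that an override applies only when every matching field it names agrees with the package are assumptions about osv-scanner's behaviour, and both the config text and the package list are constructed for the example.

```python
"""Illustrative model of osv-scanner.toml package overrides (added example,
not osv-scanner's own implementation). Shows how `[[PackageOverrides]]`
with `license.ignore` / `vulnerabilities.ignore` narrows what a scan reports,
and rejects unknown configuration properties the way v1.9.0 does."""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:
    tomllib = None

# Constructed sample config using only the options named in the changelog.
SAMPLE_CONFIG = """
[[PackageOverrides]]
name = "lodash"
ecosystem = "npm"
license.ignore = true
reason = "license reviewed manually"

[[PackageOverrides]]
name = "internal-tool"
version = "1.2.3"
ecosystem = "Go"
vulnerabilities.ignore = true
reason = "affected code path is not built"
"""

# Constructed package inventory, as a scanner would extract it from a lockfile.
SAMPLE_PACKAGES = [
    {"name": "lodash", "version": "4.17.21", "ecosystem": "npm"},
    {"name": "internal-tool", "version": "1.2.3", "ecosystem": "Go"},
    {"name": "internal-tool", "version": "1.3.0", "ecosystem": "Go"},
]

# Assumed key sets; anything outside them is treated as an unknown property.
KNOWN_TOP_LEVEL = {"IgnoredVulns", "PackageOverrides"}
KNOWN_OVERRIDE_KEYS = {"name", "version", "ecosystem", "group", "ignore",
                       "license", "vulnerabilities", "effectiveUntil", "reason"}
KNOWN_SUBKEYS = {"license": {"ignore", "override"}, "vulnerabilities": {"ignore"}}
MATCH_FIELDS = ("name", "version", "ecosystem", "group")


def _parse_minimal_toml(text):
    """Fallback for Python < 3.11: only the subset used above
    ([[array-of-tables]] headers, dotted keys, string and boolean values)."""
    doc, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\[(\w+)\]\]", line)
        if header:
            current = {}
            doc.setdefault(header.group(1), []).append(current)
            continue
        if current is None:
            raise ValueError("key outside of a table: %r" % line)
        key, _, value = (p.strip() for p in line.partition("="))
        if value in ("true", "false"):
            parsed = value == "true"
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            parsed = value[1:-1]
        else:
            raise ValueError("unsupported value: %r" % value)
        parts = key.split(".")
        target = current
        for part in parts[:-1]:  # dotted key -> nested table
            target = target.setdefault(part, {})
        target[parts[-1]] = parsed
    return doc


def validate_config(data):
    """Raise ValueError on any property outside the assumed key sets."""
    unknown = set(data) - KNOWN_TOP_LEVEL
    if unknown:
        raise ValueError("unknown top-level properties: %s" % sorted(unknown))
    for override in data.get("PackageOverrides", []):
        bad = set(override) - KNOWN_OVERRIDE_KEYS
        if bad:
            raise ValueError("unknown override properties: %s" % sorted(bad))
        for sub, allowed in KNOWN_SUBKEYS.items():
            extra = set(override.get(sub, {})) - allowed
            if extra:
                raise ValueError("unknown %s properties: %s" % (sub, sorted(extra)))


def load_config(text):
    data = tomllib.loads(text) if tomllib else _parse_minimal_toml(text)
    validate_config(data)
    return data


def override_matches(override, pkg):
    """Assumed rule: every match field present in the override must agree."""
    return all(override[f] == pkg.get(f) for f in MATCH_FIELDS if f in override)


def effective_policy(config, pkg):
    """Which checks are skipped for pkg: {'vulns': bool, 'license': bool}."""
    skip = {"vulns": False, "license": False}
    for override in config.get("PackageOverrides", []):
        if not override_matches(override, pkg):
            continue
        if override.get("ignore"):  # whole package ignored
            skip["vulns"] = skip["license"] = True
        if override.get("license", {}).get("ignore"):
            skip["license"] = True
        if override.get("vulnerabilities", {}).get("ignore"):
            skip["vulns"] = True
    return skip


def summarize(config_text=SAMPLE_CONFIG, packages=SAMPLE_PACKAGES):
    """Map 'ecosystem/name@version' to the checks the config suppresses."""
    config = load_config(config_text)
    return {"%s/%s@%s" % (p["ecosystem"], p["name"], p["version"]):
            effective_policy(config, p) for p in packages}


if __name__ == "__main__":
    for key, policy in summarize().items():
        print(key, policy)
```

The point worth checking in a real config is the third package: `internal-tool@1.3.0` gets no suppression because the override pins `version = "1.2.3"`, so an override written with a version stays narrow after an upgrade, while one written without a version (like the `lodash` entry) keeps applying to every version.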