./security/osv-scanner, Vulnerability scanner written using the OSV project



Branch: CURRENT, Version: 1.9.1nb1, Package name: osv-scanner-1.9.1nb1, Maintainer: pkgsrc-users

Use OSV-Scanner to find existing vulnerabilities affecting your
project's dependencies.

OSV-Scanner provides an officially supported frontend to the OSV
database that connects a project's list of dependencies with the
vulnerabilities that affect them. Since the OSV.dev database is
open source and distributed, it has several benefits in comparison
with closed source advisory databases and scanners:

- Each advisory comes from an open and authoritative source
- Anyone can suggest improvements to advisories, resulting in a
very high-quality database
- The OSV format unambiguously stores information about affected
versions in a machine-readable format that precisely maps onto a
developer's list of packages

The above all results in fewer, more actionable vulnerability
notifications, which reduces the time needed to resolve them.


Filesize: 6770.423 KB


CVS history:


   2025-03-07 21:54:34 by Benny Siegert | Files touched by this commit (190) | Package updated
Log message:
Revbump all Go packages after go124 update

I realize I forgot to do the revbump after updating the default Go
version to 1.24, so let's do that now.
   2024-12-12 11:51:49 by Leonardo Taccari | Files touched by this commit (4)
Log message:
osv-scanner: Update to 1.9.1

pkgsrc changes:
- Only install osv-scanner. osv-reporter is intended only for GitHub Actions and
  generate_mock_resolution_universe is only intended for internal
  use/osv-scanner development
- Remove not needed / nop USE_LANGUAGES (it is already defined to c by default)

Changes:
v1.9.1
- Support offline database in fix subcommand.
- Add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve`
  flags.
- Support private registries for Maven.
- Support `vulnerabilities.ignore` in package overrides.
- Bug fixes

v1.9.0
- Allow explicitly ignoring the license of a package in config with
  `license.ignore = true`.
- Error if configuration file has unknown properties.
- Assume `.txt` files with "requirements" in their name are
  `requirements.txt` files
- Bug fixes

v1.8.5
- Support fetching snapshot versions from a Maven registry.
- Support composite-based package overrides. This allows for ignoring entire
  manifests when scanning.
- Add FIXED-VULN-IDS to guided remediation non-interactive output.
- Bug fixes

v1.8.4
- Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package
  basis.
  Also hide & deprecate previous `--disallow-major-upgrades` and
  `--disallow-package-upgrades` flags.
- Bug fixes

v1.8.3
- OSV-Scanner now provides "vertical" output format!
- Bug fixes

v1.8.2
- Adding CycloneDX 1.4 and 1.5 output format. Thanks marcwieserdev!
- Bug fixes

v1.8.0/v1.8.1
- OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files!
- The `osv-scanner.toml` configuration file can now filter specific packages
  with new `[[PackageOverrides]]` sections.
- The `--experimental-local-db` flag has been removed and replaced with
  a new flag `--experimental-download-offline-databases` which better
  reflects what the flag does.
  To replicate the behavior of the original `--experimental-local-db`
  flag, replace it with both `--experimental-offline
  --experimental-download-offline-databases` flags. This will run
  osv-scanner in offline mode, but download the latest version of the
  vulnerability databases before scanning.
- Bug fixes
   2024-09-06 20:49:02 by Benny Siegert | Files touched by this commit (180) | Package updated
Log message:
Revbump all Go packages after go122 update
   2024-08-11 17:57:15 by Benny Siegert | Files touched by this commit (176) | Package updated
Log message:
Revbump all Go packages after update
   2024-07-03 08:59:36 by Benny Siegert | Files touched by this commit (169) | Package updated
Log message:
Revbump all Go packages after go122 security update
   2024-06-13 15:47:13 by Benny Siegert | Files touched by this commit (169) | Package updated
Log message:
Revbump all Go packages after go122 update
   2024-06-01 16:03:06 by Benny Siegert | Files touched by this commit (168)
Log message:
Revbump all Go packages, default Go version is now 1.22.
   2024-05-30 17:07:56 by Pierre Pronchery | Files touched by this commit (4) | Package updated
Log message:
osv-scanner: update to 1.7.4

Changes in 1.7.4:

* Feature #943 Support scanning gradle/verification-metadata.xml files.
* Bug #968 Hide unimportant Debian vulnerabilities to reduce noise.

Changes in 1.7.3:

* Feature #934 add support for PNPM v9 lockfiles.
* Bug #938 Ensure the sarif output has a stable order.
* Bug #922 Support filtering on alias IDs in Guided Remediation.

Tested on NetBSD/amd64.