
v0.6.0

@github-actions github-actions released this 17 Jun 01:40
· 126 commits to main since this release
a930d22

This version has a few major improvements, starting with adding support for using the osv.dev API to check for vulnerabilities; this can serve as a means of checking for known vulnerabilities in dependencies that only have a git commit hash instead of a comparable version.

To supplement this, some of the lockfile parsers have been taught how to extract a commit hash if present, though not all of them support this yet, so the detector now also supports being passed package details as a CSV row (either via a file or on the command line); this is useful for doing one-off queries and for checking dependencies that the detector currently can't infer for you (looking at you, NuGet).
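As an added illustration of the two lookups described above (this is not the detector's own code), the script below turns CSV rows into osv.dev `/v1/querybatch` queries, using a name/version query for a normal package and a commit query for a git-only dependency, and then reduces the response to advisory IDs per package. The CSV layout (`ecosystem,name,version`, or an empty ecosystem and name with a commit hash in the third column) is my own assumption, not necessarily the detector's format; the sample input and response are constructed inline so it runs offline, and `post_querybatch` is the real network call.

```python
import csv
import io
import json
import urllib.request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"


def row_to_query(row):
    """Map one CSV row to an osv.dev query object.

    Assumed layout (not the detector's own): ecosystem,name,version.
    A row with no name is treated as a git-only dependency and is
    queried by commit hash, since there is no comparable version.
    """
    ecosystem, name, version = (c.strip() for c in row[:3])
    if not name:
        return {"commit": version}
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


def build_batch(csv_text):
    """Build the querybatch payload from CSV text, one package per line."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 3]
    return {"queries": [row_to_query(r) for r in rows]}


def summarise(batch, response):
    """Pair each query with the advisory IDs returned for it.

    querybatch answers in query order and returns {} for a clean package.
    """
    findings = []
    for query, result in zip(batch["queries"], response["results"]):
        if "commit" in query:
            label = query["commit"]
        else:
            pkg = query["package"]
            label = pkg["ecosystem"] + "/" + pkg["name"] + "@" + query["version"]
        ids = sorted(v["id"] for v in result.get("vulns", []))
        findings.append((label, ids))
    return findings


def post_querybatch(batch):
    """Send the batch to osv.dev (network call; not used by the offline demo)."""
    req = urllib.request.Request(
        OSV_QUERYBATCH,
        data=json.dumps(batch).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed input: one versioned npm package and one git-only dependency.
SAMPLE_CSV = "npm,lodash,4.17.20\n,,0123456789abcdef0123456789abcdef01234567\n"
# Constructed response in the shape querybatch returns; the ID is a placeholder.
SAMPLE_RESPONSE = {"results": [{"vulns": [{"id": "OSV-EXAMPLE-0001", "modified": "2022-01-01T00:00:00Z"}]}, {}]}

if __name__ == "__main__":
    for label, ids in summarise(build_batch(SAMPLE_CSV), SAMPLE_RESPONSE):
        print(label, "->", ", ".join(ids) or "no known vulnerabilities")
```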

And finally, this version also changes the order of operations so now we:

  1. parse all the lockfiles (& configs),
  2. load the databases,
  3. check for known vulnerabilities in each lockfile.

This means the detector can both do more work in parallel and do less work overall by only loading each database once (instead of once-per-lockfile) - it also makes the output a bit nicer by separating the database loading info out from the lockfile check results.

We've also now got a GitHub Action you can use to easily check your dependencies for known vulnerabilities!

What's Changed

  • support using the osv.dev api directly (#94)
  • parse all lockfiles and load all databases before checking for vulnerabilities (#101)
  • support parsing commits from the following lockfiles
    • yarn.lock (#104)
    • package-lock.json (#105)
    • pnpm.yaml (#107)
    • Gemfile.lock (#108)
    • composer.lock (#94)
  • support providing arbitrary packages to check via a csv (#93 & #111)
  • use name and version properties if present when parsing pnpm.yaml locks (#106)

Full Changelog: v0.5.0...v0.6.0