Releases: G-Rath/osv-detector

v0.9.1

21 Dec 00:20
adfea86

What's Changed

  • ensure that file paths are handled properly on Windows (#161)
  • handle replace directives in go.mod files (#162)

Full Changelog: v0.9.0...v0.9.1

v0.9.0

11 Nov 03:58
573f2ca

This version changes how the detector does version comparison to be based on the semantics for the ecosystem the version belongs to, which fixes a number of subtle (and for some ecosystems, not so subtle) differences when comparing packages.

This does mean the CSV parser format has a new column that specifies the ecosystem version, in case you're using a custom ecosystem.

What's Changed

  • compare versions using ecosystem-specific semantics (#157)

Full Changelog: v0.8.0...v0.9.0

v0.8.0

08 Oct 21:29
9bfcd15

What's Changed

  • support parsing poetry.lock, for Python (#156)
  • support parsing pubspec.lock, for Dart (#159)

Full Changelog: v0.7.2...v0.8.0

v0.7.2

26 Sep 19:51
06f2873

What's Changed

  • parse & compare versions as big integers to support really large numbers (#155)

Full Changelog: v0.7.1...v0.7.2

v0.7.1

17 Aug 19:18
7cbc516

What's Changed

  • Cargo.lock starts with a capital letter (#151)
  • Update module name to make it easier to consume packages (#150)

Full Changelog: v0.7.0...v0.7.1

v0.7.0

09 Jul 23:39
2009ec2

This version adds support for extra databases, which has a bunch of cool use-cases including drafting OSVs locally before submitting them to databases, and exotic use of the OSV specification to check for things that are not technically vulnerabilities but are still undesirable (e.g. dependencies that are end of life, deprecated, unmaintained, or whose license means they can't be used in a project).

When combined with the ability to provide arbitrary packages via CSVs, this can also make it easier for communities that are not yet represented as an official ecosystem in the OSV specification, as they can still begin to author security advisories using the OSV spec with a proposed ecosystem name that the detector can use.

Because extra databases are configured in config files, the detector also now supports ignoring specific parts of config files; note that by default the detector assumes you trust any config file it finds, including any extra databases that are configured (remote or otherwise) - it is up to you to decide if you don't want any extra databases to be loaded.

In addition to the above, the detector also now supports parsing mix.lock files for the Hex ecosystem, understands the new last_affected event in OSVs, and uses a unique exit code when it cannot find any supported lockfiles in the provided arguments, which can be useful for tooling.
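The ecosystem-aware, big-integer version comparison (v0.9.0 and v0.7.2) and the last_affected event (this release) together, as an added Go example that is not the detector's own code: compareVersions is a simplified numeric comparator (real ecosystems add pre-release and epoch rules), and isAffected assumes the range's events are already sorted in ascending version order.

```go
package main

import "math/big"
import "strings"

// One OSV range event; field names follow the OSV spec. Illustration only, not the detector's code.
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}

// component parses the i-th dotted component as a big integer; missing or non-numeric counts as 0 (simplification).
func component(parts []string, i int) *big.Int {
	n := new(big.Int)
	if i < len(parts) {
		if _, ok := n.SetString(parts[i], 10); !ok {
			n.SetInt64(0)
		}
	}
	return n
}

// compareVersions orders versions component-wise with math/big, so "1.10.0" > "1.9.0" and components beyond int64 compare correctly.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if c := component(as, i).Cmp(component(bs, i)); c != 0 {
			return c
		}
	}
	return 0
}

// isAffected walks events in ascending version order (assumed pre-sorted): "introduced" opens an
// affected window ("0" means every version), "fixed" closes it exclusively, "last_affected" inclusively.
func isAffected(events []Event, version string) bool {
	affected := false
	for _, e := range events {
		switch {
		case e.Introduced != "":
			affected = affected || e.Introduced == "0" || compareVersions(version, e.Introduced) >= 0
		case e.Fixed != "" && compareVersions(version, e.Fixed) >= 0:
			affected = false
		case e.LastAffected != "" && compareVersions(version, e.LastAffected) > 0:
			affected = false
		}
	}
	return affected
}
```

With the constructed events {introduced: "0"} followed by {last_affected: "3.2.1"}, version 3.2.1 is reported as affected, whereas the same range closed by {fixed: "3.2.1"} is not.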

What's Changed

  • support extra databases (#114)
  • adjust error message to indicate directories must have "at least one" lockfile (#137)
  • support skipping specific parts of configs (#141)
  • remove --cache-all-databases flag (#143)
  • support last_affected in OSVs (#142)
  • support parsing mix.lock (#124)
  • use a unique exit code to indicate that no lockfiles could be found in the given args (#138)

Full Changelog: v0.6.2...v0.7.0

v0.6.2

26 Jun 00:13
6060221

What's Changed

  • pass args to parser when using --parse-as csv-row (#129)
  • require at least three fields to be present in csv rows (#130)
  • improve readme section about csv parsers (#131)

Full Changelog: v0.6.1...v0.6.2

v0.6.1

25 Jun 02:47
3e8d473

What's Changed

  • use "updated at" date from cache when in offline mode (#116)
  • close each osv file immediately after being loaded instead of after all loading is finished (#117)
  • make lockfile read order deterministic (#119)
  • don't load databases or config when only listing packages (#120)
  • clean paths to lockfile and configs so that output is consistent (#121)

Full Changelog: v0.6.0...v0.6.1

v0.6.0

17 Jun 01:40
a930d22

This version has a few major improvements, starting with adding support for using the osv.dev API to check for vulnerabilities - this can serve as a means of checking for known vulnerabilities in dependencies that only have a git commit hash instead of a comparable version.

To supplement this, some of the lockfile parsers have been taught how to extract a commit hash if present - though not all of them support this yet, so the detector now also supports being passed package details as a CSV row (either via a file or on the commandline); this is useful for doing one-off queries and for checking dependencies that the detector currently can't infer for you (looking at you NuGet).

And finally, this version also changes the order of operations so now we:

  1. parse all the lockfiles (& configs),
  2. load the databases,
  3. check for known vulnerabilities in each lockfile.

This means the detector can both do more work in parallel and do less work overall by only loading each database once (instead of once-per-lockfile) - it also makes the output a bit nicer by separating the database loading info out from the lockfile check results.

We've also now got a GitHub Action you can use to easily check your dependencies for known vulnerabilities!

What's Changed

  • support using the osv.dev api directly (#94)
  • parse all lockfiles and load all databases before checking for vulnerabilities (#101)
  • support parsing commits from the following lockfiles
    • yarn.lock (#104)
    • package-lock.json (#105)
    • pnpm.yaml (#107)
    • Gemfile.lock (#108)
    • composer.lock (#94)
  • support providing arbitrary packages to check via a csv (#93 & #111)
  • use name and version properties if present when parsing pnpm.yaml locks (#106)

Full Changelog: v0.5.0...v0.6.0

v0.5.0

19 May 19:34
ed9a866

This version lands support for ignoring OSVs both via a CLI flag and via config files - by default the detector will look for either an .osv-detector.yml or an .osv-detector.yaml file in the directory of each lockfile it's checking, which can contain an ignore array.

The detector also now supports parsing pom.xml for the Maven ecosystem.

What's Changed

  • support parsing pom.xml / maven / java (#81)
  • support ignoring vulnerabilities (#91)
  • support config files (#95)

Full Changelog: v0.4.1...v0.5.0