winget install --id Google.OSVScanner
About OSV Scanner
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
What's new in 2.3.8
Fixes:
- Fix installation issues with go install due to dependency conflicts (downgrade containerd/cgroups/v3, moby/buildkit and opencontainers/runtime-spec). (#2782)
- Bug #2762 Skip packages with short commit hashes instead of aborting scan.
- Bug #2781 Secure file path handling with os.OpenRoot.
- Bug #2766 Correct typos across docs, configs, and Go source.

Misc:
- Update osv-scalibr to v0.4.6-0.20260504042738-9293bfa4f86f.

Version history
| Version | Updated | Notes |
|---|---|---|
| 2.3.8 | Unknown | Fixes: - Fix installation issues with go install due to dependency conflicts (downgrade containerd/cgroups/v3, moby/buildkit and opencontainers/runtime-spec). (#2782) - Bug #2762 Skip packages with short commit hashes in... |
| 2.3.6 | Unknown | Features: - Feature #2658 Support regex matching for package name overrides. - Feature #2510 Scan Homebrew inventory using git repository metadata. Fixes: - Bug #2750 Sanitize \r/\n in default/table/vertical output to pr... |
| 2.3.5 | Unknown | v2.3.5 Features: - Feature #2571 Enable transitive scanning for Python requirements.txt files using the deps.dev API. - Feature #2649 Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabl... |
| 2.3.3 | Unknown | Features: - Feature #2458 Add --exclude flag to skip paths during scanning. - Feature #2477 Add pylock extractor. - Feature #2475 Add base image info to container scanning output header (in table, markdown and vertical f... |
| 2.3.2 | Unknown | v2.3.2 This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in os... |
| 2.3.1 | Unknown | v2.3.1 Features: - Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX. Fixes: - Bug #2395 Fix l... |
| 2.3.0 | Unknown | This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users. Features: - Feature #2321 Add support for lic... |
| 2.2.4 | Unknown | Features: - Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp) - Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher. - Feature #2216 War... |
| 2.2.3 | Unknown | Changelog Features: - Feature #2209 Add support for resolving git packages that have a version specified. - Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-de... |
| 2.2.2 | Unknown | Features: - Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files. - Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfil... |
| 2.2.1 | Unknown | Fixes - Bug #2151 Filter by ecosystem before querying. Full Changelog: v2.2.0...v2.2.1 |
| 2.2.0 | Unknown | v2.2.0 OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)! Features: - Feature #2146 Allow manual OSV-Scalibr plugin selection. - Feature #2144 Add OSV-... |
| 2.1.0 | Unknown | v2.1.0 Features: - Feature #2038 Add CycloneDX location field to the output source string. - Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy. - Feature #1970 Hide unimporta... |
| 2.0.3 | Unknown | v2.0.3 Features: - Feature #1943 Added a flag to suppress "no package sources found" error. - Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to... |
| 2.0.2 | Unknown | Fixes: - Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version. - Bug... |
| 2.0.1 | Unknown | Changelog Features: - Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files. - Feature #1770 Add support for extracting dependencies from rust binaries compiled with... |
| 1.9.2 | Unknown | Release notes |