winget install --id Google.OSVScanner
About OSV Scanner
A vulnerability scanner written in Go that uses the data provided by https://osv.dev
What's new in 2.4.0
Features:
- Feature #2815 Add support for the CycloneDX 1.7 specification (bumps cyclonedx-go to v0.11.0).
- Feature #2799 Enable .csproj and Central Package Management (nugetcpm) source scanning plugins by default.
- Feature #2871 Extract and parse Alpine OS distro version (e.g. Alpine:v3.17, Alpine:edge) from PURL distro qualifiers to scan packages under their respective Alpine ecosystems.
- Feature #2801 Enable the swift/packageresolved plugin by default to support SwiftURL vulnerability scans.
- Feature #2666 Add a Docker-based variant of the pre-commit hook in .pre-commit-hooks.yaml to avoid local compilation.
- Feature #2637 Add a new configuration setting ScanGoModVersion (disabled by default) to avoid parsing toolchain version directives directly from go.mod, preventing misleading warnings.
- Feature #2772 Scan container images built with Canonical Chisel by enabling the os/chisel extractor plugin.

Fixes:
- Bug #2807 Sanitize package name, source, and version fields in the vertical output format to prevent GitHub Actions workflow command injection vulnerabilities from crafted lock files.
- Bug #2876 Improve HTML scan report usability by supporting standard click modifiers (Ctrl/Cmd/middle click) to open vulnerabilities in new tabs, and preserving scroll position when switching tabs.
- Bug #2783 Keep transitive dependency scanning enabled when specifying the --offline-vulnerabilities flag.
- Bug #2808 Deduplicate equivalent OSV matcher requests before executing bulk queries to reduce API overhead.
- Bug #2837 Prevent panics during offline matcher scans (e.g. on unsup...
Version history
| Version | Updated | Notes |
|---|---|---|
| 2.4.0 | Unknown | Features: - Feature #2815 Add support for the CycloneDX 1.7 specification (bumps cyclonedx-go to v0.11.0). - Feature #2799 Enable .csproj and Central Package Management (nugetcpm) source scanning plugins by default. - Fe... |
| 2.3.8 | Unknown | Fixes: - Fix installation issues with go install due to dependency conflicts (downgrade containerd/cgroups/v3, moby/buildkit and opencontainers/runtime-spec). (#2782) - Bug #2762 Skip packages with short commit hashes in... |
| 2.3.6 | Unknown | Features: - Feature #2658 Support regex matching for package name overrides. - Feature #2510 Scan Homebrew inventory using git repository metadata. Fixes: - Bug #2750 Sanitize \r/\n in default/table/vertical output to pr... |
| 2.3.5 | Unknown | v2.3.5 Features: - Feature #2571 Enable transitive scanning for Python requirements.txt files using the deps.dev API. - Feature #2649 Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabl... |
| 2.3.3 | Unknown | Features: - Feature #2458 Add --exclude flag to skip paths during scanning. - Feature #2477 Add pylock extractor. - Feature #2475 Add base image info to container scanning output header (in table, markdown and vertical f... |
| 2.3.2 | Unknown | v2.3.2 This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in os... |
| 2.3.1 | Unknown | v2.3.1 Features: - Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX. Fixes: - Bug #2395 Fix l... |
| 2.3.0 | Unknown | This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users. Features: - Feature #2321 Add support for lic... |
| 2.2.4 | Unknown | Features: - Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp) - Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher. - Feature #2216 War... |
| 2.2.3 | Unknown | Changelog Features: - Feature #2209 Add support for resolving git packages that have a version specified. - Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-de... |
| 2.2.2 | Unknown | Features: - Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files. - Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfil... |
| 2.2.1 | Unknown | Fixes - Bug #2151 Filter by ecosystem before querying. Full Changelog: v2.2.0...v2.2.1 |
| 2.2.0 | Unknown | v2.2.0 OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)! Features: - Feature #2146 Allow manual OSV-Scalibr plugin selection. - Feature #2144 Add OSV-... |
| 2.1.0 | Unknown | v2.1.0 Features: - Feature #2038 Add CycloneDX location field to the output source string. - Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy. - Feature #1970 Hide unimporta... |
| 2.0.3 | Unknown | v2.0.3 Features: - Feature #1943 Added a flag to suppress "no package sources found" error. - Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to... |
| 2.0.2 | Unknown | Fixes: - Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version. - Bug... |
| 2.0.1 | Unknown | Changelog Features: - Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files. - Feature #1770 Add support for extracting dependencies from rust binaries compiled with... |
| 1.9.2 | Unknown | Release notes |