
Releases: google/osv-scanner

v2.3.3

12 Feb 00:12
b97d1de


Features:

  • Feature #2458 Add --exclude flag to skip paths during scanning.
  • Feature #2477 Add pylock extractor.
  • Feature #2475 Add base image info to container scanning output header (in table, markdown and vertical formats).

Misc:

  • Update Go version to 1.25.7.
  • Update osv-scalibr from v0.4.1 to v0.4.2.
  • Refactor to better align with osv-scalibr plugins and inventory data structure.

Full Changelog: v2.3.2...v2.3.3

v2.3.2

15 Jan 01:35
e2a5d93



This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:

  • Bug #2415 Add more PURL-to-ecosystem mappings
  • Bug #2422 Fix MCP error in get_vulnerability_id caused by an incorrect type definition.
  • Bug #2460 Enable osv-scanner.json git queries
  • Bug #2456 Properly track if an ignore entry has been used
  • Bug #2450 Performance: Avoid loading the entire advisory unless it will actually be used
  • Bug #2445 Performance: Don't read the entire zip into memory
  • Bug #2433 Allow specifying user agent in v2 osvscanner package

Misc:

  • Misc #2453 Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
  • Misc #2447 Include bun.lock as a supported lockfile
  • Misc #2444 Document GoVersionOverride in configuration.md

New Contributors

Full Changelog: v2.3.1...v2.3.2

v2.3.1

11 Dec 06:03
d037742



Features:

  • Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.

Fixes:

  • Bug #2395 Fix license scanning to correctly match new deps.dev package names.
  • Bug #2333 Deduplicate SARIF outputs for GitHub.
  • Bug #2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.

Misc:

  • Update Go version to 1.25.5 so that Go reachability analysis supports the latest Go release.

v2.3.0

19 Nov 05:14
b0b6027


This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users.

Features:

Fixes:

  • Bug #2329 Add --ignore-scripts flag to npm lockfile generation.
  • Bug #2311 Improve logic for --all-packages flag.
  • Bug #2309 Exit with a non-zero code when showing help.
  • Bug #2316 Pre-commit hook now defaults to scanning current directory instead of failing.
  • Bug #1507 (osv-scalibr) Interpolate Maven projects before extracting repositories.

New Contributors

Full Changelog: v2.2.4...v2.3.0

v2.2.4

29 Oct 05:34
8b6727b


Features:

  • Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
  • Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
  • Feature #2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #2206).
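
What these two ignore-list changes (#2216 above, and the used-entry tracking fix #2456 in v2.3.2) mean in practice, as an added illustration rather than a file from the osv-scanner repository: an ignore entry that never matches anything is now reported instead of silently sitting in the config. The osv-scanner.toml below shows the stale form beside the form worth keeping. Key names (IgnoredVulns, PackageOverrides, GoVersionOverride, ignoreUntil, reason) follow configuration.md as remembered here and should be checked against the configuration page for the version you run; the vulnerability id and package are placeholders.

```toml
# osv-scanner.toml, placed next to the manifest or lockfile being scanned.
# Key names assumed from configuration.md; verify for your osv-scanner version.

# Pin the Go toolchain version assumed for stdlib matching (documented as
# GoVersionOverride in v2.3.2's configuration.md).
GoVersionOverride = "1.25.7"

# Stale form: no reason, no expiry. Once the affected package is upgraded or
# removed this entry matches nothing, and before #2456 nobody was told.
# [[IgnoredVulns]]
# id = "GHSA-xxxx-xxxx-xxxx"

# Preferred form: a reason a reviewer can audit and an expiry date, so the
# exception is revisited. With #2216, a scan also warns when the id no longer
# matches any finding, which is the signal to delete the entry.
[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"          # placeholder id, not a real advisory
ignoreUntil = 2026-06-30            # TOML date; the ignore stops applying after it
reason = "Vulnerable code path is not reachable from this service; tracked in ticket SEC-1234"

# Package-level override for a dependency that should be skipped entirely,
# again with a recorded reason.
[[PackageOverrides]]
name = "example.com/internal-test-helper"   # placeholder package
ecosystem = "Go"
ignore = true
reason = "Test-only dependency, never shipped in the production image"
```

Run the scan with the config in place and watch the output for the new warning; an ignore that produces it has outlived the finding it was written for and should be removed rather than left to mask a future advisory with the same id.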

Fixes:

  • Bug #2305 Ignore common protocols and .git suffix when checking if an advisory affects a git repository (fixes #2291).
  • Bug #2300 Ensure the global logger is used in cmdlogger and osv-scalibr when set (fixes #2081).
  • Bug #2295 Fix Go stdlib license result matching (fixes #2191).

Full Changelog: v2.2.3...v2.2.4

v2.2.3

01 Oct 04:55
a66ef4b


Changelog

Features:

  • Feature #2209 Add support for resolving git packages that have a version specified.
  • Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
  • Feature #2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.

Fixes:

  • Bug #2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
  • Bug #2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

Full Changelog: v2.2.2...v2.2.3

v2.2.2

27 Aug 03:34
16ed452


Features:

  • Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
  • Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.

Fixes:

  • Bug #2204 Add a warning to guide users to the correct GitHub Action.
  • Bug #2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
  • Bug #2188 Fix handling of absolute paths on Windows.

Full Changelog: v2.2.1...v2.2.2

v2.2.1

11 Aug 00:54
04a8728


Fixes:

  • Bug #2151 Filter by ecosystem before querying.

Full Changelog: v2.2.0...v2.2.1

v2.2.0

07 Aug 03:47
a14aa98


OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins).

Features:

  • Feature #2146 Allow manual OSV-Scalibr plugin selection.
  • Feature #2144 Add OSV-Scalibr version to osv-scanner --version output.
  • Feature #2021 Add experimental support for running OSV-Scalibr detectors.
  • Feature #2079 Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.
  • Feature #2032 Add summary section at the top of outputs and a 'Fixed Version' column.
  • Feature #2076 Support Ubuntu severity type.

Fixes:

  • Bug #2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
  • Bug #2084 Show absolute paths when scanning containers.
  • Bug #2126 Log and preserve package count before continuing on db error.
  • Bug #2095 Pass through plugin capabilities correctly.
  • Bug #2051 Properly flag whether running on Linux or macOS for plugin compatibility.
  • Bug #2072 Add missing "text" property in description fields.
  • Bug #2068 Change links in output to go to the specific vulnerability page instead of the list page.
  • Bug #2064 Fix SARIF v3 output to include results.

API Changes:

New Contributors

Full Changelog: v2.1.0...v2.2.0

v2.1.0

11 Jul 04:42
9267fda



Features:

  • Feature #2038 Add CycloneDX location field to the output source string.
  • Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy.
  • Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and add a --show-all-vulns flag to show all.
  • Feature #2003 Add experimental summary output format for the reporter.
  • Feature #1988 Add support for CycloneDX 1.6 report format.
  • Feature #1987 Add support for gems.locked files used by Bundler.
  • Feature #1980 Enable transitive dependency extraction for Python requirements.txt files.
  • Feature #1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
  • Feature #1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
  • Feature #1957 Use a dedicated exit code for invalid configuration files.
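
Several items in this and later releases are about what the scanner's exit code and visible findings should be (unimportant vulnerabilities hidden by default here, the 'Fixed Version' column in v2.2.0, the exit-code fix #2202 in v2.2.2). A team that wants its own policy can decide the exit code from the JSON report instead. The script below is an added example, not osv-scanner code: it reads `--format json` output, pulls each finding's fixed versions from the OSV `affected[].ranges[].events[]` data, takes the group's `max_severity`, and fails the build only for findings at or above a threshold that actually have a fix. The report shape it assumes (`results[].packages[]` with `package`, `vulnerabilities` and `groups`) should be checked against the installed version; the embedded report is constructed, and its package names and vulnerability ids are placeholders.

```python
"""CI gate over `osv-scanner --format json` output (added example, not osv-scanner code).

Assumed report shape, to be checked against the installed osv-scanner version:
  results[].packages[].package         -> {name, version, ecosystem}
  results[].packages[].vulnerabilities -> OSV entries with affected[].ranges[].events[]
  results[].packages[].groups          -> [{ids: [...], max_severity: "7.5"}]
"""
import json
from dataclasses import dataclass, field


@dataclass
class Finding:
    package: str
    version: str
    ecosystem: str
    vuln_id: str
    max_severity: float
    fixed_versions: list = field(default_factory=list)


def fixed_versions_for(vuln: dict, name: str, ecosystem: str) -> list:
    """Collect every `fixed` event for this package from the OSV `affected` block."""
    fixed = []
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in aff.get("ranges", []):
            fixed.extend(ev["fixed"] for ev in rng.get("events", []) if "fixed" in ev)
    return fixed


def severity_for(pkg_result: dict, vuln_id: str) -> float:
    """max_severity is reported per group as a string; missing or blank counts as 0."""
    for grp in pkg_result.get("groups", []):
        if vuln_id in grp.get("ids", []):
            try:
                return float(grp.get("max_severity") or 0)
            except ValueError:
                return 0.0
    return 0.0


def collect_findings(report: dict) -> list:
    """Flatten the report into one Finding per (package, vulnerability)."""
    findings = []
    for result in report.get("results", []):
        for pr in result.get("packages", []):
            p = pr["package"]
            for v in pr.get("vulnerabilities", []):
                findings.append(Finding(
                    p["name"], p["version"], p["ecosystem"], v["id"],
                    severity_for(pr, v["id"]),
                    fixed_versions_for(v, p["name"], p["ecosystem"]),
                ))
    return findings


def gate(report: dict, min_severity: float = 7.0, require_fix: bool = True):
    """Return (exit_code, blocking findings). With require_fix, a finding that has no
    fixed version anywhere is still listed by collect_findings but does not fail the build."""
    blocking = [
        f for f in collect_findings(report)
        if f.max_severity >= min_severity and (f.fixed_versions or not require_fix)
    ]
    return (1 if blocking else 0), blocking


# Constructed sample report; package names and vulnerability ids are placeholders.
SAMPLE_REPORT = json.loads("""
{"results": [{"source": {"path": "/src/go.mod", "type": "lockfile"}, "packages": [
  {"package": {"name": "example.com/libfoo", "version": "1.2.3", "ecosystem": "Go"},
   "vulnerabilities": [{"id": "EXAMPLE-0001", "affected": [
     {"package": {"name": "example.com/libfoo", "ecosystem": "Go"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.4"}]}]}]}],
   "groups": [{"ids": ["EXAMPLE-0001"], "max_severity": "9.8"}]},
  {"package": {"name": "example.com/libbar", "version": "0.9.0", "ecosystem": "Go"},
   "vulnerabilities": [{"id": "EXAMPLE-0002", "affected": [
     {"package": {"name": "example.com/libbar", "ecosystem": "Go"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]}],
   "groups": [{"ids": ["EXAMPLE-0002"], "max_severity": "8.1"}]},
  {"package": {"name": "example.com/libbaz", "version": "2.0.0", "ecosystem": "Go"},
   "vulnerabilities": [{"id": "EXAMPLE-0003", "affected": [
     {"package": {"name": "example.com/libbaz", "ecosystem": "Go"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.0.1"}]}]}]}],
   "groups": [{"ids": ["EXAMPLE-0003"], "max_severity": "5.3"}]}
]}]}
""")

if __name__ == "__main__":
    import sys
    code, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print(f"{f.vuln_id} {f.ecosystem}/{f.package}@{f.version} "
              f"severity={f.max_severity} fixed_in={','.join(f.fixed_versions)}")
    sys.exit(code)
```

In a pipeline, replace `SAMPLE_REPORT` with `json.load(open(path))` on the file written by `osv-scanner ... --format json --output report.json`. Keeping the unfixable finding (EXAMPLE-0002 in the sample) visible but non-blocking is deliberate: it avoids a red build nobody can act on while still leaving a record that the advisory applies.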

Fixes:

  • Bug #2046 Correctly set the user agent string for all outgoing requests.
  • Bug #2019 Use more natural language in the descriptions for extractor-related flags.
  • Bug #1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
  • Bug #2000 Ensure CDATA content in XML is correctly output in guided remediation.
  • Bug #1949 Fix filtering of package types in vulnerability counts.

New Contributors

Full Changelog: v2.0.3...v2.1.0