
Commit 408fcd6

chore: release osv-scanner v2.3.8 (#2786)
Release osv-scanner v2.3.8
1 parent a6cc80e commit 408fcd6

19 files changed

Lines changed: 876 additions & 878 deletions

CHANGELOG.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,17 @@
1-
# v2.3.7
1+
# v2.3.7/v2.3.8
22

33
### Fixes:
44

55
- Fix installation issues with `go install` due to dependency conflicts (downgrade `containerd/cgroups/v3`, `moby/buildkit` and `opencontainers/runtime-spec`).
6+
- [Bug #2762](https://github.com/google/osv-scanner/pull/2762) Skip packages with short commit hashes instead of aborting scan.
7+
- [Bug #2781](https://github.com/google/osv-scanner/pull/2781) Secure file path handling with `os.OpenRoot`.
8+
- [Bug #2766](https://github.com/google/osv-scanner/pull/2766) Correct typos across docs, configs, and Go source.
69

710
### Misc:
811

912
- Update osv-scalibr to `v0.4.6-0.20260504042738-9293bfa4f86f`.
13+
- Remove replace directive (#2782).
14+
- Update contributing.md (#2779).
1015

1116
# v2.3.6
1217
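Review bot: merging the two releases under one `# v2.3.7/v2.3.8` heading loses the information a changelog exists for: a reader can no longer tell that the `go install` dependency fix shipped in 2.3.7 while #2762, #2781 and #2766 are new in 2.3.8. Keep a separate `# v2.3.8` heading carrying only the new entries. Two smaller points in the same hunk: the `[Bug #2762]`, `[Bug #2781]` and `[Bug #2766]` labels say "Bug" but link to `/pull/...`, while the Misc entries use the bare `(#2782)` style, so pick one convention; and "Remove replace directive (#2782)" should name the module whose `replace` was dropped, since that is what a consumer building with `go install` cares about. On the #2781 entry, `os.OpenRoot` was added to the standard library in Go 1.24, so if this commit raised the `go` directive in go.mod, that new minimum belongs next to the entry. On the #2762 entry, skipping a package instead of aborting reduces scan coverage silently unless the skip is logged; say here whether a warning is emitted so users know which packages were not matched.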

cmd/osv-scanner/__snapshots__/main_test.snap

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ OPTIONS:
4646
---
4747

4848
[Test_run/version - 1]
49-
osv-scanner version: 2.3.7
49+
osv-scanner version: 2.3.8
5050
osv-scalibr version: 0.4.5
5151
commit: n/a
5252
built at: n/a
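Review bot: `osv-scalibr version: 0.4.5` is unchanged although the CHANGELOG hunk says osv-scalibr was bumped to `v0.4.6-0.20260504042738-9293bfa4f86f`. A pseudo-version of that form points at a commit after the v0.4.5 tag, so if the printed value comes from scalibr's own version constant it would still read 0.4.5; but confirm this snapshot was regenerated after the dependency bump rather than carried over, and if the scanner is meant to report the module version, the pseudo-version should appear here.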

cmd/osv-scanner/mcp/__snapshots__/integration_test.snap

Lines changed: 1 addition & 1 deletion
@@ -24,6 +24,6 @@ lockfile:<rootdir>/testdata/go-project/go.mod: found 1 package with issues
2424
Severity: '5.9'; Minimal Fix Version: '1.1.0';
2525

2626
1 known vulnerability found in lockfile:<rootdir>/testdata/go-project/go.mod
27-
Hiding 15 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
27+
Hiding 23 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
2828

2929
---
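Review bot: the hidden count moving from 15 to 23 with no change to the scanned fixture (`testdata/go-project/go.mod`, still 1 package with issues) shows this snapshot is pinned to whatever the vulnerability database returns on the day it is refreshed, so it will churn on every release commit. Consider running the MCP integration test against a fixed local advisory set, or asserting on the one reported finding rather than on the hidden total. Separately, the message text itself is awkward: "Hiding 23 number of vulnerabilities deemed unimportant" should read "Hiding 23 vulnerabilities deemed unimportant"; that is a fix in the formatter, not in the snapshot.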

cmd/osv-scanner/scan/image/__snapshots__/command_test.snap

Lines changed: 48 additions & 29 deletions
@@ -444,7 +444,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
444444
445445
446446
Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image):
447-
Total 25 packages affected by 84 known vulnerabilities (6 Critical, 21 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
447+
Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
448448
28 vulnerabilities can be fixed.
449449
450450
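Review bot: this summary change (84 to 83, High 21 to 20) and the matching dpkg rows and JSON hunks below look like vulnerability-data drift rather than an effect of #2762 or #2781, yet they land in the release commit next to the version bump. Regenerating snapshots in their own commit would let a reviewer separate data churn from behaviour changes; as it stands, anyone bisecting a reporting regression has to read 876 added lines to find the one that matters. `28 vulnerabilities can be fixed` staying constant while a High finding disappears is consistent with the removed finding having had no fix, which the dpkg row below confirms (`Partial fixes Available` with 2 findings becomes `Fix Available` with 1).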
@@ -455,7 +455,7 @@ Ubuntu:22.04
455455
| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
456456
+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+
457457
| coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu |
458-
| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu |
458+
| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu |
459459
| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |
460460
| glibc | 2.35-0ubuntu3.8 | Partial fixes Available | 11 | libc-bin, libc6 | # 4 Layer | ubuntu |
461461
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 4 | gpgv | # 4 Layer | ubuntu |
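Review bot: the FIX AVAILABLE column mixes three capitalisations in one table: `No fix available`, `Partial fixes Available` and `Fix Available`. Pick one form (for example `No fix available`, `Partial fix available`, `Fix available`) in the table renderer; it is cosmetic, but it also trips anyone grepping the text output for a status. The row change itself agrees with the summary hunk above: one of dpkg's two findings is gone and the remaining one has a fix.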
@@ -496,7 +496,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
496496
497497
498498
Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image):
499-
Total 25 packages affected by 84 known vulnerabilities (6 Critical, 21 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
499+
Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
500500
28 vulnerabilities can be fixed.
501501
502502
@@ -507,7 +507,7 @@ Ubuntu:22.04
507507
| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
508508
+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+
509509
| coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu |
510-
| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu |
510+
| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu |
511511
| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |
512512
| glibc | 2.35-0ubuntu3.8 | Partial fixes Available | 11 | libc-bin, libc6 | # 4 Layer | ubuntu |
513513
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 4 | gpgv | # 4 Layer | ubuntu |
@@ -567,7 +567,7 @@ Scanning local image tarball "./testdata/test-ubuntu-with-packages.tar"
567567
568568
569569
Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image):
570-
Total 25 packages affected by 84 known vulnerabilities (6 Critical, 21 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
570+
Total 25 packages affected by 83 known vulnerabilities (6 Critical, 20 High, 39 Medium, 6 Low, 12 Unknown) from 1 ecosystem.
571571
28 vulnerabilities can be fixed.
572572
573573
@@ -578,7 +578,7 @@ Ubuntu:22.04
578578
| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
579579
+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+
580580
| coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu |
581-
| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu |
581+
| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu |
582582
| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |
583583
| glibc | 2.35-0ubuntu3.8 | Partial fixes Available | 11 | libc-bin, libc6 | # 4 Layer | ubuntu |
584584
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 4 | gpgv | # 4 Layer | ubuntu |
@@ -619,8 +619,8 @@ Scanning local image tarball "./testdata/test-java-full.tar"
619619
620620
621621
Container Scanning Result (Alpine Linux v3.21) (Based on "eclipse-temurin" image):
622-
Total 26 packages affected by 96 known vulnerabilities (5 Critical, 44 High, 41 Medium, 5 Low, 1 Unknown) from 2 ecosystems.
623-
96 vulnerabilities can be fixed.
622+
Total 31 packages affected by 108 known vulnerabilities (5 Critical, 50 High, 46 Medium, 5 Low, 2 Unknown) from 2 ecosystems.
623+
108 vulnerabilities can be fixed.
624624
625625
626626
Maven
@@ -634,12 +634,17 @@ Maven
634634
| com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 2 | # 12 Layer | -- |
635635
| commons-beanutils:commons-beanutils | 1.9.4 | Fix Available | 1 | # 12 Layer | -- |
636636
| dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 12 Layer | -- |
637-
| io.netty:netty-codec | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
638-
| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 5 | # 12 Layer | -- |
639-
| io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- |
637+
| io.netty:netty-codec | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- |
638+
| io.netty:netty-codec-dns | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
639+
| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 10 | # 12 Layer | -- |
640+
| io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 3 | # 12 Layer | -- |
641+
| io.netty:netty-codec-mqtt | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
642+
| io.netty:netty-codec-redis | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
640643
| io.netty:netty-codec-smtp | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
641644
| io.netty:netty-common | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- |
642645
| io.netty:netty-handler | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
646+
| io.netty:netty-handler-proxy | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
647+
| io.netty:netty-transport-native-epoll | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |
643648
| org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 12 Layer | -- |
644649
| org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 12 Layer | -- |
645650
| org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 12 Layer | -- |
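Review bot: the deltas reconcile, which is worth stating in the commit: five new Maven rows (netty-codec-dns, netty-codec-mqtt, netty-codec-redis, netty-handler-proxy, netty-transport-native-epoll) match the summary moving from 26 to 31 packages, and the per-row increments (+1, +1, +5, +1, +1, +1, +1, +1) sum to the +12 that takes 96 to 108. What the snapshot cannot show is whether those five jars were newly extracted by the osv-scalibr bump or were always present in the image and only now have advisories at 4.1.100.Final; the first is a behaviour change that belongs in the CHANGELOG's Misc entry, the second is plain data drift.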
@@ -864,8 +869,8 @@ Scanning local image tarball "./testdata/test-package-tracing.tar"
864869
865870
866871
Container Scanning Result (Alpine Linux v3.20) (Based on "alpine" image):
867-
Total 10 packages affected by 265 known vulnerabilities (2 Critical, 14 High, 13 Medium, 2 Low, 234 Unknown) from 2 ecosystems.
868-
265 vulnerabilities can be fixed.
872+
Total 10 packages affected by 313 known vulnerabilities (2 Critical, 14 High, 13 Medium, 2 Low, 282 Unknown) from 2 ecosystems.
873+
313 vulnerabilities can be fixed.
869874
870875
871876
Go
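Review bot: the +48 in the Unknown bucket (234 to 282, and 265 to 313 overall) is exactly six Go binaries times the eight stdlib advisories added below (39 to 47 per artifact, and eight new `GO-2026-*` IDs in the JSON hunks), so the numbers reconcile. Two things this exposes in the report rather than in the commit: the headline `313 known vulnerabilities` for `10 packages` counts each stdlib 1.22.4 advisory once per binary that embeds it, and 282 of the 313 entries, all of the stdlib ones, are severity Unknown, so the Critical/High/Medium/Low breakdown describes only 31 findings. Both deserve a sentence in the container-scanning docs so users do not read 313 as distinct issues.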
@@ -874,42 +879,42 @@ Go
874879
+---------+-------------------+---------------+------------+------------------+---------------+
875880
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
876881
+---------+-------------------+---------------+------------+------------------+---------------+
877-
| stdlib | 1.22.4 | Fix Available | 39 | # 9 Layer | -- |
882+
| stdlib | 1.22.4 | Fix Available | 47 | # 9 Layer | -- |
878883
+---------+-------------------+---------------+------------+------------------+---------------+
879884
+---------------------------------------------------------------------------------------------+
880885
| Source:artifact:/go/bin/ptf-1.2.0 |
881886
+---------+-------------------+---------------+------------+------------------+---------------+
882887
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
883888
+---------+-------------------+---------------+------------+------------------+---------------+
884-
| stdlib | 1.22.4 | Fix Available | 39 | # 2 Layer | -- |
889+
| stdlib | 1.22.4 | Fix Available | 47 | # 2 Layer | -- |
885890
+---------+-------------------+---------------+------------+------------------+---------------+
886891
+---------------------------------------------------------------------------------------------+
887892
| Source:artifact:/go/bin/ptf-1.3.0 |
888893
+---------+-------------------+---------------+------------+------------------+---------------+
889894
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
890895
+---------+-------------------+---------------+------------+------------------+---------------+
891-
| stdlib | 1.22.4 | Fix Available | 39 | # 4 Layer | -- |
896+
| stdlib | 1.22.4 | Fix Available | 47 | # 4 Layer | -- |
892897
+---------+-------------------+---------------+------------+------------------+---------------+
893898
+---------------------------------------------------------------------------------------------+
894899
| Source:artifact:/go/bin/ptf-1.3.0-moved |
895900
+---------+-------------------+---------------+------------+------------------+---------------+
896901
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
897902
+---------+-------------------+---------------+------------+------------------+---------------+
898-
| stdlib | 1.22.4 | Fix Available | 39 | # 3 Layer | -- |
903+
| stdlib | 1.22.4 | Fix Available | 47 | # 3 Layer | -- |
899904
+---------+-------------------+---------------+------------+------------------+---------------+
900905
+---------------------------------------------------------------------------------------------+
901906
| Source:artifact:/go/bin/ptf-1.4.0 |
902907
+---------+-------------------+---------------+------------+------------------+---------------+
903908
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
904909
+---------+-------------------+---------------+------------+------------------+---------------+
905-
| stdlib | 1.22.4 | Fix Available | 39 | # 2 Layer | -- |
910+
| stdlib | 1.22.4 | Fix Available | 47 | # 2 Layer | -- |
906911
+---------+-------------------+---------------+------------+------------------+---------------+
907912
+---------------------------------------------------------------------------------------------+
908913
| Source:artifact:/go/bin/ptf-vulnerable |
909914
+---------+-------------------+---------------+------------+------------------+---------------+
910915
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |
911916
+---------+-------------------+---------------+------------+------------------+---------------+
912-
| stdlib | 1.22.4 | Fix Available | 39 | # 7 Layer | -- |
917+
| stdlib | 1.22.4 | Fix Available | 47 | # 7 Layer | -- |
913918
+---------+-------------------+---------------+------------+------------------+---------------+
914919
Alpine:v3.20
915920
+------------------------------------------------------------------------------------------------------------------------------+
@@ -2329,7 +2334,7 @@ Scanning local image tarball "./testdata/test-image-with-deprecated.tar"
23292334
"index": 2
23302335
}
23312336
},
2332-
"groups": 39,
2337+
"groups": 47,
23332338
"vulnerabilities": [
23342339
"GO-2024-2963",
23352340
"GO-2024-3105",
@@ -2368,8 +2373,16 @@ Scanning local image tarball "./testdata/test-image-with-deprecated.tar"
23682373
"GO-2026-4865",
23692374
"GO-2026-4869",
23702375
"GO-2026-4870",
2376+
"GO-2026-4918",
23712377
"GO-2026-4946",
2372-
"GO-2026-4947"
2378+
"GO-2026-4947",
2379+
"GO-2026-4971",
2380+
"GO-2026-4976",
2381+
"GO-2026-4977",
2382+
"GO-2026-4980",
2383+
"GO-2026-4981",
2384+
"GO-2026-4982",
2385+
"GO-2026-4986"
23732386
]
23742387
},
23752388
{
@@ -3249,11 +3262,10 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar"
32493262
"index": 4
32503263
}
32513264
},
3252-
"groups": 2,
3265+
"groups": 1,
32533266
"vulnerabilities": [
32543267
"USN-7768-1",
3255-
"UBUNTU-CVE-2025-6297",
3256-
"UBUNTU-CVE-2026-2219"
3268+
"UBUNTU-CVE-2025-6297"
32573269
]
32583270
},
32593271
{
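Review bot: `UBUNTU-CVE-2026-2219` dropping out of the dpkg `1.21.1ubuntu2.3` group for an unchanged package is the change behind the 84 to 83 summary and the dpkg row edits above; `groups` going from 2 to 1 while `USN-7768-1` and `UBUNTU-CVE-2025-6297` both remain means those two were already aliased into one group. A finding that vanishes from a fixture without a package change is exactly what a downstream user will ask about, so the release notes should say why (advisory withdrawn, or its affected range narrowed upstream, whichever applies) rather than leaving it as snapshot noise. The same hunk repeats for `test-ubuntu.tar` further down.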
@@ -4190,7 +4202,7 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
41904202
"index": 7
41914203
}
41924204
},
4193-
"groups": 91,
4205+
"groups": 99,
41944206
"vulnerabilities": [
41954207
"GO-2022-0477",
41964208
"GO-2022-0493",
@@ -4281,8 +4293,16 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
42814293
"GO-2026-4865",
42824294
"GO-2026-4869",
42834295
"GO-2026-4870",
4296+
"GO-2026-4918",
42844297
"GO-2026-4946",
4285-
"GO-2026-4947"
4298+
"GO-2026-4947",
4299+
"GO-2026-4971",
4300+
"GO-2026-4976",
4301+
"GO-2026-4977",
4302+
"GO-2026-4980",
4303+
"GO-2026-4981",
4304+
"GO-2026-4982",
4305+
"GO-2026-4986"
42864306
]
42874307
}
42884308
]
@@ -4334,11 +4354,10 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
43344354
"index": 4
43354355
}
43364356
},
4337-
"groups": 2,
4357+
"groups": 1,
43384358
"vulnerabilities": [
43394359
"USN-7768-1",
4340-
"UBUNTU-CVE-2025-6297",
4341-
"UBUNTU-CVE-2026-2219"
4360+
"UBUNTU-CVE-2025-6297"
43424361
]
43434362
},
43444363
{
