@dependabot dependabot bot commented on behalf of github Apr 3, 2025

Bumps google/osv-scanner from 1.9.2 to 2.0.1.

Release notes

Sourced from google/osv-scanner's releases.

v2.0.1

Changelog

Features:

  • [Feature #1730](google/osv-scanner#1730) Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • [Feature #1770](google/osv-scanner#1770) Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • [Feature #1761](google/osv-scanner#1761) Improve output when scanning for OS packages; we now show binary packages associated with a source package in the table output.

Fixes:

API Changes:

New Contributors

Full Changelog: google/osv-scanner@v2.0.0...v2.0.1

v2.0.0

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.

... (truncated)

Changelog

Sourced from google/osv-scanner's changelog.

v2.0.1

Features:

  • [Feature #1730](google/osv-scanner#1730) Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • [Feature #1770](google/osv-scanner#1770) Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • [Feature #1761](google/osv-scanner#1761) Improve output when scanning for OS packages; we now show binary packages associated with a source package in the table output.

Fixes:

Docs:

API Changes:

OSV-Scanner v2.0.0

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.
    • Private registry support for Maven metadata.

... (truncated)

Commits
  • be9015f chore: Changelog and version update for v2.0.1 (#1775)
  • 847c200 test: update snapshots (#1778)
  • daf2d56 fix: include a hint when sbom extractor cannot be found about the file name b...
  • f6d2639 test: do everything through testcmd.RunAndMatchSnapshots including JSON rep...
  • d4a8d91 docs: Clarify osv-scanner.toml documentation (#1774)
  • bcf857c ci(workflows): remediate Scorecard Token-Permissions finding (#1771)
  • fd90ed1 test: remove redundant os.Exit calls (#1772)
  • 37c745e chore: add --force and --no-cache flags to script for building test image...
  • a22536c feat: Add cargoaudit extractor to artifacts (#1770)
  • 1ad7012 feat: improve OS status scanning output (#1761)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [google/osv-scanner](https://github.com/google/osv-scanner) from 1.9.2 to 2.0.1.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.9.2...v2.0.1)

---
updated-dependencies:
- dependency-name: google/osv-scanner
  dependency-version: 2.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 3, 2025
@dependabot dependabot bot requested a review from skyzyx as a code owner April 3, 2025 04:57
dependabot bot commented on behalf of github May 1, 2025

Superseded by #140.

@dependabot dependabot bot closed this May 1, 2025
@dependabot dependabot bot deleted the dependabot/github_actions/google/osv-scanner-2.0.1 branch May 1, 2025 04:55