Releases: google/osv-scanner

v2.3.1

11 Dec 06:03
d037742


Features:

  • Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.

Fixes:

  • Bug #2395 Fix license scanning to correctly match new deps.dev package names.
  • Bug #2333 Deduplicate SARIF outputs for GitHub.
  • Bug #2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.

Misc:

  • Updated the Go toolchain to v1.25.5 so that Go reachability analysis works with the latest Go version.

v2.3.0

19 Nov 05:14
b0b6027


This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users.

Fixes:

  • Bug #2329 Add --ignore-scripts flag to npm lockfile generation.
  • Bug #2311 Improve logic for --all-packages flag.
  • Bug #2309 Exit with a non-zero code when showing help.
  • Bug #2316 Pre-commit hook now defaults to scanning current directory instead of failing.
  • Bug #1507 (osv-scalibr) Interpolate Maven projects before extracting repositories.

New Contributors

Full Changelog: v2.2.4...v2.3.0

v2.2.4

29 Oct 05:34
8b6727b


Features:

  • Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
  • Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
  • Feature #2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #2206).

Fixes:

  • Bug #2305 Ignore common protocols and .git suffix when checking if an advisory affects a git repository (fixes #2291).
  • Bug #2300 Ensure the global logger is used in cmdlogger and osv-scalibr when set (fixes #2081).
  • Bug #2295 Fix Go stdlib license result matching (fixes #2191).

Full Changelog: v2.2.3...v2.2.4

v2.2.3

01 Oct 04:55
a66ef4b


Changelog

Features:

  • Feature #2209 Add support for resolving git packages that have a version specified.
  • Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
  • Feature #2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.

Fixes:

  • Bug #2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
  • Fix #2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

Full Changelog: v2.2.2...v2.2.3

v2.2.2

27 Aug 03:34
16ed452


Features:

  • Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
  • Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.

Fixes:

  • Bug #2204 Add a warning to guide users to the correct GitHub Action.
  • Bug #2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
  • Bug #2188 Fix handling of absolute paths on Windows.

Full Changelog: v2.2.1...v2.2.2

v2.2.1

11 Aug 00:54
04a8728

Fixes:

  • Bug #2151 Filter by ecosystem before querying.

Full Changelog: v2.2.0...v2.2.1

v2.2.0

07 Aug 03:47
a14aa98

OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins)!

Features:

  • Feature #2146 Allow manual OSV-Scalibr plugin selection.
  • Feature #2144 Add OSV-Scalibr version to osv-scanner --version output.
  • Feature #2021 Add experimental support for running OSV-Scalibr detectors.
  • Feature #2079 Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.
  • Feature #2032 Add summary section at the top of outputs and a 'Fixed Version' column.
  • Feature #2076 Support Ubuntu severity type.

Fixes:

  • Bug #2141 Fix OSV-Scanner JSON scans not matching the correct ecosystem.
  • Bug #2084 Show absolute paths when scanning containers.
  • Bug #2126 Log and preserve package count before continuing on db error.
  • Bug #2095 Pass through plugin capabilities correctly.
  • Bug #2051 Properly detect whether the scanner is running on Linux or macOS for plugin compatibility.
  • Bug #2072 Add missing "text" property in description fields.
  • Bug #2068 Change links in output to go to the specific vulnerability page instead of the list page.
  • Bug #2064 Fix SARIF v3 output to include results.

New Contributors

Full Changelog: v2.1.0...v2.2.0

v2.1.0

11 Jul 04:42
9267fda


Features:

  • Feature #2038 Add CycloneDX location field to the output source string.
  • Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy.
  • Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and add a --show-all-vulns flag to show all of them.
  • Feature #2003 Add experimental summary output format for the reporter.
  • Feature #1988 Add support for CycloneDX 1.6 report format.
  • Feature #1987 Add support for gems.locked files used by Bundler.
  • Feature #1980 Enable transitive dependency extraction for Python requirements.txt files.
  • Feature #1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
  • Feature #1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
  • Feature #1957 Use a dedicated exit code for invalid configuration files.

Fixes:

  • Bug #2046 Correctly set the user agent string for all outgoing requests.
  • Bug #2019 Use more natural language in the descriptions for extractor-related flags.
  • Bug #1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
  • Bug #2000 Ensure CDATA content in XML is correctly output in guided remediation.
  • Bug #1949 Fix filtering of package types in vulnerability counts.

New Contributors

Full Changelog: v2.0.3...v2.1.0

v2.0.3

16 Jun 02:20
4f77b30


Features:

  • Feature #1943 Added a flag to suppress "no package sources found" error.
  • Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3.
  • Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
  • Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.

Fixes:

  • Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
  • Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
  • Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
  • Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
  • Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
  • Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
  • Bug #1857 Fix an issue where SPDX output was not correctly written because it was being overwritten.
  • Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
  • Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
  • Bug #1930 Fix issue where Maven client loses auth data during extraction.

Misc:

  • Update dependencies and update Go to 1.24.4.

New Contributors

Full Changelog: v2.0.2...v2.0.3

v2.0.2

30 Apr 06:19
a2a2385


Fixes:

  • Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • Bug #1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

New Contributors

Full Changelog: v2.0.1...v2.0.2