Releases: G-Rath/osv-detector
v0.7.2
What's Changed
- parse & compare versions as big integers to support really large numbers (#155)
Full Changelog: v0.7.1...v0.7.2
v0.7.1
What's Changed
- `Cargo.lock` starts with a capital letter (#151)
- Update module name to make it easier to consume packages (#150)
New Contributors
- @another-rex made their first contribution in #151
Full Changelog: v0.7.0...v0.7.1
v0.7.0
This version adds support for extra databases, which has a bunch of cool use-cases including drafting OSVs locally before submitting them to databases, and exotic uses of the OSV specification to check for things that are not technically vulnerabilities but are still undesirable (e.g. dependencies that are end of life, deprecated, unmaintained, or whose license means they can't be used in a project).
When combined with the ability to provide arbitrary packages via CSVs, this can also make it easier for communities that are not yet represented as an official ecosystem in the OSV specification, as they can still begin to author security advisories using the OSV spec with a proposed ecosystem name that the detector can use.
Because extra databases are configured in config files, the detector also now supports ignoring specific parts of config files. Note that by default the detector trusts any config file it finds, including any extra databases (remote or otherwise) that the file configures, so a config file checked in next to a lockfile can point the detector at a database of its author's choosing; it is up to you to decide whether you want extra databases loaded from a given config, and to skip that part of the config if not.
In addition to the above, the detector also now supports parsing `mix.lock` files for the Hex ecosystem, understands the new `last_affected` event in OSVs, and uses a unique exit code when it cannot find any supported lockfiles in the provided arguments, which can be useful for tooling.
What's Changed
- support extra databases (#114)
- adjust error message to indicate directories must have "at least one" lockfile (#137)
- support skipping specific parts of configs (#141)
- remove `--cache-all-databases` flag (#143)
- support `last_affected` in OSVs (#142)
- support parsing `mix.lock` (#124)
- use a unique exit code to indicate that no lockfiles could be found in the given args (#138)
Full Changelog: v0.6.2...v0.7.0
v0.6.2
What's Changed
- pass args to parser when using `--parse-as csv-row` (#129)
- require at least three fields to be present in csv rows (#130)
- improve readme section about csv parsers (#131)
Full Changelog: v0.6.1...v0.6.2
v0.6.1
What's Changed
- use "updated at" date from cache when in offline mode (#116)
- close each osv file immediately after being loaded instead of after all loading is finished (#117)
- make lockfile read order deterministic (#119)
- don't load databases or config when only listing packages (#120)
- clean paths to lockfile and configs so that output is consistent (#121)
Full Changelog: v0.6.0...v0.6.1
v0.6.0
This version has a few major improvements, starting with support for using the osv.dev API to check for vulnerabilities - this provides a means of checking for known vulnerabilities in dependencies that only have a git commit hash instead of a comparable version.
To supplement this, some of the lockfile parsers have been taught how to extract a commit hash if present - though not all of them support this yet, so the detector now also supports being passed package details as a CSV row (either via a file or on the command line); this is useful for doing one-off queries and for checking dependencies that the detector currently can't infer for you (looking at you, NuGet).
And finally, this version also changes the order of operations so now we:
- parse all the lockfiles (& configs),
- load the databases,
- check for known vulnerabilities in each lockfile.
This means the detector can both do more work in parallel and do less work overall by only loading each database once (instead of once-per-lockfile) - it also makes the output a bit nicer by separating the database loading info out from the lockfile check results.
We've also now got a GitHub Action you can use to easily check your dependencies for known vulnerabilities!
What's Changed
- support using the osv.dev api directly (#94)
- parse all lockfiles and load all databases before checking for vulnerabilities (#101)
- support parsing commits from the following lockfiles
- support providing arbitrary packages to check via a csv (#93 & #111)
- use `name` and `version` properties if present when parsing `pnpm.yaml` locks (#106)
Full Changelog: v0.5.0...v0.6.0
v0.5.0
This version lands support for ignoring OSVs both via a CLI flag and via config files - by default the detector will look for either an `.osv-detector.yml` or `.osv-detector.yaml` in the directory of each lockfile it's checking, which can contain an `ignore` array.
The detector also now supports parsing pom.xml for the Maven ecosystem.
What's Changed
- support parsing pom.xml / maven / java (#81)
- support ignoring vulnerabilities (#91)
- support config files (#95)
Full Changelog: v0.4.1...v0.5.0
v0.4.1
What's Changed
- exit with "generic error" code instead of "vuls. found" code when no valid path is provided (#86)
- validate `--parse-as` so that a sensible error is shown when a directory is passed and an invalid `--parse-as` value is provided (#85)
- use correct plural & singular forms in text output (#88)
- make flag usage text more accurate (#89)
Full Changelog: v0.4.0...v0.4.1
v0.4.0
This version focused on inputs and outputs: the detector now supports being passed multiple files and even directories, and can output results in JSON format.
What's Changed
- sort packages with the same name by their versions (#72)
- trim off leading "v" in version strings when parsing to make comparing more robust (#74)
- support json output (#77)
- support being passed multiple files in a single call (#73)
- support being passed a directory to check for supported lockfiles (#79)
Full Changelog: v0.3.0...v0.4.0
v0.3.0
This version switches the detector over from the GitHub advisory database to the databases provided by osv.dev, which aggregates a number of advisory databases (including the GitHub advisory database) into single ecosystem databases.
What's Changed
- switch to using ecosystem databases from osv.dev (#59)
- normalize names of python packages to favor false positives over false negatives (#56)
- support SEMVER ranges (#57)
- support OSV advisories with just `versions` array in affected (#58)
- fallback to using `details` field if `summary` is not present (#60)
- don't report vulnerabilities multiple times under different aliases (#61)
- add `--cache-all-databases` flag (#68)
Full Changelog: v0.2.1...v0.3.0
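The version handling in v0.7.2 (components parsed and compared as big integers), the leading-"v" trimming from v0.4.0, the SEMVER range support from v0.3.0 and the `last_affected` event from v0.7.0 all meet when a package version is tested against an OSV `events` list. The Go below is an added example written for this page, not code from osv-detector: `Event`, `splitVersion`, `CompareVersions`, `IsAffected` and `ExampleEvents` are names chosen here, the event list is constructed, and the pre-release and non-numeric handling are simplifications stated in the comments.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// Event mirrors one entry of an OSV "events" array: exactly one field is set.
type Event struct{ Introduced, Fixed, LastAffected string }

// splitVersion drops a leading "v" and build metadata, separates the pre-release tag,
// and parses each dotted component as a big.Int so >64-bit components still compare.
func splitVersion(v string) (core []*big.Int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for _, c := range strings.Split(v, ".") {
		n := new(big.Int)
		if _, ok := n.SetString(c, 10); !ok {
			n.SetInt64(0) // assumption: a non-numeric core component ranks as 0
		}
		core = append(core, n)
	}
	return core, pre
}

// CompareVersions returns -1, 0 or 1. Missing components count as 0 ("1.2" == "1.2.0"),
// a release sorts after its pre-releases, and pre-release tags compare as plain strings.
func CompareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for len(ca) < len(cb) {
		ca = append(ca, new(big.Int))
	}
	for len(cb) < len(ca) {
		cb = append(cb, new(big.Int))
	}
	for i := range ca {
		if c := ca[i].Cmp(cb[i]); c != 0 {
			return c
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// IsAffected walks the events in order: each "introduced" opens a window that the next
// "fixed" closes exclusively or the next "last_affected" closes inclusively; a window
// with no closing event stays open. "0" means "from the first version ever".
func IsAffected(version string, events []Event) bool {
	for i, e := range events {
		if e.Introduced == "" || (e.Introduced != "0" && CompareVersions(version, e.Introduced) < 0) {
			continue
		}
		closed := false
		for _, f := range events[i+1:] {
			if f.Introduced != "" {
				break // the next window starts; this one never closed
			}
			if f.Fixed != "" {
				closed = CompareVersions(version, f.Fixed) >= 0
				break
			}
			if f.LastAffected != "" {
				closed = CompareVersions(version, f.LastAffected) > 0
				break
			}
		}
		if !closed {
			return true
		}
	}
	return false
}

// ExampleEvents is constructed for this example (not a real OSV record): the affected
// windows are [0, 1.4.0) and [2.0.0, 2.1.5].
var ExampleEvents = []Event{{Introduced: "0"}, {Fixed: "1.4.0"}, {Introduced: "2.0.0"}, {LastAffected: "2.1.5"}}

func main() {
	for _, v := range []string{"1.3.9", "1.4.0-rc1", "1.4.0", "v2.1.5", "2.1.6"} {
		fmt.Printf("%-9s affected=%v\n", v, IsAffected(v, ExampleEvents))
	}
}
```

Two points worth checking against any comparator you write: `1.4.0-rc1` must land inside a window that `fixed: 1.4.0` closes, and a version equal to `last_affected` must still count as affected, while the same version against `fixed` must not.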
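The v0.3.0 note on normalizing Python package names so that matching errs toward false positives corresponds to the PEP 503 rule (lower-case, with runs of `-`, `_` and `.` collapsed to a single `-`), under which a lockfile's `Foo_Bar` and an advisory's `foo.bar` are the same project. The Go below is an added illustration, not osv-detector's own code: `NormalizeName` and `SameName` are names chosen here, the sample names are constructed, and comparing every non-PyPI ecosystem verbatim is this example's assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pypiSeparators matches the runs of "-", "_" and "." that PEP 503 treats as equivalent.
var pypiSeparators = regexp.MustCompile(`[-_.]+`)

// NormalizeName returns the key used to compare a package name within an ecosystem.
// PyPI names get the PEP 503 normalization; every other ecosystem is compared verbatim,
// which is this example's assumption rather than a rule taken from the detector.
func NormalizeName(ecosystem, name string) string {
	if ecosystem == "PyPI" {
		return strings.ToLower(pypiSeparators.ReplaceAllString(name, "-"))
	}
	return name
}

// SameName reports whether a lockfile package and an advisory refer to the same project.
func SameName(ecosystem, lockfileName, advisoryName string) bool {
	return NormalizeName(ecosystem, lockfileName) == NormalizeName(ecosystem, advisoryName)
}

func main() {
	// constructed pairs, not taken from any real lockfile or advisory
	fmt.Println(SameName("PyPI", "Foo_Bar", "foo.bar")) // true
	fmt.Println(SameName("npm", "Foo_Bar", "foo.bar"))  // false
}
```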