Features:

• Feature #2658 Support regex matching for package name overrides.
• Feature #2510 Scan Homebrew inventory using git repository metadata.

Fixes:

• Bug #2750 Sanitize \r/\n in default/table/vertical output to prevent GitHub Actions workflow command injection.
• Bug #2641 Correctly output packages from osv-scanner.json source in spdx format.
• Bug #2729 Increase color contrast of vulnerability stats.
• Bug #2664 Remove second newline at end of vertical output.
• Bug #2669 Sanitize \r in gh-annotations to prevent GitHub Actions workflow command injection.

Misc:

• Update osv-scalibr to v0.4.6-0.20260428235529-7791e288d6c1.
• Update Go version to 1.26.2 (#2706).

New Contributors

• @djvirus9 made their first contribution in #2669
• @jonjensen made their first contribution in #2695
• @dosisod made their first contribution in #2729
• @ibondarenko1 made their first contribution in #2748
• @sjhddh made their first contribution in #2744
• @Mananshah237 made their first contribution in #2641
• @majiayu000 made their first contribution in #2658
• @hits313 made their first contribution in #2750

Full Changelog: v2.3.5...v2.3.6

v2.3.5

Features:

• Feature #2571 Enable transitive scanning for Python requirements.txt files using the deps.dev API.
• Feature #2649 Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabled.

Fixes:

• Bug #2630 Improve startup performance on Windows Terminal by updating lipgloss.
• Bug #2599 Ensure the package deprecation enricher respects the same configuration as other plugins.
• Bug #2600 Ensure the Java extractor plugin for call analysis respects the same configuration as other plugins.

Misc:

• Update osv-scalibr from v0.4.2 to v0.4.5. Release notes: v0.4.3, v0.4.4, v0.4.5.
• Fix broken release workflow.

New Contributors

• @gurusai-voleti made their first contribution in #2520
• @hopkincame made their first contribution in #2564
• @tobyhawker made their first contribution in #2639

Full Changelog: v2.3.3...v2.3.5

Features:

• Feature #2458 Add --exclude flag to skip paths during scanning.
• Feature #2477 Add pylock extractor.
• Feature #2475 Add base image info to container scanning output header (in table, markdown and vertical formats).

Misc:

• Update Go version to 1.25.7.
• Update osv-scalibr from v0.4.1 to v0.4.2. Release note.
• Refactor to better align with osv-scalibr plugins and inventory data structure.

Full Changelog: v2.3.2...v2.3.3

v2.3.2

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:

• Bug #2415 Add more PURL-to-ecosystem mappings
• Bug #2422 MCP error for get_vulnerability_id because type definition is incorrect.
• Bug #2460 Enable osv-scanner.json git queries
• Bug #2456 Properly track if an ignore entry has been used
• Bug #2450 Performance: Avoid loading the entire advisory unless it will actually be used
• Bug #2445 Performance: Don't read the entire zip into memory
• Bug #2433 Allow specifying user agent in v2 osvscanner package

Misc:

• Misc #2453 Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
• Misc #2447 Include bun.lock as a supported lockfile
• Misc #2444 Document GoVersionOverride in configuration.md

New Contributors

• @catatsuy made their first contribution in #2437
• @google-labs-jules[bot] made their first contribution in #2444
• @fumblehool made their first contribution in #2447
• @scop made their first contribution in #2453
• @Ankitsinghsisodya made their first contribution in #2457

Full Changelog: v2.3.1...v2.3.2

v2.3.1

Features:

• Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.

Fixes:

• Bug #2395 Fix license scanning to correctly match new deps.dev package names.
• Bug #2333 Deduplicate SARIF outputs for GitHub.
• Bug #2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.

Misc:

• Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.

This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users.

Features:

• Feature #2321 Add support for license checks for RubyGems.
• Feature #2294 Replace requirementsenhanceable extractor with transitive enricher.
• Feature #2344 Use osduplicate annotators.

Fixes:

• Bug #2329 Add --ignore-scripts flag to npm lockfile generation.
• Bug #2311 Improve logic for --all-packages flag.
• Bug #2309 Exit with a non-zero code when showing help.
• Bug #2316 Pre-commit hook now defaults to scanning current directory instead of failing.
• Bug #1507 (osv-scalibr) Interpolate Maven projects before extracting repositories.

New Contributors

• @Ly-Joey made their first contribution in #2311
• @pcastellazzi made their first contribution in #2316

Full Changelog: v2.2.4...v2.3.0

Features:

• Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
• Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
• Feature #2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #2206).

Fixes:

• Bug #2305 Ignore common protocols and .git suffix when checking if an advisory affects a git repository (fixes #2291).
• Bug #2300 Ensure the global logger is used in cmdlogger and osv-scalibr when set (fixes #2081).
• Bug #2295 Fix Go stdlib license result matching (fixes #2191).

Full Changelog: v2.2.3...v2.2.4

Changelog

Features:

• Feature #2209 Add support for resolving git packages that have a version specified.
• Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
• Feature #2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.

Fixes:

• Bug #2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
• Fix #2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

Full Changelog: v2.2.2...v2.2.3

Features:

• Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
• Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.

Fixes:

• Bug #2204 Add a warning to guide users to the correct GitHub Action.
• Bug #2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
• Bug #2188 Fix handling of absolute paths on Windows.

Full Changelog: v2.2.1...v2.2.2

Fixes

• Bug #2151 Filter by ecosystem before querying.

Full Changelog: v2.2.0...v2.2.1