chore: v2.2.3 changelog (#2255)

Co-authored-by: Rex P <[email protected]>

Author: jess-lowe

CHANGELOG.md

@@ -1,3 +1,16 @@
+# v2.2.3
+
+### Features:
+
+- [Feature #2209](https://github.com/google/osv-scanner/pull/2209) Add support for resolving git packages that have a version specified.
+- [Feature #2210](https://github.com/google/osv-scanner/pull/2210) Make the `--experimental-plugins` flag additive by default, and introduce a new `--experimental-no-default-plugins` flag.
+- [Feature #2203](https://github.com/google/osv-scanner/pull/2203) Update `osv-scalibr` to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.
+
+### Fixes:
+
+- [Bug #2214](https://github.com/google/osv-scanner/pull/2214) Fix issue where `input.Path` was incorrectly constructed on Windows when using the `-L` flag.
+- [Fix #2241](https://github.com/google/osv-scanner/pull/2241) **Performance:** Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.
+
 # v2.2.2
 
 ### Features:

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -23,7 +23,7 @@ OPTIONS:
 ---
 
 [Test_run/version - 1]
-osv-scanner version: 2.2.2
+osv-scanner version: 2.2.3
 osv-scalibr version: 0.3.4
 commit: n/a
 built at: n/a

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -96,7 +96,7 @@ Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner.toml
           "rules": [],
           "supportedTaxonomies": [],
           "taxa": [],
-          "version": "2.2.2"
+          "version": "2.2.3"
         },
         "extensions": []
       },
@@ -343,7 +343,7 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 3 High, 0 Medi
           ],
           "supportedTaxonomies": [],
           "taxa": [],
-          "version": "2.2.2"
+          "version": "2.2.3"
         },
         "extensions": []
       },
@@ -2262,7 +2262,7 @@ Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Mediu
           ],
           "supportedTaxonomies": [],
           "taxa": [],
-          "version": "2.2.2"
+          "version": "2.2.3"
         },
         "extensions": []
       },

docs/github-action.md

@@ -54,7 +54,7 @@ permissions:
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].3"
 ```
 
 ### View results
@@ -97,7 +97,7 @@ permissions:
 
 jobs:
   scan-scheduled:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].3"
 ```
 
 As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
@@ -132,7 +132,7 @@ permissions:
 
 jobs:
   osv-scan:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].3"
     with:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
@@ -184,7 +184,7 @@ Examples
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].3"
     with:
       scan-args: |-
         --lockfile=./path/to/lockfile1
@@ -196,7 +196,7 @@ jobs:
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].3"
     with:
       scan-args: |-
         --recursive
@@ -222,7 +222,7 @@ jobs:
     name: Vulnerability scanning
     # makes sure the extraction step is completed before running the scanner
     needs: extract-deps
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].3"
     with:
       # Download the artifact uploaded in extract-deps step
       download-artifact: converted-OSV-Scanner-deps