Merged
20 changes: 20 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,23 @@
# v2.3.2

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in `osv-scanner.json`, and ignore entry tracking, along with documentation updates.

### Fixes:

- [Bug #2415](https://github.com/google/osv-scanner/pull/2415) Add more PURL-to-ecosystem mappings
- [Bug #2422](https://github.com/google/osv-scanner/pull/2422) MCP error for get_vulnerability_id because type definition is incorrect.
- [Bug #2460](https://github.com/google/osv-scanner/pull/2460) Enable osv-scanner.json git queries
- [Bug #2456](https://github.com/google/osv-scanner/pull/2456) Properly track if an ignore entry has been used
- [Bug #2450](https://github.com/google/osv-scanner/pull/2450) **Performance:** Avoid loading the entire advisory unless it will actually be used
- [Bug #2445](https://github.com/google/osv-scanner/pull/2445) **Performance:** Don't read the entire zip into memory
- [Bug #2433](https://github.com/google/osv-scanner/pull/2433) Allow specifying user agent in v2 osvscanner package

### Misc:

- [Misc #2453](https://github.com/google/osv-scanner/pull/2453) Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
- [Misc #2447](https://github.com/google/osv-scanner/pull/2447) Include `bun.lock` as a supported lockfile
- [Misc #2444](https://github.com/google/osv-scanner/pull/2444) Document GoVersionOverride in configuration.md

# v2.3.1

### Features:
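Review bot: the release summary and the fix entry name different MCP tools: the summary says `get_vulnerability_details` while the #2422 entry says `get_vulnerability_id`. One of these should be corrected so they agree, and the #2422 line is phrased as the bug rather than the fix (and is the only entry ending in a period); something like "Fix incorrect type definition in MCP get_vulnerability_details tool" would match the style of the other Fixes entries.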
2 changes: 1 addition & 1 deletion cmd/osv-scanner/__snapshots__/main_test.snap
@@ -46,7 +46,7 @@ OPTIONS:
---

[Test_run/version - 1]
osv-scanner version: 2.3.1
osv-scanner version: 2.3.2
osv-scalibr version: 0.4.1
commit: n/a
built at: n/a
61 changes: 15 additions & 46 deletions cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
@@ -428,8 +428,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
Scanning local image tarball "./testdata/test-ubuntu.tar"

Container Scanning Result (Ubuntu 22.04.5 LTS):
Total 23 packages affected by 46 known vulnerabilities (3 Critical, 14 High, 24 Medium, 3 Low, 2 Unknown) from 1 ecosystem.
19 vulnerabilities can be fixed.
Total 22 packages affected by 46 known vulnerabilities (2 Critical, 14 High, 24 Medium, 3 Low, 3 Unknown) from 1 ecosystem.
21 vulnerabilities can be fixed.


Ubuntu:22.04
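Review bot: the summary-line changes here (23 to 22 packages, Critical 3 to 2, Unknown 2 to 3, fixable 19 to 21, total still 46) come from re-recorded advisory data, not from any code in this release, and that deserves a sentence in the PR so it is not mistaken for a counting regression. The rest of the diff shows one zlib advisory dropping out and USN-7946-1 arriving for gnupg2, which accounts for the unchanged total of 46 and the one-step Critical/Unknown shift; but fixable rises by two while only one advisory is added and the removed zlib row was "No fix available", so the second newly fixable vulnerability is not explained by the visible lines (plausibly the new USN supplies a fix for a CVE already in the gnupg2 group). Worth stating which it is.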
@@ -442,7 +442,7 @@ Ubuntu:22.04
| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu |
| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |
| glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu |
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu |
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 6 | gpgv | # 4 Layer | ubuntu |
| gnutls28 | 3.7.3-4ubuntu1.5 | Partial fixes Available | 3 | libgnutls30 | # 4 Layer | ubuntu |
| krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu |
| libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu |
@@ -460,7 +460,6 @@ Ubuntu:22.04
| tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu |
| util-linux | 1:2.37.2-4ubuntu3.4 | No fix available | 1 | bsdutils | # 4 Layer | ubuntu |
| util-linux | 2.37.2-4ubuntu3.4 | No fix available | 1 | libblkid1... (6) | # 4 Layer | ubuntu |
| zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu |
+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+

Hiding 5 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
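Review bot: the zlib1g row (UBUNTU-CVE-2026-22184, "No fix available" per the JSON hunks below) vanishes from the table rather than changing status. The cassette hunks further down show the OSV API now answering that package's query with a bare `{}`, so this is upstream advisory data changing, not the scanner losing the package; since a snapshot that silently stops listing a vulnerability is exactly what a matching regression would also produce, the PR description should say the cassettes were re-recorded and that the zlib advisory was withdrawn or re-scoped upstream.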
@@ -477,8 +476,8 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
Scanning local image tarball "./testdata/test-ubuntu.tar"

Container Scanning Result (Ubuntu 22.04.5 LTS):
Total 23 packages affected by 46 known vulnerabilities (3 Critical, 14 High, 24 Medium, 3 Low, 2 Unknown) from 1 ecosystem.
19 vulnerabilities can be fixed.
Total 22 packages affected by 46 known vulnerabilities (2 Critical, 14 High, 24 Medium, 3 Low, 3 Unknown) from 1 ecosystem.
21 vulnerabilities can be fixed.


Ubuntu:22.04
@@ -491,7 +490,7 @@ Ubuntu:22.04
| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu |
| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |
| glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu |
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu |
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 6 | gpgv | # 4 Layer | ubuntu |
| gnutls28 | 3.7.3-4ubuntu1.5 | Partial fixes Available | 3 | libgnutls30 | # 4 Layer | ubuntu |
| krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu |
| libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu |
@@ -509,7 +508,6 @@ Ubuntu:22.04
| tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu |
| util-linux | 1:2.37.2-4ubuntu3.4 | No fix available | 1 | bsdutils | # 4 Layer | ubuntu |
| util-linux | 2.37.2-4ubuntu3.4 | No fix available | 1 | libblkid1... (6) | # 4 Layer | ubuntu |
| zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu |
+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+

Filtered Vulnerabilities:
@@ -545,8 +543,8 @@ failed to load image from tarball with path "../../testdata/locks-manyoci-image/
Scanning local image tarball "./testdata/test-ubuntu-with-packages.tar"

Container Scanning Result (Ubuntu 22.04.5 LTS):
Total 23 packages affected by 46 known vulnerabilities (3 Critical, 14 High, 24 Medium, 3 Low, 2 Unknown) from 1 ecosystem.
19 vulnerabilities can be fixed.
Total 22 packages affected by 46 known vulnerabilities (2 Critical, 14 High, 24 Medium, 3 Low, 3 Unknown) from 1 ecosystem.
21 vulnerabilities can be fixed.


Ubuntu:22.04
@@ -559,7 +557,7 @@ Ubuntu:22.04
| dpkg | 1.21.1ubuntu2.3 | Fix Available | 1 | dpkg | # 4 Layer | ubuntu |
| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |
| glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu |
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu |
| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 6 | gpgv | # 4 Layer | ubuntu |
| gnutls28 | 3.7.3-4ubuntu1.5 | Partial fixes Available | 3 | libgnutls30 | # 4 Layer | ubuntu |
| krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu |
| libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu |
@@ -577,7 +575,6 @@ Ubuntu:22.04
| tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu |
| util-linux | 1:2.37.2-4ubuntu3.4 | No fix available | 1 | bsdutils | # 4 Layer | ubuntu |
| util-linux | 2.37.2-4ubuntu3.4 | No fix available | 1 | libblkid1... (6) | # 4 Layer | ubuntu |
| zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu |
+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+

Hiding 5 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
@@ -2981,14 +2978,15 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar"
"index": 4
}
},
"groups": 5,
"groups": 6,
"vulnerabilities": [
"USN-7412-1",
"UBUNTU-CVE-2022-3219",
"UBUNTU-CVE-2025-30258",
"UBUNTU-CVE-2025-68972",
"UBUNTU-CVE-2025-68973",
"USN-7412-2"
"USN-7412-2",
"USN-7946-1"
]
},
{
@@ -3653,21 +3651,6 @@ Scanning local image tarball "./testdata/test-node_modules-npm-full.tar"
"vulnerabilities": [
"UBUNTU-CVE-2025-14104"
]
},
{
"package": {
"name": "zlib",
"os_package_name": "zlib1g",
"version": "1:1.2.11.dfsg-2ubuntu9.2",
"ecosystem": "Ubuntu:22.04",
"image_origin_details": {
"index": 4
}
},
"groups": 1,
"vulnerabilities": [
"UBUNTU-CVE-2026-22184"
]
}
]
}
@@ -3927,14 +3910,15 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
"index": 4
}
},
"groups": 5,
"groups": 6,
"vulnerabilities": [
"USN-7412-1",
"UBUNTU-CVE-2022-3219",
"UBUNTU-CVE-2025-30258",
"UBUNTU-CVE-2025-68972",
"UBUNTU-CVE-2025-68973",
"USN-7412-2"
"USN-7412-2",
"USN-7946-1"
]
},
{
@@ -4599,21 +4583,6 @@ Scanning local image tarball "./testdata/test-ubuntu.tar"
"vulnerabilities": [
"UBUNTU-CVE-2025-14104"
]
},
{
"package": {
"name": "zlib",
"os_package_name": "zlib1g",
"version": "1:1.2.11.dfsg-2ubuntu9.2",
"ecosystem": "Ubuntu:22.04",
"image_origin_details": {
"index": 4
}
},
"groups": 1,
"vulnerabilities": [
"UBUNTU-CVE-2026-22184"
]
}
]
}
Original file line number Diff line number Diff line change
@@ -2360,7 +2360,7 @@ interactions:
proto: HTTP/2.0
proto_major: 2
proto_minor: 0
content_length: 9882
content_length: 9862
body: |
{
"results": [
@@ -2439,7 +2439,7 @@ interactions:
},
{
"id": "UBUNTU-CVE-2025-68973",
"modified": "2026-01-08T06:17:52.660259Z"
"modified": "2026-01-14T03:16:56.206118Z"
},
{
"id": "USN-7412-1",
@@ -2448,6 +2448,10 @@ interactions:
{
"id": "USN-7412-2",
"modified": "2025-10-13T04:41:00Z"
},
{
"id": "USN-7946-1",
"modified": "2026-01-14T01:31:50.517317Z"
}
]
},
@@ -3173,19 +3177,12 @@ interactions:
}
]
},
{
"vulns": [
{
"id": "UBUNTU-CVE-2026-22184",
"modified": "2026-01-08T06:15:02.303582Z"
}
]
}
{}
]
}
headers:
Content-Length:
- "9882"
- "9862"
Content-Type:
- application/json
status: 200 OK
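Review bot: the re-recorded response replaces the zlib result object (`"vulns": [{"id": "UBUNTU-CVE-2026-22184", ...}]`) with a bare `{}` rather than an object carrying an empty `vulns` list, and the command_test.snap hunks show the scanner treating that shape as "no matches" (the zlib1g row disappears). That is the behaviour we want, but since the cassette is now the only place exercising a `{}` entry in `results`, it would be worth a dedicated unit test on that response shape so a later refactor of the querybatch parsing cannot turn it into a nil-dereference or a phantom finding. The `content_length` field and the `Content-Length` header are updated consistently (9882 to 9862), which is good; a mismatch would make the recorder reject the cassette.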
@@ -3921,7 +3918,7 @@ interactions:
proto: HTTP/2.0
proto_major: 2
proto_minor: 0
content_length: 9882
content_length: 9862
body: |
{
"results": [
@@ -4000,7 +3997,7 @@ interactions:
},
{
"id": "UBUNTU-CVE-2025-68973",
"modified": "2026-01-08T06:17:52.660259Z"
"modified": "2026-01-14T03:16:56.206118Z"
},
{
"id": "USN-7412-1",
@@ -4009,6 +4006,10 @@ interactions:
{
"id": "USN-7412-2",
"modified": "2025-10-13T04:41:00Z"
},
{
"id": "USN-7946-1",
"modified": "2026-01-14T01:31:50.517317Z"
}
]
},
@@ -4734,19 +4735,12 @@ interactions:
}
]
},
{
"vulns": [
{
"id": "UBUNTU-CVE-2026-22184",
"modified": "2026-01-08T06:15:02.303582Z"
}
]
}
{}
]
}
headers:
Content-Length:
- "9882"
- "9862"
Content-Type:
- application/json
status: 200 OK
@@ -5496,7 +5490,7 @@ interactions:
proto: HTTP/2.0
proto_major: 2
proto_minor: 0
content_length: 14388
content_length: 14368
body: |
{
"results": [
@@ -5884,7 +5878,7 @@ interactions:
},
{
"id": "UBUNTU-CVE-2025-68973",
"modified": "2026-01-08T06:17:52.660259Z"
"modified": "2026-01-14T03:16:56.206118Z"
},
{
"id": "USN-7412-1",
@@ -5893,6 +5887,10 @@ interactions:
{
"id": "USN-7412-2",
"modified": "2025-10-13T04:41:00Z"
},
{
"id": "USN-7946-1",
"modified": "2026-01-14T01:31:50.517317Z"
}
]
},
@@ -6618,19 +6616,12 @@ interactions:
}
]
},
{
"vulns": [
{
"id": "UBUNTU-CVE-2026-22184",
"modified": "2026-01-08T06:15:02.303582Z"
}
]
}
{}
]
}
headers:
Content-Length:
- "14388"
- "14368"
Content-Type:
- application/json
status: 200 OK