google · jess-lowe · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,23 @@
+# v2.3.2
+
+This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in `osv-scanner.json`, and ignore entry tracking, along with documentation updates.
+
+### Fixes:
+
+- [Bug #2415](https://github.com/google/osv-scanner/pull/2415) Add more PURL-to-ecosystem mappings
+- [Bug #2422](https://github.com/google/osv-scanner/pull/2422) MCP error for get_vulnerability_id because type definition is incorrect.
+- [Bug #2460](https://github.com/google/osv-scanner/pull/2460) Enable osv-scanner.json git queries
+- [Bug #2456](https://github.com/google/osv-scanner/pull/2456) Properly track if an ignore entry has been used
+- [Bug #2450](https://github.com/google/osv-scanner/pull/2450) **Performance:** Avoid loading the entire advisory unless it will actually be used
+- [Bug #2445](https://github.com/google/osv-scanner/pull/2445) **Performance:** Don't read the entire zip into memory
+- [Bug #2433](https://github.com/google/osv-scanner/pull/2433) Allow specifying user agent in v2 osvscanner package
+
+### Misc:
+
+- [Misc #2453](https://github.com/google/osv-scanner/pull/2453) Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
+- [Misc #2447](https://github.com/google/osv-scanner/pull/2447) Include `bun.lock` as a supported lockfile
+- [Misc #2444](https://github.com/google/osv-scanner/pull/2444) Document GoVersionOverride in configuration.md
+
 # v2.3.1
 
 ### Features:

diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
@@ -46,7 +46,7 @@ OPTIONS:
 ---
 
 [Test_run/version - 1]
-osv-scanner version: 2.3.1
+osv-scanner version: 2.3.2
 osv-scalibr version: 0.4.1
 commit: n/a
 built at: n/a

diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -96,7 +96,7 @@ Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner-test.toml
           "rules": [],
           "supportedTaxonomies": [],
           "taxa": [],
-          "version": "2.3.1"
+          "version": "2.3.2"
         },
         "extensions": []
       },
@@ -365,7 +365,7 @@ Total 2 packages affected by 7 known vulnerabilities (3 Critical, 4 High, 0 Medi
           ],
           "supportedTaxonomies": [],
           "taxa": [],
-          "version": "2.3.1"
+          "version": "2.3.2"
         },
         "extensions": []
       },
@@ -3004,7 +3004,7 @@ Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Mediu
           ],
           "supportedTaxonomies": [],
           "taxa": [],
-          "version": "2.3.1"
+          "version": "2.3.2"
         },
         "extensions": []
       },

diff --git a/docs/github-action.md b/docs/github-action.md
@@ -54,7 +54,7 @@ permissions:
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
 ```
 
 ### View results
@@ -97,7 +97,7 @@ permissions:
 
 jobs:
   scan-scheduled:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
 ```
 
 As written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
@@ -132,7 +132,7 @@ permissions:
 
 jobs:
   osv-scan:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
@@ -184,7 +184,7 @@ Examples
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       scan-args: |-
         --lockfile=./path/to/lockfile1
@@ -196,7 +196,7 @@ jobs:
 ```yml
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       scan-args: |-
         --recursive
@@ -222,7 +222,7 @@ jobs:
     name: Vulnerability scanning
     # makes sure the extraction step is completed before running the scanner
     needs: extract-deps
-    uses: "google/osv-scanner-action/.github/workflows/[email protected].1"
+    uses: "google/osv-scanner-action/.github/workflows/[email protected].2"
     with:
       # Download the artifact uploaded in extract-deps step
       download-artifact: converted-OSV-Scanner-deps
@@ -272,7 +272,7 @@ jobs:
           {target_arch: armhf},
           {target_arch: aarch64}
         ]
-    uses: "extract/osv-scanner/.github/workflows/[email protected].1"
+    uses: "extract/osv-scanner/.github/workflows/[email protected].2"
     with:
       download-artifact: "${{ matrix.platform.target_arch }}-OSV-Scanner-deps"
       matrix-property: "${{ matrix.platform.target_arch }}-"