Sourced from google/osv-scanner-action's releases.

v2.2.1

What's Changed

OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!

Features:

• [Feature #2146](google/osv-scanner#2146) Allow manual OSV-Scalibr plugin selection.
• [Feature #2144](google/osv-scanner#2144) Add OSV-Scalibr version to osv-scanner --version output.
• [Feature #2021](google/osv-scanner#2021) Add experimental support for running OSV-Scalibr detectors.
• [Feature #2079](google/osv-scanner#2079) Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.
• [Feature #2032](google/osv-scanner#2032) Add summary section at the top of outputs and a 'Fixed Version' column.
• [Feature #2076](google/osv-scanner#2076) Support Ubuntu severity type.

Fixes:

• [Bug #2141](google/osv-scanner#2141) Fix OSV-Scanner json scans not matching with correct ecosystem.
• [Bug #2084](google/osv-scanner#2084) Show absolute paths when scanning containers.
• [Bug #2126](google/osv-scanner#2126) Log and preserve package count before continuing on db error.
• [Bug #2095](google/osv-scanner#2095) Pass through plugin capabilities correctly.
• [Bug #2051](google/osv-scanner#2051) Properly flag if running on Linux or Mac OSs for plugin compatibility.
• [Bug #2072](google/osv-scanner#2072) Add missing "text" property in description fields.
• [Bug #2068](google/osv-scanner#2068) Change links in output to go to the specific vulnerability page instead of the list page.
• [Bug #2064](google/osv-scanner#2064) Fix SARIF v3 output to include results.
• [Bug #2151](google/osv-scanner#2151) Filter by ecosystem before querying.

API Changes:

• [API Change #2096](google/osv-scanner#2096) Allow log handler to be overridden.

---

[!WARNING] This release was originally incorrectly pointing to the bugged v2.2.0 osv-scanner release, it has now been retagged to the correct v2.2.1 release.

• 456ceb7 Merge pull request #91 from google/update-to-v2.2.1
• 233fa8e Update unified workflow example to point to v2.2.1 reusable workflows
• 8878e97 Update reusable workflows to point to v2.2.1 actions
• 6580e6c "Update actions to use v2.2.1 osv-scanner image"
• 79f88c2 Merge pull request #90 from google/fix-update-script
• 63b1aa2 Use the right and
• eecdbcc Fix variable name
• ba543a9 fix: Allow the update script to contain previous tags
• d576d6d Merge pull request #79 from jess-lowe/jess-lowe-patch-1
• 4c3b1e9 Merge pull request #80 from jess-lowe/jess-lowe-patch-2
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)