minder icon indicating copy to clipboard operation
minder copied to clipboard
verified publisher icon stacklok

build(deps): bump github.com/google/osv-scalibr from 0.3.2 to 0.4.0

Open dependabot[bot] opened this issue 3 months ago • 0 comments

Bumps github.com/google/osv-scalibr from 0.3.2 to 0.4.0.

Release notes

Sourced from github.com/google/osv-scalibr's releases.

v0.4.0

  • Global plugin config: Plugins can now be configured through a unified flag from the CLI and proto field from the library
    • Using e.g. --plugin-config=max_file_size_bytes:10000000 --plugin-config=go_binary:{version_from_content:true}
    • Migration for all plugins to use this setup is still in progress
    • This adds a new plugin config param to the list.go plugin initializers (list.FromNames()) and is thus a breaking change for current list.go API users
  • New secret scanners: MariaDB creds, MySQL mylogin.cnf creds, VAPID keys
  • Guided Remediation support for Python projects managed with Pipenv
  • Enricher that adds package deprecation information: -plugins=packagedeprecation/depsdev
  • Annotator for DPKG package sources: -plugins=misc/dpkg-source

v0.3.6

  • New extractors: K8s images, .node-version, pylock.toml, VirtualBox disk images, openEuler support in RPM extractor
  • New secret detectors: 1password, Postgres pgpassfile, crates.io API token
  • Package licenses now surfaced in the SPDX output
  • Per-file error reporting in scan results

v0.3.5

  • New extractors: docker-compose images, nvm packages,
  • New secret detectors: Stripe API keys, GCP OAuth2 access tokens, GitHub tokens, Slack tokens, Azure storage account access keys
  • Guided remediation: Support for pyproject.toml to relax strategy
  • --extractor-override flag which forces specific extractors to run on specific file patterns

v0.3.4

  • New secret detectors: DigitalOcean API keys, OpenAI project keys, Tink plaintext keysets, GitLab PAT, HashiCorp Vault+App tokens, GitHub app refresh tokens
    • See the docs for an overview of all currently supported secret types.
  • Luarocks software extractor
  • Secret detection+validation can now be enabled individually with e.g. --plugins=secrets/gcpsak,secrets/gcpsakvalidate
  • Support fetching Maven dependencies from Artifact Registry
  • Improvements to semantic version comparison

v0.3.3

  • Vulnerability matching on Extracted packages with OSV.dev: Enable in the CLI with --plugins=vulnmatch/osvdev
  • Secret extractors with validation: Anthropic API keys, Perplexity API keys, Grok xAI API keys, Docker Hub PAT, private keys,
  • Inventory extractors: MacPorts, Winget, asdf package manager, Nimble
  • Vuln detectors: Docker Socket Exposure

Thanks to all Patch Reward Program participants for the new plugins!

If you're interested in contributing through the PRP yourself and earning rewards, check out https://bughunters.google.com/about/rules/open-source/6436351477940224/osv-scalibr-patch-rewards-program-rules

Commits
  • ed0917e Bump SCALIBR version in preparation for a new release.
  • e2b6a31 Remove unused proto enum (previously used by the now-deprecated Annotations)
  • 0bc215c Refactor the postmanapikey validator to use the simplevalidate library.
  • 5537112 Extend the simplevalidate interface by adding a mechanism that constructs the...
  • 53fbb7f Migrate the PyPi API key validators to the simplevalidate library.
  • 9cda0c5 Replace spaces in test descriptions in filesystem/list.go.
  • 2aa890d enable modernize linter and Log a warning if a user runs SCALIBR without an...
  • 9d7809c PUBLIC: Update plugin docs and migrate the github API keys validators to the ...
  • 8157778 feat(new-enricher): add packagedeprecation enricher
  • add6aee Merge pull request #1532 from cuixq:fix
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Nov 24 '25 06:11 dependabot[bot]