# Migrating from osv-scalibr to osv-scanner

This guide is for users who are familiar with `osv-scalibr` and want to migrate to `osv-scanner`. It explains how to achieve similar results with `osv-scanner`.

`osv-scanner` has integrated `osv-scalibr`'s inventory collection and vulnerability scanning capabilities. While most of `osv-scalibr`'s functionality is available in `osv-scanner`, the command-line flags and output formats are different.

## Command-line Equivalence

The `osv-scanner` CLI is designed to be more intuitive and user-friendly. Here is a mapping of common `osv-scalibr` commands to their `osv-scanner` equivalents.
### Scanning a directory

osv-scalibr:

```sh
scalibr --root /path/to/your/project --result result.json
```

osv-scanner:

```sh
osv-scanner /path/to/your/project
```
### Selecting plugins

OSV-Scanner has access to the full list of OSV-Scalibr plugins, though only a well-tested subset of them is enabled by default in OSV-Scanner.

In `osv-scalibr`, you select which plugins to run with the `--extractors` and `--detectors` flags, or alternatively with the single `--plugins` flag.

For a full list of available plugin names, see OSV-Scalibr's documentation here: https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md

osv-scalibr:

```sh
scalibr --plugins python/pip,go/gomod --detectors go/govulncheck /path/to/your/project
```

In `osv-scanner`, you can achieve the same with the `--experimental-plugins` flag, which takes one comma-separated list of extractor and detector names. This is an experimental feature.

osv-scanner:

```sh
osv-scanner --experimental-plugins python/pip,go/gomod,go/govulncheck /path/to/your/project
```

`osv-scanner` also allows you to disable default plugins with `--experimental-disable-plugins`.

For more details on manual plugin selection in `osv-scanner`, see the manual plugin selection documentation.
### Generating SPDX output

`osv-scalibr` uses the `-o` flag to specify both the output format and the output file in one `format=file` value. For example, to generate an SPDX JSON report:

osv-scalibr:

```sh
scalibr -o spdx23-json=result.spdx.json /path/to/your/project
```

`osv-scanner` uses the `--format` flag to specify the output format. The output is written to standard output by default; use the separate `--output` flag (or a shell redirect) if you wish to save it to a file.

osv-scanner:

```sh
osv-scanner --format spdx-2.3-json /path/to/your/project > result.spdx.json
```

For more details on `osv-scanner` output formats, see the output documentation.
## Flag Translation Table

| osv-scalibr Flag | osv-scanner Flag | Notes |
|---|---|---|
| `--version` | `--version` | `osv-scanner version` |
| `--root` | `[directory]` (argument) | `osv-scanner scan source [directory]` |
| `--result` | `--output` | `osv-scanner --output <file>` |
| `-o` | `--format` and `--output` | e.g. `osv-scalibr -o spdx23-json=r.json` becomes `osv-scanner --format spdx-2.3-json --output r.json` |
| `--plugins` | `--experimental-plugins` | |
| `--extractors` | `--experimental-plugins` | |
| `--detectors` | `--experimental-plugins` | |
| `--annotators` | `--experimental-plugins` | |
| `--ignore-sub-dirs` | (no direct equivalent) | `osv-scanner` is not recursive by default. Use `--recursive` to enable. |
| `--skip-dirs` | Not yet available | |
| `--skip-dir-regex` | Not yet available | |
| `--skip-dir-glob` | Not yet available | |
| `--max-file-size` | Not yet available | |
| `--use-gitignore` | (default behavior) | Use `--no-ignore` to disable. |
| `--remote-image` | `[image]` (argument) | `osv-scanner scan image [image]` |
| `--image-tarball` | `--archive` | `osv-scanner scan image --archive [tarball]` |
| `--image-local-docker` | `[image]` (argument) | `osv-scanner scan image [image]` (it will look for local images first) |
| `--image-platform` | Not yet available | |
| `--gobinary-version-from-content` | Not yet available | |
| `--govulncheck-db` | Not yet available | |
| `--spdx-document-name` | Not yet available | |
| `--spdx-document-namespace` | Not yet available | |
| `--spdx-creators` | Not yet available | |
| `--cdx-component-name` | Not yet available | |
| `--cdx-component-type` | Not yet available | |
| `--cdx-component-version` | Not yet available | |
| `--cdx-authors` | Not yet available | |
| `--verbose` | `--verbosity` | `osv-scanner --verbosity <level>`, e.g. `debug`. |
| `--explicit-extractors` | (default behavior) | |
| `--filter-by-capabilities` | (default behavior) | `osv-scanner` automatically filters plugins. |
| `--windows-all-drives` | Not yet available | |
| `--offline` | `--offline` | |
| `--local-registry` | `--maven-registry` | Only for Maven. |
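The table above and the command pairs earlier on this page can be turned into a small migration helper. The script below is an added example, not part of the osv-scanner or osv-scalibr projects: `scalibr_to_osv` takes an `osv-scalibr` command line and prints the equivalent `osv-scanner` command line instead of running it, so the translation can be reviewed before it is executed (pipe it to `sh` to run it). It assumes that `--verbose` maps to `--verbosity debug`, that every flag the table marks "Not yet available" is dropped with a warning on stderr (the string-valued ones consuming their argument), that `scalibr`'s default recursion becomes an explicit `--recursive` unless `--ignore-sub-dirs` was given, and that only the `spdx23-json` output format is translated, since that is the only format name the table pairs with an `osv-scanner` one.

```shell
#!/bin/sh
# Added example: rewrite an osv-scalibr command line as the equivalent
# osv-scanner command line, following the flag translation table.
# The result is printed, not executed.

scalibr_to_osv() {
  sub="scan source" target="" out="" fmt="" plugins="" archive=""
  noignore="" level="" offline="" registry="" recursive=1
  while [ $# -gt 0 ]; do
    case "$1" in
      --version) printf '%s\n' "osv-scanner --version"; return 0 ;;
      # --use-gitignore is a boolean; handle its "=false" form before the
      # generic "--flag=value" normalisation below.
      --use-gitignore=false) noignore=1; shift ;;
      --use-gitignore|--use-gitignore=true) shift ;;
      # Normalise "--flag=value" into "--flag value" and re-run the case.
      --*=*) f="${1%%=*}"; v="${1#*=}"; shift; set -- "$f" "$v" "$@" ;;
      --root) target="$2"; shift 2 ;;
      --result) out="$2"; shift 2 ;;
      -o)
        # scalibr packs format and file into one "format=file" value.
        case "$2" in
          spdx23-json=*) fmt="spdx-2.3-json"; out="${2#*=}" ;;
          *) echo "warning: no documented osv-scanner format for '-o ${2%%=*}'; dropped" >&2 ;;
        esac
        shift 2 ;;
      # All plugin-selection flags collapse into one comma-separated list.
      --plugins|--extractors|--detectors|--annotators)
        plugins="${plugins:+$plugins,}$2"; shift 2 ;;
      # scalibr recurses unless told not to; osv-scanner is the opposite.
      --ignore-sub-dirs) recursive=""; shift ;;
      --remote-image|--image-local-docker) sub="scan image"; target="$2"; shift 2 ;;
      --image-tarball) sub="scan image"; archive="$2"; shift 2 ;;
      --verbose) level="debug"; shift ;;   # assumed level
      --offline) offline=1; shift ;;
      --local-registry) registry="$2"; shift 2 ;;
      --explicit-extractors|--filter-by-capabilities) shift ;;  # default in osv-scanner
      # Flags the table marks "Not yet available" (assumed to take a value).
      --skip-dirs|--skip-dir-regex|--skip-dir-glob|--max-file-size|--image-platform|--govulncheck-db|--spdx-*|--cdx-*)
        echo "warning: $1 $2 has no osv-scanner equivalent yet; dropped" >&2; shift 2 ;;
      # Boolean flags with no equivalent yet.
      --gobinary-version-from-content|--windows-all-drives)
        echo "warning: $1 has no osv-scanner equivalent yet; dropped" >&2; shift ;;
      --*) echo "warning: unknown flag $1; dropped" >&2; shift ;;
      *) target="$1"; shift ;;   # bare path argument, same as --root
    esac
  done

  cmd="osv-scanner $sub"
  [ "$sub" = "scan source" ] && [ -n "$recursive" ] && cmd="$cmd --recursive"
  [ -n "$fmt" ] && cmd="$cmd --format $fmt"
  [ -n "$out" ] && cmd="$cmd --output $out"
  [ -n "$plugins" ] && cmd="$cmd --experimental-plugins $plugins"
  [ -n "$noignore" ] && cmd="$cmd --no-ignore"
  [ -n "$level" ] && cmd="$cmd --verbosity $level"
  [ -n "$offline" ] && cmd="$cmd --offline"
  [ -n "$registry" ] && cmd="$cmd --maven-registry $registry"
  [ -n "$archive" ] && cmd="$cmd --archive $archive"
  [ -n "$target" ] && cmd="$cmd $target"
  printf '%s\n' "$cmd"
}

# Usage: ./scalibr_to_osv.sh --root /path/to/your/project --result result.json
if [ $# -gt 0 ]; then
  scalibr_to_osv "$@"
fi
```

The explicit `--recursive` is the part most likely to be forgotten in a manual migration: a `scalibr --root` scan walks the whole tree, whereas a bare `osv-scanner /path` only inspects the top-level directory, so a translated command without `--recursive` silently scans less than the original did.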