- Google has announced a new tool, OSV-Scanner, a free scanner that open-source developers can use to get vulnerability details relevant to their projects.
- By designing OSV-Scanner, Google aims to improve the security of the ecosystem by identifying vulnerabilities easily in open-source software.
- OSV-Scanner provides an automated capability to match a developer’s code and dependencies against lists of known vulnerabilities.
Google has announced the launch of OSV-Scanner, a free and open-source scanner designed to provide developers easy access to vulnerability information related to their open-source projects, bringing many open-source ecosystems’ vulnerability databases together.
Easy access to vulnerability information
Previously, Google launched Open Source Vulnerability (OSV) schema and OSV.dev service, the first distributed open-source vulnerability databases, in 2021. OSV brings all diverse open-source ecosystems’ vulnerability databases in one machine-readable format to publish and consume. The database supports 16 ecosystems such as Linux distributions Debian, Android, Linux Kernel, PyPI, and OSS-Fuzz, and contains more than 38,000 advisories.
Google says that as the next step, with the launch of the OSV-Scanner, the company will help organizations to have easy access to vulnerabilities related to their projects. OSV-Scanner provides an officially supported frontend to this OSV database that connects a project’s list of dependencies with the vulnerabilities affecting them. Google notes on its blog post.
« Software projects are commonly built on top of a mountain of dependencies—external software libraries you incorporate into a project to add functionalities without developing them from scratch. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required. »
The tech giant adds that scanners enable an automated capability by matching the code and dependencies against lists of known vulnerabilities. It then notifies the developer if patches or updates are needed.
Available via the OSV.dev website, the OSV-Scanner’s working method is first to identify all dependencies in a project and then connect the information with the OSV database for further details about relevant vulnerabilities.
OSV-Scanner is also integrated with the OpenSSF Scorecard’s vulnerabilities check. It can detect the project’s direct vulnerabilities as well as security defects in all dependencies. The new tool brings regularly evaluated projects by the Scorecard, a comprehensive measure of their project security.
Building the best vulnerability management tool
Google says that there is still a lot to do. Its plan for OSV-Scanner is not just to build a simple vulnerability scanner. The company aims to build the best vulnerability management tool, something that will also minimize the burden of remediating known vulnerabilities. Here are some of Google’s ideas for achieving this:
- The first step is further integrating with developer workflows by offering standalone CI actions, allowing for easy setup and schedule to keep track of new vulnerabilities.
- Improve C/C++ vulnerability support: One of the toughest ecosystems for vulnerability management is C/C++, due to the lack of a canonical package manager to identify C/C++ software. OSV is filling this gap by building a high-quality database of C/C++ vulnerabilities by adding precise commit-level metadata to CVEs.
- They are also looking to add unique features to OSV-Scanner, like the ability to utilize specific function level vulnerability information by doing call graph analysis and to be able to automatically remediate vulnerabilities by suggesting minimal version bumps that provide the maximal impact.
- VEX support: Automatically generating VEX statements using, for example, call graph analysis.