Google has launched OSV-Scanner, a new tool that lets developers scan the open-source software dependencies used in their projects for known vulnerabilities.
The scanner draws data from OSV.dev, the distributed vulnerability database for open source code that Google released in February 2021, to offer relevant information about known security issues affecting open-source code.
Open-source code issues
Open-source software developers typically rely on a number of already-available tools, libraries, and components in their projects, which allows them to build more complex solutions faster.
These building blocks are often crucial for the core functionality of a program, giving it specialized capabilities that would otherwise have to be written from scratch.
Like any code, these open-source components are not impervious to security vulnerabilities. When such a component is incorporated into another software project, its flaws come along with it.
For large programs that use many dependencies, tracking the security issues that arise with each build and evaluating the potential impact on the program itself becomes a complex task.
If one considers that many of these dependencies have dependencies of their own, the number of packages that need to be evaluated from a security perspective makes vulnerability tracking a difficult undertaking.
This is where Google’s new OSV-Scanner comes into play: it automatically matches every dependency of a given software project, including transitive dependencies, against known vulnerabilities and notifies the developers when a security update is required.
“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases,” reads the announcement.
The scanner uses openly distributed advisories from authoritative and reliable sources that follow the OSV schema, and matches them against the installed package versions to triage which vulnerabilities actually apply.
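The matching step described above, as an added illustration rather than OSV-Scanner's own code: a constructed advisory in the OSV schema shape (the `affected[].package` and `affected[].ranges[].events[]` fields are real schema fields; the advisory id, package name and versions are placeholders) is checked against a constructed installed-package list. Version ordering is simplified to dotted integers; real scanners apply ecosystem-specific version rules.

```python
# Added example: matching installed packages against OSV-schema advisories.
# Advisory and package list are constructed samples, not real OSV.dev data;
# version ordering is simplified dotted-integer comparison.
ADVISORIES = [{
    "id": "OSV-EXAMPLE-0001",                       # placeholder id
    "summary": "constructed sample: path traversal in examplelib",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
    }],
}]

# Constructed installed list, as a lockfile parser would produce it.
INSTALLED = [
    ("PyPI", "examplelib", "1.3.0"),   # inside [1.2.0, 1.4.1): affected
    ("PyPI", "examplelib", "1.4.1"),   # the fix itself: not affected
    ("npm", "examplelib", "1.3.0"),    # same name, other ecosystem: no match
]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def in_range(version, events):
    """Walk introduced/fixed events in ascending order; '0' means from the start."""
    v, affected = parse_version(version), False
    for ev in events:
        if "introduced" in ev:
            affected = ev["introduced"] == "0" or parse_version(ev["introduced"]) <= v
        elif "fixed" in ev and parse_version(ev["fixed"]) <= v:
            affected = False
    return affected

def find_vulnerabilities(installed, advisories):
    """Return {(ecosystem, name, version): [advisory ids]} for affected packages."""
    hits = {}
    for eco, name, version in installed:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (eco, name):
                    continue
                if any(in_range(version, r["events"]) for r in aff["ranges"]):
                    hits.setdefault((eco, name, version), []).append(adv["id"])
    return hits

if __name__ == "__main__":
    for key, ids in find_vulnerabilities(INSTALLED, ADVISORIES).items():
        print(key, "->", ids)
```

Only the 1.3.0 PyPI entry is reported; the ecosystem check is what keeps a same-named npm package from producing a false positive.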
Currently, the OSV.dev service supports 16 major coding ecosystems, including the Linux Kernel, Android, Debian, Alpine, PyPI, npm, OSS-Fuzz, and Maven.
It is the world’s largest open-source vulnerability database, counting 23,000 advisories in 2022 alone.
Google says the next steps for OSV-Scanner are to improve C/C++ vulnerability support, a very challenging software ecosystem to tackle, and to integrate standalone CI actions that allow scans to be scheduled easily.
In the future, OSV-Scanner will also recommend the minimal version bump that addresses an identified security flaw.