After releasing the Open Source Vulnerabilities database (OSV.dev) in February, Google has launched the OSV-Scanner, a free command line vulnerability scanner that open source developers can use to check for vulnerabilities in their projects’ dependencies.
Finding vulnerabilities in open-source dependencies
“OSV.dev allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine readable format,” explained Rex Pan, a software engineer with the Google Open Source Security Team.
“Altogether OSV.dev now supports 16 ecosystems, including all major language ecosystems, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and OSS-Fuzz. This means the OSV.dev database is now the biggest open source vulnerability database of its kind, with a total of over 38,000 advisories from 15,000 advisories a year ago.”
The OSV-Scanner functions as a frontend to the OSV.dev database.
First it goes through a project’s lockfiles (files recording the resolved dependency graph), SBOMs, and git directories (to read the latest commit hash), then lists the transitive dependencies and versions used in the developer’s project, and finally compares that list against the OSV database via the OSV.dev API.
The resulting output looks something like this:
OSV-Scanner can be installed on Linux, macOS or Windows. It has also been integrated in the OpenSSF Scorecard’s Vulnerabilities check.
“To build the list of dependencies, you can point OSV-Scanner at your project directory, or manually pass in the path to individual manifest files,” Google says. The tool can be configured to ignore specific vulnerabilities.
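The flow described above (walk lockfiles, enumerate pinned dependencies, query the OSV.dev API, then drop advisories the developer has chosen to ignore) is easy to follow in a small script. The following is an added illustration, not OSV-Scanner's own code: it parses two constructed lockfiles (a `requirements.txt` and a `package-lock.json`), builds the request body for the OSV.dev `/v1/querybatch` endpoint, and triages the answer against an ignore list. The `fake_responder`, the lockfile contents and the advisory ids ending in `-PLACEHOLDER-n` are all constructed so the example runs offline; only `post_querybatch` talks to the real API.

```python
"""Added example (not OSV-Scanner's own code): build OSV.dev querybatch
requests from lockfiles and triage the response, honouring an ignore list.
Assumes the documented endpoint POST https://api.osv.dev/v1/querybatch."""
import json
import re
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed lockfile contents standing in for files found in a project tree.
SAMPLE_REQUIREMENTS_TXT = """\
# pinned by pip-compile
requests==2.25.1
urllib3==1.26.4   # transitive pin
"""

SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/minimist": {"version": "1.2.5"},
    },
})

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#;]+)")


def parse_requirements(text):
    """Return (ecosystem, name, version) for each pinned line; comments are skipped."""
    deps = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m:
            deps.append(("PyPI", m.group(1).lower(), m.group(2)))
    return deps


def parse_package_lock(text):
    """Walk the lockfileVersion>=2 'packages' map; the "" entry is the project itself."""
    data = json.loads(text)
    deps = []
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps.append(("npm", name, entry["version"]))
    return deps


def build_querybatch(deps):
    """Shape of the OSV.dev /v1/querybatch request body: one query per dependency."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": eco}, "version": ver}
        for eco, name, ver in deps]}


def post_querybatch(payload):
    """Live lookup against OSV.dev (needs network); not used by the offline demo."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(deps, response, ignore_ids=()):
    """Pair each result with its dependency ('results' is positional, matching
    'queries') and drop advisories the developer has chosen to ignore."""
    findings = []
    for (eco, name, ver), result in zip(deps, response.get("results", [])):
        for vuln in result.get("vulns", []):
            if vuln["id"] in ignore_ids:
                continue
            findings.append({"ecosystem": eco, "package": name,
                             "version": ver, "id": vuln["id"]})
    return findings


def scan(lockfiles, responder=post_querybatch, ignore_ids=()):
    """lockfiles: {filename: contents}. Returns (dependencies, findings)."""
    deps = []
    for filename, text in lockfiles.items():
        if filename.endswith("requirements.txt"):
            deps += parse_requirements(text)
        elif filename.endswith("package-lock.json"):
            deps += parse_package_lock(text)
    response = responder(build_querybatch(deps))
    return deps, triage(deps, response, ignore_ids)


def fake_responder(payload):
    """Constructed stand-in for an OSV.dev answer; advisory ids are placeholders."""
    results = []
    for q in payload["queries"]:
        if q["package"]["name"] == "urllib3":
            results.append({"vulns": [{"id": "GHSA-PLACEHOLDER-1"},
                                      {"id": "PYSEC-PLACEHOLDER-2"}]})
        elif q["package"]["name"] == "minimist":
            results.append({"vulns": [{"id": "GHSA-PLACEHOLDER-3"}]})
        else:
            results.append({})  # no known advisories for this version
    return {"results": results}


if __name__ == "__main__":
    found_deps, found = scan(
        {"requirements.txt": SAMPLE_REQUIREMENTS_TXT,
         "package-lock.json": SAMPLE_PACKAGE_LOCK},
        responder=fake_responder, ignore_ids=("GHSA-PLACEHOLDER-1",))
    print(f"{len(found_deps)} dependencies, {len(found)} findings after ignore list")
    for f in found:
        print(f"  {f['ecosystem']}/{f['package']}@{f['version']}: {f['id']}")
```

Two points worth noting for anyone wiring this into a pipeline: the batch API returns results in the same order as the queries, so the dependency list and the response must be kept aligned (the `zip` in `triage`), and an ignore list should key on the advisory id, not the package, so a new advisory for an already-ignored package still surfaces.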
Google plans to turn OSV-Scanner into a full-fledged vulnerability management tool by further integrating with developer workflows (via standalone CI actions), adding features such as automatic remediation of vulnerabilities by making minimal version bumps, and by improving C/C++ vulnerability support.