Google Launches Free Vulnerability Scanner
Written by Sue Gee   
Thursday, 29 December 2022

Google has announced the availability of OSV-Scanner, a free tool that acts as a front-end interface to the Open Source Vulnerability (OSV) database. OSV-Scanner checks a project's dependencies against the OSV database and reports every known vulnerability that affects the project.

As we reported at the time, Google launched the OSV.dev service in 2021 as the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine-readable format.

As explained in Track Open Source Vulnerabilities With Google's OSV Database, OSV goes beyond the current state of CVE tracking by using its own JSON schema for presenting vulnerability information, which enables it to provide precise data on where a vulnerability was introduced and where it was fixed.

Since its launch the OSV schema has been taken up by vulnerability databases such as GitHub Security Advisories and Android Security Bulletins. Altogether OSV.dev now supports 16 ecosystems, including all major language ecosystems, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and OSS-Fuzz. This means the OSV.dev database is now the biggest open source vulnerability database of its kind, with a total of over 38,000 advisories.


According to Rex Pan of the Google Open Source Security Team:

Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:


  • Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
  • Anyone can suggest improvements to advisories, resulting in a very high quality database
  • The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages
  • The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them


The OSV-Scanner is the next step and provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them.


The steps for installing and running the CLI on a project are on OSV's website. Running the scanner first finds all the transitive dependencies in use by analyzing manifests, SBOMs, and commit hashes. The scanner then looks this information up in the OSV database and displays the vulnerabilities relevant to the project.
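To make the matching step concrete, here is an added example (not OSV-Scanner's own code) that replays the `introduced`/`fixed` events of an OSV-schema advisory against a list of installed packages. The advisory, its id and the dependency list are all constructed placeholders, and only dotted numeric versions in SEMVER/ECOSYSTEM ranges are handled.

```python
"""Added example (not OSV-Scanner's own code): match installed packages against
OSV-format advisories by replaying each range's introduced/fixed events."""

# Constructed advisory in the OSV schema; the id and package are placeholders.
ADVISORIES = [{
    "id": "OSV-EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "1.0.0"}, {"fixed": "1.2.4"},   # 1.0.0 <= v < 1.2.4
            {"introduced": "2.0.0"}, {"fixed": "2.1.0"},   # 2.0.0 <= v < 2.1.0
        ]}],
    }],
}]

def parse_version(v):
    """'1.2.4' -> (1, 2, 4); OSV uses '0' for 'from the first version'."""
    return tuple(int(p) for p in v.split("."))

def version_affected(version, events):
    """OSV ranges are half-open [introduced, fixed). Sort the events by version,
    then replay them: the last event at or below `version` decides."""
    v = parse_version(version)
    key = lambda e: parse_version(e.get("introduced", e.get("fixed", "0")))
    affected = False
    for event in sorted(events, key=key):
        if key(event) > v:
            break
        affected = "introduced" in event
    return affected

def find_vulnerabilities(dependencies, advisories=ADVISORIES):
    """dependencies: [(ecosystem, name, version)]; returns [(name, version, id)]."""
    hits = []
    for eco, name, version in dependencies:
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if (pkg.get("ecosystem"), pkg.get("name")) != (eco, name):
                    continue
                if any(r.get("type") in ("SEMVER", "ECOSYSTEM")
                       and version_affected(version, r["events"])
                       for r in aff.get("ranges", [])):
                    hits.append((name, version, adv["id"]))
    return hits

if __name__ == "__main__":
    # Constructed dependency list standing in for a parsed requirements.txt.
    deps = [("PyPI", "examplelib", "1.1.0"), ("PyPI", "examplelib", "1.2.4"),
            ("PyPI", "examplelib", "2.0.3"), ("npm", "examplelib", "1.1.0")]
    for name, version, vuln_id in find_vulnerabilities(deps):
        print(f"{name}@{version} is affected by {vuln_id}")
```

Note that the ecosystem is part of the match key, so a same-named npm package is not flagged by a PyPI advisory, and the fixed version itself is reported clean because OSV ranges exclude it.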


More Information

Announcing OSV-Scanner: Vulnerability Scanner for Open Source

osv.dev 

osv.dev on Github

Related Articles

Track Open Source Vulnerabilities With Google's OSV Database

Secure Coding Best Practices for 2022

The State Of Secure Software Development - Three OpenSSF Courses

Semgrep - More Than Just a Glorified Grep

EU Bug Bounty - Software Security as a Civil Right 


Last Updated ( Thursday, 29 December 2022 )