Google Launches Free Vulnerability Scanner
Written by Sue Gee   
Thursday, 29 December 2022

Google has announced the availability of OSV-Scanner, a free tool that acts as a front end interface to the Open Source Vulnerability (OSV) database. The OSV-Scanner assesses a project's dependencies against the OSV database showing all vulnerabilities relating to the project.

As we reported at the time Google launched the service in 2021 as the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine readable format.

As explained in Track Open Source Vulnerabilities With Google's OSV Database, OSV goes beyond beyond the current state of CVE tracking by using its own JSON schema for presenting vulnerability information which enables it to provide precise data on where a vulnerability was introduced and where it got fixed.

Since its launch the OSV schema has been taken up by vulnerability databases such as GitHub Security Advisories and Android Security Bulletins. Altogether now supports 16 ecosystems, including all major language ecosystems, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and OSS-Fuzz. This means the database is now the biggest open source vulnerability database of its kind, with a total of over 38,000 advisories.


According to Rex Pan of the Google Open Source Security Team:

Since the database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:


  • Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
  • Anyone can suggest improvements to advisories, resulting in a very high quality database
  • The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages
  • The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them


The OSV-Scanner is the next step and provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them.


The steps for installing and running the CLI on a project are on OSV's website. Running the scanner will first find all the transitive dependencies that are being used by analyzing manifests, SBOMs, and commit hashes. The scanner then connects this information with the OSV database and displays the vulnerabilities relevant to the project.  


More Information

Announcing OSV-Scanner: Vulnerability Scanner for Open Source on Github

Related Articles

Track Open Source Vulnerabilities With Google's OSV Database

Secure Coding Best Practices for 2022

The State Of Secure Software Development - Three OpenSSF Courses

Semgrep - More Than Just a Glorified Grep

EU Bug Bounty - Software Security as a Civil Right 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Pure Virtual C++ 2024 Sessions Announced

Microsoft has announced the sessions for Pure Virtual C++ 2024, which is taking place on April 30th 15:00 UTC. People who sign up will get access to five sessions happening on the day, alongside a ran [ ... ]

Is PHP in Trouble?

The April 2024 headline for the TIOBE Index, which ranks programming languages in terms of their popularity, reads, "Is PHP losing its mojo" asking this question because this month PHP has dropped out [ ... ]

More News

raspberry pi books



or email your comment to:

Last Updated ( Thursday, 29 December 2022 )