Google Announces Vulnerability Scanner for Open Source Developers

Google this week announced OSV-Scanner, a free scanner that open source developers can use to receive vulnerability details relevant to their projects.

The high number of dependencies that software projects rely on increases the risk of falling victim to a supply chain attack or to the exploitation of unknown vulnerabilities.

Working to improve the security of the ecosystem by helping the community triage vulnerabilities in open source software, Google last year launched an open source vulnerability database, and is now providing a front-end for that database, in the form of the OSV-Scanner.

“Software projects are commonly built on top of a mountain of dependencies […]. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required,” Google notes.

Scanners are meant to automate the process of identifying known vulnerabilities by matching the code and dependencies to a pre-compiled list and notifying developers of the identified issues.

“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases,” Google says.

Open source and distributed, the OSV.dev database includes advisories from open and authoritative sources, accepts improvement suggestions from anyone, unambiguously stores information about impacted dependencies in the machine-readable OSV format, and delivers fewer, actionable vulnerability notifications to improve remediation time.

The OSV.dev database supports 16 ecosystems, including Linux distributions (Debian and Alpine), Android, Linux Kernel, and OSS-Fuzz, and contains a total of more than 38,000 advisories.

Available via the osv.dev website, the OSV-Scanner first identifies all dependencies that a project uses and then connects the information with the OSV database to display details on relevant vulnerabilities.

Also integrated with the OpenSSF Scorecard’s vulnerabilities check, the scanner can detect security defects in all dependencies, in addition to the project’s direct vulnerabilities.

“Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool—something that will also minimize the burden of remediating known vulnerabilities,” the internet giant says.

Google plans to integrate the scanner with developer workflows via standalone CI actions, to improve C/C++ vulnerability support, to add unique features such as call graph analysis and automatic remediation, and to add automatic generation of VEX statements.

Related: Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Related: Google Launches Bug Bounty Program for Open Source Projects

Related: Open Source Security Foundation Now Counts 60 Members