Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Announces Vulnerability Scanner for Open Source Developers

Google this week announced OSV-Scanner, a free scanner that open source developers can use to receive vulnerability details relevant to their projects.

The high number of dependencies that software projects rely on increases the risk of falling victim to a supply chain attack or to the exploitation of unknown vulnerabilities.

Google this week announced OSV-Scanner, a free scanner that open source developers can use to receive vulnerability details relevant to their projects.

The high number of dependencies that software projects rely on increases the risk of falling victim to a supply chain attack or to the exploitation of unknown vulnerabilities.

Working to improve the security of the ecosystem by helping the community triage vulnerabilities in open source software, Google last year launched an open source vulnerability database, and is now providing a front-end for that database, in the form of the OSV-Scanner.

“Software projects are commonly built on top of a mountain of dependencies […]. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required,” Google notes.

Scanners are meant to automate the process of identifying known vulnerabilities by matching the code and dependencies to a pre-compiled list and notifying developers of the identified issues.

“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases,” Google says.

Open source and distributed, the OSV.dev database includes advisories from open and authoritative sources, accepts improvement suggestions from anyone, unambiguously stores information about impacted dependencies in the machine-readable OSV format, and delivers fewer, actionable vulnerability notifications to improve remediation time.

The OSV.dev database supports 16 ecosystems, including Linux distributions (Debian and Alpine), Android, Linux Kernel, and OSS-Fuzz, and contains a total of more than 38,000 advisories.

Advertisement. Scroll to continue reading.

Available via the osv.dev website, the OSV-Scanner first identifies all dependencies that a project uses and then connects the information with the OSV database to display details on relevant vulnerabilities.

Also integrated with the OpenSSF Scorecard’s vulnerabilities check, the scanner can detect security defects in all dependencies, in addition to the project’s direct vulnerabilities.

“Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool—something that will also minimize the burden of remediating known vulnerabilities,” the internet giant says.

Google plans to integrate the scanner with developer workflows via standalone CI actions, to improve C/C++ vulnerability support, to add unique features such as call graph analysis and automatic remediation, and to add automatic generation of VEX statements.

Related: Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Related: Google Launches Bug Bounty Program for Open Source Projects

Related: Open Source Security Foundation Now Counts 60 Members

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights