



Posted by Rex Pan, Software Engineer, Google Open Source Security Team

Today we are releasing OSV-Scanner, a free tool that allows open source developers to easily access vulnerability information related to their projects.

Last year, we worked to improve vulnerability triage for developers and consumers of open source software. This included publishing the Open Source Vulnerability (OSV) schema and launching the OSV.dev service, the first distributed open source vulnerability database. OSV allows all of the various open source ecosystems and vulnerability databases to publish and consume information in one simple, accurate, and machine-readable format.

OSV-Scanner is the next step in this effort, providing a front end to the officially supported OSV database that ties a project’s list of dependencies to the vulnerabilities that affect them.

A software project is typically built on top of a mountain of dependencies (external software libraries that you include in your project), adding functionality without having to develop it from scratch. Each dependency can have existing known vulnerabilities or new vulnerabilities that can be discovered at any time. There are too many dependencies and versions to track manually, so automation is needed.

Scanners provide this automated capability by checking your code and dependencies against a list of known vulnerabilities and notifying you if patches or updates are required. Scanners offer incredible benefits to project security. That is why the 2021 US Executive Order on Cybersecurity included this kind of automation as a national standard requirement for secure software development.

OSV-Scanner produces reliable, high-quality vulnerability information, bridging the gap between developers’ package lists and information in vulnerability databases. Because the OSV.dev database is open source and distributed, it has several advantages over closed source advisory databases and scanners.

Each advisory comes from an open and trusted source (such as the RustSec advisory database). Affected versions are recorded in a machine-readable format that maps directly onto a list of the developer's packages. All of the above results in fewer, more actionable vulnerability notifications and less time needed to resolve them.

When you run OSV-Scanner on your project, it first detects all transitive dependencies in use by analyzing manifests, SBOMs, and commit hashes. The scanner then connects this information to the OSV database and displays the vulnerabilities associated with the project.
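To make the matching step concrete, here is an added example (not code from OSV-Scanner or the OSV project) that takes a pinned dependency list, builds the kind of batch query the OSV API accepts, and evaluates the packages against advisories written in the OSV schema's "affected" ranges. The requirements.txt content, the advisory records and their EXAMPLE-* identifiers are constructed for illustration, and the version comparison is a deliberately simplified numeric one rather than a full PEP 440 implementation.

```python
"""Added example (not part of the OSV-Scanner release or the OSV project code): map a
project's dependency list onto OSV-format advisories, as the post describes.
Lockfile content, advisory records and IDs below are constructed for illustration."""
import json
import re

# Constructed requirements.txt (pinned, as a lockfile would be).
REQUIREMENTS_TXT = """\
# constructed sample lockfile
requests==2.25.1
urllib3==1.26.4
cryptography==39.0.1
"""

# Constructed advisories in OSV schema shape; the IDs are placeholders, not real advisories.
ADVISORIES = [
    {
        "id": "EXAMPLE-0001",
        "summary": "constructed: urllib3 example issue fixed in 1.26.5",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "urllib3"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.26.5"}]}],
        }],
    },
    {
        "id": "EXAMPLE-0002",
        "summary": "constructed: requests example issue, 2.20.0 up to and including 2.25.1",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "requests"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.20.0"}, {"last_affected": "2.25.1"}]}],
        }],
    },
    {
        "id": "EXAMPLE-0003",
        "summary": "constructed: cryptography example issue already fixed in 39.0.1",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "cryptography"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "39.0.1"}]}],
        }],
    },
]


def parse_requirements(text):
    """Return [(name, version)] for pinned '==' lines; comments and unpinned lines are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)", line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps


def build_querybatch(deps, ecosystem="PyPI"):
    """Request body shape for OSV's batch query endpoint: one query per package@version."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps]}


def version_key(v):
    # Simplified numeric comparison (no PEP 440 pre-release handling); enough for the sample.
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_in_range(version, rng):
    """Apply OSV ECOSYSTEM range events: introduced/fixed are half-open, last_affected inclusive."""
    vk = version_key(version)
    events = []
    for ev in rng["events"]:
        (kind, ver), = ev.items()
        events.append((version_key(ver), kind))
    affected = False
    for evk, kind in sorted(events):  # walk events in version order up to our version
        if evk > vk:
            break
        if kind == "introduced":
            affected = True
        elif kind == "fixed":
            affected = False
        elif kind == "last_affected":
            affected = evk == vk
    return affected


def match_advisories(deps, advisories, ecosystem="PyPI"):
    """Return {package: [advisory ids]} for every pinned dependency that is affected."""
    findings = {}
    for name, version in deps:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"].lower() != name:
                    continue
                if any(r["type"] == "ECOSYSTEM" and version_in_range(version, r)
                       for r in aff.get("ranges", [])):
                    findings.setdefault(name, []).append(adv["id"])
    return findings


if __name__ == "__main__":
    deps = parse_requirements(REQUIREMENTS_TXT)
    print(json.dumps(build_querybatch(deps), indent=2))
    for pkg, ids in match_advisories(deps, ADVISORIES).items():
        print(f"{pkg}: {', '.join(ids)}")
```

Run as-is, the script reports the urllib3 and requests pins as affected and leaves cryptography clean, because 39.0.1 is exactly the "fixed" boundary of its constructed range. The half-open treatment of "fixed" and the inclusive treatment of "last_affected" are the two boundary rules a scanner must get right, and they are where hand-rolled matchers most often disagree with the database.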

OSV-Scanner is also integrated with OpenSSF Scorecard vulnerability checks. This extends the analysis from the project’s direct vulnerabilities to include all dependencies’ vulnerabilities as well. This means that the 1.2 million projects regularly evaluated by Scorecard provide a more comprehensive measure of project security.

The OSV project has come a long way since our last post last June. The OSV schema has been widely adopted by vulnerability databases such as GitHub Security Advisories and Android Security Bulletins. OSV.dev currently supports 16 ecosystems, including all major language ecosystems, Linux distributions (Debian and Alpine), Android, the Linux kernel, and OSS-Fuzz. This makes the OSV.dev database the largest open source vulnerability database of its kind, with a total of over 38,000 advisories, up from 15,000 a year ago.

The OSV.dev website has also been completely overhauled with an improved UI and more information about each vulnerability. Notable open source projects are also starting to rely on OSV.dev such as DependencyTrack and Flutter.

We still have a lot to do. Our plans for OSV-Scanner go beyond building a simple vulnerability scanner. We want to build the best vulnerability management tools that minimize the burden of remediating known vulnerabilities. Here are some of our ideas for making this happen.

Standalone CI action: The first step is to integrate more closely with the developer's workflow by providing a standalone CI action. This simplifies setup and scheduling for tracking new vulnerabilities.

Improved C/C++ vulnerability support: C/C++ is one of the most difficult ecosystems in which to manage vulnerabilities, because there is no canonical package manager that identifies C/C++ software. OSV fills this gap by building a high-quality database of C/C++ vulnerabilities, adding accurate commit-level metadata to CVEs.

Unique features: We are also considering adding capabilities of our own to OSV-Scanner. For example, call graph analysis could take advantage of function-level vulnerability information, and automatic remediation could suggest the minimum version bumps that give the maximum impact.

VEX support: Automatically generate VEX statements using call graph analysis and more.

You can download and try OSV-Scanner on your project by following the instructions on the new website, osv.dev. Or try Scorecard to automatically run OSV-Scanner on your GitHub project. Feel free to let us know what you think: send us your feedback by opening an issue on GitHub or via the OSV mailing list.

