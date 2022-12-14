



Securing the software supply chain has become an increasingly complex and time-consuming challenge for enterprises. To make it easier for developers to find vulnerability data for the open source components they use, Google released OSV-Scanner on Tuesday.

Modern software development means managing many third-party libraries and components that add functionality to an application so that it does not have to be written from scratch. Developers need to be aware of vulnerabilities in those components, but the task is complicated by the fact that each dependency can pull in further dependencies of its own.

According to a new report from Endor Labs’ Station 9 research team, 95% of all vulnerabilities in open source software are found in transitive dependencies: packages brought into a project indirectly, by other dependencies. Developers therefore have to manage not only the dependencies they choose directly but also the vulnerabilities of everything those dependencies pull in. To complicate matters further, the same report found that even the latest versions of packages may still carry known vulnerabilities.

Last year, Google launched OSV.dev, a distributed open source vulnerability database, to help developers manage vulnerabilities. OSV.dev aggregates advisories from 16 open source ecosystems and vulnerability databases, 38,000 advisories in total, and is intended to support vulnerability tracking, triage, and patch automation. Google’s Rex Pan describes OSV-Scanner, which matches a project’s list of dependencies against the vulnerabilities that affect them, as the “next step” in managing open source vulnerabilities.

OSV-Scanner lets developers check their code and dependencies against a list of known vulnerabilities and identify available patches or newer versions of affected components. The scanner enumerates all of a project’s dependencies, including transitive ones, by analyzing software manifests (lockfiles), software bills of materials, and git commit hashes. It then queries OSV.dev and reports the known vulnerabilities affecting the project.
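As an added illustration of the manifest-to-database step described above (example code written for this page, not part of OSV-Scanner, which is a Go tool), the Python script below parses a constructed requirements.txt and package-lock.json into (ecosystem, name, version) triples, builds the request body for OSV.dev’s public /v1/querybatch endpoint, and maps a constructed response back to the packages that produced it. The manifests, the response and its EXAMPLE-* identifiers are made up for the example; the request and response shape follows the documented OSV.dev API; the real network call is included but not exercised offline.

```python
import json
import re
import urllib.request

# Public OSV.dev batch endpoint, per the documented API (not called offline).
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample manifests; not taken from any real project.
REQUIREMENTS_TXT = """\
# comments and blank lines are ignored
requests==2.25.1
urllib3 == 1.26.4   # whitespace around the pin is tolerated
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"minimist": "^1.2.5"}},   # the root project itself
        "node_modules/minimist": {"version": "1.2.5"},  # direct dependency
        "node_modules/lodash": {"version": "4.17.20"},  # pulled in transitively
    },
})

# Constructed response in the shape OSV.dev returns for the four queries below.
# Results are positional; an empty object means no known vulnerabilities.
# The IDs are placeholders, not real advisories.
SAMPLE_RESPONSE = {"results": [
    {},
    {"vulns": [{"id": "EXAMPLE-0001", "modified": "2022-12-01T00:00:00Z"}]},
    {"vulns": [{"id": "EXAMPLE-0002", "modified": "2022-12-01T00:00:00Z"}]},
    {},
]}


def parse_requirements(text):
    """Return (name, version) for every exact '==' pin in a requirements.txt."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)$", line)
        if m:
            deps.append((m.group(1), m.group(2)))
    return deps


def parse_package_lock(text):
    """Return (name, version) for every installed package in a v2/v3 package-lock.json.

    Every 'node_modules/...' entry is included, so transitive and nested
    dependencies are scanned along with direct ones.
    """
    lock = json.loads(text)
    deps = []
    for path, info in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # keeps scoped names like @scope/pkg
        deps.append((name, info["version"]))
    return deps


def collect_deps():
    """Gather (ecosystem, name, version) triples from the constructed manifests."""
    deps = [("PyPI", n, v) for n, v in parse_requirements(REQUIREMENTS_TXT)]
    deps += [("npm", n, v) for n, v in parse_package_lock(PACKAGE_LOCK_JSON)]
    return deps


def build_querybatch(deps):
    """Turn the triples into the /v1/querybatch request body."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": eco}, "version": version}
        for eco, name, version in deps
    ]}


def commit_query(sha):
    """Body for /v1/query when scanning by git commit instead of by package."""
    if not re.fullmatch(r"[0-9a-f]{40}", sha):
        raise ValueError("expected a 40-character hex git commit hash")
    return {"commit": sha}


def query_osv(body, url=OSV_QUERYBATCH_URL):
    """Send a batch to OSV.dev and return the decoded JSON (network; not run here)."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def match_results(deps, response):
    """Zip the positional results back onto the packages that were queried."""
    results = response.get("results", [])
    if len(results) != len(deps):  # never trust alignment silently
        raise ValueError("got %d results for %d queries" % (len(results), len(deps)))
    findings = []
    for (eco, name, version), result in zip(deps, results):
        for vuln in result.get("vulns", []):
            findings.append({"ecosystem": eco, "package": name,
                             "version": version, "id": vuln["id"]})
    return findings


def scan_offline():
    """Run the full pipeline against the constructed manifests and response."""
    deps = collect_deps()
    return match_results(deps, SAMPLE_RESPONSE)


if __name__ == "__main__":
    for f in scan_offline():
        print("%s/%s %s: %s" % (f["ecosystem"], f["package"], f["version"], f["id"]))
```

To scan for real, replace `SAMPLE_RESPONSE` with `query_osv(build_querybatch(deps))`; the batch endpoint returns only vulnerability IDs and modification timestamps, so the full advisory for each ID is fetched separately. The length check in `match_results` matters because the batch results are positional: a silently truncated or reordered response would otherwise attribute findings to the wrong package. OSV-Scanner itself handles many more manifest formats, resolves version ranges, and scans git checkouts by commit, which this script only sketches with `commit_query`.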

The information generated by the scanner “bridges the gap between the developer’s list of packages and the information in the vulnerability database,” Pan wrote in a blog post announcing the new tool. Automated remediation features, including the ability to use the function-level vulnerability information in the OSV database, are planned for the future, he wrote.

OSV-Scanner automates the discovery of vulnerable components in the software supply chain, with automated patching to follow. The 2021 U.S. Executive Order on Improving the Nation’s Cybersecurity specifically called for automated tools that “check for known and potential vulnerabilities and remediate them” as part of national standards for secure software development.

Developers can download and try out OSV-Scanner from the osv.dev website, or rely on OpenSSF Scorecard’s vulnerability check, which will run the scanner automatically on their GitHub projects, Google said.

