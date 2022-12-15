



Google has released a new free tool that gives open source developers easy access to vulnerability information related to their projects.

The Go-based tool, called OSV-Scanner, automatically checks developers' code and dependencies against a list of known vulnerabilities and provides immediate feedback when patches or updates are needed.

Software projects are typically built on top of a pile of dependencies rather than starting from scratch. Developers incorporate external software libraries into their projects to add functionality. However, open source packages often pull in further code from other libraries that the developer never sees directly. This practice creates what are known as transitive dependencies, meaning a project can contain multiple layers of vulnerabilities that are difficult to track manually.

In fact, transitive dependencies have contributed to an increase in open source security risks over the past year. A recent report by Endor Labs found that 95% of open source vulnerabilities are found in transitive or indirect dependencies. Another report by Sonatype also highlights that 6 out of 7 vulnerabilities affecting open source are in transitive dependencies.

According to Google, the new tool starts by finding these transitive dependencies by analyzing the project's manifest files, a software bill of materials (SBOM) if one is available, and commit hashes. It then connects to the Open Source Vulnerabilities (OSV) database to retrieve the related vulnerabilities.

OSV-Scanner produces reliable, high-quality vulnerability information, bridging the gap between a developer's package list and the information in the vulnerability database, Rex Pan, a software engineer on the Google Open Source Security team, said in a blog post.

Pan said the OSV.dev service has a higher quality database than alternative closed source advisory databases and scanners because anyone can improve an advisory. Additionally, the OSV format unambiguously stores information about affected versions in a machine-readable form that can be accurately mapped to a developer's package list. All of these features help reduce the number of vulnerability notifications, make them more actionable, and make the patching process more efficient.
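To make the two points above concrete (a scanner derives package/version pairs from a manifest and queries the OSV database, and the OSV format encodes affected version ranges machine-readably), here is an added Python example. It is not OSV-Scanner's code and does not reproduce Google's implementation; it parses a constructed requirements.txt-style manifest into the JSON payload the real `https://api.osv.dev/v1/querybatch` endpoint accepts, and evaluates a constructed advisory (id `EXAMPLE-0001` is a placeholder, not a real OSV id) against pinned versions using the OSV schema's `introduced` / `fixed` / `last_affected` event semantics. The network call is kept in a separate function so the matching logic runs offline.

```python
"""Added example: manifest -> OSV queries -> affected-range matching (not OSV-Scanner code)."""
import json
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # real OSV API endpoint

# Constructed sample manifest (requirements.txt style); versions are illustrative.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.25.1
django==3.2.1
"""

# Constructed advisory in OSV schema shape. The id is a placeholder, not a real advisory.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",
    "summary": "constructed example advisory for requests",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "requests"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "2.26.0"}]}
            ],
        }
    ],
}


def parse_requirements(text):
    """Return (name, version) pairs for pinned ('==') lines; comments and blanks are skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue  # unpinned specifiers cannot be queried as an exact version
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def build_querybatch(deps, ecosystem="PyPI"):
    """Build the request body for OSV's querybatch endpoint from (name, version) pairs."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps]}


def query_osv(payload):
    """POST the batch to OSV and return the parsed JSON (network; not used by the offline test)."""
    req = urllib.request.Request(OSV_QUERYBATCH_URL, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _version_key(version):
    """Numeric dotted-version key; non-digit suffixes are ignored (simplification of PEP 440)."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return key


def _compare(a, b):
    """Return -1, 0 or 1 comparing two version strings, padding shorter keys with zeros."""
    ka, kb = _version_key(a), _version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def _in_range(version, events):
    """OSV semantics: [introduced, fixed) or [introduced, last_affected]; an open introduced
    with no closing event means every later version is affected."""
    introduced = None
    for event in events:
        if "introduced" in event:
            introduced = event["introduced"]
        elif "fixed" in event and introduced is not None:
            if _compare(version, introduced) >= 0 and _compare(version, event["fixed"]) < 0:
                return True
            introduced = None
        elif "last_affected" in event and introduced is not None:
            if _compare(version, introduced) >= 0 and _compare(version, event["last_affected"]) <= 0:
                return True
            introduced = None
    return introduced is not None and _compare(version, introduced) >= 0


def is_affected(advisory, ecosystem, name, version):
    """True if the advisory's affected entries cover this exact package version."""
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name", "").lower() != name.lower():
            continue
        if version in aff.get("versions", []):  # explicit enumerated versions
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") in ("ECOSYSTEM", "SEMVER") and _in_range(version, rng.get("events", [])):
                return True
    return False


def scan(deps, advisories, ecosystem="PyPI"):
    """Offline match of pinned dependencies against a local list of OSV advisories."""
    return [(n, v, adv["id"]) for n, v in deps for adv in advisories
            if is_affected(adv, ecosystem, n, v)]


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(build_querybatch(deps), indent=2))  # payload you would send to OSV
    print(scan(deps, [SAMPLE_ADVISORY]))
```

In a real pipeline the `query_osv` response would replace the local advisory list; the `GIT` range type is deliberately skipped here because resolving it requires walking commit history, which is the part of the page's description (commit-hash analysis) that a manifest-only scanner cannot do.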

As a next step, Google will improve support for C/C++ vulnerabilities while also adding features to OSV-Scanner, including the ability to automatically remediate vulnerabilities by suggesting the smallest version bump with the greatest impact, Pan said.

