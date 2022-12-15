



Google this week released OSV-Scanner, an open-source vulnerability scanner linked to the OSV.dev database that debuted last year.

Written in the Go programming language, OSV-Scanner is designed to scan open source applications and assess the security of the third-party software libraries they depend on. These libraries are added to a project to provide pre-built functionality so developers don't have to recreate that functionality themselves.

A modern application can have many dependencies. For example, a researcher at Mozilla and Concordia University in Canada recently used the create-react-app command to scaffold a single-page web application in the React framework. The result was a project with 7 runtime dependencies and 9 development dependencies.

But each of these direct dependencies has dependencies of its own, known as transitive dependencies. The react package, for instance, pulls in loose-envify as a transitive dependency, and loose-envify in turn depends on other libraries. Overall, this basic single-page "Hello world" app required a total of 1,764 dependencies [PDF].

As Rex Pan, a software engineer on Google’s open source security team, said in a blog post on Tuesday, sifting through thousands of dependencies isn’t something a developer can do on their own.

“Each dependency may contain existing known vulnerabilities or new vulnerabilities that can be discovered at any time,” he wrote. “We need automation because there are too many dependencies and versions to track manually.”

Automated security scans are also recommended as a best practice in the May 12, 2021 US Executive Order on Improving the Nation's Cybersecurity.

Running OSV-Scanner against a project produces a list of its direct and transitive dependencies that have known vulnerabilities. Developers can then remediate by pinning a patched version of each affected package, where one exists and is compatible with the rest of the project.

It’s similar to JavaScript-focused tools like npm audit and Socket, but covers a broader set of packaging systems. These include Android, crates.io, Debian GNU/Linux, GitHub Actions, Go, Hex, Linux kernel, Maven, npm, NuGet, OSS-Fuzz, Packagist, Pub, PyPI, and RubyGems.

Vendors such as Checkmarx also offer dependency detection services and products.

OSV-Scanner retrieves vulnerability data from the OSV.dev database. This was introduced last year to make vulnerability information more comprehensive and accessible. It complements The Chocolate Factory’s other open source security initiatives, including its Open Source Vulnerability format and SLSA framework for defending against supply chain attacks.
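To make the two steps described above concrete, the scan of a project's direct and transitive dependencies and the lookup against advisories in the Open Source Vulnerability format, here is an added example. It is not code from the article or from the OSV-Scanner project. It walks a constructed package-lock.json (the "packages" map that npm writes in lockfile v2 and v3, which lists every installed package flat, transitive ones included), then evaluates each installed version against the introduced/fixed events of a constructed advisory written in the OSV format. The lockfile contents, the advisory and its ID EXAMPLE-2022-0001 are invented for illustration and describe no real vulnerability; the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed npm lockfile (v2 "packages" map) standing in for the article's create-react-app
// project; the versions are chosen for illustration only.
const sampleLock = `{"lockfileVersion": 2, "packages": {
  "": {"dependencies": {"react": "^17.0.2"}},
  "node_modules/react": {"version": "17.0.2", "dependencies": {"loose-envify": "^1.1.0"}},
  "node_modules/loose-envify": {"version": "1.4.0", "dependencies": {"js-tokens": "^3.0.0 || ^4.0.0"}},
  "node_modules/js-tokens": {"version": "4.0.0"}}}`

// Constructed advisory in the OSV format. The ID, summary and range are invented for this
// example and do not describe a real vulnerability in js-tokens.
const sampleAdvisory = `{"id": "EXAMPLE-2022-0001", "summary": "constructed example, not a real advisory",
  "affected": [{"package": {"ecosystem": "npm", "name": "js-tokens"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "3.0.0"}, {"fixed": "4.0.1"}]}]}]}`

type Finding struct{ Package, Version, ID string }

// advisory holds the subset of the OSV schema this example needs.
type advisory struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct{ Ecosystem, Name string } `json:"package"`
		Ranges  []struct {
			Type   string              `json:"type"`
			Events []map[string]string `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// ParseLock maps every installed package, direct and transitive, to its version. The "" entry
// is the root project; nested node_modules paths are reduced to the innermost package name.
func ParseLock(data string) (map[string]string, error) {
	var lf struct{ Packages map[string]struct{ Version string } }
	if err := json.Unmarshal([]byte(data), &lf); err != nil {
		return nil, err
	}
	installed := map[string]string{}
	for path, p := range lf.Packages {
		if path != "" && p.Version != "" {
			installed[path[strings.LastIndex(path, "node_modules/")+len("node_modules/"):]] = p.Version
		}
	}
	return installed, nil
}

// semverLess orders major.minor.patch numerically and ignores any -prerelease suffix; enough
// for the release versions used here, not a full semver implementation.
func semverLess(a, b string) bool {
	nums := func(s string) (n [3]int) {
		for i, f := range strings.SplitN(strings.SplitN(s, "-", 2)[0], ".", 3) {
			n[i], _ = strconv.Atoi(f)
		}
		return n
	}
	x, y := nums(a), nums(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// VersionAffected applies OSV SEMVER range semantics to one version v, walking the events in
// the order listed: introduced <= v opens an affected span, fixed <= v closes it (so
// introduced <= v < fixed is affected) and last_affected < v closes it.
func VersionAffected(events []map[string]string, v string) bool {
	affected := false
	for _, e := range events {
		switch {
		case e["introduced"] != "" && !semverLess(v, e["introduced"]):
			affected = true
		case e["fixed"] != "" && !semverLess(v, e["fixed"]):
			affected = false
		case e["last_affected"] != "" && semverLess(e["last_affected"], v):
			affected = false
		}
	}
	return affected
}

// Scan checks each installed package against every SEMVER range of every advisory for the
// given ecosystem and reports the ones whose installed version falls in an affected range.
func Scan(installed map[string]string, ecosystem string, advisories ...string) ([]Finding, error) {
	var out []Finding
	for _, raw := range advisories {
		var adv advisory
		if err := json.Unmarshal([]byte(raw), &adv); err != nil {
			return nil, err
		}
		for _, aff := range adv.Affected {
			v, ok := installed[aff.Package.Name]
			for _, r := range aff.Ranges {
				if ok && aff.Package.Ecosystem == ecosystem && r.Type == "SEMVER" && VersionAffected(r.Events, v) {
					out = append(out, Finding{aff.Package.Name, v, adv.ID})
				}
			}
		}
	}
	return out, nil
}

func main() {
	installed, _ := ParseLock(sampleLock)
	findings, _ := Scan(installed, "npm", sampleAdvisory)
	fmt.Println(findings) // [{js-tokens 4.0.0 EXAMPLE-2022-0001}]
}
```

The point the example makes is that the lockfile, not the source, is what a scanner reads: js-tokens never appears in the application's own package.json, yet it is installed and is the package that matches. The released tool performs the second step by sending the inventory to OSV.dev's API (POST https://api.osv.dev/v1/querybatch) rather than evaluating ranges locally, and `osv-scanner -L package-lock.json` runs it against a single lockfile. The example trusts the advisory's event order and keeps one version per package name; a production scanner sorts the events by version first, keeps every installed version of a name, and handles prerelease tags.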

According to Pan, the OSV.dev database is now the largest open source vulnerability database of its kind, containing 38,000 advisories, more than double the number of listings a year ago.

Pan said Google wants to upgrade OSV-Scanner from a simple scanner to a vulnerability management tool. Planned work includes continuous integration actions to simplify setup and scheduling of scans, C/C++ support (a challenge because the language has no standard package manager), function-level vulnerability information based on call graph analysis, and automatic remediation of vulnerable dependencies (along the lines of npm audit fix).

