



Google has released OSV-Scanner, an open source front-end interface to the Open Source Vulnerability (OSV) database. The OSV database is a distributed open source database that stores vulnerability information in OSV format. OSV-Scanner checks a project's dependencies against the OSV database and reports every known vulnerability affecting them.

When run on a project, OSV-Scanner first analyzes manifests, software bills of materials (SBOMs) and commit hashes to identify all dependencies in use. This information is used to query the OSV database and identify vulnerabilities related to your project. Vulnerabilities are reported in a table or, optionally, in JSON-based OSV format.

OSV-Scanner vulnerability output (Credit: Google)

The OSV format provides a machine-readable JSON schema for describing vulnerability information. The format is designed to enforce version specifications that match the naming and versioning schemes used by real open source package ecosystems. Oliver Chang, Senior Staff Engineer at Google, and Russ Cox, Distinguished Engineer at Google, say that this approach “can be used to account for vulnerabilities in any open source ecosystem, while also requiring the ecosystem to handle them.” It doesn’t require logic that depends on

    {
      "schema_version": "1.3.0",
      "id": "GHSA-c3g4-w6cv-6v7h",
      "modified": "2022-04-01T13:56:42Z",
      "published": "2022-04-01T13:56:42Z",
      "aliases": [
        "CVE-2022-27651"
      ],
      "summary": "Buildah Linux container default inheritable capabilities not empty",
      "details": "Bugs found where buildah builds containers …",
      "affected": [
        {
          "package": {
            "ecosystem": "Go",
            "name": "github.com/containers/buildah"
          },
          "ranges": [
            {
              "type": "SEMVER",
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "1.25.0"
                }
              ]
            }
          ]
        }
      ],
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/containers/buildah/commit/…"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/containers/buildah"
        }
      ]
    }
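As an added example (not code from the announcement or from OSV-Scanner itself), the following Python checker evaluates the SEMVER introduced/fixed events of an OSV record, like the one above, to decide whether a given package version is affected and which ids (own id plus aliases) apply. The record below is constructed from the ids and versions shown on this page; parse_semver, semver_range_hit and vulns_for are names chosen here, and the pre-release handling is a simplifying assumption.

```python
import json

# Constructed sample record, modelled on the OSV entry shown above
# (ids and versions copied from the page; not a live database query).
OSV_RECORD = json.loads("""
{
  "id": "GHSA-c3g4-w6cv-6v7h",
  "aliases": ["CVE-2022-27651"],
  "affected": [
    {
      "package": {"ecosystem": "Go", "name": "github.com/containers/buildah"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "1.25.0"}]}
      ]
    }
  ]
}
""")


def parse_semver(version: str) -> tuple:
    """Turn 'v1.25.0' or '1.25.0-rc1' into a comparable tuple of ints.
    Pre-release and build suffixes are dropped (simplification assumed here)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def semver_range_hit(events: list, version: str) -> bool:
    """Walk an OSV SEMVER event list (sorted ascending) and report whether
    the version falls in some [introduced, fixed) window; a window without
    a 'fixed' event is open-ended."""
    v = parse_semver(version)
    affected = False
    for event in events:
        if "introduced" in event:
            lo = event["introduced"]
            if lo != "0" and v < parse_semver(lo):
                break  # this and every later window starts above v
            affected = True
        elif "fixed" in event and v >= parse_semver(event["fixed"]):
            affected = False
    return affected


def vulns_for(record: dict, ecosystem: str, name: str, version: str) -> list:
    """Return [id, *aliases] if the record affects ecosystem/name@version, else []."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "SEMVER" and semver_range_hit(rng["events"], version):
                return [record["id"], *record.get("aliases", [])]
    return []
```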

Use osv-scanner -r /path/to/your/dir to scan a directory for lockfiles, SBOMs, and git directories. The optional -r flag enables recursive scanning. SPDX and CycloneDX SBOMs using package URLs are currently supported. A number of lockfiles are currently supported, including yarn.lock, composer.lock, go.mod, and Gemfile.lock.

Docker images can be scanned with $ osv-scanner --docker image_name:latest. This requires Docker to be installed and currently does not scan the filesystem of Docker containers. For more information about this preview feature, see the project's GitHub issue.

OSV-Scanner can be configured to ignore vulnerabilities by ID. This feature also supports optionally providing an ignore expiration date and reason. Ignored vulnerabilities are specified under the IgnoredVulns key.

    [[IgnoredVulns]]
    id = "GO-2022-0968"
    # ignoreUntil = 2022-11-09
    reason = "No ssh server connected or hosted for Go"

OSV-Scanner is also integrated with the OpenSSF Scorecard vulnerability check. Scorecard is an automated security tool that identifies unsafe supply chain practices in open source projects. This extends the Scorecard analysis from direct project vulnerabilities to also include vulnerabilities within project dependencies.

Rex Pan, a software engineer at Google, shared details about what’s next for OSV-Scanner. The team is looking to offer a standalone CI action that allows for further integration into workflows. Pan shared that he aims to improve C and C++ support by “building a high-quality database of C/C++ vulnerabilities by adding accurate commit-level metadata to CVEs.”

OSV-Scanner is available under Apache License 2.0 from GitHub. For more information on the announcement, see the release blog post.

