In short: Open source development projects often rely on many external dependencies, which saves developers from having to build new features from scratch. Google’s new tool is the latest part of its effort to help such projects track down and fix vulnerabilities in those dependencies by drawing on its community-driven database.
This week, Google introduced OSV-Scanner, a free tool that lets open source software developers scan the dependencies they use for known vulnerabilities. The scanner checks projects against Google's Open Source Vulnerability (OSV) schema and the OSV.dev service.
When developers run OSV-Scanner on a project, it reads the project's manifests, SBOMs, and commit hashes to identify its transitive dependencies. It then matches that information against the Google OSV database to find known vulnerabilities and reports them back to the developers.
Google launched the OSV database last February to help open source developers easily find and share information about vulnerabilities in their dependencies. Since open source projects may rely on a large number of dependencies, having such a database lets developers quickly identify which of them are affected by newly reported vulnerabilities. OSV-Scanner takes that process a step further by automating it.
Google developed OSV-Scanner in line with the 2021 U.S. Executive Order on Cybersecurity, which calls for automation in software development security standards. The government issued the order amid a series of high-profile cyberattacks, such as the SolarWinds hack and the ransomware attack on Colonial Pipeline.
Google has taken several steps to ensure that OSV-Scanner produces a manageable number of security notices that developers can act on within a reasonable amount of time. Scan results draw on the authoritative sources that feed the OSV database, and its community-driven nature also provides a rich repository of vulnerability information. The database stores that information in a machine-readable format that maps directly onto developers' package lists.
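As an added illustration of the matching described above (example code written for this article, not OSV-Scanner's or Google's own), the following Python reads pinned dependencies from a constructed requirements.txt, builds the request body that OSV.dev's POST /v1/querybatch endpoint accepts, and evaluates a constructed advisory in OSV schema form against those versions. The advisory id and version bounds are made up, and the version comparison is deliberately simplified.

```python
# Added example (not OSV-Scanner's own code): match pinned manifest dependencies
# against an OSV-format advisory. Lockfile and advisory below are constructed.
REQUIREMENTS = "# constructed requirements.txt\nrequests==2.25.1\nurllib3==1.26.5\n"

# Constructed advisory in OSV schema shape; the id and version bounds are made up
# and do not describe a real vulnerability.
ADVISORY = {"id": "EXAMPLE-0000-0001", "affected": [{
    "package": {"ecosystem": "PyPI", "name": "requests"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "2.3.0"}, {"fixed": "2.31.0"}]}]}]}

def parse_requirements(text):
    """Return {name: version} for pinned 'name==version' lines; others are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps

def build_querybatch(deps, ecosystem="PyPI"):
    """Request body in the shape OSV.dev's POST /v1/querybatch endpoint accepts."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps.items()]}

def vkey(version):
    """Simplified dotted-numeric version key; real scanners use ecosystem-specific rules."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def affected_by(version, ranges):
    """Walk each range's ordered events: 'introduced' opens an affected interval and
    'fixed' closes it ('last_affected' events are not handled in this example)."""
    v = vkey(version)
    for rng in ranges:
        affected = False
        for ev in rng["events"]:
            if "introduced" in ev and v >= vkey(ev["introduced"]):
                affected = True
            elif "fixed" in ev and v >= vkey(ev["fixed"]):
                affected = False
        if affected:
            return True
    return False

def match(deps, advisories):
    """Return (name, version, advisory id) for each dependency inside an affected range."""
    return [(n, deps[n], adv["id"]) for adv in advisories for aff in adv["affected"]
            for n in [aff["package"]["name"].lower()]
            if n in deps and affected_by(deps[n], aff["ranges"])]
```

Running `match(parse_requirements(REQUIREMENTS), [ADVISORY])` flags requests 2.25.1 because it sits between the advisory's `introduced` and `fixed` events, while urllib3 is untouched because no advisory names it.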
More improvements are in the works for OSV-Scanner. Google plans to introduce standalone CI actions to make scheduled scans and initial setup easier. The company is also building a new C/C++ vulnerability database that includes precise commit-level metadata for CVEs.
Further out, call graph analysis should allow OSV-Scanner to use vulnerability information at the function level. Call graph analysis could also eventually generate VEX statements automatically. In addition, Google wants the scanner to suggest the minimal version changes that would have the greatest impact on automatically remediating a project's vulnerabilities.
OSV-Scanner is available on Google's GitHub page.