In summary, open source development projects often have many external dependencies, which saves developers from having to create new features. Google’s latest tool uses its community database to help such projects track and fix dependencies’ vulnerabilities.
Google released OSV-Scanner, a free tool for open source software developers to scan dependencies for vulnerabilities, this week. The scanner checks their projects for compliance with Google Open Source Vulnerability (OSV) and OSV.dev.
Developers use OSV-Scanner to find transitive dependencies in manifestos, SBOM, and commit hashes. It then searches the Google OSV database for vulnerabilities and alerts developers.
Google launched the OSV database last February to help open source developers find and report vulnerabilities in their dependencies. An accessible database can help developers quickly identify new dependencies in open source projects, which can have many. OSV-Scanner automates processes further.
The US Cybersecurity Executive Order of 2021 requires automation in software development security standards, so Google developed OSV-Scanner. After the SolarWinds hack and the Colonial Pipeline ransomware attack, the government issued the order.
Google has taken several steps to limit OSV-Scanner’s security notifications so developers can act on them quickly. The OSV database contains scan results from trusted sources and a wealth of vulnerability data from the community. The machine-readable database matches developer package lists.
OSV-Scanner is being enhanced. Google will separate CI actions to simplify planning and setup. The company is also creating a C/C++ vulnerability database with accurate CVE commit-level metadata.
OSV-Scanner will use function-level vulnerabilities from call graph analysis in the future. Call graph analysis can eventually generate VEX statements automatically. Google also wants the scanner to offer minimal version changes for projects with the greatest impact on automatic vulnerability elimination.
Comments are closed.