Google has launched OSV-Scanner, a new tool that lets developers scan the open source dependencies used in their projects for known vulnerabilities.
The scanner pulls its data from OSV.dev, the distributed vulnerability database for open source code that Google released in February 2021 to provide structured information on known security issues affecting open source packages.
Open source code issues
Open source developers typically build their projects on a number of existing tools, libraries, and components, which lets them deliver more complex software faster.
These building blocks are often crucial to a program’s basic functionality, giving it specialized capabilities that would otherwise have to be written from scratch.
Like any code, these open source components are not immune to security vulnerabilities, and when they are incorporated into other software projects their defects come along with them.
For large programs that use many dependencies, tracking security issues that arise with each build and assessing the potential impact on the program itself becomes a complex task.
Considering that many of these dependencies have their own dependencies, the sheer number of packages that need to be assessed for security makes tracking vulnerabilities a difficult undertaking.
This is where Google's new OSV-Scanner comes in: it matches the package names and versions in a project's dependency set, including transitive dependencies, against the vulnerability data and tells developers when a security update is required.
"The OSV-Scanner generates reliable, high-quality vulnerability information that bridges the gap between a developer's list of packages and the information in vulnerability databases," the announcement reads.
To decide whether an installed package version is affected, the scanner relies on openly distributed advisories from authoritative, trusted sources that are published in the OSV Schema.
Currently, OSV.dev supports 16 ecosystems, including the Linux kernel, Android, Debian, Alpine, PyPI, npm, OSS-Fuzz, and Maven.
It is the largest open-source vulnerability database in the world, with 23,000 advisories in 2022 alone.
Google says the next steps for OSV-Scanner are improving support for C/C++ vulnerabilities (a particularly challenging ecosystem) and adding standalone CI integrations so that scans can be scheduled easily.
Going forward, OSV-Scanner will also recommend the minimum version upgrade that fixes each identified vulnerability.
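To make the matching step concrete, the following Python script is an added illustration (not OSV-Scanner's own code) of how an OSV Schema advisory is matched against a package inventory and how the minimum fixing version mentioned above falls out of the same data. The advisory ID `EXAMPLE-2022-0001`, the package `example-http`, the inventory entries and all version numbers are constructed for the example and do not describe any real vulnerability; the `introduced`/`fixed` event semantics are those of the OSV Schema's ECOSYSTEM ranges, while the version comparison is a deliberately simplified dotted-numeric one (real ecosystems such as PyPI and npm have richer version rules).

```python
"""Added illustration of OSV Schema range matching; not OSV-Scanner's code."""
from __future__ import annotations

import json
import re

# Constructed OSV-schema advisory for illustration only. The id, package
# and versions are hypothetical and describe no real vulnerability.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-2022-0001",
    "summary": "Hypothetical header injection in example-http (constructed)",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "example-http"},
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    # Two vulnerable windows: [0, 1.4.2) and [2.0.0, 2.1.0).
                    "events": [
                        {"introduced": "0"},
                        {"fixed": "1.4.2"},
                        {"introduced": "2.0.0"},
                        {"fixed": "2.1.0"},
                    ],
                }
            ],
        }
    ],
}

# Constructed inventory (direct and transitive packages). OSV-Scanner would
# derive this from a lockfile or SBOM; here it is embedded for offline use.
SAMPLE_INVENTORY = [
    ("PyPI", "example-http", "1.3.0"),
    ("PyPI", "example-http", "1.4.2"),
    ("PyPI", "example-http", "2.0.5"),
    ("PyPI", "other-lib", "0.9.1"),
]


def parse_version(v: str) -> tuple:
    """Simplified comparison key: numeric dotted components only.
    Real ecosystems (PEP 440, semver) have extra rules this ignores."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def _event_version(ev: dict) -> tuple:
    return parse_version(next(iter(ev.values())))


def is_affected(version: str, events: list[dict]) -> tuple[bool, str | None]:
    """Walk the range events in version order and report whether `version`
    is inside a vulnerable window, plus the first fixed version above it."""
    v = parse_version(version)
    affected, fix = False, None
    for ev in sorted(events, key=_event_version):  # sorting makes order irrelevant
        if "introduced" in ev:
            # "0" means vulnerable from the first release.
            if ev["introduced"] == "0" or parse_version(ev["introduced"]) <= v:
                affected, fix = True, None
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= v:
                affected = False  # already past this fix
            elif affected and fix is None:
                fix = ev["fixed"]  # smallest fix above the installed version
        elif "last_affected" in ev:
            if parse_version(ev["last_affected"]) < v:
                affected = False
    return affected, (fix if affected else None)


def scan(inventory: list[tuple[str, str, str]], advisories: list[dict]) -> list[dict]:
    """Match every (ecosystem, name, version) against every advisory."""
    findings = []
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]
            for eco, name, ver in inventory:
                if (eco, name) != (pkg["ecosystem"], pkg["name"]):
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] not in ("ECOSYSTEM", "SEMVER"):
                        continue  # GIT ranges need commit history, skipped here
                    hit, fix = is_affected(ver, rng["events"])
                    if hit:
                        findings.append({"id": adv["id"], "ecosystem": eco,
                                         "package": name, "version": ver,
                                         "min_fix_version": fix})
    return findings


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_INVENTORY, [SAMPLE_ADVISORY]), indent=2))
```

Running it flags `example-http` 1.3.0 (fix 1.4.2) and 2.0.5 (fix 2.1.0), while 1.4.2 is clean because a `fixed` event is exclusive: the fixed version itself is no longer affected. The `min_fix_version` field is exactly the "minimum version change" a scanner can recommend, since it is the smallest `fixed` event above the installed version inside the window that matched.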