Google Open-Source Vulnerability Scanning Tool
OSV-Scanner, a front-end for the Open Source Vulnerability (OSV) database, was released by Google in December 2022. The OSV database is a distributed, open-source database that stores vulnerability data in the OSV format. OSV-Scanner compares a project’s dependencies against the OSV database and reports every vulnerability that applies to the project.
When run on a project, OSV-Scanner first determines all dependencies in use by inspecting manifests, software bills of materials (SBOMs), and commit hashes.
This data is then used to query the OSV database and report any vulnerabilities that affect the project.
Vulnerabilities are reported as a table or, optionally, in the JSON-based OSV format.
The OSV format provides a machine-readable JSON schema for presenting vulnerability information. The format is designed to enforce version specification that aligns with the naming and schemes used in the actual open-source package. Oliver Chang, senior staff engineer at Google, and Russ Cox, distinguished engineer at Google, state that this approach “can be used to describe vulnerabilities in any open source ecosystem, while not requiring ecosystem-dependent logic to process them.”
osv-scanner -r /path/to/your/dir
searches a directory for lockfiles, SBOMs, and git folders. The optional -r flag enables a recursive scan. Package URL-based SBOMs in SPDX and CycloneDX format are currently supported, as are several lockfiles, including yarn.lock, composer.lock, go.mod, and Gemfile.lock.
It is also possible to scan the list of installed packages in a Debian image to pull out any vulnerabilities for them:
$ osv-scanner --docker image_name:latest
This requires Docker to be installed and does not currently scan the filesystem of the Docker container. More details on this preview feature can be found in the GitHub issue.
OSV-Scanner can be configured to ignore vulnerabilities by their ID. An ignore entry can optionally carry an expiry date, after which the ignore lapses, and a reason. Ignored vulnerabilities are specified under the
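To make the two mechanisms above concrete, here is an added example (not OSV-Scanner's own code) that matches a dependency list against advisories written in the OSV JSON schema and then applies an ignore list with expiry dates. The advisories, dependency list and ignore rules are constructed; the advisory IDs and package names are placeholders, the ignore-rule field names are assumed rather than taken from OSV-Scanner's configuration format, and version ordering is simplified to plain numeric SEMVER comparison.

```python
"""Added example (not OSV-Scanner's own code): match a dependency list against
OSV-format advisories, then apply an ignore list with expiry dates."""
from datetime import date

# Constructed advisories in the OSV JSON schema. IDs and package names are
# placeholders; real entries come from the OSV database.
ADVISORIES = [
    {
        "id": "EXAMPLE-2022-0001",
        "summary": "example: path traversal during archive extraction",
        "affected": [{
            "package": {"ecosystem": "Go", "name": "example.com/archiver"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2021-0042",
        "summary": "example: prototype pollution, fixed separately on two branches",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-merge"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.1"},
                                   {"introduced": "3.0.0"}, {"fixed": "3.0.5"}]}],
        }],
    },
]

# Constructed dependency list, as a scanner would extract it from lockfiles.
DEPENDENCIES = [
    {"ecosystem": "Go", "name": "example.com/archiver", "version": "1.3.0"},
    {"ecosystem": "npm", "name": "example-merge", "version": "2.5.0"},
    {"ecosystem": "npm", "name": "example-merge", "version": "3.0.2"},
    {"ecosystem": "npm", "name": "example-pad", "version": "1.0.0"},
]

# Constructed ignore rules carrying the three fields the article describes:
# the vulnerability ID, an optional expiry date and a reason. The field names
# are assumed; they are not OSV-Scanner's configuration format.
IGNORES = [
    {"id": "EXAMPLE-2022-0001", "ignore_until": "2022-06-30",
     "reason": "archiver only unpacks artifacts built in our own pipeline"},
]


def semver_key(version):
    """Numeric ordering of a SEMVER string; '0' denotes the lowest version.
    Pre-release tags are dropped, an assumed simplification of real ordering."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_in_range(version, events):
    """OSV SEMVER ranges are half-open intervals [introduced, fixed); a
    'last_affected' event closes the interval inclusively instead. Walk the
    events in version order and let each one at or below `version` decide."""
    key = semver_key(version)
    affected = False
    for event in sorted(events, key=lambda e: semver_key(next(iter(e.values())))):
        if "introduced" in event and key >= semver_key(event["introduced"]):
            affected = True
        elif "fixed" in event and key >= semver_key(event["fixed"]):
            affected = False
        elif "last_affected" in event and key > semver_key(event["last_affected"]):
            affected = False
    return affected


def find_vulns(dependencies, advisories):
    """Return (dependency, advisory id) pairs whose installed version is affected."""
    hits = []
    for dep in dependencies:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (dep["ecosystem"], dep["name"]):
                    continue
                if any(version_in_range(dep["version"], r["events"])
                       for r in aff["ranges"] if r["type"] == "SEMVER"):
                    hits.append((dep, adv["id"]))
    return hits


def apply_ignores(hits, ignores, today):
    """Drop findings whose ignore rule is still in force on `today` (ISO date).
    An expired rule suppresses nothing, so the finding resurfaces in the report."""
    now = date.fromisoformat(today)
    active = {r["id"] for r in ignores
              if r.get("ignore_until") is None
              or now <= date.fromisoformat(r["ignore_until"])}
    return [(dep, vid) for dep, vid in hits if vid not in active]


def render_table(hits):
    """Tabular report in the spirit of the scanner's default output."""
    rows = ["ECOSYSTEM  PACKAGE               VERSION  VULNERABILITY"]
    for dep, vid in hits:
        rows.append(f"{dep['ecosystem']:<10} {dep['name']:<21} {dep['version']:<8} {vid}")
    return "\n".join(rows)


if __name__ == "__main__":
    hits = find_vulns(DEPENDENCIES, ADVISORIES)
    print(render_table(apply_ignores(hits, IGNORES, "2022-06-01")))  # ignore in force
    print()
    print(render_table(apply_ignores(hits, IGNORES, "2023-01-01")))  # ignore expired
```

The second advisory shows why the range walk matters: version 2.5.0 of the npm package sits between the first fix and the second introduction and is therefore clean, while 3.0.2 is affected again. The expiry check is deliberately date-driven rather than permanent, so a finding that was accepted for a fixed period comes back into the report on its own once that period ends.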
OSV-Scanner has also been integrated into the OpenSSF Scorecard’s Vulnerabilities check. Scorecard is an automated security tool that identifies risky supply chain practices in open-source projects. The integration extends Scorecard’s analysis from a project’s direct vulnerabilities to vulnerabilities in the project’s dependencies as well.
Rex Pan, software engineer at Google, shared some details on what is next for OSV-Scanner. The team plans to offer a standalone CI action to allow tighter integration into workflows. Pan also said they are looking to improve C and C++ support by “building a high quality database of C/C++ vulnerabilities by adding precise commit level metadata to CVEs.”
OSV-Scanner is available via GitHub under the Apache License 2.0. More details on the announcement can be found in the release blog post.