
Google Releases Open-Source Vulnerability Scanning Tool

Published on Jan 07, 2023

OSV-Scanner is an open-source front-end interface to the Open Source Vulnerability Database (OSV). An OSV database is a distributed, open-source database that stores vulnerability information in OSV format. In the OSV-Scanner, all vulnerabilities associated with a project are assessed against the OSV database.

A project’s dependencies are first determined by OSV-Scanner’s analysis of manifests, software bills of materials (SBOMs), and commit hashes. OSV-Scanner uses this information to query the OSV database and report any vulnerabilities associated with the project. Vulnerabilities are reported in tabular format or, optionally, in OSV format.

A machine-readable JSON schema is provided by the OSV format for presenting vulnerability information. The format is intended to enforce version specifications that are aligned with the naming and scheme used in the actual open-source package. According to Oliver Chang, senior staff engineer at Google, and Russ Cox, distinguished engineer at Google, this approach “can describe vulnerabilities in any open source ecosystem without requiring ecosystem-specific logic.”

Using osv-scanner -r /path/to/your/dir, you can scan a directory for lockfiles, SBOMs, and git directories. Recursive scanning is enabled by the -r flag. As of now, SPDX and CycloneDX SBOMs using Package URLs are supported. The lockfiles yarn.lock, composer.lock, go.mod, and Gemfile.lock are currently supported.

The following command can be used to scan the list of installed packages in a Debian image for vulnerabilities: $ osv-scanner --docker image_name:latest. This requires Docker to be installed and does not currently scan the filesystem of the Docker container. The GitHub issue provides more details on this preview feature.

OSV-Scanner can be configured to ignore vulnerabilities based on their ID. As part of this feature, it is also possible to attach an expiry date and a reason to each ignore. The IgnoreVulns key specifies which vulnerabilities should be ignored.
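The ignore-with-expiry behaviour described above, as an added example that is not OSV-Scanner's own code: it applies IgnoreVulns-style entries (id, ignoreUntil, reason) to a scan report so that an exception whose date has passed resurfaces instead of silently persisting. The report layout and the key names ignoreUntil and reason are assumptions modelled on the tool's JSON output and config, not taken from the article; the report itself is a constructed sample.

```python
import json
from datetime import date

# Constructed sample report modelled on OSV-Scanner's JSON output (field
# names are an assumption): one lockfile, two packages, three findings.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "/src/go.mod", "type": "lockfile"},
        "packages": [
            {"package": {"name": "example.com/libfoo", "version": "1.2.0",
                         "ecosystem": "Go"},
             "vulnerabilities": [{"id": "VULN-ID-PLACEHOLDER-1"},
                                 {"id": "VULN-ID-PLACEHOLDER-2"}]},
            {"package": {"name": "example.com/libbar", "version": "0.9.1",
                         "ecosystem": "Go"},
             "vulnerabilities": [{"id": "VULN-ID-PLACEHOLDER-3"}]},
        ],
    }]
})

# Mirrors [[IgnoreVulns]] entries from an osv-scanner.toml (assumed key names).
# The first ignore is still live; the second expired and must not suppress.
IGNORE_LIST = [
    {"id": "VULN-ID-PLACEHOLDER-1", "ignoreUntil": date(2099, 1, 1),
     "reason": "vulnerable code path is not reachable in this service"},
    {"id": "VULN-ID-PLACEHOLDER-2", "ignoreUntil": date(2022, 1, 1),
     "reason": "fix scheduled; re-evaluate after upgrade"},
]


def live_ignores(ignore_list, today):
    """IDs whose ignore is still in force on `today` (no date means open-ended)."""
    return {e["id"] for e in ignore_list
            if e.get("ignoreUntil") is None or e["ignoreUntil"] >= today}


def expired_ignores(ignore_list, today):
    """IDs whose exception lapsed; these deserve a review, not a quiet re-ignore."""
    return sorted(e["id"] for e in ignore_list
                  if e.get("ignoreUntil") is not None and e["ignoreUntil"] < today)


def active_findings(report_json, ignore_list, today):
    """(package, version, vuln id) tuples not suppressed by a live ignore."""
    live = live_ignores(ignore_list, today)
    findings = []
    for result in json.loads(report_json)["results"]:
        for pkg in result["packages"]:
            meta = pkg["package"]
            for vuln in pkg["vulnerabilities"]:
                if vuln["id"] not in live:
                    findings.append((meta["name"], meta["version"], vuln["id"]))
    return findings
```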

The OSV-Scanner has also been integrated into the OpenSSF Scorecard’s vulnerability assessment. An automated security tool called Scorecards identifies risky supply chain practices in open-source projects. As a result, Scorecards analyses not only the project’s direct vulnerabilities, but also any vulnerabilities within the project’s dependencies.

Rex Pan, a software engineer at Google, provided some details regarding what is planned for OSV-Scanner in the near future. In order to facilitate further integration into workflows, the team intends to offer a standalone CI action. Pan stated they intend to improve C and C++ support by “building a high quality database of C/C++ vulnerabilities by adding precise commit level metadata to CVEs.”
