New Google Tool Scans for Vulnerabilities in Open-Source Project Dependencies

Google has released a new tool that could help developers detect vulnerabilities in their projects’ open-source software dependencies.

The utility, dubbed OSV-Scanner, relies on OSV.dev, a distributed open-source vulnerability database Google released in February 2021.

Software developers implement dependencies (e.g., software libraries, packages) to add functionality within their projects without developing the components from scratch. The sheer number of dependencies, though, makes it challenging to keep track of every vulnerability that could affect them.

OSV-Scanner is an automation tool that eliminates the guesswork from vulnerability check-ups by cross-checking your “code and dependencies against lists of known vulnerabilities and notifying you if patches or updates are needed.”

Running the vulnerability scanner will first analyze manifests, commit hashes and SBOMs (software bill of materials) to detect all dependencies built within a project. OSV-Scanner then matches the information against the OSV database and returns a list of all vulnerabilities that affect your project.

OSV.dev currently supports 16 ecosystems, including Linux Kernel, Android, OSS-Fuzz, Linux distributions (Alpine and Debian), RubyGems, PyPI, NuGet, npm, Go and Maven. The database hosts more than 38,000 advisories, making it the most extensive open-source vulnerability database in existence.

Although OSV-Scanner can only detect vulnerabilities for now, Google plans to add features to turn it into a more versatile tool that can address them.

“We are also looking to add unique features to OSV-Scanner, like the ability to utilize specific function level vulnerability information by doing call graph analysis, and to be able to automatically remediate vulnerabilities by suggesting minimal version bumps that provide the maximal impact,” reads the company’s announcement.

Users can download and use OSV-Scanner for free from GitHub or the OSV.dev website. Alternatively, developers could automatically run the utility on their GitHub projects by using the Scorecard risk assessment tool for open-source projects.