In brief: Open-source development projects often must rely on many external dependencies, saving developers the work of building new functionality from scratch. Google's new tool is the latest part of its efforts to help such projects track and solve vulnerabilities the dependencies introduce, building on top of its community database.
Google introduced OSV-Scanner this week, a free tool that lets developers making open-source software scan for known vulnerabilities in the dependencies they use. The scanner checks their projects against Google's Open Source Vulnerability (OSV) schema and the OSV.dev service.
When developers run OSV-Scanner on their work, it searches their manifests, SBOMs, and commit hashes to find transitive dependencies. It then links the information it finds to Google's OSV database to find vulnerabilities and inform the developers.
Google launched the OSV database last February to help open-source developers easily find and contribute information about vulnerabilities in their dependencies. Since open-source projects can rely on large numbers of dependencies, an accessible database can help developers quickly determine which ones introduced new liabilities. The OSV-Scanner introduces a new layer of automation to the process.
Google designed the OSV-Scanner to comply with the 2021 US Executive Order for Cybersecurity, which requires automation as part of its standards for software development security. The government introduced the order amid a rash of high-profile cyberattacks like the SolarWinds hack and the ransomware strike on the Colonial Pipeline.
A few measures Google took should ensure the OSV-Scanner delivers a manageable number of security notifications developers can act on within reasonable timescales. Scanner results come from authoritative sources that feed into the OSV database, but its community-led nature also ensures a rich repository of information on vulnerabilities. The database also keeps its information in a machine-readable format that perfectly maps to developer package lists.
More improvements for the OSV-Scanner are on the way. Google plans to introduce standalone CI actions to facilitate scheduling and initial setup. The company is also building a new C/C++ vulnerability database which includes precise commit-level metadata to CVEs.
In the future, call graph analysis should let the OSV-Scanner use specific function-level vulnerability information. Call graph analysis could also eventually automatically generate VEX statements. Furthermore, Google wants the scanner to be able to propose minimal version bumps for projects where they would have maximum impact to automatically solve vulnerabilities.
The OSV-Scanner is available on Google's GitHub page.