Google has released OSV-Scanner, a free, open-source vulnerability scanner. Last year Google set out to improve vulnerability triage for developers and consumers of open source software. That work produced the Open Source Vulnerability (OSV) schema and OSV.dev, the first distributed open source vulnerability database. OSV lets vulnerability information be published and consumed in a single simple, precise, machine-readable format across the many open source ecosystems and vulnerability databases.
The next step in this effort is OSV-Scanner, which matches a project’s list of dependencies against the vulnerabilities that affect them. It is an officially supported client for the OSV database.
Scanners automate this check: they compare your code and dependencies against databases of known vulnerabilities and then tell you whether patches or upgrades are required. Because scanners offer substantial benefits to project security, the 2021 U.S. Executive Order on Cybersecurity specifically names this kind of automation as a requirement for national standards on secure software development.
OSV-Scanner bridges the gap between a developer’s list of packages and the data in vulnerability databases by providing reliable, high-quality vulnerability information. Because the OSV.dev database is distributed and open source, it has several advantages over closed-source advisory databases and scanners.
OSV-Scanner first identifies all the transitive dependencies a project uses by examining manifests, SBOMs, and commit hashes. It then connects that data to the OSV database and reports the vulnerabilities relevant to the project.
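To make that pipeline concrete, here is an added example; it is not OSV-Scanner’s own code and not from Google. It parses a constructed requirements.txt, builds the request body in the shape used by the OSV batch query API (https://api.osv.dev/v1/querybatch), and evaluates a constructed OSV-format advisory’s introduced/fixed/last_affected events against the pinned versions. The requirements file, the package names and the advisory id are placeholders; the version comparison is a simplified dotted-integer compare rather than full PEP 440; and a real run would POST the payload and match against the advisories the API returns instead of the local list.

```python
"""Offline sketch of the OSV-Scanner pipeline: manifest -> OSV queries -> range match.

Added example, not OSV-Scanner's own code. It uses the public OSV schema field
names (affected[].package, affected[].ranges[].events with introduced/fixed/
last_affected) and the request shape of https://api.osv.dev/v1/querybatch.
The requirements file and the advisory below are constructed for this example.
"""
import re

# Constructed sample manifest (pip requirements.txt); not from a real project.
REQUIREMENTS_TXT = """\
# constructed sample
examplepkg==1.2.0
otherpkg==3.0.1   # pinned
"""

# Constructed advisory in OSV schema shape; the id and package are placeholders.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",
    "summary": "constructed example advisory, not a real vulnerability",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.3"}]}],
    }],
}


def parse_requirements(text):
    """Return [(name, version)] for exact '==' pins; comments and unpinned lines are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-+]*)", line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps


def build_querybatch(deps, ecosystem="PyPI"):
    """Build the JSON body that would be POSTed to https://api.osv.dev/v1/querybatch."""
    return {"queries": [{"package": {"name": name, "ecosystem": ecosystem}, "version": ver}
                        for name, ver in deps]}


def version_key(version):
    """Simplified comparison key: leading dotted integers only (not full PEP 440)."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_in_range(version, events):
    """Walk an OSV events list in order: 'introduced' opens an affected interval,
    'fixed' (exclusive) or 'last_affected' (inclusive) closes it; "0" means from the start."""
    vk = version_key(version)
    affected = False
    for ev in events:
        if "introduced" in ev and vk >= version_key(ev["introduced"]):
            affected = True
        elif "fixed" in ev and vk >= version_key(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and vk > version_key(ev["last_affected"]):
            affected = False
    return affected


def match_advisory(deps, advisory):
    """Return (name, version, advisory id) for each dep inside an affected version range."""
    hits = []
    for name, version in deps:
        for aff in advisory.get("affected", []):
            if aff["package"]["name"].lower() != name:
                continue
            explicit = version in aff.get("versions", [])
            in_range = any(rng["type"] in ("ECOSYSTEM", "SEMVER")
                           and version_in_range(version, rng["events"])
                           for rng in aff.get("ranges", []))
            if explicit or in_range:
                hits.append((name, version, advisory["id"]))
                break
    return hits


def scan(requirements_text, advisories):
    """Manifest -> pinned deps -> match against a local list of OSV-format advisories."""
    deps = parse_requirements(requirements_text)
    hits = []
    for adv in advisories:
        hits.extend(match_advisory(deps, adv))
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(build_querybatch(parse_requirements(REQUIREMENTS_TXT)), indent=2))
    for name, ver, vuln_id in scan(REQUIREMENTS_TXT, [SAMPLE_ADVISORY]):
        print(f"{name}=={ver} is affected by {vuln_id}")
```

The shipped tool does the same work across many lockfile formats and ecosystems, with ecosystem-aware version ordering; for example `osv-scanner --lockfile=requirements.txt` scans one manifest and `osv-scanner -r ./project` walks a directory for every lockfile it recognises.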
Information Security Experts Weigh in
Experts in information security offer their perspectives on this story and on how businesses like Google can use their resources for the benefit of the entire open source ecosystem. Read the response below.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.