Google’s new OS vulnerability scanner, Microsoft falls behind in OS efforts

By ISBuzz Team, Writer, Information Security Buzz | Dec 14, 2022 07:22 am PST

Google has made its free, open-source security scanner available. Last year, Google set out to improve vulnerability triage for developers and users of open source software. That effort produced the first distributed open source vulnerability database, OSV.dev, together with the Open Source Vulnerability (OSV) schema. OSV lets vulnerability information be published and consumed in a single straightforward, accurate, machine-readable format across the many different open source ecosystems and vulnerability databases.

The OSV-Scanner, which matches a project’s list of dependencies against the vulnerabilities that affect them, is the next step in this effort. It is an officially supported client for the OSV database.

Scanners provide this automated capability by comparing your code and dependencies against databases of known vulnerabilities and then telling you whether any patches or updates are required. Because scanners offer such substantial benefits to project security, the 2021 U.S. Executive Order on Cybersecurity named this kind of automation as a prerequisite for national standards on secure software development.

OSV-Scanner bridges the gap between a developer’s list of packages and the information held in vulnerability databases by producing trustworthy, high-quality vulnerability data. Because the OSV.dev database is distributed and open source, it has several advantages over closed source advisory databases and scanners.

OSV-Scanner first identifies all the transitive dependencies used in your project by examining manifests, SBOMs, and commit hashes. It then matches this data against the OSV database and reports the vulnerabilities relevant to your project.
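The two steps described above (turning a project's resolved dependency list into OSV queries, then checking each pinned version against the affected ranges in OSV-schema advisories) can be illustrated with the following added example. It is not code from the article or from the OSV-Scanner project; the requirements file, the advisory records and their `OSV-EXAMPLE-*` identifiers are all constructed here, and the matching is a simplified model of the OSV schema's `introduced`/`fixed`/`last_affected` events rather than the scanner's full implementation.

```python
"""Added example (not from the article or the OSV project): a minimal model of
the matching step a dependency scanner performs against OSV-schema advisories.

Assumptions: pip-style '==' pins in the PyPI ecosystem, constructed advisory
records laid out like OSV.dev entries, and placeholder advisory IDs."""
import re

# Constructed manifest standing in for a real lockfile.
REQUIREMENTS_TXT = """\
# constructed sample, not a real project
requests==2.25.1
urllib3==1.26.5
idna==3.4
"""

# Constructed OSV-schema records; the IDs and ranges are invented for the demo.
ADVISORIES = [
    {
        "id": "OSV-EXAMPLE-0001",  # placeholder, not a real advisory
        "summary": "constructed: example issue in requests",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "requests"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.26.0"}]}],
        }],
    },
    {
        "id": "OSV-EXAMPLE-0002",  # placeholder: pinned version equals the fix
        "summary": "constructed: example issue in urllib3",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "urllib3"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "1.26.0"}, {"fixed": "1.26.5"}]}],
        }],
    },
    {
        "id": "OSV-EXAMPLE-0003",  # placeholder: explicit version list, no range
        "summary": "constructed: example issue in idna",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "idna"},
            "versions": ["3.2", "3.3"],
        }],
    },
]


def parse_requirements(text: str) -> list:
    """Extract (name, version) pairs from '==' pins; comments and blanks are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def version_key(v: str) -> tuple:
    """Numeric tuple for ordering dotted versions (sufficient for this example)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def build_querybatch(pins: list) -> dict:
    """Body shape used by OSV's /v1/querybatch endpoint (built here, not sent)."""
    return {"queries": [{"package": {"ecosystem": "PyPI", "name": n}, "version": v}
                        for n, v in pins]}


def version_in_range(version: str, events: list) -> bool:
    """Walk the events in version order; a version is affected if the most recent
    event at or below it is 'introduced' ('fixed' is exclusive, 'last_affected'
    is inclusive)."""
    vk = version_key(version)
    ordered = sorted(events, key=lambda e: version_key(next(iter(e.values()))))
    affected = False
    for ev in ordered:
        if "introduced" in ev and (ev["introduced"] == "0" or version_key(ev["introduced"]) <= vk):
            affected = True
        elif "fixed" in ev and version_key(ev["fixed"]) <= vk:
            affected = False
        elif "last_affected" in ev and version_key(ev["last_affected"]) < vk:
            affected = False
    return affected


def is_affected(name: str, version: str, advisory: dict) -> bool:
    """True if the advisory lists this PyPI package and version as affected."""
    for aff in advisory["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != "PyPI" or pkg["name"].lower() != name:
            continue
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng["type"] in ("ECOSYSTEM", "SEMVER") and version_in_range(version, rng["events"]):
                return True
    return False


def scan(requirements_text: str, advisories: list) -> dict:
    """Return {(name, version): [advisory ids]} for the pins that are affected."""
    findings = {}
    for name, version in parse_requirements(requirements_text):
        hits = [a["id"] for a in advisories if is_affected(name, version, a)]
        if hits:
            findings[(name, version)] = hits
    return findings


if __name__ == "__main__":
    for (name, version), ids in scan(REQUIREMENTS_TXT, ADVISORIES).items():
        print(f"{name}=={version}: {', '.join(ids)}")
```

Only `requests==2.25.1` is reported: `urllib3==1.26.5` sits exactly on its `fixed` boundary, which the OSV schema treats as no longer affected, and `idna==3.4` is outside the advisory's explicit version list. Those two boundary cases are the ones a hand-written matcher most often gets wrong, which is a good reason to let the scanner's official client do the matching against the live database rather than reimplementing it.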

Information Security Experts Weigh in

Experts in information security offer their perspectives on this story and on how businesses like Google can use their resources for the benefit of the entire open source ecosystem. Read the response below.

Josep Prat, Open Source Engineering Director
December 14, 2022 9:42 pm

“Google’s release of its free open source security scanner is a sign of the times. This year, we’ve seen big tech and hyperscalers become more active participants in open source, realising the benefits of agility and scalability it offers. It’s great to see these organisations use their resources for the benefit of the whole open source ecosystem.

“Google has been stepping up its role in open source more than many other organisations. In 2022 alone, Aiven’s research found that Google’s monthly commits to GitHub were up 20% compared to 2021 and Google’s active GitHub contributors overtook Microsoft’s contributions by 200+.

“There is a huge amount of innovation happening in open source that benefits everyone. Google continues to strengthen its position as a leading figure in the open source space, and this is a great example of this. This project is not there for the benefit of Google, but to support the whole Open Source ecosystem. Thanks to tools like https://osv.dev/ maintainers now have more and better tools to keep software up-to-date and free of known vulnerabilities. It’s time other organisations follow in their footsteps, giving back to open source and being stewards of the community.”
