Vulnerability Management, DevSecOps, Supply chain

Google launches new tool to identify open source vulnerabilities  

A sign is posted in front of a Google office

Google has released a new free tool that allows open-source developers to more easily access vulnerability information relevant to their projects.  

The Go-based tool — called OSV-Scanner — provides an automated capability to match a developer’s code and dependencies against lists of known vulnerabilities and deliver instant feedback if patches or updates are needed.  

Software projects are usually built on top of a mountain of dependencies — instead of starting from zero, developers incorporate external software libraries into the projects and add additional functionalities. However, open-source packages often contain undocumented pieces of code that are pulled from other libraries. This practice creates what are known as “transitive dependencies” in software, and means it may contain multiple layers of vulnerability that are hard to track manually.  

Indeed, transitive dependencies have become a growing source of open-source security risk over the past year. A recent report by Endor Labs found that 95% of open-source vulnerabilities are found in transitive or indirect dependencies, and another separate report by Sonatype also highlighted that transitive dependencies account for six of every seven vulnerabilities affecting open source.  

According to Google, the new tool will start with finding these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and commit hashes. It will then connect with the Open Source Vulnerability (OSV) database to display relevant vulnerabilities.  

“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases,” Rex Pan, software engineer at Google Open Source security team, said in the blog post.  

Since anyone can improve advisories, Pan said that the service has a high-quality database compared with alternative closed-source advisory databases and scanners. In addition, the OSV format unambiguously stores information on affected versions in a machine-readable format that can accurately map onto a developer’s list of packages. All these features can help contribute to fewer and more actionable vulnerability notifications, making the patching process more efficient.  

As for the next step, Google said it is working to improve C/C++ vulnerability support while adding unique features to OSV-Scanner, such as the function of automatically remediating vulnerabilities by suggesting minimal version bumps that provide the maximal impact. 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.