Google has released a new free tool that allows open-source developers to more easily access vulnerability information relevant to their projects.
The Go-based tool — called OSV-Scanner — provides an automated capability to match a developer’s code and dependencies against lists of known vulnerabilities and deliver instant feedback if patches or updates are needed.
Software projects are usually built on top of a mountain of dependencies — instead of starting from zero, developers incorporate external software libraries into the projects and add additional functionalities. However, open-source packages often contain undocumented pieces of code that are pulled from other libraries. This practice creates what are known as “transitive dependencies” in software, and means it may contain multiple layers of vulnerability that are hard to track manually.
Indeed, transitive dependencies have become a growing source of open-source security risk over the past year. A recent report by Endor Labs found that 95% of open-source vulnerabilities are found in transitive or indirect dependencies, and another separate report by Sonatype also highlighted that transitive dependencies account for six of every seven vulnerabilities affecting open source.
According to Google, the new tool will start with finding these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and commit hashes. It will then connect with the Open Source Vulnerability (OSV) database to display relevant vulnerabilities.
“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases,” Rex Pan, software engineer at Google Open Source security team, said in the blog post.
Since anyone can improve advisories, Pan said that the OSV.dev service has a high-quality database compared with alternative closed-source advisory databases and scanners. In addition, the OSV format unambiguously stores information on affected versions in a machine-readable format that can accurately map onto a developer’s list of packages. All these features can help contribute to fewer and more actionable vulnerability notifications, making the patching process more efficient.
As for the next step, Google said it is working to improve C/C++ vulnerability support while adding unique features to OSV-Scanner, such as the function of automatically remediating vulnerabilities by suggesting minimal version bumps that provide the maximal impact.
