Google recently released OSV-Scanner, a tool that gives open source developers an easy way to check code and applications for unpatched vulnerabilities, taking into account the entire chain of dependencies associated with the code.
OSV-Scanner can detect situations in which an application becomes vulnerable because of a problem in one of the libraries it uses as a dependency, including the case where the vulnerable library is used indirectly, i.e., pulled in through another dependency.
Last year, we undertook an effort to improve vulnerability classification for developers and consumers of open source software. This involved the publication of the open source vulnerability schema (OSV) and the launch of the OSV.dev service, the first distributed open source vulnerability database. OSV enables all the different open source ecosystems and vulnerability databases to publish and consume information in a simple, accurate, and machine-readable format.
Software projects are often built on top of a mountain of dependencies: instead of starting from scratch, developers incorporate external software libraries into their projects to add functionality. However, open source packages often contain undocumented code snippets that are extracted from other libraries. This practice creates what is known as “transitive dependencies” in software and means that it may contain multiple layers of vulnerability that are difficult to trace manually.
Transitive dependencies have become a growing source of open source security risk over the last year. A recent report from Endor Labs found that 95% of open source vulnerabilities are in transitive or indirect dependencies, and a separate report from Sonatype also highlighted that transitive dependencies account for six out of seven vulnerabilities affecting open source.
According to Google, the new tool will start by looking for these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and commit hashes. It will then connect to the open source vulnerability database (OSV) to display relevant vulnerabilities.
OSV-Scanner can recursively scan a directory tree, identifying projects and applications by the presence of git directories (vulnerabilities are determined through commit hash analysis), SBOM files (Software Bill of Materials in SPDX and CycloneDX formats), manifests, or lock files from package managers such as Yarn, npm, Gem, pip, and Cargo. It also supports scanning the contents of Docker container images built from packages in the Debian repositories.
The OSV-Scanner is the next step in this effort, as it provides an officially supported interface to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them.
The OSV database records the fix status of each problem, the commits that introduced and fixed the vulnerability, the range of versions affected by it, links to the project repository with the code, and the issue report. The provided API lets you trace a vulnerability down to the commit and tag level and analyze exposure to the issue in derivative products and dependencies.
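As an added example (not OSV-Scanner's own code), the following Python mimics the core matching step described above: it reads pinned dependencies from a constructed requirements.txt-style lock file and evaluates each version against the ordered introduced/fixed/last_affected events of an OSV record's affected ranges. The advisory id, package and versions are constructed placeholders, and versions are assumed to be plain dotted numbers.

```python
# Constructed sample inputs (placeholders, not a real advisory), shaped like the OSV schema.
LOCKFILE = """# constructed requirements.txt
requests==2.27.1
urllib3==1.26.4
"""
OSV_RECORD = {
    "id": "OSV-EXAMPLE-0001",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "urllib3"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [
                      {"introduced": "0"}, {"fixed": "1.26.5"},
                      {"introduced": "2.0.0"}, {"fixed": "2.0.7"}]}]}],
}

def parse_lockfile(text):
    """[(name, version)] from the 'name==version' lines of a requirements.txt."""
    pins = (ln.split("#", 1)[0].strip().split("==", 1) for ln in text.splitlines())
    return [(n.strip().lower(), v.strip()) for n, v in (p for p in pins if len(p) == 2)]

def vkey(v):
    return tuple(int(x) for x in v.split("."))  # assumption: numeric dotted versions only

def is_affected(version, ranges):
    """OSV events are ordered: 'introduced' opens an affected interval ("0" means from
    the first release), 'fixed' closes it exclusively, 'last_affected' inclusively."""
    v = vkey(version)
    for rng in ranges:
        start = None
        for ev in rng["events"] + [{}]:  # empty sentinel closes an open-ended interval
            if "introduced" in ev:
                start = ev["introduced"]
                continue
            if start is None:
                continue
            lo_ok = start == "0" or v >= vkey(start)
            hi_ok = (not ev or ("fixed" in ev and v < vkey(ev["fixed"]))
                     or ("last_affected" in ev and v <= vkey(ev["last_affected"])))
            if lo_ok and hi_ok:
                return True
            start = None
    return False

def scan(lockfile_text, records):
    """Match each pinned dependency against the records; return (name, version, osv id)."""
    hits = []
    for name, version in parse_lockfile(lockfile_text):
        for rec in records:
            for aff in rec["affected"]:
                if aff["package"]["name"].lower() == name and is_affected(version, aff["ranges"]):
                    hits.append((name, version, rec["id"]))
    return hits
```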
Finally, it is worth mentioning that the project code is written in Go and is distributed under the Apache 2.0 license. You can check more details about it at the following link.
Developers can download and try OSV-Scanner from the osv.dev website or use the OpenSSF Scorecard vulnerability check to automatically run the scanner in a GitHub project.