OSV-Scanner, a vulnerability scanner from Google

OSV Scanner

OSV-Scanner works as a front end to the OSV.dev database

Google recently released OSV-Scanner, a tool that gives open source developers easy access to check for unpatched vulnerabilities in code and applications, taking into account the entire chain of dependencies associated with the code.

OSV-Scanner allows to detect situations in which an application becomes vulnerable due to problems in one of the libraries used as a dependency. In this case, the vulnerable library can be used indirectly, ie called via another dependency.

Last year, we undertook an effort to improve vulnerability classification for developers and consumers of open source software. This involved the publication of the open source vulnerability schema (OSV) and the launch of the OSV.dev service, the first distributed open source vulnerability database. OSV enables all the different open source ecosystems and vulnerability databases to publish and consume information in a simple, accurate, and machine-readable format.

Software projects are often built on top of a mountain of dependencies: instead of starting from scratch, the developers incorporate external software libraries in projects and add additional functionality. However, open source packageso often contain undocumented code snippets that are extracted from other libraries. This practice creates what is known as “transitive dependencies” in software and means that it may contain multiple layers of vulnerability that are difficult to trace manually.

Transitive dependencies have become a growing source of open source security risk over the last year. A recent report from Endor Labs found that 95% of open source vulnerabilities are in transitive or indirect dependencies, and a separate report from Sonatype also highlighted that transitive dependencies account for six out of seven vulnerabilities affecting open source.

According to Google, the new tool will start by looking for these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and commit hashes. It will then connect to the open source vulnerability database (OSV) to display relevant vulnerabilities.

OSV Scanner can auto scan recursively a directory tree, identifying projects and applications by the presence of git directories (information about vulnerabilities determined through commit hash analysis), SBOM (Software Bill Of Material in SPDX and CycloneDX formats) files, manifests, or block administrators from archive packages such as Yarn, NPM, GEM, PIP, and Cargo. It also supports scanning the padding of docker container images built based on packages from the Debian repositories.

The OSV-Scanner is the next step in this effort, as it provides an officially supported interface to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them.

La information about vulnerabilities is taken from the OSV database (Open Source Vulnerabilities), which covers information about security issues in Сrates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as Linux kernel vulnerability data and project vulnerability reports hosted on GitHub.

The OSV database reflects the problem correction status, confirmations with the appearance and correction of the vulnerability, the range of versions affected by the vulnerability, links to the project repository with the code and the notification of the problem. The provided API allows you to trace the manifestation of a vulnerability at the commit and tag level and analyze the exposure to the issue from derivative products and dependencies.

Finally it is worth mentioning that the project code is written in Go and is distributed under the Apache 2.0 license. You can check more details about it in the following link.

Developers can download and try OSV-Scanner from the osv.dev website or use the OpenSSF Scorecard vulnerability check  to automatically run the scanner in a GitHub project.

The content of the article adheres to our principles of editorial ethics. To report an error click here.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.