Google Launches Scanner to Uncover Open Source Vulnerabilities

Securing the software supply chain is an increasingly complex and time-consuming challenge for enterprises. To help developers find vulnerability data for open source components, Google launched OSV-Scanner on Tuesday.

Modern software development requires managing multiple dependencies – software libraries and components that add functionality to the application without having to develop them from scratch. Developers need to be aware of vulnerabilities which may exist in the components, but the task is complicated by the fact that each dependency potentially contains other dependencies.

A new report from the Station 9 research team at Endor Labs found that 95% of all vulnerabilities in open source software are found in transitive dependencies – code packages that are indirectly pulled into projects by other dependencies. Developers need to be able to manage vulnerabilities in the dependencies they selected as well as in these transitive dependencies. To complicate matters even more, the same research report found that even the latest version of a package could still have known vulnerabilities.

Last year, Google launched the OSV.dev service, a distributed open source vulnerability database, to help developers with vulnerability management. OSV.dev encompasses 16 different open source ecosystems and vulnerability databases, with a total of 38,000 advisories. The idea is to use the service for vulnerability tracking, triage, and patch automation. Google's Rex Pan calls OSV-Scanner, which connects a project's list of dependencies with the vulnerabilities that affect them, the "next step" in managing open source vulnerabilities.

With OSV-Scanner, developers can match code and dependencies against a list of known vulnerabilities and identify any available patches or newer versions of the software component. The scanner identifies all the transitive dependencies being used by the project by analyzing software manifests, software bill of materials, and commit hashes. The scanner then connects to OSV.dev to display the known vulnerabilities in the project.

The information generated by the scanner "closes the gap between a developer's list of packages and the information in vulnerability databases," Pan wrote in the blog post announcing the new tool. Features such as the ability to utilize specific function level vulnerability information automated remediation will be available in the future, Pan wrote.

OSV-Scanner automates the discovery and patching of vulnerabilities in the software supply chain. The 2021 United States Executive Order for Cybersecurity specifically included automated tools "that check for known and potential vulnerabilities and remediate them" as a requirement for national standards on secure software development.

Developers can download and try out OSV-Scanner from the osv.dev website or use OpenSSF Scorecard's Vulnerabilities check to automatically run the scanner on a GitHub project, Google says.