Google just launched a new tool called OSV-Scanner, a free and open source tool that gives developers easy access to information about vulnerabilities related to their project.
In 2021, Google launched the OSV.dev service, an open source distributed vulnerability database allowing diverse open source ecosystems and vulnerability databases to publish and use information in a single machine-readable format.
According to Google, OSV-Scanner now provides an officially supported overlay to this OSV database that combines a list of project dependencies with the vulnerabilities that affect them.
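The overlay described above, as an added example that is not OSV-Scanner's own code: a dependency list (the shape a lockfile yields) is matched against advisories written in the OSV schema's `affected`/`ranges`/`events` fields. Both the dependencies and the advisories are constructed, and the advisory IDs are placeholders.

```python
# Constructed dependency list, as a lockfile parser would produce it.
DEPENDENCIES = [
    {"ecosystem": "PyPI", "name": "examplelib", "version": "1.4.0"},
    {"ecosystem": "PyPI", "name": "examplelib", "version": "1.5.2"},
    {"ecosystem": "crates.io", "name": "samplecrate", "version": "0.3.1"},
]

# Constructed advisories in the OSV schema: an affected package is described
# either by ordered introduced/fixed range events or by an explicit version list.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001",
     "summary": "constructed: issue in examplelib before 1.5.0",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.0.0"},
                                          {"fixed": "1.5.0"}]}]}]},
    {"id": "EXAMPLE-2022-0002",
     "summary": "constructed: issue in samplecrate, explicit versions",
     "affected": [{"package": {"ecosystem": "crates.io", "name": "samplecrate"},
                   "versions": ["0.3.0", "0.3.1"]}]},
]

def parse_version(text):
    """Dotted numeric version -> comparable tuple ("0" means 'from the start')."""
    return tuple(int(part) for part in text.split("."))

def in_range(version, events):
    """Walk the ordered events: a version is affected if the most recent event
    at or below it is an 'introduced' rather than a 'fixed'."""
    affected = False
    for event in events:
        if "introduced" in event and version >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and version >= parse_version(event["fixed"]):
            affected = False
    return affected

def matches(dep, affected):
    """True if one 'affected' entry of an advisory covers this dependency."""
    pkg = affected["package"]
    if (pkg["ecosystem"], pkg["name"]) != (dep["ecosystem"], dep["name"]):
        return False
    if dep["version"] in affected.get("versions", []):
        return True
    version = parse_version(dep["version"])
    return any(in_range(version, r["events"]) for r in affected.get("ranges", []))

def scan(dependencies, advisories):
    """Map (name, version) -> advisory IDs for every affected dependency."""
    findings = {}
    for dep in dependencies:
        ids = [adv["id"] for adv in advisories
               if any(matches(dep, a) for a in adv["affected"])]
        if ids:
            findings[(dep["name"], dep["version"])] = ids
    return findings
```

In practice the scanner sends the package/version pairs to the OSV.dev service rather than holding advisories locally; the matching rule shown here is the same.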
What else does it offer?
OSV-Scanner is also integrated with the OpenSSF Scorecard Vulnerabilities Check tool, which means it can extend the analysis from a project's own direct vulnerabilities to vulnerabilities in all of its dependencies.
According to Google, automation matters here because software projects often pull in many third-party dependencies from external libraries, in far too many versions to track manually.
Additionally, each vulnerability advisory comes from an “open and authoritative source,” such as the RustSec Advisory Database.
Google says that anyone can suggest improvements to the advisories, which keeps the database at a very high quality.
If you are interested in trying OSV-Scanner, you can go to the OSV-Scanner website and follow the instructions, or read the guide on GitHub.
It is no wonder Google wants to dedicate resources to open source security: open source vulnerabilities remain a key entry point for attackers to find their way into systems.
In fact, a report by cybersecurity firm Snyk, in partnership with the Linux Foundation, found that two out of five (41%) companies are unsure about the security of their open source code.
This lack of trust hinders adoption of the technology in many cases. The number of companies willing to implement open source software in their production environments has actually decreased by 5%, from 95% in 2021 to 90% this year.