This week, Google announced a new tool to help open-source developers detect possible vulnerabilities in their projects. The tool is called OSV-Scanner and is available on GitHub. Google had earlier published the Open Source Vulnerability (OSV) schema and launched the OSV.dev service (an open-source vulnerability database), so the scanner is a further tool that helps developers make their software safer.
OSV-Scanner is designed to track all possible security flaws in every component a piece of software uses. The tool is useful because much software pulls in external libraries to implement functionality rather than developing it from scratch. Each of those libraries may carry known or newly discovered vulnerabilities, and the more dependencies a project has, the harder it becomes to track them manually.
According to the Google Blog, the tool uses information from open, authoritative sources that accept contributions from anyone. Currently, the database contains over 38 000 records covering major programming language ecosystems, the Linux kernel, Linux distributions, and Android. The information is stored in the machine-readable OSV format.
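As an added example (not code from the article or from the OSV-Scanner project), the following Python sketches the core of what such a scanner does: match a dependency list against records in the OSV format and report which dependency versions fall inside an advisory's affected ranges. The advisory record and the package name `demo-lib` are constructed for illustration, and version comparison is simplified to dotted numeric versions.

```python
from typing import Dict, List, Tuple

# Constructed OSV-format record; the id is a placeholder, not a real advisory.
SAMPLE_OSV_RECORDS = [{
    "id": "EXAMPLE-0000-0001",
    "summary": "Constructed example advisory for demo-lib (not a real package)",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "demo-lib"},
                  "ranges": [{"type": "SEMVER",
                              "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}]}],
}]

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Simplification: pre-release and build tags are not handled."""
    return tuple(int(p) for p in v.split("."))

def version_affected(version: str, events: List[Dict[str, str]]) -> bool:
    """Walk an OSV SEMVER events list: 'introduced' opens an affected interval, 'fixed'
    closes it (exclusive), 'last_affected' closes it (inclusive); an unclosed interval is open-ended."""
    ver = parse_version(version)
    lower = None
    for event in events:
        if "introduced" in event:
            intro = event["introduced"]
            lower = (0,) if intro == "0" else parse_version(intro)  # "0" means since the first version
        elif "fixed" in event or "last_affected" in event:
            if lower is not None and ver >= lower:
                if "fixed" in event and ver < parse_version(event["fixed"]):
                    return True
                if "last_affected" in event and ver <= parse_version(event["last_affected"]):
                    return True
            lower = None
    return lower is not None and ver >= lower

def scan_dependencies(deps: List[Tuple[str, str, str]], records: List[dict]) -> List[Tuple[str, str, str]]:
    """deps holds (ecosystem, name, version) triples; returns (name, version, advisory id) hits.
    Only SEMVER ranges and explicit 'versions' lists are matched; ECOSYSTEM and GIT ranges
    need ecosystem-specific comparison and are skipped in this simplified matcher."""
    findings = []
    for ecosystem, name, version in deps:
        for rec in records:
            for aff in rec.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                    continue
                hit = version in aff.get("versions", []) or any(
                    r.get("type") == "SEMVER" and version_affected(version, r.get("events", []))
                    for r in aff.get("ranges", []))
                if hit:
                    findings.append((name, version, rec["id"]))
    return findings
```

Calling `scan_dependencies([("PyPI", "demo-lib", "1.2.0"), ("PyPI", "demo-lib", "1.4.2")], SAMPLE_OSV_RECORDS)` flags only the 1.2.0 entry, since the fixed version itself is outside the affected interval.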
Detailed information on how to run the tool is available on GitHub. It is also already integrated into the OpenSSF Scorecard's Vulnerabilities check, so projects monitored by Scorecard are scanned as well.