Google has released OSV-Scanner, an open source tool for the Open Source Vulnerability (OSV) database. It assesses a project’s dependencies against the OSV database, displaying all vulnerabilities associated with the project.
When started on a project, OSV-Scanner first determines all dependencies in use by analyzing manifests and software bills of materials (SBOMs). This information is used to query the OSV database and report any vulnerabilities associated with the project. Vulnerabilities are reported either in a tabular format or optionally in the JSON-based OSV format.
Oliver Chang, a senior staff engineer at Google, and Russ Cox, an engineer at Google, say this approach can be used to describe vulnerabilities in any open source ecosystem while not requiring ecosystem-dependent logic to handle them.
The OSV format provides a machine-readable JSON schema for representing vulnerability information. The format is designed to enforce a version specification that matches the names and schemas used in actual open source packages.
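The scan pipeline described above (parse a manifest, query OSV per package and version, read the OSV-format entries, report as a table or JSON), as an added Python example that is not OSV-Scanner's own code. The `/v1/query` endpoint and the OSV schema fields (`affected`, `ranges`, `events`) are real; the requirements file, the response entry and the `lookup` stand-in for the HTTP call are constructed.

```python
import re

# Constructed sample input (not from the page): a pinned requirements.txt.
SAMPLE_REQUIREMENTS = "# web stack\nrequests==2.25.1\njinja2==2.11.2\n"

# Constructed stand-in for POST https://api.osv.dev/v1/query responses, keyed by
# (name, version); the endpoint is real, the entry is made up in OSV schema shape.
SAMPLE_RESPONSES = {("jinja2", "2.11.2"): {"vulns": [{
    "id": "EXAMPLE-0001",
    "summary": "Example template sandbox issue (constructed entry)",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "jinja2"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [
                      {"introduced": "0"}, {"fixed": "2.11.3"}]}]}]}]}}

def parse_requirements(text):
    """Extract (name, version) pairs from pinned `name==version` lines."""
    deps = []
    for line in text.splitlines():
        m = re.match(r"^([\w.\-]+)==([^\s;]+)", line.split("#", 1)[0].strip())
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps

def osv_query(name, version, ecosystem="PyPI"):
    """Request body for /v1/query; the API returns only vulns matching the version."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}

def fixed_versions(vuln, name):
    """Collect 'fixed' events from ECOSYSTEM ranges that affect this package."""
    return [e["fixed"] for aff in vuln.get("affected", [])
            if aff.get("package", {}).get("name", "").lower() == name
            for rng in aff.get("ranges", []) if rng.get("type") == "ECOSYSTEM"
            for e in rng.get("events", []) if "fixed" in e]

def scan(requirements_text, lookup):
    """Map dependencies to findings; `lookup(key)` stands in for the HTTP call."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        q = osv_query(name, version)
        resp = lookup((q["package"]["name"], q["version"])) or {"vulns": []}
        findings += [{"id": v["id"], "package": name, "version": version,
                      "fixed": fixed_versions(v, name), "summary": v.get("summary", "")}
                     for v in resp["vulns"]]
    return findings

def render_table(findings):
    """Human-readable table; the findings list itself is the JSON-serialisable form."""
    rows = ["ID | PACKAGE | VERSION | FIXED IN | SUMMARY"]
    rows += [f"{f['id']} | {f['package']} | {f['version']} | "
             f"{','.join(f['fixed']) or '-'} | {f['summary']}" for f in findings]
    return "\n".join(rows)
```

Calling `render_table(scan(SAMPLE_REQUIREMENTS, SAMPLE_RESPONSES.get))` prints one row for jinja2 with fixed version 2.11.3 and none for requests.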
Rex Pan, a software engineer at Google, says the team aims to improve C and C++ support by building a high-quality database of C/C++ vulnerabilities, adding accurate commit-level metadata to CVEs.
That’s not all. OSV-Scanner is also integrated into the OpenSSF Vulnerability Scorecard.