Google launches a dev tool that lists vulnerabilities in project dependencies

Google’s OSV Scanner is a brand new tool for developers that allows them to check for potential vulnerabilities in the open-source software dependencies they use in their projects.

To provide relevant information on known security problems affecting open-source software, the scanner uses data from OSV.dev.

Issues with open-source code

Developers of open-source software often rely on existing tools, libraries and components in their projects, which can lead to quicker development of complex solutions.

These building blocks can be crucial to the program’s core functionality and give it capabilities that would otherwise be impractical to implement from scratch.

These open-source code components can be vulnerable to security flaws just like any other code. These flaws can also be passed on to others when they are incorporated into other software projects.

In large programs with many dependencies, it can be difficult to track security problems and to evaluate their possible impact on the program.

Consider also that most dependencies themselves depend on other packages, so a vulnerability may arrive transitively, which makes tracking it even harder.

OSV scanner

Google’s OSV-Scanner automatically matches the dependencies within a software project against known vulnerabilities and notifies developers when security updates are required.

The announcement states that the OSV-Scanner “generates reliable and high-quality vulnerabilities information that closes a gap between a developer’s list of packages, and the information found in vulnerability databases.”

The scanner uses openly distributed advisories from reliable and authoritative sources, according to the .

[Figure: Example scan results (Google)]

OSV.dev currently supports 16 major ecosystems, such as Android, Debian Linux, Alpine, PyPI and OSS-Fuzz.

It is the largest open-source vulnerability database in the world, with 23,000 advisories as of 2022.

Google states that the next steps for OSV scanner are to enhance C/C++ vulnerability protection, tackle a complex software environment, and incorporate standalone CI actions in order to make scheduling scans easy.

In the future, OSV-Scanner may also recommend the minimal version bump needed to address a given security issue.
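To make concrete how a scanner closes the gap between a project’s package list and a vulnerability database (and where a minimal version-bump recommendation would come from), here is an added Python example; it is not OSV-Scanner’s own code and not from the announcement. A constructed requirements list is cross-referenced with a constructed advisory shaped like an OSV schema record, and each hit reports the `fixed` version that closes the affected range. The advisory, its ID, the package names and the simplified dotted-numeric version comparison are assumptions for illustration only.

```python
# Constructed sample advisory (not a real OSV.dev record) in the OSV schema shape OSV-Scanner reads.
SAMPLE_ADVISORY = {
    "id": "OSV-EXAMPLE-0001",
    "summary": "Constructed example: unsafe deserialization in examplelib",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [
                      {"introduced": "0"}, {"fixed": "1.4.2"},
                      {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}]}],
}
# Constructed pinned dependency list in requirements.txt style.
SAMPLE_REQUIREMENTS = "examplelib==1.3.0\nexamplelib-extras==0.9\nrequests==2.28.1\n"

def parse_version(v):  # dotted-numeric only; real scanners apply ecosystem-specific rules
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):  # pinned "name==version" lines -> {name: version}
    deps = {}
    for line in text.splitlines():
        name, sep, ver = line.split("#", 1)[0].partition("==")
        if sep:
            deps[name.strip().lower()] = ver.strip()
    return deps

def match_range(events, version):
    """Walk OSV introduced/fixed events; return (affected?, fixed version or None if unfixed)."""
    v, introduced = parse_version(version), None
    for ev in events:
        if "introduced" in ev:
            introduced = parse_version(ev["introduced"])
        elif "fixed" in ev and introduced is not None:
            if introduced <= v < parse_version(ev["fixed"]):
                return True, ev["fixed"]
            introduced = None  # this range ends below the pinned version; keep looking
    return (True, None) if introduced is not None and v >= introduced else (False, None)

def scan(requirements, advisories, ecosystem="PyPI"):
    """Cross-reference pinned packages with advisories (GIT ranges are commit-keyed and skipped)."""
    deps, findings = parse_requirements(requirements), []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            pinned = deps.get(pkg.get("name", "").lower())
            if pkg.get("ecosystem") != ecosystem or pinned is None:
                continue
            for rng in (r for r in aff.get("ranges", []) if r.get("type") != "GIT"):
                hit, fixed = match_range(rng.get("events", []), pinned)
                if hit:
                    findings.append({"id": adv["id"], "package": pkg["name"],
                                     "version": pinned, "fixed": fixed})
    return findings
```

Running `scan(SAMPLE_REQUIREMENTS, [SAMPLE_ADVISORY])` flags examplelib 1.3.0 with `fixed` set to 1.4.2, the smallest upgrade that leaves the affected range; packages absent from the advisory produce no finding.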

OSV scanner is completely free and open to all.