OSV-Scanner: A free vulnerability scanner for open-source software

2022-12-14 14:12

After releasing the Open Source Vulnerabilities database in February, Google has launched the OSV-Scanner, a free command line vulnerability scanner that open source developers can use to check for vulnerabilities in their projects' dependencies.

Finding vulnerabilities in open-source dependencies.

"OSV.dev allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine readable format," explained Rex Pan, a software engineer with the Google Open Source Security Team.

"Altogether OSV.dev now supports 16 ecosystems, including all major language ecosystems, Linux distributions, as well as Android, Linux Kernel, and OSS-Fuzz. This means the OSV.dev database is now the biggest open source vulnerability database of its kind, with a total of over 38,000 advisories from 15,000 advisories a year ago."

The tool can be configured to ignore specific vulnerabilities.

Google plans to turn OSV-Scanner into a full-fledged vulnerability management tool by further integrating with developer workflows, adding features such as automatic remediation of vulnerabilities by making minimal version bumps, and by improving C/C++ vulnerability support.

News URL

https://www.helpnetsecurity.com/2022/12/14/vulnerabilities-open-source-dependencies/

#opensource #vulnerability