Google debuts OSV-Scanner – a Go tool for finding security holes in open source

Google this week released OSV-Scanner – an open source vulnerability scanner linked to the OSV.dev database that debuted last year.

Written in the Go programming language, OSV-Scanner is designed to scan open source applications to assess the security of any incorporated dependencies – software libraries that get added to projects to provide pre-built functions so developers don't have to recreate those functions on their own.

Modern applications can have a lot of dependencies. For example, researchers from Mozilla and Concordia University in Canada recently created a single-page web application with the React framework using the create-react-app command. The result was a project with seven runtime dependencies and nine development dependencies.

But each of these direct dependencies had other dependencies, known as transitive dependencies. The react package includes loose-envify as a transitive dependency – one that itself depends on other libraries. All told, this basic single-page "Hello world" app required a total of 1,764 dependencies [PDF].

As Rex Pan, a software engineer on Google's Open Source Security Team, observed on Tuesday in a blog post, vetting thousands of dependences isn't something developers can do on their own.

"Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time," he wrote. "There are simply too many dependencies and versions to keep track of manually, so automation is required."

• Auto vulnerability scanners turn up mostly false positives
• Uncle Sam orders federal agencies to step up scans for govt IT security holes
• GitHub's Dependabot learns to report bad news you can use
• DARPA slaps $2m on the bar for the ULTIMATE security bug SLAYER

Automated security scanning is also recommended as best practice in the May 12, 2021 US Executive Order, "Improving the Nation's Cybersecurity."

Running OSV-Scanner on an application produces a list of direct and transitive dependencies with known vulnerabilities, which the application developer then may be able to address by specifying safe versions of packages, if available and compatible.

It's similar to JavaScript-focused tools like npm audit or Socket, but covers a broader set of packaging systems. These include: Android, crates.io, Debian GNU/Linux, GitHub Actions, Go, Hex, Linux kernel, Maven, npm, NuGet, OSS-Fuzz, Packagist, Pub, PyPI, and RubyGems.

Vendors such as Checkmarx also offer dependency-detection services and products.

OSV-Scanner pulls vulnerability data from the OSV.dev database, introduced last year to make vulnerability information more comprehensive and more accessible. It complements other open source security initiatives from The Chocolate Factory like the company's Open Source Vulnerability format and its SLSA framework for defending against supply chain attacks.

According to Pan, the OSV.dev database is now the largest open source vulnerability database of its kind, weighing in at 38,000 advisories – more than twice the number of listings a year ago.

Looking ahead, Pan says Google wants to upgrade OSV-Scanner from a straightforward scanner into a vulnerability management tool. This is likely to involve the development of continuous integration actions that facilitate setup and scan scheduling, C/C++ support (a challenge due to the lack of a standard package manager), function-level vulnerability information via call graph analysis, and automatic vulnerability mitigation (along the lines of npm audit fix). ®