Free Google tool scans open source code for vulnerabilities  

Google released in December a free tool for open-source developers to easily find vulnerability information. OSV-Scanner provides an interface to the OSV database that connects a project’s dependency list with vulnerabilities that potentially affect the project.

This is a new phase of two other recent Google ventures aimed at improving vulnerability screening for developers and users of open-source software. One was the publication of the security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html" target="_blank" rel="noreferrer noopener">Open Source Vulnerability (OSV) schema, a database that brings together thousands of vulnerabilities from 16 ecosystems, including OSS-Fuzz, Go, Rust, Python and DWF. The other initiative was the launch of the OSV.dev service, which allows different open-source ecosystems and vulnerability databases to publish and consume information in a simple, accurate and machine-readable format.

In general, software projects have numerous dependencies; external libraries are incorporated to add functionality without having to develop them from scratch. These dependencies may contain vulnerabilities previously known or discovered after the software development. Manually controlling all these dependencies, their versions, and their vulnerabilities is an error-prone and inefficient task, so it is necessary to automate it.

This is where so-called scanners can help. They have automated features that compare code and its dependencies against lists of vulnerabilities and notify you of patches or updates when required. To give you an idea of the importance of this kind of activity, the United States’ Executive Order for Cybersecurity 2021 included this kind of automation as a requirement for national standards for secure software development.

Specifically, in the case of OSV-Scanner, because the OSV.dev database used for querying is open source and distributed, it has several benefits compared to closed-source advisory bases and scanners, according to Google. For example, each vulnerability notice comes from an open and authoritative source. Anyone can suggest improvements to the advisories, helping to maintain a high-quality database. In addition, the OSV format is machine-readable.

OSV-Scanner first finds the dependencies of the software in question and then connects this information with the OSV database to display relevant weaknesses in the project. As the tool is integrated into the OpenSSF Scorecard, the analysis will also consider the vulnerabilities of the 1.2 million projects regularly assessed by the Scorecard.

In all, the OSV.dev service, the working basis of the OSV-Scanner tool, brings together 16 ecosystems, including the main Linux languages, systems and distributions, making it the most prominent open-source vulnerability database, according to Google, with a total of more than 38,000 alerts.

What’s coming up?

Google’s plans for OSV-Scanner are not just to offer it as a simple scanner but to develop an excellent vulnerability management tool that will also help minimize the burden of fixing known bugs.

In the first stage, the intention is to integrate the tool with developers’ workflows, allowing easy configuration and scheduling to track the emergence of vulnerabilities.

In addition, it aspires to improve vulnerability compatibility for C/C++ languages, which, in Google’s view, is one of the most difficult ecosystems regarding vulnerability management due to the lack of a canonical package manager to identify C/C++ code.

Google also wants to add unique features to OSV-Scanner, such as the ability to use vulnerability information at the function level by analysing call graphs and possibly fixing vulnerabilities automatically by suggesting minimal changes.

OSV-Scanner can be downloaded from osv.dev. Another option is to run the tool automatically with GitHub project using Scorecard.