Google has just launched a new tool called OSV-Scanner, a free open source tool it says gives developers easy access to vulnerability information relevant to their project.
In 2021, Google launched the OSV.dev service, a distributed open-source vulnerability database, enabling a variety of open-source ecosystems and vulnerability databases to publish and consume information in one machine-readable format.
According to Google, the OSV-Scanner now provides an officially supported frontend to this OSV database, which connects a project’s list of dependencies with the vulnerabilities that affect them.
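To make concrete what "connecting a dependency list with the vulnerabilities that affect them" means, here is an added example (not Google's OSV-Scanner code) that matches a project's dependencies against advisories written in the OSV schema. The advisory, its id and the package name are constructed for illustration, and version comparison is simplified to dotted integers.

```python
"""Minimal matcher for OSV-format advisories against a dependency list.
Added illustration, not OSV-Scanner's implementation. The OSV schema
fields used (id, affected, package, ecosystem, ranges, events with
introduced/fixed) are real; the advisory content is constructed."""

# Constructed sample advisory (id and package name are made up).
ADVISORIES = [
    {
        "id": "EXAMPLE-2022-0001",
        "summary": "Example: unsafe deserialization in fakelib",
        "affected": [
            {
                "package": {"ecosystem": "PyPI", "name": "fakelib"},
                "ranges": [
                    {"type": "ECOSYSTEM",
                     "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}
                ],
            }
        ],
    }
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple ('1.4.1' -> (1, 4, 1)).
    Simplification: no pre-release or build metadata handling."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, events: list) -> bool:
    """Walk an OSV events list (ascending order): a version is affected
    once an 'introduced' bound is reached and until a 'fixed' bound."""
    v = parse_version(version)
    vulnerable = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or v >= parse_version(ev["introduced"]):
                vulnerable = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            vulnerable = False
    return vulnerable


def scan(deps: dict, advisories=ADVISORIES) -> list:
    """deps maps (ecosystem, name) -> installed version.
    Returns (advisory id, package, version) for every affected dependency."""
    hits = []
    for adv in advisories:
        for aff in adv["affected"]:
            key = (aff["package"]["ecosystem"], aff["package"]["name"])
            if key in deps and any(in_range(deps[key], r["events"])
                                   for r in aff["ranges"]):
                hits.append((adv["id"], key[1], deps[key]))
    return hits
```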
What else does this offer?
OSV-Scanner is apparently integrated into the OpenSSF’s Scorecard Vulnerabilities check, which means it will be able to extend the analysis from just a project’s direct vulnerabilities to also include vulnerabilities in all its dependencies.
Since software projects often pull in many third-party dependencies from outside software libraries, with too many different versions to keep track of manually, Google argues that automation is needed to keep them secure.
In addition, each vulnerability advisory comes from an “open and authoritative source”, for example, the RustSec Advisory Database.
Google says anyone can suggest improvements to advisories, resulting in a very high-quality database.
It’s not surprising that Google is looking to pour resources into open source security: open source vulnerabilities remain a key entry point for hackers to find their way into systems.
In fact, a report from cybersecurity company Snyk, in conjunction with the Linux Foundation, found that two in five (41%) firms are not confident in the security of their open-source code.
This lack of trust is handicapping adoption of the technology in many cases: the number of companies willing to deploy open-source software within their production environments actually fell 5%, from 95% in 2021 to 90% this year.