According to Google, the next steps for OSV Scanner are to improve support for C/C++ vulnerabilities, a very difficult software ecosystem to cover, and to add standalone CI actions so that scheduled scans are simple to set up. Later, OSV Scanner will also recommend the minimal version upgrade that fixes each discovered vulnerability.
A new tool from Google called OSV Scanner lets developers check the open source dependencies they use in their projects for known vulnerabilities. To report relevant, known security issues affecting open source code, the scanner draws on OSV.dev, the distributed vulnerability database for open source code that Google launched in February 2021.
Open source developers routinely build on existing tools, libraries and components, which speeds up the development of more complex software.
A program's core functionality often depends on these building blocks, which supply features that would otherwise have to be written from scratch.
Like any other code, these open source components can contain security flaws, and those flaws propagate into every project that includes them. For large projects with many dependencies, tracking the vulnerabilities that surface with each build and assessing their potential impact on the program itself becomes a difficult task.
The difficulty grows with the number of packages that must be assessed from a security standpoint, and with the fact that many of these dependencies have dependencies of their own.
Google's new OSV Scanner automatically matches all of a project's dependencies, including transitive ones, against known vulnerabilities and notifies developers when a security upgrade is required. Matching is performed on the deployed package versions, using publicly available advisories from reputable, authoritative sources that are published in the OSV format for vulnerability triage.
OSV.dev currently covers 16 major ecosystems, including the Linux kernel, Android, Debian, Alpine, PyPI, npm, OSS-Fuzz and Maven.
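As an added illustration of the matching step described above (example code, not Google's or the OSV Scanner project's own), the Python below checks a constructed dependency list against constructed advisories written in the OSV schema's `affected`/`ranges`/`events` layout and reports the smallest fixed version for each hit. The package names, versions and advisory IDs are placeholders, and version comparison is simplified to dotted integers.

```python
# Constructed dependency inventory, as a lockfile parser might emit it (placeholder names).
DEPENDENCIES = [
    {"ecosystem": "PyPI", "name": "examplepkg", "version": "1.4.0"},
    {"ecosystem": "npm", "name": "example-lib", "version": "2.0.1"},
]
# Constructed advisories in the OSV schema's affected/ranges/events layout (placeholder IDs).
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}]}]},
    {"id": "EXAMPLE-2022-0002", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.9.0"},
                                                     {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}]}]},
]

def parse_version(v):
    """Simplified dotted-integer comparison; real ecosystems need PEP 440 / semver rules."""
    return tuple(int(x) for x in v.split("."))

def is_affected(version, events):
    """Walk ascending OSV events: 'introduced' opens, 'fixed'/'last_affected' closes a vulnerable range."""
    v, vulnerable = parse_version(version), False
    for ev in events:
        if "introduced" in ev and parse_version(ev["introduced"]) <= v:
            vulnerable = True
        elif "fixed" in ev and parse_version(ev["fixed"]) <= v:
            vulnerable = False
        elif "last_affected" in ev and parse_version(ev["last_affected"]) < v:
            vulnerable = False
    return vulnerable

def minimal_fix(version, events):
    """Smallest 'fixed' version above the installed one: the least disruptive upgrade."""
    v = parse_version(version)
    fixes = [e["fixed"] for e in events if "fixed" in e and parse_version(e["fixed"]) > v]
    return min(fixes, key=parse_version) if fixes else None

def scan(dependencies, advisories):
    """Match each dependency against every advisory's affected packages and version ranges."""
    findings = []
    for dep in dependencies:
        for adv in advisories:
            for aff in adv["affected"]:
                if (aff["package"]["ecosystem"], aff["package"]["name"]) != (dep["ecosystem"], dep["name"]):
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] == "ECOSYSTEM" and is_affected(dep["version"], rng["events"]):
                        findings.append({"package": dep["name"], "version": dep["version"],
                                         "id": adv["id"], "fix": minimal_fix(dep["version"], rng["events"])})
    return findings
```

Running `scan(DEPENDENCIES, ADVISORIES)` flags both constructed dependencies, with `1.4.2` and `2.0.3` as the minimal fixed versions; a real scanner would additionally resolve transitive dependencies and use ecosystem-specific version ordering.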