Google this week released the OSV Scanner – an open-source vulnerability scanner linked to the OSV.dev database that debuted last year.
Written in the Go programming language, OSV-Scanner was designed to scan open-source applications to assess the security of all included dependencies – software libraries that are added to projects to provide pre-built functionality so developers don’t need to write those features themselves.
Modern applications can have many dependencies. For example, researchers from Mozilla and Concordia University in Canada recently created a single-page web application with the React framework using the create-react-app command. The result was a project with seven runtime dependencies and nine development dependencies.
But each of these direct dependencies had other dependencies called transitive dependencies. The React package includes loose-envify as a transitive dependency – one that itself depends on other libraries. All in all, this simple one-page “Hello World” app required a total of 1,764 dependencies [PDF].
As Rex Pan, a software engineer on Google’s open source security team, noted in a blog post Tuesday, checking thousands of dependencies isn’t something developers can do alone.
“Each dependency may contain existing known vulnerabilities or new vulnerabilities that could be discovered at any time,” he wrote. “There are just too many dependencies and versions to track manually, so automation is needed.”
Automated security scanning is also recommended as a best practice in the US Executive Order of May 12, 2021 “Improving the Nation’s Cybersecurity”.
When OSV-Scanner runs on an application, it creates a list of direct and transitive dependencies with known vulnerabilities, which the application developer can then potentially fix by specifying safe versions of packages where available and compatible.
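To make the two steps above concrete (enumerating direct and transitive dependencies, then matching each against advisory version ranges), here is an added example that is not OSV-Scanner's code. It walks a constructed npm-style lockfile and checks every reachable package against constructed advisories written in the OSV schema's `affected`/`ranges`/`events` shape; the advisory ids, package names and versions are all made up for illustration, and it also covers the case where an advisory has no fixed version yet.

```python
"""Added example (not OSV-Scanner's code): dependency walk plus OSV-style range matching."""
from collections import deque

# Constructed lockfile: package name -> locked version and the packages it requires.
LOCKFILE = {
    "react": {"version": "18.2.0", "requires": ["loose-envify"]},
    "loose-envify": {"version": "1.4.0", "requires": ["js-tokens"]},
    "js-tokens": {"version": "4.0.0", "requires": []},
    "left-pad-ish": {"version": "1.1.3", "requires": []},
}
DIRECT = ["react", "left-pad-ish"]  # what the application itself declares

# Constructed advisories in the OSV schema shape; EXAMPLE-* ids are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "summary": "constructed: bug in js-tokens before 4.0.1",
     "affected": [{"package": {"ecosystem": "npm", "name": "js-tokens"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "4.0.1"}]}]}]},
    {"id": "EXAMPLE-0002", "summary": "constructed: fixed before the locked version",
     "affected": [{"package": {"ecosystem": "npm", "name": "left-pad-ish"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "1.0.0"}, {"fixed": "1.1.0"}]}]}]},
    {"id": "EXAMPLE-0003", "summary": "constructed: no fix published yet",
     "affected": [{"package": {"ecosystem": "npm", "name": "loose-envify"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "1.0.0"}]}]}]},
]


def parse_semver(version: str) -> tuple:
    """Numeric-only semver parse; pre-release tags are out of scope for this example."""
    return tuple(int(part) for part in version.split("."))


def resolve(direct: list, lockfile: dict) -> dict:
    """Breadth-first walk from the direct dependencies.

    Returns name -> (locked version, "direct" | "transitive"). A package is
    "direct" if the application declares it, even if something else also pulls it in.
    """
    resolved = {}
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        if name in resolved:
            continue
        entry = lockfile[name]
        kind = "direct" if name in direct else "transitive"
        resolved[name] = (entry["version"], kind)
        queue.extend(entry["requires"])
    return resolved


def find_fix(version: str, ranges: list):
    """Check a version against OSV SEMVER ranges.

    Returns (affected, fixed_version). fixed_version is None when the version is
    affected but no fix has been published, and also when it is not affected.
    """
    v = parse_semver(version)
    for rng in ranges:
        if rng["type"] != "SEMVER":
            continue
        introduced = None
        for event in rng["events"]:
            if "introduced" in event:
                introduced = parse_semver(event["introduced"])
            elif "fixed" in event and introduced is not None:
                if introduced <= v < parse_semver(event["fixed"]):
                    return True, event["fixed"]
                introduced = None  # this introduced/fixed pair is closed
        if introduced is not None and introduced <= v:
            return True, None  # open range: vulnerable from "introduced" onward
    return False, None


def scan(direct: list, lockfile: dict, advisories: list) -> list:
    """Match every resolved package against the advisories; report what to upgrade to."""
    deps = resolve(direct, lockfile)
    findings = []
    for adv in advisories:
        for aff in adv["affected"]:
            if aff["package"]["ecosystem"] != "npm":
                continue
            name = aff["package"]["name"]
            if name not in deps:
                continue
            version, kind = deps[name]
            hit, fixed = find_fix(version, aff["ranges"])
            if hit:
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "kind": kind, "fixed": fixed})
    return findings


if __name__ == "__main__":
    for f in scan(DIRECT, LOCKFILE, ADVISORIES):
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version yet"
        print(f"{f['id']}: {f['package']}@{f['version']} ({f['kind']}) - {fix}")
```

Running it reports the transitive `js-tokens` hit with its fixed version and the `loose-envify` hit with no fix available, while the `left-pad-ish` advisory is correctly skipped because the locked version is already past the fix; that distinction between "upgrade available" and "no safe version yet" is what the developer needs in order to act on the scan.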
Vendors like Checkmarx also offer dependency detection services and products.
OSV Scanner pulls vulnerability data from the OSV.dev database, which was launched last year to make vulnerability information more comprehensive and accessible. It complements other open-source security initiatives at The Chocolate Factory, such as the company’s open-source vulnerability format and its SLSA framework to protect against supply chain attacks.
According to Pan, the OSV.dev database is now the largest open-source vulnerability database of its kind, containing 38,000 notices — more than double the number a year ago.
Looking ahead, Pan says Google wants to upgrade the OSV scanner from a simple scanner to a vulnerability management tool. This will likely include the development of continuous integration actions that ease setup and scan scheduling, C/C++ support (a challenge due to the lack of a default package manager), function-level vulnerability intelligence via call graph analysis, and automatic vulnerability mitigation (similar to npm audit fix). ®
https://www.theregister.com/2022/12/15/google_debuts_osvscanner_a_gobased/ Google debuts OSV scanner to find vulnerabilities in open source apps • The Register