Google has released OSV-Scanner, a new vulnerability scanner tool that is free and open source. The free tool is powered by the Go programming language and utilizes the Open Source Vulnerabilities (OSV) database. OSV allows “all the different open source ecosystems and vulnerability databases to consume and publish” data in one location, according to Google.
Google’s open source platform supports 16 ecosystems, major languages, Linux distributions, Android, Linux Kernal, and OSS-Fuzz.
The OSV database has over 38,000 advisories, which is up from 15,000 only a year ago.
Using OSV-Scanner on your project will “first find all the transitive dependencies that are being used by analyzing manifests, SBOMs, and commit hashes. The scanner then connects this information with the OSV database and displays the vulnerabilities relevant to your project,” according to Google.
Google is still enhancing capabilities for OSV-Scanner to include support for C/C++, VEX, and “to be able to automatically remediate vulnerabilities by suggesting minimal version bumps that provide the maximal impact.”
How to download and use OSV-Scanner
There are two ways to use OSV-Scanner: you can download and use OSV-Scanner on your projects from osv.dev or automatically run OSV-Scanner on your GitHub project using Scorecard.
