In short: open source development projects often have to rely on a lot of external dependencies, which saves developers from having to build new features from scratch. Google's new tool is the latest part of its efforts to help such projects track and fix vulnerabilities present in those dependencies, drawing on its community database.

This week, Google introduced OSV-Scanner, a free tool that lets open source software developers scan the dependencies they use for known vulnerabilities. The scanner checks their projects against the Google Open Source Vulnerability (OSV) schema and the OSV.dev service.

When developers run OSV-Scanner on their work, it looks through their manifests, SBOMs, and commit hashes to find transitive dependencies. It then matches what it finds against the Google OSV database to identify vulnerabilities and notify developers.
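An added illustration of the matching step described above (example code written for this article, not Google's code and not how OSV-Scanner itself is implemented): a Python sketch that parses a pinned requirements file and checks each dependency against OSV-schema records using the schema's introduced/fixed range events. The advisory IDs, package names, and versions are all constructed, and version comparison is deliberately simplified to numeric dotted versions.

```python
# Constructed advisory records (not real OSV entries); the layout follows the OSV schema:
# affected[].package.{ecosystem,name} and ranges[].events with introduced/fixed versions.
SAMPLE_OSV_RECORDS = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "widgetlib"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.4.1"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "parsekit"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.2.0"}, {"fixed": "1.3.0"},
                                                 {"introduced": "2.0.0"}]}]}]},
]

# Constructed lockfile for a hypothetical project; trailing comments are stripped by the parser.
SAMPLE_REQUIREMENTS = """
widgetlib==2.4.0        # one patch release short of the fix
parsekit==1.3.5         # in the fixed gap between parsekit's two affected ranges
parsekit-extras==0.1.0  # similar name, different package: must not match
safe-pkg==3.0.0
"""

def parse_version(text):
    """Simplified: numeric dotted versions only; real scanners apply per-ecosystem rules."""
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Yield (name, version) for each 'name==version' line of a requirements file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            yield name.strip().lower(), version.strip()

def version_affected(version, events):
    """OSV semantics: affected iff the highest 'introduced' <= version has no 'fixed' in (it, version]."""
    v = parse_version(version)
    starts = [s for s in (() if e["introduced"] == "0" else parse_version(e["introduced"])
                          for e in events if "introduced" in e) if s <= v]  # "0" = from first release
    return bool(starts) and not any(
        "fixed" in e and max(starts) < parse_version(e["fixed"]) <= v for e in events)

def scan(requirements_text, records):
    """Return [(name, version, advisory_id)] for every dependency inside an affected range."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        for rec in records:
            for aff in rec["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == "PyPI" and pkg["name"].lower() == name and any(
                        r["type"] == "ECOSYSTEM" and version_affected(version, r["events"])
                        for r in aff["ranges"]):
                    findings.append((name, version, rec["id"]))
    return findings
```

Running `scan(SAMPLE_REQUIREMENTS, SAMPLE_OSV_RECORDS)` flags only widgetlib 2.4.0; parsekit 1.3.5 falls between its two affected ranges and is reported clean.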

Google launched the OSV database last February to help open source developers easily find and provide information about vulnerabilities in their dependencies. Since open source projects can rely on a large number of dependencies, an accessible database helps developers quickly identify which of them have new commits. OSV-Scanner adds a new level of automation to this process.

Google developed OSV-Scanner in line with the US Cybersecurity Executive Order of 2021, which requires automation as part of its software development security standards. The government issued the order in the wake of a number of high-profile cyber attacks, such as the SolarWinds hack and the ransomware attack on Colonial Pipeline.

Google has taken several measures to ensure that OSV-Scanner produces a manageable number of security notifications that developers can act on within a reasonable time frame. The scan results come from reputable sources that feed the OSV database, whose community-driven nature also provides a rich store of vulnerability information. The database also keeps its data in a machine-readable format that maps directly onto developers' package lists.

Further improvements to OSV-Scanner are in the works. Google plans to introduce standalone CI actions to simplify scheduling and initial setup. The company is also building a new C/C++ vulnerability database that includes accurate commit-level metadata for CVEs.

In the future, call graph analysis should allow OSV-Scanner to use vulnerability information at the function level. Call graph analysis could also eventually generate VEX statements automatically. In addition, Google wants the scanner to be able to suggest the minimal version changes that would have the greatest impact on automatically remediating a project's vulnerabilities.

OSV-Scanner is available on the Google GitHub page.