Google launches new open-source security scanning tool

News
By Will McCurdy
published

OSV-Scanner tool may provide convenient access to a huge database of vulnerabilities, Google says

An image of security icons for a network encircling a digital blue earth.
(Image credit: Shutterstock)

Google has just launched a new tool called OSV-Scanner, a free open source tool it says gives developers easy access to vulnerability information relevant to their project.

In 2021, Google launched the OSV.dev service, a distributed open-source vulnerability database, enabling a variety of open-source ecosystems and vulnerability databases to publish and consume information in one machine-readable format.

According to Google, the OSV-Scanner now provides an officially supported frontend to this OSV database, which connects a project’s list of dependencies with the vulnerabilities that affect them.

What else does this offer?

OSV-Scanner is apparently integrated into the OpenSSF's Scorecard Vulnerabilities check, which means it will be able to extend the analysis from just a project’s direct vulnerabilities to also include vulnerabilities in all its dependencies.

Since software projects often involve many third-party dependencies stemming from outside software libraries, with too many different versions to keep track of manually, automation will be useful for ensuring security according to Google. 

In addition, each vulnerability advisory comes from an "open and authoritative source", for example, the RustSec Advisory Database.

Google says anyone can suggest improvements to advisories, resulting in a very high-quality database.

If you are interested in trying out OSV-Scanner you can head to the website and follow the instructions, or read the GitHub guide.

READ MORE:

> Google backs call for tighter open source security in aftermath of Log4j

> This popular open-source web server has some serious security flaws

> Our guide to the best malware removal tools 

It’s not surprising that Google is looking to pour resources into Open Source Security, open source vulnerabilities remain a key endpoint for hackers to find their way into systems.

In fact, a report from cybersecurity company Snyk, in conjunction with the Linux Foundation found that two in five (41%) firms are not confident in the security of their open-source code.

This lack of trust is handicapping the adoption of the technology in many cases, the number of companies willing to deploy open-source software within their production environments actually fell 5%, from 95% in 2021 to 90% this year.

  • Interested in staying safe online? Check out our guide to the best firewalls
Will McCurdy

Will McCurdy has been writing about technology for over five years. He has a wide range of specialities including cybersecurity, fintech, cryptocurrencies, blockchain, cloud computing, payments, artificial intelligence, retail technology, and venture capital investment. He has previously written for AltFi, FStech, Retail Systems, and National Technology News and is an experienced podcast and webinar host, as well as an avid long-form feature writer.