Google released a new free tool earlier this week that lets open source developers easily access vulnerability information about their projects.
Called OSV-Scanner, this Go-based tool matches a project's code and dependencies against lists of known vulnerabilities and automatically reports whether patches or updates are needed.
Software projects often have many dependencies, and those open source packages in turn pull in code from other libraries, usually without this being documented anywhere in the project. This creates what are called transitive dependencies, which means a project may contain several layers of security vulnerabilities that are difficult to track manually.
When developers run OSV-Scanner on a project, it first discovers transitive dependencies by analyzing manifests, SBOMs and hashes, then queries the Open Source Vulnerabilities (OSV) database for the vulnerabilities that apply to them.
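The two steps just described, enumerating pinned dependencies and checking each one against OSV-format advisories, can be sketched offline. The following is an added illustration, not code from Google's OSV-Scanner or from the OSV project: it parses a constructed requirements-style lockfile, builds the JSON body that the public OSV querybatch endpoint (`POST https://api.osv.dev/v1/querybatch`) expects, and then evaluates the packages against constructed advisory records that use the real OSV schema field names (`affected`, `ranges`, `events`, `introduced`, `fixed`) with placeholder IDs and package names. The version comparison is deliberately simplified; real scanners apply ecosystem-specific version rules.

```python
"""Offline sketch of a lockfile-to-OSV scan (added example, not OSV-Scanner code)."""
import json

# Constructed lockfile; the last pin stands in for a transitive dependency that the
# project never lists directly but that a lockfile still records.
SAMPLE_LOCKFILE = """\
examplelib==1.4.2
safe-utils==2.0.0
parser-kit==0.9.0
# pulled in transitively by examplelib (constructed)
deep-dep==3.1.0
"""


def _adv(adv_id, name, introduced, fixed):
    """Build one constructed OSV-format record (real schema fields, placeholder values)."""
    return {
        "id": adv_id,
        "summary": f"placeholder advisory for {name}",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": name},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": introduced}, {"fixed": fixed}]}],
        }],
    }


# Constructed advisory set standing in for the OSV database.
SAMPLE_ADVISORIES = [
    _adv("EXAMPLE-2022-0001", "examplelib", "0", "1.4.3"),
    _adv("EXAMPLE-2022-0002", "parser-kit", "0.8.0", "0.9.1"),
    _adv("EXAMPLE-2022-0003", "deep-dep", "3.0.0", "3.0.5"),
]


def parse_pinned_requirements(text):
    """Return (name, version) pairs from 'name==version' lines; skip blanks and comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned requirement: {line!r}")
        deps.append((name.strip(), version.strip()))
    return deps


def build_osv_querybatch(deps, ecosystem="PyPI"):
    """Request body for POST https://api.osv.dev/v1/querybatch (real endpoint; not called here)."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps]}


def version_key(version):
    """Simplified dotted-numeric comparison key; real scanners use ecosystem-specific rules."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def is_affected(version, affected):
    """Walk ECOSYSTEM range events; assumes events are listed in ascending version order."""
    vk = version_key(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        vulnerable = False
        for event in rng["events"]:
            if "introduced" in event:
                intro = event["introduced"]
                if intro == "0" or version_key(intro) <= vk:
                    vulnerable = True
            elif "fixed" in event and version_key(event["fixed"]) <= vk:
                vulnerable = False
        if vulnerable:
            return True
    return False


def match_advisories(deps, advisories, ecosystem="PyPI"):
    """Local stand-in for the OSV lookup: one finding per (package, advisory) hit."""
    findings = []
    for name, version in deps:
        for adv in advisories:
            for affected in adv["affected"]:
                pkg = affected["package"]
                if (pkg["ecosystem"] == ecosystem and pkg["name"] == name
                        and is_affected(version, affected)):
                    findings.append({"package": name, "version": version, "id": adv["id"]})
    return findings


def scan(lockfile_text, advisories):
    """Parse the lockfile and report every pinned package with a matching advisory."""
    return match_advisories(parse_pinned_requirements(lockfile_text), advisories)


if __name__ == "__main__":
    deps = parse_pinned_requirements(SAMPLE_LOCKFILE)
    print(json.dumps(build_osv_querybatch(deps), indent=2))
    for f in scan(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(f"{f['package']}=={f['version']} is affected by {f['id']}")
```

Run as a script it prints the querybatch body a scanner would send to OSV and then two findings: `examplelib==1.4.2` (below the fixed version 1.4.3) and the transitively pinned `parser-kit==0.9.0` (inside the introduced/fixed window), while `deep-dep==3.1.0` is correctly cleared because it is past its fixed version. The point worth noticing is that the lockfile, not the project's own manifest, is what exposes the transitive pin; a scan that only read top-level declared dependencies would miss it.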
You can try OSV-Scanner now!
You can try OSV-Scanner in your own projects by following the instructions on the new osv.dev website. Alternatively, to run OSV-Scanner automatically on your GitHub project, you can use Scorecard.
Detailed information is available at security.googleblog.com.
The project's GitHub repository is at github.com/google/osv-scanner.