Google introduced osv-scanner to verify the presence of incorporate vulnerabilities in the code and applications, taking into account the entire chain of dependencies related to the code. OSV-Scanner allows you to identify situations when the application becomes vulnerable due to problems in one of the libraries used as dependence. At the same time, a vulnerable library can be used indirectly, i.e. Call through another dependence. The project code is written in GO and is distributed under the license Apache 2.0.
OSV-Scanner can automatically recurrently scan the catalogs tree, determining the projects and applications for the presence of GIT catalogs (information on vulnerabilities is determined through the analysis of Hashi Commodes), SBOM files (Software Bill of Material in the formats spdx and cycloneDX ), manifesto or locoma-files of package managers, such as Yarn, NPM, Gem, Pip and Cargo. The scan of the filling of images of Docker containers collected on the basis of packages from DEBIAN repositories.
is also supported.
Information on vulnerabilities is taken from the database osv (Open Source Vulnerabilites), covering information about security problems in the repository of crates.io (rust) , GO, Maven, NPM (JavaScript), Nuget (C#), Packagist (PHP), Pypi (Python), Rubygems, Android, Debian and Alpine, as well as vulnerabilities in the Linux nucleus and information from reports about vulnerabilities in projects posted on Github. The OSV database reflects the status of the problem of the problem, the commits with the advent and correction of vulnerability, the range subject to vulnerability, references to the project repository with code and notification of the problem are reflected. The API provided allows at the level of commits and tags to track the manifestation of vulnerability and analyze the susceptibility to the problem of derivatives and dependencies.
