
OSV-Scanner: Protecting Your Open-Source Dependencies

In today’s digital age, cyber security threats are becoming increasingly prevalent and sophisticated. As a result, organizations need to have robust security measures in place to protect their networks and data from malicious attacks. One such tool that can help organizations achieve this is the OSV-Scanner. The OSV-Scanner, or Open Source Vulnerability Scanner, is a tool created by Google that utilizes the OSV database to scan for known vulnerabilities in open-source dependencies. In this blog post, we will take a closer look at the OSV-Scanner, including its features, installation process, and usage. We will also explore the different output formats that the scanner offers and how to use them effectively. Overall, the Google OSV-Scanner is an essential tool for any organization that uses open-source software, helping them to keep their software secure and protect their customers’ data.

OSV-Scanner

On 13 December 2022, Google launched the Open Source Vulnerability Scanner, which uses the OSV database to scan for known vulnerabilities in your open-source dependencies. It is open-source software.

Google OSV-Scanner is a powerful tool that helps organizations identify and address vulnerabilities in their open-source software. This scanner scans through the entire codebase of a software project and detects any potential security issues, such as outdated libraries or known vulnerabilities. It then generates a detailed report outlining the issues found and provides recommendations for how to fix them. This helps organizations ensure that their software is secure and reduces the risk of data breaches or other security incidents. Additionally, the OSV-Scanner is integrated into Google’s Cloud Platform, making it easy for developers to use and integrate into their workflow.

Overall, the Google OSV-Scanner is an essential tool for any organization that uses open-source software, helping them to keep their software secure and protect their customers’ data.

Install OSV-Scanner

Installing the Google OSV-Scanner is a simple process that can be completed in just a few steps.

Install on macOS

If you’re a Homebrew user, you can install osv-scanner with the following command:

brew install osv-scanner

Install from source

Alternatively, you can install it from source by running:

go install github.com/google/osv-scanner/cmd/osv-scanner@v1

This requires Go 1.18+ to be installed.

You can install osv-scanner on your system in several ways. Please visit the official documentation for more details: https://github.com/google/osv-scanner

Usage

The OSV-Scanner builds a list of the dependencies and their versions used in a project and queries the OSV.dev API to match that list against the OSV database. The dependency list can be built by pointing the OSV-Scanner at the project directory or by passing the paths of specific manifest files.

Recursive directory traversal is enabled with the --recursive or -r flag.

osv-scanner -r /code_path

Output Formats

The scanner offers several output formats, which can be selected with the --json flag. These formats include:

Table Format

The default format, which presents the results in a table that is easy for a human to read.

Sample output:

OSV-Scanner Scan Output

JSON Format

With this flag the scanner writes the results as JSON to standard output and sends all other output to standard error. This means the JSON can be safely redirected to a file with “osv-scanner --json > output.json”.

Sample output:

{
  "results": [
    {
      "packageSource": {
        "path": "/absolute/path/to/go.mod",
        // One of: lockfile, sbom, git, docker
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "github.com/gogo/protobuf",
            "version": "1.3.1",
            "ecosystem": "Go"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-c3h9-896r-86jm",
              "aliases": [
                "CVE-2021-3121"
              ],
              // ... Full OSV
            },
            {
              "id": "GO-2021-0053",
              "aliases": [
                "CVE-2021-3121",
                "GHSA-c3h9-896r-86jm"
              ],
              // ... Full OSV
            }
          ],
          // Grouping based on aliases: if two vulnerabilities share the same alias, or alias each other,
          // they are considered the same vulnerability and are grouped here under the "ids" field.
          "groups": [
            {
              "ids": [
                "GHSA-c3h9-896r-86jm",
                "GO-2021-0053"
              ]
            }
          ]
        }
      ]
    },
    {
      "packageSource": {
        "path": "/absolute/path/to/Cargo.lock",
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "regex",
            "version": "1.5.1",
            "ecosystem": "crates.io"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-m5pq-gvj9-9vr8",
              "aliases": [
                "CVE-2022-24713"
              ],
              // ... Full OSV
            },
            {
              "id": "RUSTSEC-2022-0013",
              "aliases": [
                "CVE-2022-24713"
              ],
              // ... Full OSV
            }
          ],
          "groups": [
            {
              "ids": [
                "GHSA-m5pq-gvj9-9vr8",
                "RUSTSEC-2022-0013"
              ]
            }
          ]
        }
      ]
    }
  ]
}
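As an added example (not code from this post or from the osv-scanner project), the Python script below consumes the JSON document that “osv-scanner --json” writes to standard output. It uses the groups field shown above to count a vulnerability once per package even when several OSV records (here a GHSA advisory alongside a GO or RUSTSEC advisory) alias the same CVE, and it exits non-zero when anything was found so it can gate a CI job. The embedded sample is a trimmed copy of the output above, constructed for the example; the script name summarize_osv.py is hypothetical.

```python
"""Summarize osv-scanner JSON output, counting aliased records once.

Added example, not part of osv-scanner or of the original post. It reads the
document that "osv-scanner --json" writes to standard output and uses the
"groups" field to report each distinct vulnerability once, even when the OSV
data set holds several records (GHSA, GO, RUSTSEC, ...) that alias each other.
"""
import json
import sys

# Constructed input: the two-package sample from the post, trimmed to the fields
# this script reads (the "// ... Full OSV" record bodies are omitted).
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {
            "packageSource": {"path": "/absolute/path/to/go.mod", "type": "lockfile"},
            "packages": [{
                "package": {"name": "github.com/gogo/protobuf", "version": "1.3.1",
                            "ecosystem": "Go"},
                "vulnerabilities": [
                    {"id": "GHSA-c3h9-896r-86jm", "aliases": ["CVE-2021-3121"]},
                    {"id": "GO-2021-0053",
                     "aliases": ["CVE-2021-3121", "GHSA-c3h9-896r-86jm"]},
                ],
                "groups": [{"ids": ["GHSA-c3h9-896r-86jm", "GO-2021-0053"]}],
            }],
        },
        {
            "packageSource": {"path": "/absolute/path/to/Cargo.lock", "type": "lockfile"},
            "packages": [{
                "package": {"name": "regex", "version": "1.5.1", "ecosystem": "crates.io"},
                "vulnerabilities": [
                    {"id": "GHSA-m5pq-gvj9-9vr8", "aliases": ["CVE-2022-24713"]},
                    {"id": "RUSTSEC-2022-0013", "aliases": ["CVE-2022-24713"]},
                ],
                "groups": [{"ids": ["GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013"]}],
            }],
        },
    ]
})


def summarize(scan_json):
    """Return one row per affected package: raw record count, deduplicated count, CVEs."""
    report = json.loads(scan_json)
    rows = []
    for source in report.get("results", []):
        for entry in source.get("packages", []):
            pkg = entry["package"]
            vulns = entry.get("vulnerabilities", [])
            # Fall back to one group per record when no "groups" field is present.
            groups = entry.get("groups") or [{"ids": [v["id"]]} for v in vulns]
            # Collect CVE identifiers reachable from each group via record ids and aliases.
            aliases_by_id = {v["id"]: v.get("aliases", []) for v in vulns}
            cves = set()
            for group in groups:
                for vid in group["ids"]:
                    names = [vid] + aliases_by_id.get(vid, [])
                    cves.update(n for n in names if n.startswith("CVE-"))
            rows.append({
                "source": source["packageSource"]["path"],
                "package": f'{pkg["ecosystem"]}/{pkg["name"]}@{pkg["version"]}',
                "records": len(vulns),    # raw OSV records, aliases counted separately
                "distinct": len(groups),  # after alias grouping
                "cves": sorted(cves),
            })
    return rows


def has_findings(scan_json):
    """True if any scanned package has at least one vulnerability group (CI gate)."""
    return any(row["distinct"] > 0 for row in summarize(scan_json))


if __name__ == "__main__":
    # Usage: osv-scanner -r --json /code_path > output.json; python3 summarize_osv.py output.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for row in summarize(data):
        print(f'{row["package"]:45} records={row["records"]} distinct={row["distinct"]} '
              f'cves={",".join(row["cves"]) or "-"}  ({row["source"]})')
    sys.exit(1 if has_findings(data) else 0)
```

Because the scanner sends everything except the JSON to standard error, the redirected file contains only the document this script parses. On the sample above it reports two records but one distinct vulnerability for each package, which is the point of the groups field: a dashboard or CI gate that counts raw records would otherwise double-count every CVE that both GitHub and the ecosystem advisory database publish.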

Conclusion

In conclusion, the Google OSV-Scanner is a powerful tool that helps organizations identify and address vulnerabilities in their open-source software. It uses the OSV database to scan for known vulnerabilities and generates a detailed report that outlines the issues found and provides recommendations for fixing them. The scanner is open-source and can be easily integrated into Google’s Cloud Platform, making it easy for developers to use and integrate into their workflow. Additionally, installing and using the scanner is a simple process. Overall, the OSV-Scanner is an essential tool for any organization that uses open-source software, helping them keep their software secure and protect their customers’ data.

Piyush Kumawat

Ethical Hacker || Penetration Tester || Gamer || Blogger || Application Security Engineer
