Google Releases Open-Source Vulnerability Scanning Tool

Google has released OSV-Scanner, an open-source front-end interface to the Open Source Vulnerability (OSV) database. The OSV database is a distributed, open-source database that stores vulnerability information in the OSV format. The OSV-Scanner assesses a project's dependencies against the OSV database showing all vulnerabilities relating to the project.

When run on a project, OSV-Scanner first determines all the dependencies that are in use by analyzing manifests, software bills of materials (SBOMs), and commit hashes. This information is used to query the OSV database and report any known vulnerabilities associated with those dependencies. Vulnerabilities are reported either in tabular format or, optionally, in the JSON-based OSV format.

[Figure: OSV-Scanner vulnerability output (credit: Google)]

The OSV format provides a machine-readable JSON schema for presenting vulnerability information. The format is designed to enforce version specifications that align with the naming and versioning schemes used by the affected open-source package itself. Oliver Chang, senior staff engineer at Google, and Russ Cox, distinguished engineer at Google, state that this approach "can be used to describe vulnerabilities in any open source ecosystem, while not requiring ecosystem-dependent logic to process them."

{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "modified": "2022-04-01T13:56:42Z",
  "published": "2022-04-01T13:56:42Z",
  "aliases": [ "CVE-2022-27651" ],
  "summary": "Non-empty default inheritable capabilities for linux container in Buildah",
  "details": "A bug was found in Buildah where containers were created ...",
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/..."
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    }
  ]
}
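To show how a record like the one above is actually evaluated, here is an added example (not OSV-Scanner's own code) that applies the OSV range semantics to a constructed dependency list: each "introduced" event opens an affected interval, and the next "fixed" (exclusive) or "last_affected" (inclusive) event closes it. It assumes a simplified SemVer comparison (numeric components only) and skips GIT ranges, which need commit history rather than version strings.

```python
import json

# Constructed OSV record, trimmed from the Buildah advisory shown above.
OSV_RECORD = json.loads("""{"id": "GHSA-c3g4-w6cv-6v7h", "aliases": ["CVE-2022-27651"],
  "affected": [{"package": {"ecosystem": "Go", "name": "github.com/containers/buildah"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.25.0"}]}]}]}""")

def parse_semver(v):
    # Simplified SemVer (assumption): numeric core only, padded so "1.25" equals "1.25.0".
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_intervals(events):
    # OSV range semantics: each "introduced" opens an interval, closed by the next
    # "fixed" (exclusive) or "last_affected" (inclusive); unclosed means open-ended.
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = parse_semver(ev["introduced"])
        elif start is not None and ("fixed" in ev or "last_affected" in ev):
            key = "fixed" if "fixed" in ev else "last_affected"
            intervals.append((start, parse_semver(ev[key]), key == "last_affected"))
            start = None
    if start is not None:
        intervals.append((start, None, False))
    return intervals

def version_is_affected(version, events):
    v = parse_semver(version)
    return any(v >= lo and (hi is None or v < hi or (incl and v == hi))
               for lo, hi, incl in affected_intervals(events))

def scan(dependencies, records):
    # Match (ecosystem, name, version) triples against OSV records, the step OSV-Scanner
    # performs after reading a lockfile; GIT ranges need commit history and are skipped.
    findings = {}
    for eco, name, version in dependencies:
        for rec in records:
            for aff in rec["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (eco, name):
                    continue
                if any(r["type"] == "SEMVER" and version_is_affected(version, r["events"])
                       for r in aff["ranges"]):
                    findings.setdefault((name, version), []).append(rec["id"])
    return findings

# Constructed dependency list, as OSV-Scanner would read it from a go.mod file.
DEPS = [("Go", "github.com/containers/buildah", v) for v in ("1.24.2", "1.25.0")]
```

Running scan(DEPS, [OSV_RECORD]) flags only the 1.24.2 entry, since 1.25.0 is the "fixed" boundary and is excluded.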

Scanning a directory to find lockfiles, SBOMs, and git directories is done via osv-scanner -r /path/to/your/dir. The optional -r flag enables a recursive scan. Currently, SPDX and CycloneDX SBOMs using Package URLs are supported. A number of lockfiles are currently supported, including yarn.lock, composer.lock, go.mod, and Gemfile.lock.

It is also possible to scan the list of installed packages in a Debian image to pull out any vulnerabilities for them: $ osv-scanner --docker image_name:latest. This requires Docker to be installed and does not currently scan the filesystem of the Docker container. More details on this preview feature can be found in the GitHub issue.

OSV-Scanner can be configured to ignore vulnerabilities by their ID. This feature also supports optionally providing a date on which the ignore will expire and a reason. Ignored vulnerabilities are specified as entries under the IgnoredVulns key of the configuration file.

[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09
reason = "No ssh servers are connected to or hosted in Go lang"

OSV-Scanner has also been integrated into the OpenSSF Scorecard's Vulnerabilities check. Scorecards is an automated security tool that identifies risky supply chain practices in open-source projects. This extends the Scorecards analysis from the project's direct vulnerabilities to also include any vulnerabilities within the project's dependencies.

Rex Pan, software engineer at Google, shared some details on what is next for OSV-Scanner. The team is looking to offer a standalone CI action to enable further integration into workflows. Pan shared that they are looking to improve C and C++ support by "building a high quality database of C/C++ vulnerabilities by adding precise commit level metadata to CVEs."

OSV-Scanner is available via GitHub under the Apache License 2.0. More details on the announcement can be found in the release blog post.
