Google launches scanner to spot open-source vulnerabilities

15 Dec 2022

Image: © JHVEPhoto/Stock.adobe.com

Google’s OSV-Scanner connects to a vulnerability database, showing developers the code and dependencies that need to be patched.

Google has launched a free tool to help open-source developers find security flaws within their projects.

The Open Source Vulnerability (OSV) Scanner lets users match their code and dependencies to a list of known vulnerabilities. The automated scanner then tells the developer if any patches or updates are needed.

The company said in a blog post that software projects are typically built on a “mountain of dependencies” and that automation is required to keep track of them all.

“Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time,” it added.

The new scanner connects directly to the OSV database, which lets different open-source ecosystems and vulnerability databases publish information in a single format.
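To make concrete what matching a dependency list against OSV-format records involves, here is a small Python matcher added for illustration (it is not OSV-Scanner's code): it parses pinned requirements and applies the OSV schema's introduced/fixed/last_affected range semantics to an embedded advisory. The advisory id, package name and versions are constructed placeholders, and the version parser assumes plain dotted numeric versions.

```python
# Constructed advisory in the OSV schema; the id, package name and versions
# are placeholders, not a real vulnerability record.
SAMPLE_ADVISORIES = [{
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
    }],
}]

def parse_version(v):
    """Dotted numeric version to a comparable tuple (plain versions only)."""
    return tuple(int(p) for p in v.split("."))

def in_range(events, version):
    """OSV event semantics: 'introduced' opens an affected interval ('0' means
    every release), 'fixed' closes it exclusively, 'last_affected' inclusively."""
    v, start = parse_version(version), None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
            continue
        if start is not None and (start == "0" or parse_version(start) <= v):
            if "fixed" in ev and v < parse_version(ev["fixed"]):
                return True
            if "last_affected" in ev and v <= parse_version(ev["last_affected"]):
                return True
        start = None
    # An interval never closed affects every version from 'introduced' onward.
    return start is not None and (start == "0" or parse_version(start) <= v)

def matches(advisories, ecosystem, name, version):
    """Return ids of advisories whose affected ranges cover this package pin."""
    return [adv["id"] for adv in advisories for aff in adv["affected"]
            if aff["package"].get("ecosystem") == ecosystem
            and aff["package"].get("name") == name
            and any(in_range(r["events"], version) for r in aff.get("ranges", []))]

def parse_requirements(text):
    """Parse 'name==version' pins; comments and unpinned lines are skipped."""
    pins = [l.split("#")[0].split("==", 1) for l in text.splitlines()]
    return [(p[0].strip().lower(), p[1].strip()) for p in pins if len(p) == 2]

def scan(requirements, advisories=SAMPLE_ADVISORIES):
    """Offline scan: (name, version, advisory id) for each vulnerable pin."""
    return [(n, v, a) for n, v in parse_requirements(requirements)
            for a in matches(advisories, "PyPI", n, v)]
```

Calling `scan("examplelib==1.3.0\nother==2.0.0\n")` flags only the first pin, because 1.3.0 falls inside the introduced/fixed window and the second package has no record.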

The free tool is Google’s latest step to boost open-source security. Cybersecurity threats such as the Log4Shell flaw that emerged last year sparked interest in initiatives to secure the open-source supply chain.

At a White House summit in January, Google met with other major US tech companies active in the open-source space to discuss ways to boost security in light of recent vulnerabilities.

In May, Google Cloud launched the Assured Open Source Software Initiative to provide enterprises and governments with vetted open-source software.

Google also launched an open-source bug bounty earlier this year, offering up to $31,337 for vulnerabilities found in its own open-source projects and third-party dependencies.

The company plans to add new features to OSV-Scanner, such as the ability to automatically fix vulnerabilities and utilise “specific function-level vulnerability information” by doing call graph analysis.

Josep Prat, open-source engineering developer at software company Aiven, said Google’s latest tool is a “sign of the times” as companies take a greater interest in the open-source ecosystem.

“This year, we’ve seen big tech and hyperscalers become more active participants in open-source, realising the benefits of agility and scalability it offers,” Prat added. “It’s great to see these organisations use their resources for the benefit of the whole open-source ecosystem.

“It’s time other organisations follow in their footsteps, giving back to open source and being stewards of the community.”


Leigh Mc Gowran is a journalist with Silicon Republic
