New Google Tool Helps Devs Root Out Open Source Bugs


Google has released a new free tool which it hopes will radically improve the security of code compiled from open source dependencies – a growing source of risk for organizations.

OSV-Scanner is effectively the front-end to Google’s OSV (Open Source Vulnerability) database, which is designed to collect bug data from all the different open source ecosystems in one place.

The new tool allows developers to scan their dependencies and code for bugs listed in the database and receive instant feedback on whether patches or updates are needed, Google software engineer, Rex Pan explained.

Crucially, the tool begins by finding all of a project’s transitive dependencies, by analyzing manifests, software bills of materials (SBOMs), documents and commit hashes.

A report out this week claimed that transitive or indirect dependencies account for around 95% of all open source vulnerabilities. Yet they’re often missed due to the complexity of relationships between components and a lack of visibility into these ecosystems.

Pan suggested several advantages the Google tool has over closed source databases and scanners:

  • Each advisory comes from an “open and authoritative source” (e.g. the RustSec Advisory Database)
  • The database is the biggest of its kind, supporting 16 open source ecosystems and serving up over 38,000 advisories
  • Anyone can suggest improvements to advisories, enhancing the quality of the database
  • The OSV format stores info on affected versions in a machine-readable format that maps onto a developer’s list of packages
  • Developers get fewer, more actionable vulnerability notifications, reducing the time needed to resolve them, due to these features

The next step will be to convince the developer community to make use of the tool.

A Sonatype report from October revealed that 68% of organizations felt confident that their applications are not using vulnerable libraries. Yet a random sample of enterprise applications showed that 68% contained known vulnerabilities.

Editorial credit icon image: TY Lim /

Products You May Like

Articles You May Like

Hackers Exploit EU Agenda in Spear Phishing Campaigns
All eyes on AI | Unlocked 403: A cybersecurity podcast
CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability
Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor
New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

Leave a Reply

Your email address will not be published. Required fields are marked *