Google has released a new free tool which it hopes will radically improve the security of code compiled from open source dependencies – a growing source of risk for organizations.
The new tool allows developers to scan their dependencies and code for bugs listed in the OSV.dev database and receive instant feedback on whether patches or updates are needed, explained Google software engineer Rex Pan.
Crucially, the tool begins by finding all of a project’s transitive dependencies, by analyzing manifests, software bills of materials (SBOMs), documents and commit hashes.
A report out this week claimed that transitive or indirect dependencies account for around 95% of all open source vulnerabilities. Yet they’re often missed due to the complexity of relationships between components and a lack of visibility into these ecosystems.
Pan suggested several advantages the Google tool has over closed source databases and scanners:
- Each advisory comes from an “open and authoritative source” (e.g. the RustSec Advisory Database)
- The OSV.dev database is the biggest of its kind, supporting 16 open source ecosystems and serving up over 38,000 advisories
- Anyone can suggest improvements to advisories, enhancing the quality of the database
- The OSV format stores info on affected versions in a machine-readable format that maps onto a developer’s list of packages
- Thanks to these features, developers get fewer, more actionable vulnerability notifications, reducing the time needed to resolve them
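As an added illustration of how the OSV format's machine-readable affected-version ranges map onto a developer's package list (example code, not OSV-Scanner's own), the following matches a constructed dependency list against a constructed OSV-format advisory. It assumes dotted numeric versions, a simplification of real ecosystem version rules.

```python
def parse_version(v):
    # Simplification: dotted numeric versions only (real ecosystems have their own rules)
    return tuple(int(p) for p in v.split("."))

def version_lt(a, b):
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))  # pad so that "1.4" compares equal to "1.4.0"
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))

def in_range(version, events):
    # Walk the events in order (the OSV schema requires them sorted by version):
    # "introduced" opens an affected interval, "fixed" / "last_affected" close it.
    affected = False
    for ev in events:
        if "introduced" in ev and not version_lt(version, ev["introduced"]):
            affected = True
        elif "fixed" in ev and not version_lt(version, ev["fixed"]):
            affected = False
        elif "last_affected" in ev and version_lt(ev["last_affected"], version):
            affected = False
    return affected

def find_vulnerable(dependencies, advisories):
    # Returns (ecosystem, name, version, advisory id) for every affected dependency.
    hits = []
    for dep in dependencies:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (dep["ecosystem"], dep["name"]):
                    continue
                listed = dep["version"] in aff.get("versions", [])
                ranged = any(r["type"] == "ECOSYSTEM" and in_range(dep["version"], r["events"])
                             for r in aff.get("ranges", []))
                if listed or ranged:
                    hits.append((dep["ecosystem"], dep["name"], dep["version"], adv["id"]))
    return hits

ADVISORY = {  # constructed sample; the id is a placeholder, not a real advisory
    "id": "EXAMPLE-0001",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [
                      {"introduced": "1.0.0"}, {"fixed": "1.4.2"},
                      {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}],
}
DEPENDENCIES = [  # constructed; several versions of one package exercise the ranges
    {"ecosystem": "PyPI", "name": "examplelib", "version": "1.3"},
    {"ecosystem": "PyPI", "name": "examplelib", "version": "1.4.2"},
    {"ecosystem": "PyPI", "name": "examplelib", "version": "2.0.5"},
    {"ecosystem": "PyPI", "name": "otherlib", "version": "1.3"},
]
```

Calling `find_vulnerable(DEPENDENCIES, [ADVISORY])` flags the 1.3 and 2.0.5 entries and leaves the fixed 1.4.2 and the unrelated package alone.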
The next step will be to convince the developer community to make use of the tool.
A Sonatype report from October revealed that 68% of organizations felt confident that their applications are not using vulnerable libraries. Yet a random sample of enterprise applications showed that 68% contained known vulnerabilities.