Tuesday, March 18, 2025
HomeCyber Security NewsGoogle Launches Open-Source OSV-Scanner for Detecting Security Vulnerabilities

Google Launches Open-Source OSV-Scanner for Detecting Security Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

Google has announced the launch of OSV-Scanner V2, an open-source tool designed to enhance vulnerability scanning and remediation across various software ecosystems.

This update follows the recent release of OSV-SCALIBR, another powerful tool in the OSV suite, which together form a comprehensive platform for managing vulnerability metadata and streamlining vulnerability detection and management.

Illustration of HTML output for container image scanning
Illustration of HTML output for container image scanning

Key Features of OSV-Scanner V2

  1. Enhanced Dependency Extraction with OSV-SCALIBR:
    • Expanded Formats: Supports source manifests and lockfiles such as .NET (deps.json), Python (poetry.lock, not uv.lock), JavaScript (bun.lock), and Haskell (cabal.project.freeze, stack.yaml.lock).
    • Artifact Support: Includes analysis of Node modules, Python wheels, Java uber jars, and Go binaries.
  2. Layer and Base Image-Aware Container Scanning:
    • Support for Container Images: Now capable of scanning Debian, Ubuntu, and Alpine container images to provide layer history, base image identification, and filtering of unlikely vulnerabilities.
    • Language Support: Currently supports artifacts from Go, Java, Node, and Python.
  3. Interactive HTML Output:
    • Offers an interactive way to present vulnerability scans with features like severity breakdowns, filtering capabilities, and full vulnerability advisory entries.
    • Enhances container scanning with layer information and base image identification.
  4. Guided Remediation for Maven pom.xml:
    • Extends guided remediation to Java, allowing intelligent upgrades and strategies to minimize disruptions while maximizing security improvements.
    • Supports reading and writing pom.xml files, including updates to local parent pom files and integrating with private Maven registries.

Future Developments and Collaborations

Google has outlined several plans for future developments:

  • Continued OSV-SCALIBR Convergence: Integrating more of OSV-SCALIBR’s features into the OSV-Scanner interface.
  • Expanded Ecosystem Support: Increasing support for languages, OS advisories, and more general lockfile formats.
  • Full Filesystem Accountability for Containers: Enhancing tracking and managing all files within container images.
  • Reachability Analysis: Introducing deeper vulnerability impact insights.
  • VEX Support: Adding support for Vulnerability Exchange to facilitate vulnerability communication.

Users can engage with OSV-Scanner V2 by visiting the OSV-Scanner or OSV-SCALIBR repositories.

 Google encourages contributions via these repositories and invites feedback through the OSV discussion list at osv-discuss@google.com.

This initiative marks a significant step towards open collaboration in cybersecurity, making it easier for developers and security teams to identify and manage vulnerabilities efficiently.

As the technology landscape continues to evolve, tools like OSV-Scanner V2 are crucial for maintaining the integrity of software systems and fostering a more secure digital environment.

With its robust features and collaborative development approach, OSV-Scanner is poised to become an essential tool in the fight against cyber threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by...

Hackers Use DLL Side-Loading to Deploy Malicious Python Code

A recent discovery by Xavier Mertens, a senior handler at the Internet Storm Center,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by...