Tuesday, March 18, 2025
HomeCyber Security NewsGoogle Launches Open-Source OSV-Scanner for Detecting Security Vulnerabilities

Google Launches Open-Source OSV-Scanner for Detecting Security Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

Google has announced the launch of OSV-Scanner V2, an open-source tool designed to enhance vulnerability scanning and remediation across various software ecosystems.

This update follows the recent release of OSV-SCALIBR, another powerful tool in the OSV suite, which together form a comprehensive platform for managing vulnerability metadata and streamlining vulnerability detection and management.

Illustration of HTML output for container image scanning
Illustration of HTML output for container image scanning

Key Features of OSV-Scanner V2

  1. Enhanced Dependency Extraction with OSV-SCALIBR:
    • Expanded Formats: Supports source manifests and lockfiles such as .NET (deps.json), Python (poetry.lock, not uv.lock), JavaScript (bun.lock), and Haskell (cabal.project.freeze, stack.yaml.lock).
    • Artifact Support: Includes analysis of Node modules, Python wheels, Java uber jars, and Go binaries.
  2. Layer and Base Image-Aware Container Scanning:
    • Support for Container Images: Now capable of scanning Debian, Ubuntu, and Alpine container images to provide layer history, base image identification, and filtering of unlikely vulnerabilities.
    • Language Support: Currently supports artifacts from Go, Java, Node, and Python.
  3. Interactive HTML Output:
    • Offers an interactive way to present vulnerability scans with features like severity breakdowns, filtering capabilities, and full vulnerability advisory entries.
    • Enhances container scanning with layer information and base image identification.
  4. Guided Remediation for Maven pom.xml:
    • Extends guided remediation to Java, allowing intelligent upgrades and strategies to minimize disruptions while maximizing security improvements.
    • Supports reading and writing pom.xml files, including updates to local parent pom files and integrating with private Maven registries.

Future Developments and Collaborations

Google has outlined several plans for future developments:

  • Continued OSV-SCALIBR Convergence: Integrating more of OSV-SCALIBR’s features into the OSV-Scanner interface.
  • Expanded Ecosystem Support: Increasing support for languages, OS advisories, and more general lockfile formats.
  • Full Filesystem Accountability for Containers: Enhancing tracking and managing all files within container images.
  • Reachability Analysis: Introducing deeper vulnerability impact insights.
  • VEX Support: Adding support for Vulnerability Exchange to facilitate vulnerability communication.

Users can engage with OSV-Scanner V2 by visiting the OSV-Scanner or OSV-SCALIBR repositories.

 Google encourages contributions via these repositories and invites feedback through the OSV discussion list at osv-discuss@google.com.

This initiative marks a significant step towards open collaboration in cybersecurity, making it easier for developers and security teams to identify and manage vulnerabilities efficiently.

As the technology landscape continues to evolve, tools like OSV-Scanner V2 are crucial for maintaining the integrity of software systems and fostering a more secure digital environment.

With its robust features and collaborative development approach, OSV-Scanner is poised to become an essential tool in the fight against cyber threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Microsoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Microsoft has recently issued a warning about a novel remote access trojan (RAT) known...

Sophisticated Phishing Attack Leverages Microsoft 365 Infrastructure to Target Users

A highly sophisticated phishing campaign has been uncovered exploiting Microsoft 365's trusted infrastructure to...

Amazon Ends Local Voice Processing, Transitions Fully to Cloud

Amazon announced that it will discontinue the local voice processing feature for its AI...

Google’s Parent Alphabet in Talks to Acquire Cybersecurity Firm Wiz for $30 Billion

Alphabet, the parent company of Google, is reportedly in discussions to acquire Wiz, a...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Microsoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Microsoft has recently issued a warning about a novel remote access trojan (RAT) known...

Sophisticated Phishing Attack Leverages Microsoft 365 Infrastructure to Target Users

A highly sophisticated phishing campaign has been uncovered exploiting Microsoft 365's trusted infrastructure to...

Amazon Ends Local Voice Processing, Transitions Fully to Cloud

Amazon announced that it will discontinue the local voice processing feature for its AI...