Google launches OSV-Scanner, a new open-source vulnerability database

Patrick Devaney
Dec 15, 2022
Updated • Dec 15, 2022

Google has launched a new open-source tool that gives open-source developers access to information on potential vulnerabilities that could affect their projects. OSV-Scanner builds on the OSV.dev service, which Google developed in 2021.


The OSV.dev service is an open-source distributed vulnerability database that aggregates vulnerabilities from the different open-source ecosystems into a single location and a machine-readable format. The move marked an important step, as unifying open-source vulnerability databases in this way had proven challenging, with each using its own format. Describing the move in June last year, Google said:

“With this schema we hope to define a format that all vulnerability databases can export. A unified format means that vulnerability databases, open-source users, and security researchers can easily share tooling and consume vulnerabilities across all of open-source. This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation.”

The new OSV-Scanner tool marks the next step in this journey, as it offers what Google is calling an “officially supported front end to the OSV database”. As mentioned above, the sheer number and variety of formats made the data a challenge to compile, and they also make it a challenge to keep track of. That calls for automating the task, which is where the new scanner tool comes in:

“The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases.”

According to the Google blog post announcing the new OSV-Scanner, the OSV.dev database is now the biggest open-source vulnerability database of its kind, containing over 38,000 advisories, up from 15,000 advisories just a year ago.

Publisher
Ghacks Technology News