Google has reportedly launched a new open-source security scanning tool. The OSV-Scanner tool, according to Google, gives developers convenient access to a large database of open-source vulnerabilities.
Google Reportedly Launches a New Open-Source Security Scanning Tool
Google recently launched OSV-Scanner, a free, open-source tool that it says gives developers easy access to vulnerability information relevant to their project.
Back in 2021 Google launched OSV.dev, a distributed open-source vulnerability database that lets a host of open-source ecosystems and vulnerability databases publish and consume advisories in a single machine-readable format.
OSV-Scanner, according to Google, is the officially supported frontend to this OSV database: it takes a project's list of dependencies and connects each one with the vulnerabilities that affect it.
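To make the matching step concrete, here is a small Python illustration of what an OSV frontend does: parse a pinned dependency list, build the request body that the OSV API's batch endpoint (POST https://api.osv.dev/v1/querybatch) expects, and evaluate advisories written in the OSV schema against the pinned versions. This is an added example, not OSV-Scanner's own code (the real tool is written in Go); the lockfile, the advisory IDs and their version ranges are constructed for the example, no network request is made, and the version comparator is a simplification (dotted integers only) where a real scanner would implement each ecosystem's own ordering rules.

```python
"""Toy OSV frontend: parse a pinned dependency list, build the body that the
OSV API's batch endpoint expects, and evaluate OSV-schema advisories locally.
Added illustration, not OSV-Scanner's own (Go) code."""
import json

# Constructed sample lockfile (pip requirements with exact pins).
SAMPLE_REQUIREMENTS = """\
# constructed sample, pinned by hand
requests==2.25.0
urllib3==1.26.5   # trailing comment
idna==3.4
"""

# Constructed advisories in the OSV schema's shape. The IDs, summaries and
# version ranges are placeholders for this example, not real OSV entries.
SAMPLE_ADVISORIES = [
    {
        "id": "EXAMPLE-0001",
        "summary": "constructed: flaw in requests before 2.31.0",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "requests"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.3.0"}, {"fixed": "2.31.0"}]}],
        }],
    },
    {
        "id": "EXAMPLE-0002",
        "summary": "constructed: flaw in urllib3 fixed exactly at the pinned version",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "urllib3"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.26.5"}]}],
        }],
    },
]


def parse_requirements(text):
    """Return [(name, version), ...] for every exact 'name==version' pin."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if "==" not in line:
            continue                               # skip blanks and loose specs
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def querybatch_payload(deps, ecosystem="PyPI"):
    """Request body for POST https://api.osv.dev/v1/querybatch (not sent here)."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem},
                         "version": v} for n, v in deps]}


def version_key(v):
    """Simplified ordering: dotted integers only (assumption for the example).
    Real scanners implement each ecosystem's rules (PEP 440, semver, ...)."""
    return tuple(int(p) for p in v.split("."))


def version_in_range(version, events):
    """OSV ECOSYSTEM/SEMVER range semantics: each 'introduced' opens an interval
    that the next 'fixed' (exclusive) or 'last_affected' (inclusive) closes;
    an unclosed 'introduced' means every later version is affected."""
    vk = version_key(version)
    lower = None
    for ev in events:
        if "introduced" in ev:
            lower = version_key(ev["introduced"])   # "0" -> (0,) matches all
        elif lower is not None and "fixed" in ev:
            if lower <= vk < version_key(ev["fixed"]):
                return True
            lower = None
        elif lower is not None and "last_affected" in ev:
            if lower <= vk <= version_key(ev["last_affected"]):
                return True
            lower = None
    return lower is not None and vk >= lower


def match_advisories(deps, advisories, ecosystem="PyPI"):
    """Return [(name, version, advisory_id), ...] for every affected pin."""
    hits = []
    for name, version in deps:
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != ecosystem or pkg.get("name", "").lower() != name:
                    continue
                if any(version_in_range(version, r.get("events", []))
                       for r in aff.get("ranges", [])
                       if r.get("type") in ("ECOSYSTEM", "SEMVER")):
                    hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(querybatch_payload(deps), indent=2))
    for name, version, adv_id in match_advisories(deps, SAMPLE_ADVISORIES):
        print(f"{name}=={version} is affected by {adv_id}")
```

Run as a script, it prints the batch query body and then reports that the pinned requests 2.25.0 falls inside the constructed affected range, while urllib3 1.26.5 is not reported because OSV's `fixed` bound is exclusive: the first fixed version is clean. That boundary handling is the part worth getting right when writing your own matcher rather than using the official tool.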
OSV-Scanner Is Integrated into OpenSSF's Scorecard Vulnerabilities Check
OSV-Scanner is integrated into OpenSSF's Scorecard Vulnerabilities check, which extends that analysis from a project's own direct vulnerabilities to vulnerabilities in all of its dependencies.
Since software projects usually pull in many third-party dependencies from outside libraries, with far too many versions to track by hand, Google says automation is essential for keeping them secure.
Each Vulnerability Advisory Comes From an Open and Authoritative Source
Each vulnerability advisory also comes from an "open and authoritative source", for instance the RustSec Advisory Database. Google says anyone can suggest improvements to advisories, which results in a very high-quality database.
If you want to try OSV-Scanner, head to the website and follow the on-screen instructions, or read the guide on GitHub.
Google Is Looking To Pour Resources into Open-Source Security
It is not surprising that Google is pouring resources into open-source security: open-source vulnerabilities remain an important entry point for attackers looking to break into systems.
A report from cybersecurity company Snyk, produced together with the Linux Foundation, found that two in five companies are not confident in the security of their own open-source code.
This lack of trust is holding back adoption in some cases: the share of companies willing to deploy open-source software in their production environments fell five percentage points, from 95% in 2021 to 90% this year.