December 15, 2022

Google releases OSV-Scanner to root out vulnerabilities in open source code

Google has released a software tool that scans open source code to expose vulnerabilities to software developers.

By Claudia Glover

Google has launched a free, open source scanning tool called OSV-Scanner to provide vulnerability information to software developers who use open source repositories. It is part of the wider Open Source Vulnerability (OSV) schema and service, designed to improve the security of open source ecosystems.


The tool is designed to protect software developers who want to use open source code. OSV-Scanner checks the code a user wants to incorporate by automatically matching the project's code and dependencies against lists of known vulnerabilities, and then notifies the user if patches or updates are required.


The tool, announced by Google this week, has been released alongside its Open Source Vulnerability Schema and OSV.dev service. “OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise and machine-readable format,” reads a Google blog post.

Google describes the new tool as the front end of this programme, connecting a project’s list of dependencies with the vulnerabilities that affect them. OSV-Scanner is written in the Go programming language.
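To make the matching step concrete, here is a small Go program added as an illustration; it is not code from Google's OSV-Scanner or the OSV project. It takes a list of resolved dependencies (a stand-in for a parsed lockfile, constructed for the example), compares each entry against advisories written in the OSV schema (constructed sample entries with placeholder ids, not real OSV records) and reports which dependencies are affected and the version that fixes them. The version comparison is a deliberately simplified numeric one; the real scanner applies per-ecosystem version rules and queries OSV.dev rather than an embedded list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal subset of the OSV schema: an advisory lists affected packages, each with version ranges
// given as ascending "introduced"/"fixed" events (encoding/json matches untagged names case-insensitively).
type Package struct{ Ecosystem, Name string }
type Event struct{ Introduced, Fixed string }
type Advisory struct {
	ID       string
	Affected []struct {
		Package Package
		Ranges  []struct{ Events []Event }
	}
}

// Dependency is one resolved lockfile entry; a Finding pairs it with an advisory
// and the version that fixes it ("" when the advisory lists none).
type Dependency struct{ Package; Version string }
type Finding struct{ Dependency; ID, FixedIn string }

// Constructed advisories in OSV format; the ids and package names are placeholders.
const sampleAdvisories = `[
 {"id": "EXAMPLE-2022-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}]}]},
 {"id": "EXAMPLE-2022-0002", "affected": [{"package": {"ecosystem": "Go", "name": "example.com/pkg"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.4.0"}, {"fixed": "1.5.2"}]}]}]}
]`

// sampleDependencies stands in for a parsed lockfile (constructed data).
var sampleDependencies = []Dependency{
	{Package{"npm", "example-lib"}, "2.2.0"},    // inside the affected range
	{Package{"npm", "example-lib"}, "2.3.1"},    // exactly the fixed version: clean
	{Package{"Go", "example.com/pkg"}, "1.4.7"}, // inside the affected range
	{Package{"Go", "example.com/pkg"}, "1.3.9"}, // before "introduced": clean
	{Package{"npm", "unrelated-lib"}, "1.0.0"},  // no advisory at all
}

// compareVersions orders dotted numeric versions (<0, 0 or >0); the real scanner uses per-ecosystem rules.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x - y
		}
	}
	return len(as) - len(bs) // "1.2" sorts before "1.2.0"
}

// affectedBy: a version is affected from an "introduced" event it has reached until the next "fixed" event it has reached.
func affectedBy(v string, events []Event) (bool, string) {
	affected, fixedIn := false, ""
	for _, e := range events {
		if e.Introduced != "" && compareVersions(v, e.Introduced) >= 0 {
			affected, fixedIn = true, ""
		}
		if e.Fixed != "" && compareVersions(v, e.Fixed) >= 0 {
			affected = false
		} else if e.Fixed != "" && affected {
			fixedIn = e.Fixed
		}
	}
	return affected, fixedIn
}

// Scan pairs each dependency with advisories for the same ecosystem and package, then checks its version against their ranges.
func Scan(advisoriesJSON string, deps []Dependency) ([]Finding, error) {
	var advs []Advisory
	if err := json.Unmarshal([]byte(advisoriesJSON), &advs); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, d := range deps {
		for _, a := range advs {
			for _, aff := range a.Affected {
				for _, r := range aff.Ranges {
					if hit, fixedIn := affectedBy(d.Version, r.Events); aff.Package == d.Package && hit {
						findings = append(findings, Finding{d, a.ID, fixedIn})
					}
				}
			}
		}
	}
	return findings, nil
}

func main() {
	findings, _ := Scan(sampleAdvisories, sampleDependencies)
	for _, f := range findings {
		fmt.Printf("%s %s@%s: %s, fixed in %s\n", f.Ecosystem, f.Name, f.Version, f.ID, f.FixedIn)
	}
}
```

Run as `go run main.go`; the program reports the two vulnerable entries together with the first fixed version, which is the "patch or update required" signal the article describes. Note that a dependency sitting exactly on the fixed version is not reported, since OSV's "fixed" event marks the first safe version, and a dependency older than the "introduced" version is also clean.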

Open source code libraries are useful for developers who do not want to write all their code from scratch, the blog post continues. “Software projects are commonly built on top of a mountain of dependencies – external software libraries you incorporate into a project to add functionalities without developing them from scratch,” it reads.

There are too many dependencies and versions to keep track of manually, so automation is required to scan through them and ensure all the dependencies are free of known vulnerabilities.

Google plans to release an updated management tool in the future that will also minimise the burden of remediating known vulnerabilities, by “further integrating with developer workflows by offering standalone CI actions, allowing for easy set-up and scheduling to keep track of new vulnerabilities,” the post continues.

How corrupted are open source libraries?

The security of open source code libraries is a growing issue. According to a survey conducted by The Linux Foundation, an application carries an average of 5.1 outstanding critical vulnerabilities at any given time.


In fact, the 2021 US Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development. 

Open source libraries are often targeted as a way to spread malware to users of the applications built with those libraries. Security company Sonatype recently found that more than 55,000 of the packages newly published to open source repositories in the last year were malicious; the figure rises to 95,000 over the past three years.

“Almost every modern business relies on open source,” explained co-founder and CTO of Sonatype Brian Fox. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down.”

