Google has launched a free open source scanning tool called the OSV-Scanner to provide vulnerability information to software developers using open-source repositories. It is part of the wider Open Source Vulnerability Schema service designed to improve the security of open source ecosystems.
The tool has been designed to protect software developers who want to use open source code. OSV-Scanner checks the code a user wants to incorporate by automatically matching the project's dependencies against lists of known vulnerabilities, and then notifies the user where patches or updates are required.
Google releases OSV-Scanner
The tool, announced by Google this week, has been released alongside their Open Source Vulnerability Schema and OSV.dev service. “OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise and machine-readable format,” reads a Google blog post.
Google sees the newest tool release as the front end of this programme, connecting a project's list of dependencies with the vulnerabilities that affect them. OSV-Scanner is written in the Go programming language.
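To make the matching step concrete, here is an added example, written for this article and not code from Google or the OSV-Scanner project, of how a resolved dependency list can be checked against advisories published in the OSV format. The advisory, its ID and the package names are constructed placeholders; the field names (`affected[].package`, `affected[].ranges[].events` with `introduced` and `fixed`) follow the published OSV schema, and the version comparison is a simplified three-component numeric compare rather than full semantic versioning.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Advisory reads only the subset of an OSV record needed for matching.
// Hypothetical minimal reader, not the OSV-Scanner's own implementation.
type Advisory struct {
	ID       string `json:"id"`
	Summary  string `json:"summary"`
	Affected []struct {
		Package struct {
			Ecosystem string `json:"ecosystem"`
			Name      string `json:"name"`
		} `json:"package"`
		Ranges []struct {
			Type   string              `json:"type"`
			Events []map[string]string `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// Dependency is one entry from a project's resolved dependency list.
type Dependency struct {
	Ecosystem, Name, Version string
}

// Constructed sample advisory in OSV format (placeholder ID and package).
const sampleAdvisories = `[{
  "id": "EXAMPLE-0001",
  "summary": "Constructed example: path traversal in example-lib",
  "affected": [{
    "package": {"ecosystem": "Go", "name": "example.com/example-lib"},
    "ranges": [{"type": "SEMVER",
      "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}]
  }]
}]`

// parseVersion splits "1.4.1" into numeric components; missing parts are 0.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	out := make([]int, 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, _ := strconv.Atoi(parts[i]) // non-numeric parts compare as 0
		out[i] = n
	}
	return out
}

// compareVersions returns -1, 0 or 1, comparing components numerically
// so that 1.10.0 sorts after 1.9.0 (a plain string compare would not).
func compareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// inRange walks OSV events in order: a version becomes affected at an
// "introduced" event at or below it and stops being affected at a later
// "fixed" event at or below it, so several introduced/fixed pairs work.
func inRange(version string, events []map[string]string) bool {
	affected := false
	for _, ev := range events {
		if intro, ok := ev["introduced"]; ok && compareVersions(version, intro) >= 0 {
			affected = true
		}
		if fixed, ok := ev["fixed"]; ok && compareVersions(version, fixed) >= 0 {
			affected = false
		}
	}
	return affected
}

// Match returns, keyed by "name@version", the advisory IDs affecting each dependency.
func Match(deps []Dependency, advisoriesJSON string) (map[string][]string, error) {
	var advisories []Advisory
	if err := json.Unmarshal([]byte(advisoriesJSON), &advisories); err != nil {
		return nil, err
	}
	hits := map[string][]string{}
	for _, d := range deps {
		for _, adv := range advisories {
			for _, aff := range adv.Affected {
				if aff.Package.Ecosystem != d.Ecosystem || aff.Package.Name != d.Name {
					continue
				}
				for _, r := range aff.Ranges {
					if r.Type == "SEMVER" && inRange(d.Version, r.Events) {
						key := d.Name + "@" + d.Version
						hits[key] = append(hits[key], adv.ID)
					}
				}
			}
		}
	}
	return hits, nil
}

func main() {
	deps := []Dependency{
		{"Go", "example.com/example-lib", "1.3.0"}, // inside the affected range
		{"Go", "example.com/example-lib", "1.4.1"}, // exactly the fixed version
		{"Go", "example.com/other-lib", "0.9.0"},   // no advisory at all
	}
	hits, err := Match(deps, sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for dep, ids := range hits {
		fmt.Printf("%s is affected by %s\n", dep, strings.Join(ids, ", "))
	}
}
```

Only `example-lib@1.3.0` is reported: the `fixed` event is exclusive, so the patched `1.4.1` is clean. The numeric comparison matters in practice, since a string compare would wrongly treat `1.10.0` as older than `1.9.0` and miss a vulnerable range.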
Open source code libraries are useful for developers who do not want to write all their code from scratch, continues the blog. “Software projects are commonly built on top of a mountain of dependencies – external software libraries you incorporate into a project to add functionalities without developing them from scratch,” it reads.
There are too many dependencies and versions to keep track of manually, so automation is required to scan them and ensure every dependency is free of known vulnerabilities.
Google is planning to release an updated management tool in the future that will also minimise the burden of remediating known vulnerabilities, by “further integrating with developer workflows by offering standalone CI actions, allowing for easy set-up and scheduling to keep track of new vulnerabilities,” continues the post.
How corrupted are open source libraries?
The security of open source code libraries is a growing issue. According to a survey conducted by The Linux Foundation, an application carries an average of 5.1 outstanding critical vulnerabilities at any given time.
In fact, the 2021 US Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development.
Open source libraries are often targeted in a bid to spread malware to users of the apps built by those who depend on the libraries. Security company Sonatype recently found that more than 55,000 packages newly published to open source repositories in the last year were malicious, and that the figure rises to 95,000 over the past three years.
“Almost every modern business relies on open source,” explained co-founder and CTO of Sonatype Brian Fox. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down.”