December 15, 2022

Google releases OSV-Scanner to root out vulnerabilities in open source code

Google has released a software tool that scans open source code to expose vulnerabilities to software developers.

By Claudia Glover

Google has launched a free open source scanning tool called OSV-Scanner to provide vulnerability information to software developers who use open-source repositories. It is part of Google's wider Open Source Vulnerability (OSV) schema and service, designed to improve the security of open source ecosystems.

Google releases open source code scanning tool to protect devs from corrupt code

The tool has been designed to protect software developers who want to use open source code. OSV-Scanner checks for vulnerabilities in the code the user wants to incorporate by automatically matching the project's code and dependencies against lists of known vulnerabilities. Once done, it notifies the user if patches or updates are required.


The tool, announced by Google this week, has been released alongside its Open Source Vulnerability schema and service. “OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise and machine-readable format,” reads a Google blog post.

The newest tool release is seen by Google as the front end of this programme, connecting a project’s list of dependencies with the vulnerabilities that affect them. The OSV scanner is written in the Go programming language. 

Open source code libraries are useful for developers who do not want to write all their code from scratch, continues the blog. “Software projects are commonly built on top of a mountain of dependencies – external software libraries you incorporate into a project to add functionalities without developing them from scratch,” it reads. 

There are too many dependencies and versions to keep track of manually, so automation is required to scan through them and ensure that all the dependencies are free of known vulnerabilities.
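As an added illustration of the matching the article describes (this is not code from Google or the OSV-Scanner project), the following Python sketch applies the OSV schema's `affected`, `ranges` and `events` fields to a constructed advisory and a constructed dependency list; the advisory ID, package names and versions are all made up, and the version comparator only handles plain dotted numbers.

```python
import json

# Constructed OSV-format advisory (made-up ID and package); field names follow the public OSV schema.
SAMPLE_ADVISORY_JSON = json.dumps({
    "id": "OSV-EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}]}]})

def parse_version(v):
    """Dotted numeric versions only; real ecosystems need their own comparators."""
    return tuple(int(p) for p in v.split("."))

def version_affected(version, events):
    """OSV events: 'introduced' opens a range; the next 'fixed' (exclusive) or
    'last_affected' (inclusive) closes it; no closing event means open-ended."""
    v, start = parse_version(version), None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])  # "0" means from the first version
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= v <= parse_version(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start  # open-ended range, no fix yet

def scan(dependencies, advisories_json):
    """Match (ecosystem, name, version) dependencies against OSV advisories and
    return (name, version, advisory_id) findings, the shape a scanner reports."""
    findings = []
    for adv in map(json.loads, advisories_json):
        for aff in adv["affected"]:
            pkg = aff["package"]
            for eco, name, version in dependencies:
                if (eco, name) != (pkg["ecosystem"], pkg["name"]):
                    continue
                hit = version in aff.get("versions", []) or any(
                    version_affected(version, r["events"]) for r in aff.get("ranges", []))
                if hit:
                    findings.append((name, version, adv["id"]))
    return findings

# Constructed dependency list, as a lockfile parser would produce it
DEPENDENCIES = [("PyPI", "examplelib", "1.3.0"), ("PyPI", "examplelib", "1.4.1"),
                ("PyPI", "otherlib", "2.0.0")]
```

Running `scan(DEPENDENCIES, [SAMPLE_ADVISORY_JSON])` flags only examplelib 1.3.0, since 1.4.1 is the fixed version and otherlib is not named in the advisory.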

Google is planning to release an updated management tool in the future that will also minimise the burden of remediating known vulnerabilities, by “further integrating with developer workflows by offering standalone CI actions, allowing for easy set-up and scheduling to keep track of new vulnerabilities,” continues the post. 


How corrupted are open source libraries?

The security of open source code libraries is a growing issue. According to a survey conducted by The Linux Foundation, an application has an average of 5.1 outstanding critical vulnerabilities at any given time.

In fact, the 2021 US Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development. 

Open source libraries are often targeted in a bid to spread malware to users of the apps built by the developers who use those libraries. Security company Sonatype recently found that more than 55,000 of the packages newly published to open source libraries in the last year were malicious, a figure that rises to 95,000 over the past three years.

“Almost every modern business relies on open source,” explained co-founder and CTO of Sonatype Brian Fox. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down.”

