In December 2022, we launched the open supply OSV-Scanner software, and earlier this 12 months, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, along with OSV.dev are elements of an open platform for managing vulnerability metadata and enabling easy and correct matching and remediation of identified vulnerabilities. Our aim is to simplify and streamline vulnerability administration for builders and safety groups alike.
In the present day, we’re thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta model. This V2 launch builds upon the muse we laid with OSV-SCALIBR and provides vital new capabilities to OSV-Scanner, making it a complete vulnerability scanner and remediation software with broad assist for codecs and ecosystems.
What’s new
Enhanced Dependency Extraction with OSV-SCALIBR
This launch represents the primary main integration of OSV-SCALIBR options into OSV-Scanner, which is now the official command-line code and container scanning software for the OSV-SCALIBR library. This integration additionally expanded our assist for the sorts of dependencies we will extract from tasks and containers:
Supply manifests and lockfiles:
Artifacts:
-
Node modules
-
Python wheels
-
Java uber jars
-
Go binaries
Layer and base image-aware container scanning
Beforehand, OSV-Scanner centered on scanning of supply repositories and language package deal manifests and lockfiles. OSV-Scanner V2 provides assist for complete, layer-aware scanning for Debian, Ubuntu, and Alpine container photographs. OSV-Scanner can now analyze container photographs to offer:
-
Layers the place a package deal was first launched
-
Layer historical past and instructions
-
Base photographs the picture relies on (leveraging a new experimental API offered by deps.dev).
-
OS/Distro the container is working on
-
Filtering of vulnerabilities which can be unlikely to impression your container picture
This layer evaluation presently helps the next OSes and languages:
Distro Help:
Language Artifacts Help:
Interactive HTML output
Presenting vulnerability scan info in a transparent and actionable approach is tough, significantly within the context of container scanning. To deal with this, we constructed a brand new interactive native HTML output format. This gives extra interactivity and data in comparison with terminal solely outputs, together with:
And moreover for container picture scanning:
Illustration of HTML output for container picture scanning
Guided remediation for Maven pom.xml
Final 12 months we launched a function referred to as guided remediation for npm, which streamlines vulnerability administration by intelligently suggesting prioritized, focused upgrades and providing versatile methods. This finally maximizes safety enhancements whereas minimizing disruption. We have now now expanded this function to Java by way of assist for Maven pom.xml.
With guided remediation assist for Maven, you’ll be able to remediate vulnerabilities in each direct and transitive dependencies by way of direct model updates or overriding variations by way of dependency administration.
We’ve launched a couple of new issues for our Maven assist:
-
A brand new remediation technique override.
-
Help for studying and writing pom.xml information, together with writing adjustments to native dad or mum pom information. We leverage OSV-Scalibr for Maven transitive dependency extraction.
-
A personal registry might be specified to fetch Maven metadata.
-
A brand new experimental subcommend to replace all of your dependencies in pom.xml to the most recent model.
We additionally launched machine readable output for guided remediation that makes it simpler to combine guided remediation into your workflow.
What’s subsequent?
We have now thrilling plans for the rest of the 12 months, together with:
-
Continued OSV-SCALIBR Convergence: We’ll proceed to converge OSV-Scanner and OSV-SCALIBR to convey OSV-SCALIBR’s performance to OSV-Scanner’s CLI interface.
-
Expanded Ecosystem Help: We’ll increase the variety of ecosystems we assist throughout all of the options presently in OSV-Scanner, together with extra languages for guided remediation, OS advisories for container scanning, and extra common lockfile assist for supply code scanning.
-
Full Filesystem Accountability for Containers: One other aim of osv-scanner is to provide the means to know and account for each single file in your container picture, together with sideloaded binaries downloaded from the web.
-
Reachability Evaluation: We’re engaged on integrating reachability evaluation to offer deeper insights into the potential impression of vulnerabilities.
-
VEX Help: We’re planning so as to add assist for Vulnerability Trade (VEX) to facilitate higher communication and collaboration round vulnerability info.
Attempt OSV-Scanner V2
You’ll be able to attempt V2.0.0 and contribute to its ongoing improvement by testing OSV-Scanner or the OSV-SCALIBR repository. We welcome your suggestions and contributions as we proceed to enhance the platform and make vulnerability administration simpler for everybody.
In case you have any questions or if you want to contribute, do not hesitate to achieve out to us at osv-discuss@google.com, or publish a problem in our difficulty tracker.
