
Google Launches Largest Distributed Database of Open Source Vulnerabilities



Dec 13, 2022 | Ravie Lakshmanan | Open Source / Vulnerability Database


Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects.

The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan said in a post shared with The Hacker News.

"The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases," Pan added.


The idea is to identify all the transitive dependencies of a project (the scanner reads lockfiles and similar manifests rather than just the top-level dependency declarations) and highlight the relevant vulnerabilities using data pulled from the OSV.dev database.
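To make the "connect a list of dependencies with the vulnerabilities that affect them" step concrete, the following is an added example written for this page; it is not OSV-Scanner's code or any other Google code. It parses a constructed npm package-lock.json (including a nested, transitive copy of a package), shows the request body a scanner would send to the real OSV.dev batch endpoint (POST https://api.osv.dev/v1/querybatch), and then matches the packages against constructed advisories written in the shape of the OSV schema. The package names and advisory IDs (EXAMPLE-2022-000x) are invented for the demo, and the version comparison is a deliberate simplification (numeric dotted components only, no pre-release or ecosystem-specific ordering).

```python
"""Lockfile-to-OSV matching in the spirit of OSV-Scanner (added example, not Google's code)."""
import json
import re

# Constructed package-lock.json (lockfileVersion 3); not a real project. The "packages"
# map keys every installed path, so transitive dependencies appear alongside direct ones.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-lib": {"version": "1.2.0"},
        "node_modules/other-lib": {"version": "3.0.1"},
        "node_modules/other-lib/node_modules/example-lib": {"version": "1.3.0"},
    },
})

# Constructed advisories in OSV schema shape (https://ossf.github.io/osv-schema/);
# the IDs and package names are invented for this demo.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.5"}]}]}]},
    {"id": "EXAMPLE-2022-0002", "affected": [{"package": {"name": "other-lib", "ecosystem": "npm"},
        "versions": ["2.9.0", "2.9.1"]}]},
    {"id": "EXAMPLE-2022-0003", "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]},
]


def parse_package_lock(text):
    """Return sorted (ecosystem, name, version) triples from npm's package-lock.json v2/v3."""
    pkgs = set()
    marker = "node_modules/"
    for path, entry in json.loads(text).get("packages", {}).items():
        # "node_modules/a/node_modules/b" -> "b"; the "" key is the root project itself.
        idx = path.rfind(marker)
        if idx >= 0:
            pkgs.add(("npm", path[idx + len(marker):], entry["version"]))
    return sorted(pkgs)


def build_querybatch(pkgs):
    """Request body for POST https://api.osv.dev/v1/querybatch (the documented OSV.dev API shape)."""
    return {"queries": [{"package": {"name": n, "ecosystem": e}, "version": v} for e, n, v in pkgs]}


def compare_versions(a, b):
    """-1, 0 or 1 ordering dotted numeric versions ("1.10.0" > "1.9.3", "1.2" == "1.2.0").
    Simplified: pre-release suffixes and ecosystem rules (PEP 440, Debian epochs) are ignored."""
    key = lambda s: [int(re.match(r"\d*", part).group() or 0) for part in s.split(".")]
    ka, kb = key(a), key(b)
    n = max(len(ka), len(kb))
    ka, kb = ka + [0] * (n - len(ka)), kb + [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def affects(aff, ecosystem, name, version):
    """True if an OSV 'affected' entry covers the package: an explicit versions list, or a
    range whose ordered events bound it (introduced <= v < fixed). GIT ranges are skipped
    because a lockfile carries no commit hashes to match against."""
    pkg = aff.get("package", {})
    if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
        return False
    if version in aff.get("versions", []):
        return True
    for rng in aff.get("ranges", []):
        if rng.get("type") == "GIT":
            continue
        inside = False
        for event in rng.get("events", []):
            if "introduced" in event and compare_versions(version, event["introduced"]) >= 0:
                inside = True
            if "fixed" in event and compare_versions(version, event["fixed"]) >= 0:
                inside = False
        if inside:
            return True
    return False


def match_vulns(pkgs, vulns):
    """Join the dependency list against advisories: {"ecosystem/name@version": [advisory ids]}."""
    hits = {}
    for ecosystem, name, version in pkgs:
        ids = [v["id"] for v in vulns
               if any(affects(a, ecosystem, name, version) for a in v.get("affected", []))]
        if ids:
            hits[f"{ecosystem}/{name}@{version}"] = ids
    return hits


def scan_sample():
    """Run the whole pipeline on the constructed inputs."""
    return match_vulns(parse_package_lock(SAMPLE_LOCK), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    pkgs = parse_package_lock(SAMPLE_LOCK)
    print(json.dumps(build_querybatch(pkgs)))
    hits = scan_sample()
    for e, n, v in pkgs:
        print(f"{e}/{n}@{v}:", hits.get(f"{e}/{n}@{v}", "no matching advisories"))
```

Two things the output makes visible that the paragraph does not: the nested example-lib 1.3.0 is found even though it is not a direct dependency, and it is correctly reported clean because the range closes at 1.2.5, while the direct 1.2.0 copy is flagged. In practice the advisories come back from the querybatch call rather than a constant, and a production matcher must use each ecosystem's own version ordering (OSV-Scanner does), which is exactly where the simplified comparison here would go wrong.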

Google further stated that the open source platform supports 16 ecosystems, covering all major languages, Linux distributions (Debian and Alpine), as well as Android, the Linux kernel, and OSS-Fuzz.

The result of this expansion is that OSV.dev is now a repository of more than 38,000 advisories, up from 15,000 security advisories a year ago, with Linux (27.4%), Debian (23.2%), PyPI (9.5%), Alpine (7.9%), and npm (7.1%) occupying the top five slots.

As for the next steps, the internet giant noted it is working to add support for C/C++ flaws by building a "high-quality database" that involves adding "precise commit-level metadata to CVEs."

OSV-Scanner arrives nearly two months after Google launched GUAC – short for Graph for Understanding Artifact Composition – to complement Supply-chain Levels for Software Artifacts (SLSA, pronounced "salsa") as part of its efforts to harden software supply chain security.

Last week, Google also published a new "Perspectives on Security" report calling on organizations to develop and deploy a common SLSA framework to prevent tampering, improve integrity, and secure packages against potential threats.

Other recommendations laid out by the company include taking on additional open source security responsibilities and adopting a more holistic approach to addressing risks such as those presented by the Log4j vulnerability and the SolarWinds incident in recent years.

“Software program provide chain assaults sometimes require robust technical aptitude and long-term dedication to drag off,” the corporate mentioned. “Subtle actors usually tend to have each the intent and functionality to conduct all these assaults.”

"Most organizations are vulnerable to software supply chain attacks because attackers take the time to target third-party suppliers with trusted connections to their customers' networks. They then use that trust to burrow deeper into the networks of their ultimate targets."
