Google Launches Scanner to Uncover Open Source Vulnerabilities

Written by admin

Securing the software supply chain is an increasingly complex and time-consuming problem for enterprises. To help developers find vulnerability data for the open source components they use, Google launched OSV-Scanner on Tuesday.

Modern software development means managing a large number of dependencies: software libraries and components that add functionality to an application without having to develop it from scratch. Developers need to be aware of vulnerabilities that may exist in those components, but the job is complicated by the fact that each dependency potentially pulls in further dependencies of its own.

A new report from the Station 9 research team at Endor Labs found that 95% of all vulnerabilities in open source software are found in transitive dependencies, code packages that are indirectly pulled into projects by other dependencies. Developers therefore need to manage vulnerabilities not only in the dependencies they chose directly but also in those transitive dependencies. To complicate matters further, the same report found that even the latest version of a package may still have known vulnerabilities, so "upgrade to latest" is not always a fix.

Last year, Google launched the OSV.dev service, a distributed open source vulnerability database, to help developers with vulnerability management. OSV.dev covers 16 different open source ecosystems and vulnerability databases, with a total of 38,000 advisories. The idea is to use the service for vulnerability monitoring, triage, and patch automation. Google's Rex Pan calls OSV-Scanner, which connects a project's list of dependencies with the vulnerabilities that affect them, the "next step" in managing open source vulnerabilities.

With OSV-Scanner, developers can match their code and dependencies against the list of known vulnerabilities and identify any available patches or newer versions of the affected component. The scanner enumerates all of the transitive dependencies used by a project by analyzing software manifests and lockfiles, software bills of materials (SBOMs), and commit hashes. It then queries OSV.dev and reports the known vulnerabilities in the project, along with the versions in which they were fixed where such versions exist.
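To make the matching step concrete, the following is an added example and not OSV-Scanner's own code. It parses a constructed requirements.txt, builds the request body that the OSV.dev batch query endpoint (POST https://api.osv.dev/v1/querybatch) accepts, and then applies the OSV schema's "affected" range semantics (an "introduced" event opens a range, a later "fixed" event closes it, half-open) to three constructed advisories. The package names, versions and advisory IDs (OSV-EXAMPLE-...) are hypothetical, the version comparison is a deliberate simplification of PEP 440, and no network request is made, so it runs offline.

```python
"""Added example: lockfile -> OSV query body -> match against advisory ranges.
Not OSV-Scanner's code; sample data below is constructed for illustration."""
import json
import re

# Constructed sample manifest; not from any real project.
REQUIREMENTS_TXT = """\
# constructed requirements.txt for the example
examplepkg==1.4.2   # pinned, matched by two of the sample advisories below
otherlib==2.0.0     # pinned, already past the sample fix
"""

# Constructed advisories in OSV schema shape (hypothetical IDs, not real entries).
SAMPLE_VULNS = [
    {"id": "OSV-EXAMPLE-0001",
     "summary": "constructed: examplepkg from 1.0.0 up to (not including) 1.4.3",
     "affected": [{"package": {"name": "examplepkg", "ecosystem": "PyPI"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}]}]}]},
    {"id": "OSV-EXAMPLE-0002",
     "summary": "constructed: otherlib before 1.9.0 (our pin is already past it)",
     "affected": [{"package": {"name": "otherlib", "ecosystem": "PyPI"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.9.0"}]}]}]},
    {"id": "OSV-EXAMPLE-0003",
     "summary": "constructed: examplepkg from 1.4.0 onward, no fix published yet",
     "affected": [{"package": {"name": "examplepkg", "ecosystem": "PyPI"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.4.0"}]}]}]},
]

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)")


def parse_requirements(text):
    """Return [(name, version)] for the '==' pinned lines of a requirements.txt.
    Comments and unpinned lines are skipped; names are lower-cased."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def build_querybatch(pins, ecosystem="PyPI"):
    """JSON body for POST https://api.osv.dev/v1/querybatch, one query per pin."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pins]}


def vkey(version):
    """Simplified version key: leading numeric dot-separated components only.
    A real scanner uses ecosystem-specific ordering (PEP 440 for PyPI)."""
    parts = []
    for p in version.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def affected_by(vuln, name, ecosystem, version):
    """OSV ECOSYSTEM range semantics: each 'introduced' opens a range that a
    later 'fixed' closes (half-open). Returns (is_affected, fixed_version_or_None);
    an unclosed range means the version is affected and no fix is published."""
    v = vkey(version)
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("name", "").lower() != name or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            start = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    start = ev["introduced"]
                elif "fixed" in ev and start is not None:
                    if vkey(start) <= v < vkey(ev["fixed"]):
                        return True, ev["fixed"]
                    start = None
            if start is not None and vkey(start) <= v:
                return True, None
    return False, None


def scan(requirements_text, vulns, ecosystem="PyPI"):
    """Match every pinned package against the advisory list; return findings."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        for vuln in vulns:
            hit, fixed = affected_by(vuln, name, ecosystem, version)
            if hit:
                findings.append({"package": name, "version": version,
                                 "id": vuln["id"], "fixed": fixed})
    return findings


if __name__ == "__main__":
    print(json.dumps(build_querybatch(parse_requirements(REQUIREMENTS_TXT)), indent=2))
    for f in scan(REQUIREMENTS_TXT, SAMPLE_VULNS):
        action = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version yet"
        print(f"{f['package']}=={f['version']}: {f['id']} ({action})")
```

The third constructed advisory is the case the Endor Labs finding warns about: the pinned version is affected and no "fixed" event exists, so the report must say so rather than suggest an upgrade. Against the live service, the batch endpoint returns the matching vulnerability IDs and the full records (with the "affected" ranges used above) are fetched per ID; the real tool's equivalent of this whole flow for a single file is `osv-scanner --lockfile=requirements.txt`.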

The information generated by the scanner "closes the gap between a developer's list of packages and the information in vulnerability databases," Pan wrote in the blog post announcing the new tool. Features such as the ability to use function-level vulnerability information and automated remediation will be available in the future, Pan wrote.

OSV-Scanner automates the discovery of known vulnerabilities in the software supply chain and of the versions that fix them. The 2021 United States Executive Order on Improving the Nation's Cybersecurity (EO 14028) specifically listed automated tools "that check for known and potential vulnerabilities and remediate them" as a requirement for national standards on secure software development.

Developers can download and try OSV-Scanner from the osv.dev website, or use the OpenSSF Scorecard Vulnerabilities check to run the scanner automatically on a GitHub project, Google says.
