OSV-Scanner Tool launched by Google to identify any open source vulnerability
Recently, Google announced the open source availability of OSV Scanner. OSV- scanner is a scanner designed to provide easy access to vulnerable data for various projects. The Go-based tool is been powered by an open-source vulnerability (OSV) database designed to link a project's list of dependencies to the vulnerabilities that affect them.
The OSV scanner produces reliable and high-quality vulnerability information, bridging the gap between a developer's package list and information in vulnerability databases. The main reason behind this project is to identify all transitive dependencies of the project and highlight relevant vulnerabilities using information taken from the OSV.dev database.
Google further announced that the open source platform supports 16 ecosystems which includes all major languages, Linux distributions (Debian and Alpine), Android, the Linux kernel and OSS-Fuzz. As a result of this extension, OSV.dev is the repository for more than 38,000 notifications, compared to 15,000 security alerts a year ago, Linux (27%), Debian (23.2%), PyPI (9.5 %), Alpine (7). , 9%) ) and npm (7.1%) take the top five spots.
Next Step for Google
As for next steps, the Internet giant said it aims to support the bug by building a high-quality database, which includes adding accurate delivery metadata to CVEs.
The OSV scanner is expected to arrive two months after Google released GUAC (Graph for Understanding Artefact Composition) to complement the supply chain layers of software artefacts as its a trivial part of its efforts to improve the software supply chain security.
Google further released "Security Perspectives" report last week, urging organisations to develop and implement a unified SLSA framework to prevent breaches, improve integrity, and protect packages from potential threats. Several recommendations of the company include further commitments to open source and a more holistic approach to combating the risks posed by the vulnerability of Log and the SolarWinds incident in recent years.
Software supply chain attacks typically require strong technical expertise and long-term commitment. Well sophisticated cyber attackers are more likely to have both the intent and the ability to carry out these types of attacks.
Conclusively, most organisations are vulnerable to software supply chain attacks because attackers take the time to target third-party service providers who have trusted connections to their customers' networks. They then use that trust to penetrate the networks of their end targets.