A library for Software Composition Analysis



In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we've continued to build this tool, adding remediation features, as well as expanding ecosystem support to 11 programming languages and 20 package manager formats.

Today, we're excited to release OSV-SCALIBR (Software Composition Analysis LIBRary), an extensible library for SCA and file system scanning. OSV-SCALIBR combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:

  • SCA for installed packages, standalone binaries, as well as source code

  • OS package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac

  • Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)

  • Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac

  • SBOM generation in SPDX and CycloneDX, the two most popular document formats

  • Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

OSV-SCALIBR is now the primary SCA engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale.

We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface.

Using OSV-SCALIBR as a library

All of OSV-SCALIBR's capabilities are modularized into plugins for software extraction and vulnerability detection, which are very simple to extend. You can use OSV-SCALIBR as a library to:

1. Generate SBOMs from the build artifacts and code repos on your live host:

import (
 "context"
 "github.com/google/osv-scalibr"
 "github.com/google/osv-scalibr/converter"
 "github.com/google/osv-scalibr/extractor/filesystem/list"
 "github.com/google/osv-scalibr/fs"
 "github.com/google/osv-scalibr/plugin"
 spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
)

func GenSBOM(ctx context.Context) *spdx.Document {
 // Declare what the host offers so that only compatible extractors are selected.
 capab := &plugin.Capabilities{OS: plugin.OSLinux}
 cfg := &scalibr.ScanConfig{
   ScanRoots: fs.RealFSScanRoots("/"),
   FilesystemExtractors: list.FromCapabilities(capab),
   Capabilities: capab,
 }
 result := scalibr.New().Scan(ctx, cfg)
 return converter.ToSPDX23(result, converter.SPDXConfig{})
}

2. Scan a git repo for SBOMs:

Simply replace "/" with the path to your git repo. Also take a look at the various language extractors to enable code scanning.

3. Scan a remote container for SBOMs:

Replace the scan config from the above code snippet with

import (
 …
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/google/osv-scalibr/artifact/image"
 …
)

// Pull the image and expose its layered filesystem as a scan root.
// The error is discarded here for brevity; check it in real code.
filesys, _ := image.NewFromRemoteName(
 "alpine:latest",
 remote.WithAuthFromKeychain(authn.DefaultKeychain),
)

cfg := &scalibr.ScanConfig{
 ScanRoots: []*fs.ScanRoot{{FS: filesys}},
 // remaining fields as in the snippet above
}

4. Find vulnerabilities on your filesystem or in a remote container:

Extract the PURLs from the SCALIBR inventory results from the previous steps:

import (
 …
 "fmt"
 "github.com/google/osv-scalibr/converter"
)

result := scalibr.New().Scan(ctx, cfg)
// Each inventory entry converts to a package URL that osv.dev can look up.
for _, i := range result.Inventories {
 fmt.Println(converter.ToPURL(i))
}

And send them to osv.dev, e.g.

$ curl -d '{"package": {"purl": "pkg:npm/dojo@1.2.3"}}' "https://api.osv.dev/v1/query"
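The query step above, as an added example that is not part of the original post or of osv-scalibr: a small Go helper (hypothetical name QueryPURL) that posts one PURL to the /v1/query endpoint in the request shape shown and collects the returned advisory IDs, treating a non-200 response as an error rather than as a clean result. The base URL is a parameter so the helper can be exercised against a local test server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// osvResponse keeps only the "vulns[].id" field of the /v1/query response.
type osvResponse struct {
	Vulns []struct {
		ID string `json:"id"`
	} `json:"vulns"`
}

// QueryPURL (hypothetical helper, not part of osv-scalibr) posts one package URL
// to an OSV-compatible endpoint in the {"package": {"purl": "..."}} shape shown
// above and returns the IDs of the advisories affecting it. baseURL is a
// parameter so the same code can be exercised against a local test server.
func QueryPURL(client *http.Client, baseURL, purl string) ([]string, error) {
	body, err := json.Marshal(map[string]map[string]string{"package": {"purl": purl}})
	if err != nil {
		return nil, err
	}
	resp, err := client.Post(baseURL+"/v1/query", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Surface API failures instead of silently treating them as "no vulns".
		return nil, fmt.Errorf("osv query for %s: HTTP %d", purl, resp.StatusCode)
	}
	var out osvResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	ids := make([]string, 0, len(out.Vulns)) // empty, not nil, when nothing is known
	for _, v := range out.Vulns {
		ids = append(ids, v.ID)
	}
	return ids, nil
}

func main() {
	// Stand-in for a converter.ToPURL(i) value printed by the scan loop above.
	ids, err := QueryPURL(http.DefaultClient, "https://api.osv.dev", "pkg:npm/dojo@1.2.3")
	fmt.Println(ids, err)
}
```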

See the usage docs for more details.

OSV-Scanner + OSV-SCALIBR

Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities using much of the same extraction as OSV-SCALIBR.

Some of OSV-SCALIBR's capabilities aren't yet available in OSV-Scanner, but we're currently working on integrating OSV-SCALIBR more deeply into OSV-Scanner. This will make more and more of OSV-SCALIBR's capabilities available in OSV-Scanner in the next few months, including installed package extraction, weak credentials scanning, SBOM generation, and more.

Look out soon for an announcement of OSV-Scanner V2 with many of these new features available. OSV-Scanner will become the primary frontend to the OSV-SCALIBR library for users who require a CLI interface. Existing users of OSV-Scanner can continue to use the tool the same way, with backwards compatibility maintained for all existing use cases.

For installation and usage instructions, have a look at OSV-Scanner's documentation here.


What's next

In addition to making all of OSV-SCALIBR's features available in OSV-Scanner, we're also working on additional new capabilities. Here are some of the things you can expect:

  • Support for more OS and language ecosystems, both for regular extraction and for Guided Remediation

  • Layer attribution and base image identification for container scanning

  • Reachability analysis to reduce false positive vulnerability matches

  • More vulnerability and misconfiguration detectors for Windows

  • More weak credentials detectors

We hope that this library helps developers and organizations to secure their software and encourages the open source community to contribute back by sharing new plugins on top of OSV-SCALIBR.

If you have any questions or if you would like to contribute, don't hesitate to reach out to us at osv-discuss@google.com or by posting an issue in our issue tracker.
