In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev, are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is to simplify and streamline vulnerability management for developers and security teams alike.
Today, we’re excited to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems.
What’s new
Enhanced Dependency Extraction with OSV-SCALIBR
This release represents the first major integration of OSV-SCALIBR features into OSV-Scanner, which is now the official command-line code and container scanning tool for the OSV-SCALIBR library. This integration also expanded our support for the kinds of dependencies we can extract from projects and containers:
Source manifests and lockfiles:
Artifacts:
- Node modules
- Python wheels
- Java uber jars
- Go binaries
Layer and base image-aware container scanning
Previously, OSV-Scanner focused on scanning source repositories and language package manifests and lockfiles. OSV-Scanner V2 adds support for comprehensive, layer-aware scanning of Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to report:
- The layer in which a package was first introduced
- Layer history and commands
- The base images the image is built on (leveraging a new experimental API provided by deps.dev)
- The OS/distro the container is running on
- Filtering of vulnerabilities that are unlikely to affect your container image
This layer analysis currently supports the following OSes and languages:
Distro Support:
Language Artifacts Support:
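A simplified model of the layer-aware filtering described above, as an added Python example that is not OSV-Scanner's own code: replaying a constructed layer history shows why a finding against a package that a later layer purges or upgrades does not affect the final image, and which layer introduced each package that does remain. Layer commands, package versions and advisory ids are constructed placeholders, and exact-version matching stands in for real affected-range matching.

```python
from dataclasses import dataclass, field

@dataclass
class Layer:
    command: str                                   # instruction that produced the layer
    installed: dict = field(default_factory=dict)  # package name -> version added or upgraded
    removed: set = field(default_factory=set)      # package names uninstalled in this layer

# Constructed layer history for a hypothetical Debian-based image (versions are placeholders).
LAYERS = [
    Layer("FROM debian:bookworm-slim", {"libc6": "2.36-9", "openssl": "3.0.11-1"}),
    Layer("RUN apt-get install -y curl gcc", {"curl": "7.88.1-10", "gcc": "12.2.0-14"}),
    Layer("RUN apt-get purge -y gcc", removed={"gcc"}),
    Layer("RUN apt-get install -y --only-upgrade openssl", {"openssl": "3.0.13-1"}),
]

# Constructed findings: (placeholder advisory id, package, affected version).
FINDINGS = [
    ("PLACEHOLDER-ADV-1", "gcc", "12.2.0-14"),     # package purged in a later layer
    ("PLACEHOLDER-ADV-2", "openssl", "3.0.11-1"),  # version upgraded in a later layer
    ("PLACEHOLDER-ADV-3", "curl", "7.88.1-10"),    # still present in the final image
]

def final_packages(layers):
    """Replay layers in order; return {name: (version, index of the layer that introduced it)}."""
    present = {}
    for idx, layer in enumerate(layers):
        for name in layer.removed:
            present.pop(name, None)
        for name, version in layer.installed.items():
            if present.get(name, (None,))[0] != version:  # new package, or a new version of it
                present[name] = (version, idx)
    return present

def triage(findings, layers):
    """Split findings into those that affect the final image (annotated with the layer and
    command that introduced the package) and those filtered out because the vulnerable
    package version never reaches the final image."""
    present = final_packages(layers)
    affecting, filtered = [], []
    for adv, name, version in findings:
        hit = present.get(name)
        if hit and hit[0] == version:
            affecting.append((adv, name, version, hit[1], layers[hit[1]].command))
        else:
            filtered.append((adv, name, version))
    return affecting, filtered
```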
Interactive HTML output
Presenting vulnerability scan information in a clear and actionable way is difficult, particularly in the context of container scanning. To address this, we built a new interactive local HTML output format. This provides more interactivity and information compared to terminal-only output, including:
And additionally for container image scanning:
Illustration: HTML output for container image scanning
Guided remediation for Maven pom.xml
Last year we released a feature called guided remediation for npm, which streamlines vulnerability management by intelligently suggesting prioritized, targeted upgrades and offering flexible strategies. This ultimately maximizes security improvements while minimizing disruption. We have now expanded this feature to Java through support for Maven pom.xml.
With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies, either through direct version updates or by overriding versions through dependency management.
We’ve introduced a few new things for our Maven support:
- A new remediation strategy, override.
- Support for reading and writing pom.xml files, including writing changes to local parent pom files. We leverage OSV-SCALIBR for Maven transitive dependency extraction.
- A private registry can be specified to fetch Maven metadata.
- A new experimental subcommand to update all of your dependencies in pom.xml to the latest version.
We also introduced machine-readable output for guided remediation, which makes it easier to integrate guided remediation into your workflow.
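The two remediation moves just described, a direct version update in <dependencies> and the override strategy that pins a transitive dependency through <dependencyManagement>, as an added Python example that is not OSV-Scanner's own code. The pom.xml, coordinates and versions are constructed placeholders; the POM namespace handling is what any pom.xml rewriter has to get right.

```python
import xml.etree.ElementTree as ET

NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", NS)  # write back with the plain default namespace Maven expects
q = lambda tag: f"{{{NS}}}{tag}"  # Clark-notation qualified tag for ElementTree lookups

# Constructed sample pom.xml; groupIds, artifactIds and versions are illustrative placeholders.
POM = f"""<project xmlns="{NS}"><modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies><dependency><groupId>org.example</groupId><artifactId>web-client</artifactId>
  <version>1.2.0</version></dependency></dependencies></project>"""

def find_dep(deps, group, artifact):  # locate a <dependency> by coordinates, or None
    for dep in deps.findall(q("dependency")):
        if dep.findtext(q("groupId")) == group and dep.findtext(q("artifactId")) == artifact:
            return dep
def bump_direct(root, group, artifact, new_version):
    """Direct version update: rewrite <version> of a dependency declared in <dependencies>."""
    dep = find_dep(root.find(q("dependencies")), group, artifact)
    if dep is None:
        raise KeyError(f"{group}:{artifact} is not a direct dependency; use an override instead")
    dep.find(q("version")).text = new_version
def override_transitive(root, group, artifact, new_version):
    """'override' strategy: pin the version in <dependencyManagement>, which Maven applies to
    the transitive dependency wherever it appears in the tree, without editing its parent."""
    dm = root.find(q("dependencyManagement"))
    if dm is None:
        dm = ET.SubElement(root, q("dependencyManagement"))
    deps = dm.find(q("dependencies"))
    if deps is None:
        deps = ET.SubElement(dm, q("dependencies"))
    dep = find_dep(deps, group, artifact)
    if dep is None:  # first override creates the entry; later ones update it in place
        dep = ET.SubElement(deps, q("dependency"))
        for tag, text in (("groupId", group), ("artifactId", artifact), ("version", "")):
            ET.SubElement(dep, q(tag)).text = text
    dep.find(q("version")).text = new_version
def versions(pom_text):
    """List (section, artifactId, version) for <dependencies> and <dependencyManagement>."""
    root, out = ET.fromstring(pom_text), []
    for section, path in (("direct", q("dependencies")),
                          ("managed", q("dependencyManagement") + "/" + q("dependencies"))):
        for dep in root.findall(path + "/" + q("dependency")):
            out.append((section, dep.findtext(q("artifactId")), dep.findtext(q("version"))))
    return out
def remediate(pom_text):
    root = ET.fromstring(pom_text)
    bump_direct(root, "org.example", "web-client", "1.2.5")           # direct dependency
    override_transitive(root, "org.example", "json-parser", "2.9.1")  # transitive dependency
    return ET.tostring(root, encoding="unicode")
```

A managed version takes precedence over the version a transitive parent declares, which is why the override fixes json-parser without touching web-client, the dependency that pulls it in.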
What’s next?
We have exciting plans for the remainder of the year, including:
- Continued OSV-SCALIBR Convergence: We will continue to converge OSV-Scanner and OSV-SCALIBR to bring OSV-SCALIBR’s functionality to OSV-Scanner’s CLI interface.
- Expanded Ecosystem Support: We’ll expand the number of ecosystems we support across all the features currently in OSV-Scanner, including more languages for guided remediation, OS advisories for container scanning, and more general lockfile support for source code scanning.
- Full Filesystem Accountability for Containers: Another goal of OSV-Scanner is to provide the ability to know and account for every single file in your container image, including sideloaded binaries downloaded from the internet.
- Reachability Analysis: We’re working on integrating reachability analysis to provide deeper insight into the potential impact of vulnerabilities.
- VEX Support: We’re planning to add support for Vulnerability Exchange (VEX) to facilitate better communication and collaboration around vulnerability information.
Try OSV-Scanner V2
You can try V2.0.0 and contribute to its ongoing development by checking out OSV-Scanner or the OSV-SCALIBR repository. We welcome your feedback and contributions as we continue to improve the platform and make vulnerability management easier for everyone.
If you have any questions or would like to contribute, don’t hesitate to reach out to us at osv-discuss@google.com, or post an issue in our issue tracker.