Google has introduced the OSV-Scanner tool, a crucial addition to the open-source security ecosystem. Alongside it, Google also released OSV-SCALIBR, a library designed to streamline vulnerability management across multiple software ecosystems.
Together, these solutions, in combination with OSV.dev, form an integrated platform for managing vulnerability metadata, offering developers and security teams a seamless way to identify and remediate known vulnerabilities.
Building on the success of its previous releases, Google is now excited to announce the launch of OSV-Scanner V2.0.0, an enhanced version of the original vulnerability scanner and remediation solution. The new version adds multiple features and improvements, reinforcing OSV-Scanner’s role as an essential resource for developers striving to manage vulnerabilities in open-source projects.
New Features in OSV-Scanner Tool V2
Enhanced Dependency Extraction with OSV-SCALIBR
A major update in OSV-Scanner V2 is the integration of OSV-SCALIBR features, making OSV-Scanner the official command-line tool for scanning code and containers with OSV-SCALIBR’s capabilities. This release expands the types of dependencies OSV-Scanner can detect and extract, improving its ability to analyze a variety of project structures and container images.
With this update, OSV-Scanner now supports a wider array of source manifests and lockfiles, including:
- .NET: deps.json
- Python: uv.lock
- JavaScript: bun.lock
- Haskell: cabal.project.freeze, stack.yaml.lock
In addition, OSV-Scanner now detects a broad range of artifacts, including:
- Node modules
- Python wheels
- Java uber jars
- Go binaries
This extended dependency detection enhances the utility across different programming languages and environments.
Comprehensive Container Scanning with Layer and Base Image Support
Another upgrade in OSV-Scanner V2 is its expanded support for container scanning. Previously, OSV-Scanner was primarily focused on scanning source repositories and package manifests. The latest version introduces layer-aware scanning for Debian, Ubuntu, and Alpine container images. This enhancement enables OSV-Scanner to provide valuable insights into the following aspects:
- Layer introduction: Identifies which layers in a container image introduce specific packages.
- Layer history: Tracks the history of layers and their respective commands.
- Base images: Analyzes base images to uncover dependencies, leveraging a new experimental API provided by deps.dev.
- OS/Distro: Determines the underlying OS or distribution used in the container.
This layer analysis feature adds another layer of precision when identifying vulnerabilities in containerized environments, making OSV-Scanner an even more powerful solution for developers working with container images.
Interactive HTML Output for Enhanced Usability
One of the biggest challenges in vulnerability scanning is presenting the findings in a way that is both actionable and understandable. OSV-Scanner V2 addresses this issue by introducing a new interactive HTML output format. This local output is more user-friendly and informative than previous terminal-only outputs, providing:
- Severity breakdown of detected vulnerabilities
- Package and ID filtering to streamline analysis
- Vulnerability importance filtering to focus on the most critical issues
- Detailed vulnerability advisory entries for in-depth analysis
- Layer and base image information for container scans
This new format makes it easier for security teams to understand the scope and impact of vulnerabilities, empowering them to take prompt, effective action.
Guided Remediation for Maven pom.xml Files
OSV-Scanner’s guided remediation capabilities were previously available for npm packages, helping developers prioritize updates and minimize disruptions. Now, OSV-Scanner extends this feature to Maven pom.xml files, offering similar targeted suggestions for vulnerabilities in both direct and transitive dependencies. New features for Maven support include:
- Override remediation strategy: Allows for more flexible remediation options.
- pom.xml file integration: Supports reading, writing, and updating local Maven files.
- Private registry support: Allows users to fetch Maven metadata from a private registry.
- Experimental subcommand: Enables the updating of all dependencies to the latest version.
This expansion of guided remediation solution ensures that developers using Java and Maven can now access the same efficient vulnerability management options available for other ecosystems.
Conclusion
Google’s roadmap for OSV-Scanner V2 includes updates like better OSV-SCALIBR integration, expanded ecosystem support, and enhanced container filesystem accountability. Future features such as reachability analysis and VEX support will further improve vulnerability management. As the open-source landscape evolves, OSV-Scanner V2 provides a powerful and user-friendly solution for developers to manage vulnerabilities, with Google encouraging ongoing feedback and contributions to improve the platform.
