In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:

- Software composition analysis for installed packages, standalone binaries, as well as source code
- OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
- Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
- Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
- Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats
- Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical"

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."
Read more of this story at Slashdot.