Full Report
Posted by Rex Pan and Xueqin Cui, Google Open Source Security Team

In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev, are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is to simplify and streamline vulnerability management for developers and security teams alike.

Today, we're thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems.

## What's new

### Enhanced dependency extraction with OSV-SCALIBR

This release represents the first major integration of OSV-SCALIBR features into OSV-Scanner, which is now the official command-line code and container scanning tool for the OSV-SCALIBR library. This integration also expanded our support for the kinds of dependencies we can extract from projects and containers:

Source manifests and lockfiles:
- .NET: deps.json
- Python: uv.lock
- JavaScript: bun.lock
- Haskell: cabal.project.freeze, stack.yaml.lock

Artifacts:
- Node modules
- Python wheels
- Java uber jars
- Go binaries

### Layer and base image-aware container scanning

Previously, OSV-Scanner focused on scanning of source repositories and language package manifests and lockfiles. OSV-Scanner V2 adds support for comprehensive, layer-aware scanning for Debian, Ubuntu, and Alpine container images.

OSV-Scanner can now analyze container images to provide:
- Layers where a package was first introduced
- Layer history and commands
- Base images the image is based on (leveraging a new experimental API provided by deps.dev)
- OS/distro the container is running on
- Filtering of vulnerabilities that are unlikely to impact your container image

This layer analysis currently supports the following OSes and languages:

Distro support:
- Alpine OS
- Debian
- Ubuntu

Language artifacts support:
- Go
- Java
- Node
- Python

### Interactive HTML output

Presenting vulnerability scan information in a clear and actionable way is difficult, particularly in the context of container scanning. To address this, we built a new interactive local HTML output format. This provides more interactivity and information compared to terminal-only outputs, including:
- Severity breakdown
- Package and ID filtering
- Vulnerability importance filtering
- Full vulnerability advisory entries

And additionally for container image scanning:
- Layer filtering
- Image layer information
- Base image identification

[Figure: Illustration of HTML output for container image scanning]

### Guided remediation for Maven pom.xml

Last year we released a feature called guided remediation for npm, which streamlines vulnerability management by intelligently suggesting prioritized, targeted upgrades and offering flexible strategies. This ultimately maximizes security improvements while minimizing disruption. We have now expanded this feature to Java through support for Maven pom.xml.

With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or by overriding versions through dependency management.

We've introduced a few new things for our Maven support:
- A new remediation strategy: override.
- Support for reading and writing pom.xml files, including writing changes to local parent pom files.
- We leverage OSV-SCALIBR for Maven transitive dependency extraction.
- A private registry can be specified to fetch Maven metadata.
- A new experimental subcommand to update all your dependencies in pom.xml to the latest version.

We also introduced machine-readable output for guided remediation that makes it easier to integrate guided remediation into your workflow.

## What's next?

We have exciting plans for the remainder of the year, including:
- **Continued OSV-SCALIBR convergence:** We will continue to converge OSV-Scanner and OSV-SCALIBR to bring OSV-SCALIBR's functionality to OSV-Scanner's CLI interface.
- **Expanded ecosystem support:** We'll expand the number of ecosystems we support across all the features currently in OSV-Scanner, including more languages for guided remediation, OS advisories for container scanning, and more general lockfile support for source code scanning.
- **Full filesystem accountability for containers:** Another goal of OSV-Scanner is to give you the ability to know and account for every single file on your container image, including sideloaded binaries downloaded from the internet.
- **Reachability analysis:** We're working on integrating reachability analysis to provide deeper insights into the potential impact of vulnerabilities.
- **VEX support:** We're planning to add support for Vulnerability Exchange (VEX) to facilitate better communication and collaboration around vulnerability information.

## Try OSV-Scanner V2

You can try V2.0.0 and contribute to its ongoing development by checking out OSV-Scanner or the OSV-SCALIBR repository. We welcome your feedback and contributions as we continue to improve the platform and make vulnerability management easier for everyone.

If you have any questions or if you would like to contribute, don't hesitate to reach out to us at [email protected], or post an issue in our issue tracker.
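The layer-aware container scanning described above rests on two ideas: only the packages that survive to the final layer are in the running image (so a package upgraded or removed in a later layer should not be reported), and each remaining package is matched against advisories using the OSV schema's `introduced`/`fixed` range events. The following script is an added example written for this page, not OSV-Scanner or OSV-SCALIBR code, that models both ideas over a constructed four-layer image history and constructed advisories with placeholder IDs. It assumes versions compare as dotted-integer tuples (real ecosystems each have their own ordering rules), that a layer is a plain dict of installs/removes plus its recorded command, and it ignores the schema's `last_affected` event.

```python
# Added example: layer-aware package inventory + OSV-style range matching.
# Not OSV-Scanner code. Assumptions: dotted-integer versions; layers given as
# dicts of installs/removes; advisories in OSV affected[].ranges[].events form
# using only "introduced"/"fixed" events.
from dataclasses import dataclass


@dataclass
class Package:
    ecosystem: str
    name: str
    version: str
    layer: int      # index of the layer that put this version in place
    command: str    # recorded layer command, surfaced in the report


def parse_version(v: str) -> tuple:
    """Dotted-integer ordering (simplification of real ecosystem rules)."""
    return tuple(int(part) for part in v.split("."))


def final_inventory(layers) -> list:
    """Walk layers in order: a later layer may upgrade or remove a package,
    so only what survives to the last layer is in the running image."""
    present = {}
    for idx, layer in enumerate(layers):
        for eco, name, version in layer.get("installs", []):
            prev = present.get((eco, name))
            if prev is not None and prev.version == version:
                continue  # same version re-installed: keep its first layer
            present[(eco, name)] = Package(eco, name, version, idx, layer["command"])
        for eco, name in layer.get("removes", []):
            present.pop((eco, name), None)
    return list(present.values())


def every_version_seen(layers) -> list:
    """Layer-unaware baseline: every version any layer ever installed."""
    return [Package(eco, name, version, idx, layer["command"])
            for idx, layer in enumerate(layers)
            for eco, name, version in layer.get("installs", [])]


def version_affected(version: str, ranges) -> bool:
    """OSV range semantics: affected if version >= an 'introduced' event and
    below the next 'fixed' event of that range (or no 'fixed' follows)."""
    v = parse_version(version)
    for rng in ranges:
        in_range = False
        for event in rng["events"]:
            if "introduced" in event:
                intro = event["introduced"]
                in_range = intro == "0" or v >= parse_version(intro)
            elif "fixed" in event:
                if in_range and v < parse_version(event["fixed"]):
                    return True
                in_range = False  # past the fix; wait for the next 'introduced'
        if in_range:
            return True
    return False


def match(packages, advisories) -> list:
    """One finding per (advisory, affected package) pair, with layer context."""
    findings = []
    for pkg in packages:
        for adv in advisories:
            for aff in adv["affected"]:
                p = aff["package"]
                if (p["ecosystem"], p["name"]) != (pkg.ecosystem, pkg.name):
                    continue
                if version_affected(pkg.version, aff["ranges"]):
                    findings.append({"id": adv["id"], "package": pkg.name,
                                     "version": pkg.version, "layer": pkg.layer,
                                     "command": pkg.command})
    return findings


# Constructed image history (not a real image): base layer, then three RUN steps.
LAYERS = [
    {"command": "FROM debian-base (constructed)",
     "installs": [("Debian", "openssl", "3.0.11"), ("Debian", "libc6", "2.34")]},
    {"command": "RUN apt-get install -y curl", "installs": [("Debian", "curl", "7.88.1")]},
    {"command": "RUN apt-get install -y openssl", "installs": [("Debian", "openssl", "3.0.15")]},
    {"command": "RUN apt-get remove -y curl", "removes": [("Debian", "curl")]},
]

# Constructed advisories with placeholder IDs, in OSV schema shape.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "Debian", "name": "openssl"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "3.0.14"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "Debian", "name": "curl"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "7.0.0"}]}]}]},
    {"id": "EXAMPLE-0003", "affected": [{"package": {"ecosystem": "Debian", "name": "libc6"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.30"}, {"fixed": "2.35"},
                                                {"introduced": "2.37"}, {"fixed": "2.38"}]}]}]},
]


def scan(layers=LAYERS, advisories=ADVISORIES) -> dict:
    """Compare the layer-aware result with the layer-unaware baseline."""
    return {"layer_aware": match(final_inventory(layers), advisories),
            "every_layer": match(every_version_seen(layers), advisories)}


if __name__ == "__main__":
    for mode, findings in scan().items():
        print(f"{mode}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['id']} {f['package']} {f['version']} "
                  f"(layer {f['layer']}: {f['command']})")
```

On the constructed history the layer-unaware baseline reports three findings (the old openssl, the since-removed curl, and libc6), while the layer-aware inventory reports only libc6, attributed to the base layer that introduced it. That difference is the kind of noise the "filtering of vulnerabilities that are unlikely to impact your container image" bullet refers to, and the layer index plus command is what lets a reporter say which layer first introduced a package.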
Analysis Summary
The provided article describes the announcement of **OSV-Scanner V2**, which is a tool focused on vulnerability scanning and remediation within open-source software, not a malware family or a malicious attack technique. Therefore, the summary focuses on this security tool.
# Tool/Technique: OSV-Scanner V2
## Overview
OSV-Scanner V2 is a vulnerability scanner and remediation tool developed by Google, specifically designed to address vulnerabilities present in **open-source software** dependencies. Its primary purpose is to help developers and security teams identify known security flaws, often referenced in the Open Source Vulnerabilities (OSV) database, within their codebases and provide mechanisms for remediation.
## Technical Details
- Type: Tool
- Platform: Targeting software environments using open-source dependencies (Implied: Source code repositories, build environments).
- Capabilities: Vulnerability scanning, correlation with the OSV database, and vulnerability remediation suggestions.
- First Seen: March 17, 2025 (Date of announcement)
## MITRE ATT&CK Mapping
As a defensive vulnerability scanning and remediation tool, OSV-Scanner V2 does not directly map to offensive ATT&CK techniques used by threat actors. However, its function indirectly relates to security operations and mitigating supply chain risks:
- **TA0001 - Initial Access** (Mitigation focus)
- **TA0006 - Credential Access** (Mitigation focus)
- **TA0008 - Software Supply Chain** (Directly related to securing the supply chain)
*Note: Specific offensive technique mappings are not applicable as this is a defensive tool.*
## Functionality
### Core Capabilities
- Scanning project dependencies against the comprehensive Open Source Vulnerabilities (OSV) database.
- Identifying specific vulnerabilities associated with imported open-source packages.
- Facilitating remediation efforts by pointing users towards fixed versions or patches.
### Advanced Features
- Focused on the security of the **software supply chain**.
- Designed to integrate into development and deployment pipelines so that vulnerabilities are caught early.
## Indicators of Compromise
This section is not applicable as OSV-Scanner V2 is a legitimate security tool.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
N/A. This is a defensive tool provided by Google.
## Detection Methods
N/A. This tool is used for detection/remediation, not malicious activity.
- Signature-based detection: N/A
- Behavioral detection: N/A
- YARA rules if available: N/A
## Mitigation Strategies
The use of OSV-Scanner V2 *is* a mitigation strategy itself, focused on reducing software supply chain risk.
- **Software Composition Analysis (SCA):** Regularly scanning dependencies using this tool.
- **Dependency Management:** Updating vulnerable open-source packages promptly based on scanner output.
- **Supply Chain Hardening:** Integrating tools like OSV-Scanner V2 into CI/CD pipelines to prevent vulnerable code from being deployed.
## Related Tools/Techniques
- Software Composition Analysis (SCA) tools.
- Dependency checkers (e.g., Dependabot, Renovate).
- Vulnerability databases (e.g., NVD, OSS Index).