Full Report
Google has introduced the OSV-Scanner tool, a crucial addition to the open-source security ecosystem. Alongside it, Google also released OSV-SCALIBR, a library designed to streamline vulnerability management across multiple software ecosystems. Together with OSV.dev, these components form an integrated platform for managing vulnerability metadata, giving developers and security teams a single workflow for identifying and remediating known vulnerabilities.

Building on its previous releases, Google has now announced OSV-Scanner V2.0.0, an enhanced version of the original vulnerability scanner and remediation tool. The new version adds multiple features and improvements, reinforcing OSV-Scanner's role as an essential resource for developers managing vulnerabilities in open-source projects.

## New Features in OSV-Scanner Tool V2

[Figure: Illustration of HTML output for container image scanning (Source: Google)]

## Enhanced Dependency Extraction with OSV-SCALIBR

A major update in OSV-Scanner V2 is the integration of OSV-SCALIBR, making OSV-Scanner the official command-line tool for scanning code and containers with OSV-SCALIBR's extraction capabilities. This release expands the types of dependencies OSV-Scanner can detect and extract, improving its ability to analyze a variety of project structures and container images.

With this update, OSV-Scanner supports a wider array of source manifests and lockfiles, including:

- .NET: deps.json
- Python: uv.lock
- JavaScript: bun.lock
- Haskell: cabal.project.freeze, stack.yaml.lock

In addition, OSV-Scanner now detects a broad range of built artifacts, including:

- Node modules
- Python wheels
- Java uber jars
- Go binaries

This extended dependency detection makes the scanner useful across more programming languages and environments.
## Comprehensive Container Scanning with Layer and Base Image Support

Another upgrade in OSV-Scanner V2 is expanded support for container scanning. Previously, OSV-Scanner focused primarily on source repositories and package manifests. The latest version introduces layer-aware scanning for Debian, Ubuntu, and Alpine container images, which lets OSV-Scanner report on:

- Layer introduction: identifies which layers in a container image introduce specific packages.
- Layer history: tracks the history of layers and the commands that produced them.
- Base images: analyzes base images to uncover dependencies, using a new experimental API provided by deps.dev.
- OS/Distro: determines the underlying OS or distribution used in the container.

This layer analysis adds precision when identifying vulnerabilities in containerized environments, since each finding can be attributed to the layer that introduced the affected package, making OSV-Scanner an even more powerful tool for developers working with container images.

## Interactive HTML Output for Enhanced Usability

One of the biggest challenges in vulnerability scanning is presenting findings in a way that is both actionable and understandable. OSV-Scanner V2 addresses this by introducing a new interactive HTML output format. This locally generated report is more user-friendly and informative than the previous terminal-only output, providing:

- Severity breakdown of detected vulnerabilities
- Package and ID filtering to streamline analysis
- Vulnerability importance filtering to focus on the most critical issues
- Detailed vulnerability advisory entries for in-depth analysis
- Layer and base image information for container scans

This format makes it easier for security teams to understand the scope and impact of vulnerabilities and to act on them promptly.
## Guided Remediation for Maven pom.xml Files

OSV-Scanner's guided remediation was previously available for npm packages, helping developers prioritize updates and minimize disruption. OSV-Scanner now extends this feature to Maven pom.xml files, offering the same kind of targeted suggestions for vulnerabilities in both direct and transitive dependencies. New features for Maven support include:

- Override remediation strategy: allows for more flexible remediation options.
- pom.xml file integration: supports reading, writing, and updating local Maven files.
- Private registry support: allows users to fetch Maven metadata from a private registry.
- Experimental subcommand: updates all dependencies to their latest versions.

This expansion of guided remediation gives developers using Java and Maven the same vulnerability management options already available for other ecosystems.

## Conclusion

Google's roadmap for OSV-Scanner V2 includes deeper OSV-SCALIBR integration, expanded ecosystem support, and enhanced container filesystem accountability. Future features such as reachability analysis and VEX support will further improve vulnerability management. As the open-source landscape evolves, OSV-Scanner V2 provides a powerful and user-friendly solution for developers to manage vulnerabilities, and Google is encouraging ongoing feedback and contributions to improve the platform.
Analysis Summary
# Tool/Technique: OSV-Scanner V2
## Overview
OSV-Scanner is a tool developed by Google designed to scan for known vulnerabilities in open-source dependencies used in software projects, providing developers with actionable intelligence for remediation. The V2 iteration introduces significant feature enhancements, particularly around guided remediation for Java/Maven ecosystems.
## Technical Details
- Type: Tool
- Platform: Software dependency analysis (Implies support for ecosystems like npm and Maven)
- Capabilities: Vulnerability scanning, guided remediation, dependency management, ecosystem support expansion.
- First Seen: Information not explicitly detailed in the provided text, but the context suggests recent enhancements in March 2025.
## MITRE ATT&CK Mapping
(Note: OSV-Scanner is a defensive tool for vulnerability management, not typically associated with offensive TTPs. However, the *vulnerabilities it spots* map to certain areas.)
- **TA0001 - Initial Access** (If vulnerabilities found allow initial access)
- T1190 - Exploit Public-Facing Application
- **TA0006 - Defense Evasion** (If vulnerabilities relate to component weaknesses)
- T1578 - Modify Existing Process or Thread
## Functionality
### Core Capabilities
- **Vulnerability Scanning:** Checks dependencies against the Open Source Vulnerabilities (OSV) database.
- **Guided Remediation:** Provides prioritized suggestions on how to fix vulnerabilities.
- **Ecosystem Support:** Previously supporting npm, it now extends guided remediation to Maven `pom.xml` files.
- **Dependency Management:** Supports basic dependency updating (experimental subcommand to update all dependencies to the latest version).
### Advanced Features
- **Maven `pom.xml` Integration:** Ability to read, write, and update local Maven files for remediation suggestions.
- **Override Remediation Strategy:** Allows for more flexible remediation choices when applying fixes.
- **Private Registry Support (Maven):** Can fetch necessary metadata from private repositories, improving utility in enterprise environments.
- **Future Roadmap (V2):** Planned features include deeper OSV-SCALIBR integration, reachability analysis, and VEX (Vulnerability Exploitability eXchange) support.
## Indicators of Compromise
- File Hashes: N/A (Tool metadata)
- File Names: N/A (Tool metadata)
- Registry Keys: N/A
- Network Indicators: N/A (The tool interacts with vulnerability databases and potentially private registries when fetching metadata, but specific C2/malicious indicators are not applicable to this scanning tool itself.)
- Behavioral Indicators: N/A (Tool behavior is focused on scanning manifest files and interacting with dependency sources.)
## Associated Threat Actors
- N/A (This is a security/development tool provided by Google, not associated with threat actors.)
## Detection Methods
- **Signature-based detection:** N/A (Focus is on detecting vulnerabilities *within* code, not detecting the tool's execution unless used maliciously.)
- **Behavioral detection:** Monitoring for unexpected execution of dependency scanning tools in sensitive build environments, especially if configured to interact with non-standard private registries.
- **YARA rules:** N/A
## Mitigation Strategies
- **Prevention Measures:** Integrate OSV-Scanner into CI/CD pipelines to block builds containing known critical vulnerabilities.
- **Hardening Recommendations:** Use the guided remediation features to prioritize dependency updates for npm and Maven. Give OSV-Scanner access to the dependency metadata it needs, including private registries, and handle the registry credentials securely.
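As an added example of the CI/CD integration recommended above (my own code, not part of the article or of Google's OSV-Scanner project): a Python step that reads the report written by `osv-scanner ... --format json` and fails the build when any finding reaches a CVSS threshold. The report's field names (`results` -> `packages` -> `package`, `groups[].max_severity`) follow OSV-Scanner's JSON output as I understand it and should be treated as an assumption to check against the version you run; the embedded sample report, its package names and its `OSV-PLACEHOLDER-*` advisory IDs are constructed, not real findings. The example also handles the edge case of an advisory with no CVSS score, which a naive `>=` comparison would silently pass.

```python
"""Severity gate for OSV-Scanner JSON output in a CI step (added example)."""
import json
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample report for one npm lockfile. Package names, versions and
# advisory IDs are placeholders, not real findings. The structure is an
# assumption modelled on `osv-scanner scan source --format json` output.
SAMPLE_OUTPUT = json.dumps({
    "results": [{
        "source": {"path": "/src/package-lock.json", "type": "lockfile"},
        "packages": [
            {   # critical, scored finding -> should block the build
                "package": {"name": "example-lib", "version": "1.2.3", "ecosystem": "npm"},
                "vulnerabilities": [{"id": "OSV-PLACEHOLDER-0001", "summary": "placeholder advisory"}],
                "groups": [{"ids": ["OSV-PLACEHOLDER-0001"], "max_severity": "9.1"}],
            },
            {   # moderate finding -> below the default 7.0 threshold
                "package": {"name": "another-lib", "version": "4.0.0", "ecosystem": "npm"},
                "vulnerabilities": [{"id": "OSV-PLACEHOLDER-0002", "summary": "placeholder advisory"}],
                "groups": [{"ids": ["OSV-PLACEHOLDER-0002"], "max_severity": "4.3"}],
            },
            {   # advisory with no CVSS score: max_severity is absent
                "package": {"name": "unscored-lib", "version": "0.9.0", "ecosystem": "npm"},
                "vulnerabilities": [{"id": "OSV-PLACEHOLDER-0003", "summary": "placeholder advisory"}],
                "groups": [{"ids": ["OSV-PLACEHOLDER-0003"]}],
            },
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    source: str
    ecosystem: str
    name: str
    version: str
    ids: tuple
    max_severity: Optional[float]  # None when the group carries no CVSS score


def parse_findings(raw: str) -> list:
    """Flatten the nested report into one Finding per vulnerability group."""
    report = json.loads(raw)
    findings = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "<unknown>")
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            for group in pkg.get("groups", []):
                score = group.get("max_severity")
                findings.append(Finding(
                    source=source,
                    ecosystem=meta.get("ecosystem", ""),
                    name=meta.get("name", ""),
                    version=meta.get("version", ""),
                    ids=tuple(group.get("ids", [])),
                    max_severity=float(score) if score not in (None, "") else None,
                ))
    return findings


def blocking_findings(findings, threshold: float = 7.0, fail_on_unscored: bool = False) -> list:
    """Select the findings that should stop the build.

    Unscored findings are the edge case: with fail_on_unscored=False they are
    only reported, with True they block like a critical finding would.
    """
    blocked = []
    for f in findings:
        if f.max_severity is None:
            if fail_on_unscored:
                blocked.append(f)
        elif f.max_severity >= threshold:
            blocked.append(f)
    return blocked


def gate(raw: str, threshold: float = 7.0, fail_on_unscored: bool = False) -> int:
    """Return the exit status for the CI step: 0 passes, 1 blocks the build."""
    findings = parse_findings(raw)
    blocked = blocking_findings(findings, threshold, fail_on_unscored)
    for f in findings:
        status = "BLOCK" if f in blocked else "info"
        score = "unscored" if f.max_severity is None else f"{f.max_severity:.1f}"
        print(f"[{status}] {f.ecosystem}/{f.name}@{f.version} {score} {', '.join(f.ids)} ({f.source})")
    return 1 if blocked else 0


if __name__ == "__main__":
    # Usage: python gate.py osv.json  (falls back to the constructed sample without an argument)
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    sys.exit(gate(raw))
```

In a pipeline, write the scanner's JSON to a file first and then run the gate on it; note that osv-scanner itself already exits non-zero whenever it finds any vulnerability, so a `set -e` shell step must capture that exit status (or redirect the JSON output and tolerate the non-zero code) before the threshold logic gets a chance to run. The threshold and `fail_on_unscored` are the policy knobs: a strict pipeline blocks on unscored advisories as well, a lenient one only on scored ones above a line.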
## Related Tools/Techniques
- Dependency Analyzers (e.g., Snyk, Dependabot)
- Software Composition Analysis (SCA) tools
- OSV-SCALIBR (the extraction library OSV-Scanner V2 now builds on, with deeper integration on the roadmap)