Google releases OSV-Scanner, a dependency-aware vulnerability scanner

Google has introduced OSV-Scanner, a toolkit for finding unpatched vulnerabilities in code and applications that takes the entire chain of dependencies associated with the code into account. OSV-Scanner can detect situations where an application becomes vulnerable because of a problem in one of the libraries it uses as a dependency, including cases where the vulnerable library is used indirectly, i.e. pulled in through another dependency. The project's code is written in Go and distributed under the Apache 2.0 license.

OSV-Scanner can automatically and recursively scan a directory tree, identifying projects and applications by the presence of git directories (vulnerability information is then determined by analysing commit hashes), SBOM files (Software Bill of Materials in the SPDX and CycloneDX formats), and manifests or lock files of package managers such as Yarn, NPM, GEM, PIP and Cargo. It also supports scanning the contents of Docker container images built from packages in the Debian repositories.


Vulnerability information is taken from the OSV (Open Source Vulnerabilities) database, which covers security issues in Crates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as Linux kernel vulnerabilities and vulnerability reports for projects hosted on GitHub. An OSV database entry records the fix status of the issue, the commits that introduced and fixed the vulnerability, the range of affected versions, links to the project's code repository, and the advisory describing the problem. The provided API makes it possible to track where a vulnerability manifests at the level of commits and tags and to analyse the exposure of derivative products and dependencies to the problem.
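The matching described above (lock-file entries, transitive ones included, checked against the introduced/fixed version events of an OSV advisory) can be illustrated with a small added example. The Python script below was written for this article and is not OSV-Scanner's own code (which is in Go); the advisory, its placeholder ID OSV-EXAMPLE-0001, and the package-lock.json contents are constructed. It parses the lockfileVersion 2 layout, where nested `node_modules/` paths expose transitive installs, and evaluates SEMVER ranges by walking the advisory's events in version order. Version comparison is simplified to dotted numbers, and GIT (commit-hash) and ECOSYSTEM ranges are deliberately left out.

```python
"""Toy OSV-style matcher: parse a package-lock.json and compare each installed
package against an advisory's SEMVER introduced/fixed events."""
import json
from functools import cmp_to_key
from itertools import zip_longest

# Constructed sample advisory in the shape of the OSV schema; the ID is a
# placeholder, not a real OSV entry.
SAMPLE_ADVISORY = {
    "id": "OSV-EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [
            {"introduced": "1.2.0"}, {"fixed": "1.4.1"},
            {"introduced": "2.0.0"}, {"fixed": "2.0.3"},
        ]}],
    }],
}

# Constructed package-lock.json (lockfileVersion 2 layout). Entries are keyed by
# node_modules path, so a nested transitive copy of example-lib is visible too.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-lib": {"version": "1.3.2"},
        "node_modules/other": {"version": "5.0.0"},
        "node_modules/other/node_modules/example-lib": {"version": "1.4.1"},
    },
})


def parse_package_lock(text):
    """Return (path, name, version) for every installed package in a
    lockfileVersion 2/3 package-lock.json. The name is the path component after
    the last 'node_modules/'; the '' key is the root project and is skipped."""
    out = []
    for path, entry in json.loads(text)["packages"].items():
        idx = path.rfind("node_modules/")
        if idx < 0:
            continue
        out.append((path, path[idx + len("node_modules/"):], entry["version"]))
    return out


def compare_versions(a, b):
    """Simplified dotted-numeric comparison (no pre-release tags); a real
    scanner uses a full semver implementation. Missing components count as 0."""
    for x, y in zip_longest(a.split("."), b.split("."), fillvalue="0"):
        if int(x) != int(y):
            return -1 if int(x) < int(y) else 1
    return 0


def version_affected(version, rng):
    """Walk the SEMVER events in ascending version order: an 'introduced' at or
    below the version opens a vulnerable window, a 'fixed' at or below it closes
    it. GIT and ECOSYSTEM ranges need other comparisons and are not handled."""
    if rng["type"] != "SEMVER":
        return False

    def event_version(e):  # each event carries exactly one version
        return e.get("introduced", e.get("fixed", "0"))

    events = sorted(rng["events"], key=cmp_to_key(
        lambda p, q: compare_versions(event_version(p), event_version(q))))
    affected = False
    for e in events:
        if "introduced" in e and compare_versions(version, e["introduced"]) >= 0:
            affected = True
        if "fixed" in e and compare_versions(version, e["fixed"]) >= 0:
            affected = False
    return affected


def scan(packages, advisories, ecosystem="npm"):
    """Return (path, name, version, advisory_id) for every installed package
    whose ecosystem, name and version fall inside an advisory's affected ranges."""
    findings = []
    for path, name, version in packages:
        for adv in advisories:
            for a in adv["affected"]:
                if a["package"]["ecosystem"] != ecosystem or a["package"]["name"] != name:
                    continue
                if any(version_affected(version, r) for r in a["ranges"]):
                    findings.append((path, name, version, adv["id"]))
    return findings


def scan_sample():
    """Run the whole pipeline on the constructed inputs."""
    return scan(parse_package_lock(SAMPLE_LOCK), [SAMPLE_ADVISORY])


if __name__ == "__main__":
    for path, name, version, adv_id in scan_sample():
        print(f"{adv_id}: {name}@{version} at {path}")
```

On the constructed input only the top-level `example-lib@1.3.2` is reported: the nested copy under `other` is at the fixed version 1.4.1, which is why per-path tracking matters rather than a single name/version pair per project.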

Source: opennet.ru
