OSV-Scanner is a command-line open source tool developed by Google Open Source Security Team to enumerate and check open-source dependencies for known vulnerabilities [Link].
It uses an aggregator of vulnerability database of those that adopted the OSV schema, including GitHub Security Advisories, PyPA, RustSec, and Global Security Database [Link].
Some of the 16 currently the available ecosystems are:
- Alpine
- Android
- crates.io
- Debian
- Go
- Linux
- Maven (Java, C#, C++)
- npm (JavaScript)
- NuGet (C#)
- OSS-Fuzz
- Packagist (PHP)
- PyPI (Python)
- RubyGems (Ruby)
INSTALLING ON UBUNTU 22.04
Environment
sudo apt update && sudo apt install golang-go -y && go version
Application:
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
USING THE SCANNER
cd ~/Documents/ git clone https://github.com/nette/nette.git ~/go/bin/osv-scanner -r ~/Documents/nette
The output looks like as follows (I manually added few dependencies to the clean copy of the repository to provide some example):
It can also scan based on SBOM or Lockfiles:
osv-scanner --sbom=sbom.json osv-scanner --lockfile=lock.json osv-scanner --docker image_name:latest