OSV-Scanner

The Open-Source Vulnerability database or, in short, OSV, is an initiative that delivers vulnerability information for the open-source community in OSV format. Aiming to make it easier for developers to find vulnerabilities that might affect their projects, Google created OSV-Scanner, which works as a front-end for the OSV database.

Released under an open-source license itself, OSV-Scanner delivers a powerful console application that can analyze manifest files, commits and software bill of materials (SBOMs) to match any dependencies in the project against the OSV database. This software tool can find the identified vulnerabilities in the distributed OSV database that are related to any of the project files. Needless to say, finding vulnerabilities results in fewer error notifications and a significant reduction in the time needed to address them.

There is no need to install OSV-Scanner, as it is ready for use via the Windows terminal. You can use the “--help” command to see a list of all the actions and details about each.

You can scan docker images, package lockfiles (yarn.lock, composer.lock, Gemfile.lock, go.mod, mix.lock, poetry.lock, requirements.txt, and more) , as well as software bill of materials (SBOMs) files (SPDX and CycloneDX are supported) with OSV-Scanner. When analyzing a project, this small utility can detect all the dependencies that are in use and then query the OSV database to determine any vulnerability associated with the development project. Git repositories can be optionally excluded from the analysis. In recursive mode, OSV-Scanner also scans sub-directories, not just main folders.

About the output, the list of vulnerabilities is shown in tabular format by default, which is human readable. However, you can also configure OSV-Scanner to generate a JSON file containing all the data, as the JSON schema is versatile and machine readable.

Google’s OSV-Scanner can be used by developers who need to interrogate the OSV database to find vulnerabilities that affect their projects. An easy-to-use API is also available for interrogating the database, but a command-line tool such as OSV-Scanner is more convenient to use for scanning SBOM, lockfiles or directories recursively.