osv-scanner v1.5 releases: find existing vulnerabilities affecting your project’s dependencies
OSV-Scanner
Use OSV-Scanner to find existing vulnerabilities affecting your project’s dependencies.
OSV-Scanner provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed-source advisory databases and scanners:
- Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
- Anyone can suggest improvements to advisories, resulting in a very high-quality database
- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages
The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them.
Usage
OSV-Scanner collects a list of dependencies and versions that are used in your project, before matching this list against the OSV database via the OSV.dev API. To build the list of dependencies, you can point OSV-Scanner at your project directory, or manually pass in the path to individual manifest files.
Scan a directory
Walks through a list of directories to find:
- Lockfiles
- SBOMs
- git directories for the latest commit hash
which is used to build the list of dependencies to be matched against OSV vulnerabilities.
Can be configured to recursively walk through subdirectories with the –recursive / -r flag.
Searching for git commit hash is intended to work with projects that use git submodules or a similar mechanism where dependencies are checked out as real git repositories.
Example
$ go run ./cmd/osv-scanner -r /path/to/your/dir
Input an SBOM
SPDX and CycloneDX SBOMs using Package URLs are supported. The format is auto-detected based on the input file contents.
Example
$ go run ./cmd/osv-scanner –sbom=/path/to/your/sbom.json
Input a lockfile
A wide range of lockfiles are supported by utilizing this lockfile package. This is the current list of supported lockfiles:
- Cargo.lock
- package-lock.json
- yarn.lock
- pnpm-lock.yaml
- composer.lock
- Gemfile.lock
- go.mod
- mix.lock
- poetry.lock
- pubspec.lock
- pom.xml*
- requirements.txt*
Example
$ go run ./cmd/osv-scanner –lockfile=/path/to/your/package-lock.json -L /path/to/another/Cargo.lock
Scanning a Debian-based docker image packages
This tool will scrape the list of installed packages in a Debian image and query for vulnerabilities on them.
Currently, only Debian-based docker image scanning is supported.
Requires docker to be installed and the tool to have permission calling it.
Example
$ go run ./cmd/osv-scanner –docker image_name:latest
Changelog v1.5
Features
- Feature #501 Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!
- Feature #642 Support scanning
renvfiles for the R language ecosystem. - Feature #513 Stabilize call analysis for Go! The experimental
--experimental-call-analysisflag has now been updated to:--call-analysis=<language/all> --no-call-analysis=<language/all>with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!
- Feature #676 Simplify return codes:
- Return 0 if there are no findings or errors.
- Return 1 if there are any findings (license violations or vulnerabilities).
- Return 128 if no packages are found.
- Feature #651 CVSS v4.0 support.
- Feature #60 Pre-commit hook support.
Fixes
- Bug #639 We now filter local packages from scans, and report the filtering of those packages.
- Bug #645 Properly handle file/url paths on Windows.
- Bug #660 Remove noise from failed lockfile parsing.
- Bug #649 No longer include vendored libraries in C/C++ package analysis.
- Bug #634 Fix filtering of aliases to also include non OSV aliases
Install
Copyright (C) 2022 Google
