Google Launches Open-source Vulnerability Scanner with Community-editable Database

Highlights:

• Google announced the debut of OSV-Scanner, a free vulnerability scanner aimed to enable developers with access to vulnerability information regarding open-source projects.

In the past two years, open-source security has been one of the hottest issues in business security. Securing the software supply chain has been a high priority since the SolarWinds supply chain attack, President Biden’s Executive Order on Improving the Nation’s Cybersecurity, and the Log4j fiasco.

Google recently announced the debut of OSV-Scanner, a free vulnerability scanner aimed to enable developers with access to vulnerability information regarding open-source projects. According to Google, OSV-Scanner is the most extensive community-editable database for open-source vulnerabilities.

OSV-Scanner allows developers to automatically match code and dependencies against lists of known vulnerabilities and determine if patches or upgrades are available.

Effectively, it provides security teams with a tool for automating the detection and patching of vulnerabilities across the software supply chain, allowing them to eliminate possible entry points before hackers can use them.

Google’s entry into the market for vulnerability management

The release follows the introduction of Google’s Open-source Vulnerability (OSV) schema and OSV.dev vulnerability database service the previous year. And at a time when more firms are battling to manage vulnerabilities, with critical risk vulnerabilities requiring an average of 60 days to fix.

Researchers predict that the vulnerability management industry will reach a value of USD 18.7 billion by 2026. Google’s effort is not simply about giving a generic vulnerability scanner but a definite solution to control the market.

Rex Pan, a Google software engineer, said, “Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool — something that will also minimize the burden of remediating known vulnerabilities.”

The company intends to broaden the service as a result, providing better integration with developer workflows via separate CI activities to schedule and track new vulnerabilities, as well as developing a larger database of C/C vulnerabilities.

What differentiates OSV-Scanner?

With OSV-Scanner, Google competes with a variety of established proprietary providers in the market, such as Tenable, which raised a revenue of USD 541 million last year with Nessus, their vulnerability solutions. Another example is Rapid7, which raised a revenue of USD 535 million last year and offers an analytics-driven vulnerability automation platform, InsightVM.

Using configurable reports and ongoing vulnerability scanning capabilities, these solutions give customers a precise picture of potential vulnerabilities throughout the attack surface.

Pan argues that, unlike closed-source advisory databases or vulnerability scanners, OSV-Scanner depends on advisories from open sources such as the RustSec Advisory Database.

This implies that a larger community of users may recommend enhancements to the advisory and enhance the quality and breadth of the database over time, allowing for the detection of a wider variety of vulnerabilities.