Google's vulnerability scanner checks container layers and Maven projects
The new version of Google's open source Vulnerability Scanner examines dependencies in container image layers and Maven projects.

Google has released the second version of its vulnerability scanner for open-source projects, which now performs in-depth analyses in complex projects and containers. It also supports Java projects via Maven and outputs the results as interactively filterable HTML.
With this version, Google combines the Open-Source Vulnerability Scanner (OSV-Scanner) console tool introduced in 2022 with the OSV-Scalibr (Software Composition Analysis LIBRary) analysis library, which examines nested project and dependency structures in repositories and containers.
The scanner now analyzes the layers of container images and can make statements about the layer in which a package was added, how the base image is designed, which commands were executed and which operating system it is based on. It filters out vulnerabilities that are unlikely to affect the image. The layer analysis works with images of Alpine OS, Debian, and Ubuntu as well as code in the Go, Java, Node.js and Python language environments. The scan command is:
osv-scanner scan image <image-name>:<tag>
The scanner now also detects vulnerabilities in other formats of project and container dependencies: Node modules, Python wheels, Java Uber jars and Go binaries as well as lock and manifest files such as .NET deps.json, Python uv.lock, JavaScript bun.lock and Haskell cabal.project.freeze and stack.yaml.lock.
Java and Maven
Guided remediation, which examines dependencies in manifest and lock files, has been available for npm packages since April 2024 and is now also available for Java thanks to support for Maven's pom.xml files. OSV-Scanner not only checks the dependencies but also writes changes to the local pom.xml and the local parent pom.xml (override strategy). A command to automatically update all dependent packages is still experimental. Maven remediation currently only works non-interactively, so users should create a backup beforehand. The command is:
osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml
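To show what the override strategy leaves behind in a project, here is a constructed pom.xml fragment (added illustration, not output from the article or from the OSV-Scanner project). The group, artifact and version numbers are placeholders; the override strategy relies on Maven's dependencyManagement section, which forces the version of a transitive dependency without changing the direct dependency declarations.

```xml
<project>
  <!-- Direct dependency declared by the project (constructed example). -->
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>app-framework</artifactId>
      <version>3.1.0</version>
      <!-- Pulls in com.example:parser-lib 1.2.0 transitively,
           which in this constructed scenario has a known advisory. -->
    </dependency>
  </dependencies>

  <!-- Block added by the remediation tool under the override strategy:
       Maven resolves the transitive parser-lib to the patched version
       (placeholder 1.2.5) wherever it appears in the dependency tree. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>parser-lib</artifactId>
        <version>1.2.5</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Because the override is written directly into the pom.xml, diffing the file against the backup taken before the non-interactive run is the quickest way to review which versions were pinned.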
Interactive results
The new HTML format for the scan results, by contrast, is interactive and offers easily accessible filter options, for example by severity, container layer or package ID. Detailed instructions for remediating the findings are also available there.
Google's open-source security tools comprise the three components OSV-Scanner, OSV-Scalibr and OSV.dev. The latter is the vulnerability database from which the other two tools obtain their metadata. The scanner and the library were previously separate; with the current version, the scanner becomes the official tool interface of the library, but it does not yet expose all of the library's functions, for example secret scanning is still missing.
The Google team plans to add this in upcoming versions. In the future, the tool will also analyze the complete file system structure of container layers and support additional formats and languages.
(who)