December 13, 2022Rabbi Lakshmananopen source / vulnerability database

Google announced the availability of open source on Tuesday OSV scannera scanner intended to provide easy access to vulnerability information on various projects.

of Go-based toolsopen source vulnerabilities (OSVs.

“OSV-Scanner produces reliable, high-quality vulnerability information, bridging the gap between the developer’s package list and the information in the vulnerability database,” Pan added.

cyber security

The idea is to identify all transitive dependencies of your project and highlight the related vulnerabilities using data pulled from the database.

Google further states that the open source platform supports 16 ecosystems, including all major languages, Linux distributions (Debian and Alpine), Android, the Linux kernel, and OSS-Fuzz.

As a result of this expansion, has gone from 15,000 security alerts a year ago to 38,000 using Linux (27.4%), Debian (23.2%), PyPI (9.5%) and Alpine (7.9%). This is the repository for the above advisories. %), with npm (7.1%) occupying the top 5 slots.

As a next step, the internet giant will build in support for C/C++ flaws by building a “high-quality database” that includes “adding accurate commit-level metadata to CVEs.” said it was working.


OSV-Scanner arrives almost two months after Google launched GUAC (short for Graph for Understanding Artifact Composition) to complement the supply chain level of software artifacts (SLSA or “salsa”) was part of an effort to strengthen the security of the software supply chain.

Last week, Google announced a new “Security PerspectiveIt reports calling on organizations to develop and deploy a common SLSA framework to prevent tampering. improve completenessto protect your packages from potential threats.

Other recommendations provided by the company include taking additional open source security responsibilities and adopting a more holistic approach to address risks such as those posed by the Log4j vulnerability and the recent SolarWinds incident. will be

“Attacks on the software supply chain typically require strong technical aptitude and a long-term commitment to success,” the company said. “Sophisticated attackers are more likely to have both the intent and the ability to carry out this type of attack.”

“Most organizations are vulnerable to software supply chain attacks. Attackers take the time to target third-party providers that have trusted connections to customer networks. , deep into the network of the ultimate target.”

Did you find this article interesting?Please follow us twitter When LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog