OSV Project – Your ally for detecting and collecting vulnerabilities

Whether you’re a security researcher or a developer, you probably know how important it is to keep your code and dependencies up to date in order to avoid vulnerabilities as much as possible. However, it’s a big hassle, especially when the project uses a lot of external libraries.

To help with this, there is OSV, short for Open Source Vulnerabilities: a project that lets you easily query and find all the known vulnerabilities hiding in your open source dependencies.

The project consists of services such as the project's website, an API, and analysis tools capable of aggregating and indexing data about vulnerabilities. It also includes an open database built on a common vulnerability data format, the OSV schema.

This OSV schema is easy to integrate and use, which solves many of the problems involved in describing vulnerabilities in open source software. You may not know it, but vulnerability databases such as GitHub Security Advisories, PyPA and RustSec already publish their advisories in this OSV schema.

Here is a real-world example of this JSON format (a GitHub Security Advisory entry for Buildah):

{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "modified": "2022-04-01T13:56:42Z",
  "published": "2022-04-01T13:56:42Z",
  "aliases": [ "CVE-2022-27651" ],
  "summary": "Non-empty default inheritable capabilities for linux container in Buildah",
  "details": "A bug was found in Buildah where containers were created ...",
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/..."
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    }
  ]
}
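To show what a consumer of this format actually does with a record like the one above, here is an added Python example (not code from the OSV project or from this post). It embeds a trimmed, constructed copy of the Buildah advisory, implements the SEMVER range semantics in simplified form (an "introduced" event opens a vulnerable window that the next "fixed" event closes exclusively or a "last_affected" event closes inclusively; "limit" events are not handled), and checks a constructed list of dependency pins against it. The version parser is an assumption of this example: it only understands numeric major.minor.patch cores with an optional pre-release tag.

```python
import json

# Constructed sample: the Buildah advisory shown above, trimmed to the
# fields the range check needs.
SAMPLE_OSV = json.loads("""
{
  "id": "GHSA-c3g4-w6cv-6v7h",
  "aliases": ["CVE-2022-27651"],
  "affected": [
    {
      "package": {"ecosystem": "Go", "name": "github.com/containers/buildah"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "1.25.0"}]}
      ]
    }
  ]
}
""")


def parse_semver(version: str) -> tuple:
    """Turn '1.25.0' (or 'v1.25.0', or the bare '0' OSV uses for
    'since the first version') into a comparable tuple. A pre-release
    sorts before the release it precedes, as SemVer requires; two
    pre-releases of the same core are compared as plain strings here
    (a simplification of the full SemVer rules)."""
    core, _, prerelease = version.lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))  # "0" -> (0, 0, 0), "1.25" -> (1, 25, 0)
    return (*parts, 0 if prerelease else 1, prerelease)


def range_matches(version: tuple, events: list) -> bool:
    """Simplified OSV SEMVER evaluation: walk the events in ascending
    version order and test the version against each open window."""
    introduced = None
    for ev in sorted(events, key=lambda e: parse_semver(next(iter(e.values())))):
        if "introduced" in ev:
            introduced = parse_semver(ev["introduced"])
        elif introduced is not None and "fixed" in ev:
            if introduced <= version < parse_semver(ev["fixed"]):
                return True
            introduced = None
        elif introduced is not None and "last_affected" in ev:
            if introduced <= version <= parse_semver(ev["last_affected"]):
                return True
            introduced = None
    # An "introduced" with no closing event: every later version is affected.
    return introduced is not None and version >= introduced


def affected_by(advisory: dict, ecosystem: str, package: str, version: str) -> bool:
    """True if the given package version falls in any affected range of the advisory."""
    v = parse_semver(version)
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != package:
            continue
        if version in entry.get("versions", []):  # explicit version list, when present
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") == "SEMVER" and range_matches(v, rng["events"]):
                return True
    return False


def check_dependencies(advisories: list, deps: dict, ecosystem: str = "Go") -> dict:
    """Map each dependency name to the ids of the advisories affecting its pinned version."""
    findings = {}
    for name, version in deps.items():
        hits = [adv["id"] for adv in advisories if affected_by(adv, ecosystem, name, version)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Constructed dependency pins, as one might read them out of a go.mod file.
    deps = {"github.com/containers/buildah": "1.24.2",
            "github.com/example/unrelated": "2.0.0"}
    print(check_dependencies([SAMPLE_OSV], deps))
```

Because every OSV record uses the same "affected" structure, the same checker works unchanged on advisories pulled from any database that publishes in this schema; only the ecosystem name and the version-parsing rules differ between package managers.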

To install the OSV vulnerability scanner, open a terminal and run the following Go install command:

go install github.com/google/osv-scanner/cmd/osv-scanner@v1

Then, to scan a project, run the tool against its directory like this (where /repertoire is the directory containing the code and its dependency manifests or lockfiles):

osv-scanner -r /repertoire

You can read more about the scanner in its GitHub repository.


In short, it’s a super useful project, whether it’s to scan your own projects, do analysis, or simply create your own database of homemade vulnerabilities without having to reinvent the wheel. By making your database available in OSV format, you will allow others to use it, contribute, or share the data.


Mohamed SAKHRI

I am Mohamed SAKHRI, the creator and editor-in-chief of Tech To Geek, where I've demonstrated my passion for technology through extensive blogging. My expertise spans various operating systems, including Windows, Linux, macOS, and Android, with a focus on providing practical and valuable guides. Additionally, I delve into WordPress-related subjects. You can find more about me on LinkedIn, Twitter and Reddit.
