Whether you’re a security researcher or a developer, you probably know how important it is to keep your code and dependencies up to date to avoid known vulnerabilities. It is a chore, though, especially when a project pulls in many external libraries.
That is where OSV (Open Source Vulnerabilities) comes in: a project that lets you look up, and work with, all the known vulnerabilities lurking in your open source dependencies.
The project consists of several services: the osv.dev website, an API, and analysis tooling that aggregates and indexes vulnerability data. It also includes an open database built on a common vulnerability data format, the OSV schema.
The OSV schema is simple to produce and consume, which solves a long-standing problem: until recently every source of open source vulnerability data used its own format. You may not know it, but databases such as GitHub Security Advisories, the PyPA Advisory Database, RustSec and others now publish their advisories in the OSV schema.
Here is a real-world example of the JSON format, the entry for GHSA-c3g4-w6cv-6v7h (the Buildah inheritable-capabilities bug, CVE-2022-27651):
{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "modified": "2022-04-01T13:56:42Z",
  "published": "2022-04-01T13:56:42Z",
  "aliases": [ "CVE-2022-27651" ],
  "summary": "Non-empty default inheritable capabilities for linux container in Buildah",
  "details": "A bug was found in Buildah where containers were created ...",
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/..."
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    }
  ]
}
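The interesting part of that record is the "ranges" block: rather than listing every vulnerable version, OSV describes the affected span as a list of events ("introduced", "fixed", or "last_affected"), and a consumer walks the events in version order to decide whether a given version is inside the span. The following is an added example, not code from the OSV project or the osv-scanner tool: it implements that evaluation for SEMVER ranges against a trimmed, constructed copy of the record above, with a deliberately small semver parser (pre-release identifiers are compared as plain strings, which is a simplification of the semver spec). ECOSYSTEM ranges need ecosystem-specific version ordering and are rejected rather than guessed at. The `osv_query_body` helper only builds the request body for the OSV API's `POST /v1/query` endpoint; nothing here touches the network.

```python
"""Decide whether a package version falls inside an OSV 'affected' range.

Added example (not OSV project code). Handles SEMVER ranges only.
"""
import json
import re

# Constructed sample: a trimmed copy of the GHSA-c3g4-w6cv-6v7h record shown above.
SAMPLE_OSV = json.loads("""
{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "aliases": ["CVE-2022-27651"],
  "affected": [
    {
      "package": {"ecosystem": "Go", "name": "github.com/containers/buildah"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "1.25.0"}]}
      ]
    }
  ]
}
""")

# Optional leading 'v', three numeric components, optional -prerelease and +build.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def semver_key(version):
    """Sort key for a semver string. A pre-release sorts below the release with
    the same core (1.25.0-rc1 < 1.25.0); build metadata is ignored. The bare
    string '0' is accepted because OSV uses it to mean 'every version'.
    Simplification: pre-release identifiers are compared as one plain string."""
    if version == "0":
        return (0, 0, 0, 0, "")
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    # Fourth element: 1 for a release, 0 for a pre-release, so releases compare greater.
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def _event_version(event):
    """Each OSV event object carries exactly one key; return its version value."""
    return next(iter(event.values()))


def is_vulnerable(version, rng):
    """OSV range evaluation: walk the events in version order, switching the
    'affected' flag on at 'introduced' and off at 'fixed' / 'last_affected'."""
    if rng.get("type") != "SEMVER":
        raise ValueError(f"only SEMVER ranges are handled here, got {rng.get('type')!r}")
    v = semver_key(version)
    vulnerable = False
    for evt in sorted(rng["events"], key=lambda e: semver_key(_event_version(e))):
        if "introduced" in evt and v >= semver_key(evt["introduced"]):
            vulnerable = True
        elif "fixed" in evt and v >= semver_key(evt["fixed"]):
            vulnerable = False
        elif "last_affected" in evt and v > semver_key(evt["last_affected"]):
            vulnerable = False
    return vulnerable


def matching_vulns(entry, ecosystem, name, version):
    """Return the entry's id and aliases if it affects ecosystem/name@version,
    otherwise an empty list. An explicit 'versions' list is honoured first."""
    for aff in entry.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):
            return [entry["id"], *entry.get("aliases", [])]
        if any(is_vulnerable(version, r) for r in aff.get("ranges", [])):
            return [entry["id"], *entry.get("aliases", [])]
    return []


def osv_query_body(ecosystem, name, version):
    """Request body for POST https://api.osv.dev/v1/query, which performs the
    same matching server-side against the whole OSV database."""
    return json.dumps({"version": version,
                       "package": {"name": name, "ecosystem": ecosystem}})


if __name__ == "__main__":
    pkg = ("Go", "github.com/containers/buildah")
    for ver in ("1.24.2", "1.25.0-rc1", "1.25.0", "1.26.1"):
        hits = matching_vulns(SAMPLE_OSV, *pkg, ver)
        status = "AFFECTED by " + ", ".join(hits) if hits else "not affected"
        print(f"{pkg[1]}@{ver}: {status}")
    print(osv_query_body(*pkg, "1.24.2"))
```

Note that the pre-release 1.25.0-rc1 is reported as affected: it predates the 1.25.0 fix, and a version comparator that ignored pre-release ordering would silently miss it. Sorting the events before walking them matters too; the spec requires consumers not to rely on the order in the file.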
To install the OSV vulnerability scanner, open a terminal and run the following go install command (a Go toolchain is required):
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
To scan a project, point the tool at its directory; with -r it walks the tree recursively, looking for lockfiles, SBOMs and git checkouts to match against the OSV database:
osv-scanner -r /path/to/project
You can read more about the scanner in its GitHub repository, github.com/google/osv-scanner.
In short, it is a very useful project, whether you want to scan your own code, run analyses, or publish a database of your own vulnerability findings without reinventing the wheel. Publishing that database in the OSV format lets others consume it, contribute to it, and share the data.