OSS Security Risks: Can OSV-Scanner V2.0.0 Ensure Your Safety?
OSS Vulnerability Countermeasures Even a Rabbit Can Understand - OSV-Scanner V2.0.0
Introduction
In modern software development, the use of open-source software (OSS) has become a matter of course. Many companies are actively utilizing OSS from the perspective of improving development efficiency and reducing costs. According to a 2021 study by Red Hat, 90% of 1,250 IT leaders worldwide responded that they "use OSS."
However, along with the expansion of OSS usage, security risks are also increasing. Particularly in recent years, supply chain attacks targeting OSS have surged, with reports indicating a 650% increase in 2021 compared to the previous year.
In this context, Google released the latest version, "V2.0.0," of its open-source vulnerability scanner "OSV-Scanner" in March 2025. In this article, I will explain the security risks in OSS usage and the features of OSV-Scanner V2.0.0 in a way that even a rabbit can understand.
"Pyon! It's about time we get serious about security measures, right?"
On the Dangers of OSS
Increasing OSS-Related Security Incidents
In recent years, security incidents related to OSS have been on the rise. The Log4Shell vulnerability, which occurred in 2021, was a severe vulnerability in the Java logging library "Log4j" that affected many corporate systems.
Furthermore, according to a survey by Anchore, 64% of organizations reported being impacted by software supply chain attacks in 2021.
Current Status and Examples of Supply Chain Attacks
A supply chain attack is a method of attacking a final target by exploiting weaknesses in the product or service supply chain. In software, by exploiting vulnerabilities in dependent OSS, it is possible to launch attacks on many systems at once.
As a practical example, there is a 2017 case where the US FDA investigated a remote monitoring system for heart pacemakers. In this instance, a vulnerability was discovered, and there was a risk that an attacker could execute unauthorized commands to interfere with the pacemaker's functions. Fortunately, no actual health damage occurred because the manufacturer took preventive measures, but it demonstrated that risks due to OSS vulnerabilities exist even in critical systems like medical devices.
General Risks of Using OSS
General risks of using OSS include the following:
- Complexity of Dependencies: A single project may use hundreds or even more than a thousand OSS components, making it difficult to keep track of every dependency, especially the transitive ones pulled in by direct dependencies.
- Inadequate Updates and Management: If OSS update management is not handled properly, versions with known vulnerabilities may remain in use for a long time.
- Typosquatting: An attack that relies on developers accidentally installing a malicious package published under a name similar to that of a well-known package.
- Malicious Code Insertion: Attackers may insert malicious code into OSS that is no longer being maintained.

"Pyon! The dependencies are so complex, I might not even know what I'm using..."
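The "Complexity of Dependencies" and "Typosquatting" risks above can be checked mechanically before a vulnerability scanner ever runs. The following Python script is an added example, not code from the article or from the OSV-Scanner project: it reads a package-lock.json (lockfileVersion 3), separates direct from transitive packages, and flags any installed name that sits within one edit (including a transposition) of a name on a small allowlist. The lock file contents, the allowlist and the package name `lodahs` are all constructed for illustration; a real deployment would use the organisation's own list of approved or high-profile package names.

```python
"""Inventory a package-lock.json (v3) and flag look-alike package names.

Added example, not from the article or the OSV-Scanner project. The lock
file and the allowlist below are constructed for illustration.
"""
import json

# Constructed package-lock.json (lockfileVersion 3). "lodahs" is a made-up
# direct dependency whose name is one transposition away from "lodash".
SAMPLE_LOCK = json.dumps({
    "name": "my-nodejs-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.16.0", "lodash": "^4.17.15",
                              "lodahs": "^1.0.0"}},
        "node_modules/express": {"version": "4.16.0",
                                 "dependencies": {"accepts": "~1.3.5", "qs": "6.5.1"}},
        "node_modules/accepts": {"version": "1.3.5"},
        "node_modules/qs": {"version": "6.5.1"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/lodahs": {"version": "1.0.0"},
    },
})

# Stand-in for a maintained list of well-known package names (constructed).
KNOWN_NAMES = ["express", "lodash", "react", "axios", "chalk", "commander"]


def parse_lock(text):
    """Return {name: {"version", "direct"}} for every installed package."""
    lock = json.loads(text)
    root = lock["packages"].get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    inventory = {}
    for path, meta in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the
        # leaf name (scoped packages keep their @scope/ prefix).
        name = path.rsplit("node_modules/", 1)[1]
        inventory[name] = {"version": meta.get("version"), "direct": name in direct}
    return inventory


def summarize(inventory):
    """Count direct versus transitive packages."""
    direct = sum(1 for p in inventory.values() if p["direct"])
    return {"direct": direct, "transitive": len(inventory) - direct}


def edit_distance(a, b):
    """Restricted (optimal string alignment) edit distance: insert, delete,
    substitute, or swap two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(inventory, known=KNOWN_NAMES, max_distance=1):
    """Installed names that are near, but not equal to, a known package name."""
    hits = {}
    for name in inventory:
        if name in known:
            continue
        near = [k for k in known if edit_distance(name, k) <= max_distance]
        if near:
            hits[name] = near
    return hits


if __name__ == "__main__":
    inv = parse_lock(SAMPLE_LOCK)
    print("packages:", summarize(inv))
    for name, near in lookalikes(inv).items():
        print(f"review {name}@{inv[name]['version']}: resembles {', '.join(near)}")
```

A hit from `lookalikes` is a prompt for a human to look at the package, not proof of malice; legitimate forks and plugins often have names close to the package they extend, so keep `max_distance` small and review the results rather than blocking on them automatically.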
Introducing OSV-Scanner V2.0.0
Basic Overview and Purpose of OSV-Scanner
OSV-Scanner (Open Source Vulnerability Scanner) is an open-source vulnerability scanner developed by Google. It identifies vulnerabilities in the OSS being used by scanning project dependencies and matching them against known vulnerabilities registered in the "OSV.dev" open-source vulnerability database.
The primary goal of OSV-Scanner is to make it easy for developers to discover and address vulnerabilities in the OSS used within their projects. By leveraging an open database, it aims to provide highly accurate vulnerability information and reduce false positives.
New Features and Improvements in OSV-Scanner V2.0.0
Released on March 17, 2025, OSV-Scanner V2.0.0 added many new features and improvements. Key enhancements include:
- OSV-SCALIBR Integration: Integrates the capabilities of "OSV-SCALIBR" (Software Composition Analysis LIBRary), which was open-sourced in January 2025, to enhance dependency extraction.
- Enhanced Container Scanning: Vulnerabilities in container images can now be analyzed and attributed at the layer level. Major Linux distributions such as Debian, Ubuntu, and Alpine are supported.
- Interactive HTML Reports: Interactive HTML reports can now be generated, with filtering by advisory, severity breakdown, package, ID, and vulnerability importance.
- Guided Remediation Support for Maven: For Java Maven projects, a guided remediation feature has been added that updates pom.xml dependencies to the latest versions.
- Expanded Multilingual Support: Over 11 language ecosystems and 19+ lockfile types, including Go, Java, Node.js, and Python, are supported for dependency extraction and vulnerability checking.
About the Integration of OSV-SCALIBR Features
OSV-SCALIBR (Software Composition Analysis LIBRary) is an extensible file system scanner that extracts software inventory information. By integrating OSV-SCALIBR features, OSV-Scanner V2.0.0 has evolved into a more comprehensive vulnerability scanner supporting a wide range of formats and ecosystems.
Specifically, the following features have been enhanced:
- Expanded ecosystem support
- Inventory of all files within container images
- Integration of reachability analysis
- Support for Vulnerability Exploitability eXchange (VEX)

"Pyon! Could it be that even my image has vulnerabilities... thump-thump."
How to Use OSV-Scanner V2.0.0
Installation Method
OSV-Scanner V2.0.0 can be installed in various ways. Here, we introduce some typical installation methods.
Homebrew (macOS/Linux)
brew install osv-scanner
Scoop (Windows)
scoop install osv-scanner
WinGet (Windows)
winget install Google.OSVScanner
Installation via Go
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
Direct Download
You can also download binaries directly for your OS from the GitHub Releases page.
Basic Usage
Basic usage of OSV-Scanner V2.0.0 is as follows.
Scanning Source Directories
Scans the project source directory recursively, detects supported package files (such as package.json, go.mod, and pom.xml), and checks them for vulnerabilities.
osv-scanner scan source -r /path/to/your/dir
Scanning Specific Lockfiles
osv-scanner scan source -L /path/to/package-lock.json
Scanning Container Images
Scans a container image to identify vulnerabilities in the base image and included packages.
osv-scanner scan image my-image-name:tag
Usage of Various Scanning Functions
License Scan
Check the licenses of dependencies using data from deps.dev.
# Simple license list
osv-scanner --licenses path/to/repository
# Check against a list of allowed licenses
osv-scanner --licenses="MIT,Apache-2.0" path/to/directory
Offline Mode
An offline mode is also provided for scanning projects without a network connection.
# Download offline databases
osv-scanner --offline --download-offline-databases ./path/to/your/dir
# Run offline scan
osv-scanner --offline scan source -r ./path/to/your/dir
Guided Remediation (Experimental Feature)
When vulnerabilities are found, you can receive suggestions for package version upgrades.
# For npm
osv-scanner fix \
--max-depth=3 \
--min-severity=5 \
--ignore-dev \
--strategy=in-place \
-L path/to/package-lock.json
# Interactive mode
osv-scanner fix \
-M path/to/package.json \
-L path/to/package-lock.json
Actual Usage Examples and Sample Code
Here are some examples of using OSV-Scanner V2.0.0 in an actual project.
Node.js Project Scanning Example
Suppose you have a Node.js project like the following:
my-nodejs-project/
├── package.json
├── package-lock.json
└── src/
    └── index.js
To scan this project, run the following command:
cd my-nodejs-project
osv-scanner scan source -r .
The scan results will be displayed as follows:
Scanning file(s) from the file system...
Scanned file(s) via [path/to/my-nodejs-project]
Found 3 vulnerabilities in 2 packages
┌─────────┬─────────┬─────────────────────┬───────────────┐
│ Package │ Version │ ID                  │ Fixed version │
├─────────┼─────────┼─────────────────────┼───────────────┤
│ express │ 4.16.0  │ GHSA-29mw-wpgm-hmr9 │ 4.16.1+       │
│         │         │ CVE-2022-24999      │               │
├─────────┼─────────┼─────────────────────┼───────────────┤
│ lodash  │ 4.17.15 │ GHSA-p6mc-m468-83gw │ 4.17.21+      │
└─────────┴─────────┴─────────────────────┴───────────────┘
Container Image Scanning Example
Example of scanning a container image:
osv-scanner scan image node:16-alpine
The scan results will display the vulnerabilities of each container layer and the included packages.
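The table output shown above is meant for a human reader. In a CI pipeline you would instead consume the machine-readable output that osv-scanner's `--format json` option produces and decide from it whether the build may proceed. The script below is an added example, not the article's or the OSV-Scanner project's code. It assumes the layout of that JSON as I understand it (a `results` list, each entry holding `packages`, each package holding `groups` whose `max_severity` is a CVSS base score written as a string); the embedded report is constructed and its advisory IDs are placeholders, not real advisories.

```python
"""Gate a CI job on OSV-Scanner JSON results.

Added example, not from the article or the OSV-Scanner project. The report
below is constructed: results -> packages -> groups with a max_severity
string is the layout assumed here, and every ID is a placeholder.
"""
import json

SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "my-nodejs-project/package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "express", "version": "4.16.0", "ecosystem": "npm"},
                # The same issue published under two IDs; OSV-Scanner groups aliases.
                "vulnerabilities": [
                    {"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-0000-0001"],
                     "summary": "constructed placeholder advisory"},
                    {"id": "CVE-0000-0001", "aliases": ["GHSA-EXAMPLE-0001"],
                     "summary": "constructed placeholder advisory"},
                ],
                "groups": [{"ids": ["CVE-0000-0001", "GHSA-EXAMPLE-0001"],
                            "aliases": ["CVE-0000-0001", "GHSA-EXAMPLE-0001"],
                            "max_severity": "7.5"}],
            },
            {
                "package": {"name": "lodash", "version": "4.17.15", "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "GHSA-EXAMPLE-0002", "aliases": [],
                     "summary": "constructed placeholder advisory"},
                ],
                "groups": [{"ids": ["GHSA-EXAMPLE-0002"], "aliases": ["GHSA-EXAMPLE-0002"],
                            "max_severity": "3.1"}],
            },
        ],
    }],
})


def findings(report_text):
    """One record per vulnerability group.

    Counting groups rather than raw IDs keeps a GHSA entry and its CVE alias
    from being reported as two separate issues.
    """
    report = json.loads(report_text)
    out = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "")
        for pkg in result.get("packages", []):
            info = pkg.get("package", {})
            for group in pkg.get("groups", []):
                sev = group.get("max_severity")
                out.append({
                    "source": source,
                    "ecosystem": info.get("ecosystem"),
                    "package": info.get("name"),
                    "version": info.get("version"),
                    "ids": sorted(group.get("ids", [])),
                    "max_severity": float(sev) if sev not in (None, "") else None,
                })
    return out


def severity_bucket(score):
    """Map a CVSS v3 base score to its qualitative rating."""
    if score is None:
        return "UNKNOWN"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def gate(report_text, threshold=7.0):
    """Return (passed, blocking_findings). A group with no score blocks too,
    so that a missing severity is never silently waved through."""
    blocking = [f for f in findings(report_text)
                if f["max_severity"] is None or f["max_severity"] >= threshold]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    for f in findings(SAMPLE_REPORT):
        print(f"{f['package']}@{f['version']}: {', '.join(f['ids'])} "
              f"[{severity_bucket(f['max_severity'])}]")
    passed, _ = gate(SAMPLE_REPORT)
    raise SystemExit(0 if passed else 1)
```

In a pipeline the script would read the file written by `osv-scanner scan source -r . --format json --output report.json` instead of the embedded sample; the threshold of 7.0 (HIGH and above) is a policy choice, and findings you have reviewed and accepted are better recorded in a tracked ignore list than by lowering it.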
"Pyon! It's so easy to scan, even a rabbit could use it!"
Pros and Cons of OSV-Scanner V2.0.0
Comparison with Other Security Tools
Let's compare OSV-Scanner V2.0.0 with other security tools that have similar functions (such as Grype and Trivy).
| Tool Name | Strengths | Weaknesses |
|---|---|---|
| OSV-Scanner | ・Uses an open database (OSV.dev) ・Multilingual support ・Layer-level analysis of container images ・Guided remediation features | ・As a relatively new tool, features are still evolving ・Some experimental features lack stability |
| Grype | ・Seamless integration with Syft ・Output and utilization of SBOM files ・Abundant data sources | ・Supports fewer languages than OSV-Scanner ・No GUI |
| Trivy | ・High-speed scanning ・Supports various targets such as container images, file systems, and GitHub repositories ・Easy integration with CI/CD | ・Less detailed remediation guidance |
Strengths of OSV-Scanner V2.0.0
The main strengths of OSV-Scanner V2.0.0 are as follows:
- Open Database: By utilizing the open-source vulnerability database (OSV.dev), it maintains high transparency, and quality improves through community feedback.
- Multilingual Support: Supports over 11 language ecosystems and 19+ lockfile types, including Go, Java, Node.js, and Python.
- Container Scanning Capability: Allows for analysis at the layer level of container images, making it possible to identify which layer introduced a vulnerability.
- Guided Remediation: When a vulnerability is found, you can receive suggestions for package version upgrades, streamlining remediation work.
- HTML Reports: Interactive HTML reports allow you to visually check vulnerability information and apply filtering.
Weaknesses of OSV-Scanner V2.0.0
On the other hand, there are some weaknesses in OSV-Scanner V2.0.0:
- Relatively New Tool: Since the first version was only released in 2023, some features and stability aspects are still under development.
- Stability of Experimental Features: Some features, such as guided remediation, are experimental, and full stability is not guaranteed.
- Database Scope: While the OSV.dev database covers a wide range, it does not necessarily encompass every single vulnerability.
- Performance: When scanning large-scale projects or container images, processing time may be longer compared to other tools.
"Pyon! Every tool has its pros and cons. It might be important to choose one that fits the project!"
Summary
The Importance of Understanding the Dangers of OSS
In modern software development, the use of OSS is indispensable. However, it is crucial to understand that security risks such as supply chain attacks lurk behind its convenience and to take appropriate measures.
Effectiveness of Security Measures Using OSV-Scanner V2.0.0
As a vulnerability scanner leveraging an open database, OSV-Scanner V2.0.0 provides many useful features, including multilingual support, container scanning, and guided remediation.
By utilizing these features, it becomes possible to discover and address vulnerabilities in the OSS used in projects at an early stage. Especially in today's landscape where container technology and microservices architectures are prevalent, adopting a tool like OSV-Scanner V2.0.0 will significantly contribute to strengthening security measures.
Future Outlook
OSV-Scanner is expected to continue expanding its functionality. In particular, it will likely become an even more user-friendly and effective tool as experimental features stabilize, support for more languages and frameworks increases, and integration with CI/CD pipelines is further enhanced.
Furthermore, with the cooperation of the open-source community, the quality and quantity of the OSV.dev database are also expected to improve.
To strengthen the security of your own projects and services, it is essential to actively utilize tools like OSV-Scanner V2.0.0 and perform continuous monitoring and countermeasures against OSS vulnerability risks.
"Pyon! OSS vulnerability countermeasures—hop, step, and jump with OSV-Scanner!"