
Google’s new OSV scanner

Google recently published a security scanner named OSV Scanner that checks your files for vulnerabilities hiding in your code. It checks them against all issues collected in the OSV database. It is a great tool for developers to quickly check their code for vulnerabilities before it is released to the public.

If you have Go installed, it’s a simple one-liner to install the scanner:

go install github.com/google/osv-scanner/cmd/osv-scanner@v1

Other methods are described on the GitHub page. The scanner is also available as a Docker image.

The check after that is easy:

osv-scanner -r /path/to/repo

This will scan the repository recursively for vulnerabilities and print plenty of information on the CLI. Example:

│ https://osv.dev/GHSA-p9pc-299p-vxgp │ npm │ yargs-parser │ 4.2.1 │ node_modules/netlify-cli/node_modules/wipe-webpack-cache/yarn.lock │
│ https://osv.dev/GHSA-p9pc-299p-vxgp │ npm │ yargs-parser │ 7.0.0 │ node_modules/netlify-cli/node_modules/wipe-webpack-cache/yarn.lock │

This recursive check will be very slow, as it checks all files in the repository and all packages, even those that are dependencies of your dependencies, and so on. You might want to reduce the number of checks and scan only your own lockfiles, for example:

osv-scanner --lockfile=/path/to/your/package-lock.json

You can ignore errors with a TOML-based configuration file that contains a list of the vulnerability IDs to ignore, each with a reason:

[[IgnoredVulns]]
  id = 'GO-2022-0968'
  reason = 'No ssh servers are connected to or hosted in Go lang'
[[IgnoredVulns]]
  id = 'GO-2022-1059'
  reason = 'No external http servers are written in Go lang.'

The same entries in YAML:

IgnoredVulns:
- id: GO-2022-0968
  reason: No ssh servers are connected to or hosted in Go lang
- id: GO-2022-1059
  reason: No external http servers are written in Go lang.

And in JSON:

{
   "IgnoredVulns": [
      {
         "id": "GO-2022-0968",
         "reason": "No ssh servers are connected to or hosted in Go lang"
      },
      {
         "id": "GO-2022-1059",
         "reason": "No external http servers are written in Go lang."
      }
   ]
}

Why, however, you would wish to ignore a security issue is beyond my understanding :)

Lastly, reports! You can generate a report in JSON format that can be used for further processing:

osv-scanner --json --lockfile=/path/to/your/package-lock.json > /path/to/file.json

which will generate a JSON file with all the information about the vulnerabilities found in your code.
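As an added example of such further processing (not code from the original post or from the OSV-Scanner project), the script below groups the findings in a report by vulnerability ID and can skip hits that come from lockfiles nested under node_modules. It assumes the v1 `--json` layout of `results` → `packages` → `vulnerabilities`; the function names are hypothetical and the sample report is constructed from the two rows shown earlier.

```python
import json
import sys
from collections import defaultdict

# Constructed sample report. The layout is an assumption (osv-scanner v1 --json);
# the values reuse the two table rows shown earlier on this page.
SAMPLE_REPORT = json.loads("""
{"results": [{
  "source": {"path": "node_modules/netlify-cli/node_modules/wipe-webpack-cache/yarn.lock",
             "type": "lockfile"},
  "packages": [
    {"package": {"name": "yargs-parser", "version": "4.2.1", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "GHSA-p9pc-299p-vxgp"}]},
    {"package": {"name": "yargs-parser", "version": "7.0.0", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "GHSA-p9pc-299p-vxgp"}]}
  ]}]}
""")


def summarize(report, own_lockfiles_only=False):
    """Map each vulnerability ID to the sorted (ecosystem, name, version, path) hits."""
    findings = defaultdict(set)
    for result in report.get("results") or []:      # tolerate an empty or null list
        path = result.get("source", {}).get("path", "?")
        if own_lockfiles_only and "node_modules/" in path:
            continue                                # lockfile shipped inside a dependency
        for pkg in result.get("packages") or []:
            p = pkg.get("package", {})
            for vuln in pkg.get("vulnerabilities") or []:
                findings[vuln["id"]].add(
                    (p.get("ecosystem", "?"), p.get("name", "?"), p.get("version", "?"), path))
    return {vid: sorted(hits) for vid, hits in findings.items()}


def gate(report, **kwargs):
    """Exit code for a CI step: 1 if any finding remains, 0 otherwise."""
    return 1 if summarize(report, **kwargs) else 0


if __name__ == "__main__":
    # Usage: python osv_summary.py /path/to/file.json  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for vid, hits in summarize(report).items():
        print(f"https://osv.dev/{vid}")
        for eco, name, ver, path in hits:
            print(f"  {eco} {name} {ver}  ({path})")
    sys.exit(gate(report))
```
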

Read more about the tool on the Google Security blog or in the GitHub README.
