Google’s new OSV scanner

Google recently published a security scanner named OSV-Scanner that checks your code base for known vulnerabilities. It queries the OSV database and reports every issue recorded there for the packages it finds. It is a great tool for developers to quickly check their code for vulnerabilities before a release goes public.

If you have Go installed, it’s a simple one-liner to install the scanner:

```shell
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
```

Other methods are described on the GitHub page. The scanner is also available as a Docker image.

The check after that is easy:

```shell
osv-scanner -r /path/to/repo
```

This scans the repository recursively for vulnerabilities and prints plenty of information on the CLI, one table row per affected package. Example:

```
│ https://osv.dev/GHSA-p9pc-299p-vxgp │ npm │ yargs-parser │ 4.2.1 │ node_modules/netlify-cli/node_modules/wipe-webpack-cache/yarn.lock │
│ https://osv.dev/GHSA-p9pc-299p-vxgp │ npm │ yargs-parser │ 7.0.0 │ node_modules/netlify-cli/node_modules/wipe-webpack-cache/yarn.lock │
```

This recursive check can be very slow, because it walks every file in the repository and every package it finds, including the dependencies of your dependencies, and so on. You might want to reduce the number of checks and scan only your own lockfiles, for example:

```shell
osv-scanner --lockfile=/path/to/your/package-lock.json
```

You can suppress individual findings with a TOML-based configuration file that lists the vulnerability IDs to ignore, each with a reason:

```toml
[[IgnoredVulns]]
id = 'GO-2022-0968'
reason = 'No ssh servers are connected to or hosted in Go lang'
[[IgnoredVulns]]
id = 'GO-2022-1059'
reason = 'No external http servers are written in Go lang.'
```

The same list in YAML and JSON form:

```yaml
IgnoredVulns:
- id: GO-2022-0968
  reason: No ssh servers are connected to or hosted in Go lang
- id: GO-2022-1059
  reason: No external http servers are written in Go lang.
```

```json
{
   "IgnoredVulns": [
      {
         "id": "GO-2022-0968",
         "reason": "No ssh servers are connected to or hosted in Go lang"
      },
      {
         "id": "GO-2022-1059",
         "reason": "No external http servers are written in Go lang."
      }
   ]
}
```

Why, however, you would wish to ignore a security issue is beyond my understanding :)

Lastly, reports! You can generate a report in JSON format that can be used for further processing:

```shell
osv-scanner --json --lockfile=/path/to/your/package-lock.json > /path/to/file.json
```

which writes a JSON file with all the information about the vulnerabilities found in your code.
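As an added example of that further processing (my code, not part of the original post or of the osv-scanner project), the script below reads a `--json` report, applies the same ignore list as the configuration file above, and returns a non-zero exit code when anything actionable remains, which is what you want in a CI job. The report shape it walks (`results` → `source`/`packages` → `package`/`vulnerabilities`) is an assumption modeled on osv-scanner v1 output, and the embedded sample report is constructed for illustration, not real scanner output.

```python
"""Post-process an `osv-scanner --json` report against an ignore list.

Added example, not osv-scanner's own code. The report layout is assumed
(modeled on v1 output); SAMPLE_REPORT is a constructed stand-in for a real
report, and the package/vulnerability pairings in it are illustrative only.
"""
import json
import sys

# Same IDs and reasons as the osv-scanner.toml shown above.
IGNORED_VULNS = {
    "GO-2022-0968": "No ssh servers are connected to or hosted in Go lang",
    "GO-2022-1059": "No external http servers are written in Go lang.",
}

# Constructed sample in the assumed shape of `osv-scanner --json --lockfile=...`.
SAMPLE_REPORT = json.dumps({
    "results": [
        {
            "source": {"path": "/path/to/your/package-lock.json", "type": "lockfile"},
            "packages": [
                {
                    "package": {"name": "yargs-parser", "version": "4.2.1", "ecosystem": "npm"},
                    "vulnerabilities": [
                        {"id": "GHSA-p9pc-299p-vxgp", "summary": "constructed summary"},
                    ],
                },
                {
                    "package": {"name": "example.invalid/go-module", "version": "0.1.0", "ecosystem": "Go"},
                    "vulnerabilities": [
                        {"id": "GO-2022-0968", "summary": "constructed summary"},
                    ],
                },
            ],
        }
    ]
})


def iter_findings(report):
    """Flatten the nested report into one row per (package, vulnerability) pair."""
    for result in report.get("results", []):
        lockfile = result.get("source", {}).get("path", "?")
        for entry in result.get("packages", []):
            pkg = entry.get("package", {})
            for vuln in entry.get("vulnerabilities", []):
                yield {
                    "lockfile": lockfile,
                    "ecosystem": pkg.get("ecosystem", "?"),
                    "name": pkg.get("name", "?"),
                    "version": pkg.get("version", "?"),
                    "id": vuln.get("id", "?"),
                    "summary": vuln.get("summary", ""),
                }


def triage(report_json, ignored=IGNORED_VULNS):
    """Split findings into actionable ones and ignored ones (with their documented reason)."""
    report = json.loads(report_json)
    actionable, skipped = [], []
    for finding in iter_findings(report):
        if finding["id"] in ignored:
            skipped.append({**finding, "reason": ignored[finding["id"]]})
        else:
            actionable.append(finding)
    return actionable, skipped


def exit_code(actionable):
    """Non-zero when anything actionable remains, so the pipeline fails instead of only logging."""
    return 1 if actionable else 0


def format_report(actionable, skipped):
    """Human-readable summary: FAIL lines first, then the SKIP lines with their reasons."""
    lines = [
        f"FAIL {f['id']} {f['ecosystem']}/{f['name']}@{f['version']} ({f['lockfile']})"
        for f in actionable
    ]
    lines += [
        f"SKIP {f['id']} {f['ecosystem']}/{f['name']}@{f['version']}: {f['reason']}"
        for f in skipped
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: osv-scanner --json --lockfile=... | python triage.py  (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    actionable, skipped = triage(data)
    print(format_report(actionable, skipped))
    sys.exit(exit_code(actionable))
```

Keeping the reason text next to each skipped finding in the output means the justification for every suppression shows up in the CI log, where a reviewer can challenge it later.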

Read on about the tool on the Google Security blog or in the GitHub README.
