Google has officially released OSV-Scanner V2.0.0, a major upgrade to its open-source vulnerability scanning tool. The new version adds features that simplify vulnerability management and help developers identify and remediate known vulnerabilities in their dependencies more effectively.
Key Enhancements in OSV-Scanner V2.0.0
The latest release introduces multiple improvements that expand the tool’s capabilities beyond its predecessor, making it more powerful and user-friendly for security teams and developers alike.
Integration with OSV-SCALIBR
One of the most significant updates is the integration of OSV-SCALIBR, Google’s software composition analysis library, into OSV-Scanner. This integration broadens the scanner’s dependency-file analysis to cover more programming languages, including:
- .NET
- Python
- JavaScript
- Haskell
Additionally, the scanner can now extract packages from built artifacts rather than only from manifests and lock files, including:
- Node.js modules
- Python wheels
- Java Uber JARs
- Go binaries
Expanded Container Image Analysis
While previous versions primarily focused on scanning source code repositories and package manager files, OSV-Scanner V2.0.0 adds full analysis of container images built on Linux distributions, including:
- Debian
- Ubuntu
- Alpine
The scanner is now layer-aware. For each package found in an image it reports:
- Which image layer introduced the package (and the build command that created that layer)
- Whether the package came from the base image, which the scanner now identifies, or from the application’s own build steps
It also adds new vulnerability filtering options, so that findings inherited from the base image can be separated from those the image author can fix directly.
Enhanced Visualization of Scan Results
Scan output gains a new interactive HTML report format that lets users:
- Categorize vulnerabilities by severity
- Filter results by package
- Visualize layer information
This makes the scan results more intuitive and actionable for security teams.
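The triage the layer-aware container output and the HTML report make possible (grouping by severity, filtering by package, and attributing each finding to the layer that introduced the affected package) can also be scripted against the scanner’s JSON output. The following is an added example, not code from OSV-Scanner or Google. It assumes the report was written with `osv-scanner scan image <image> --format json`; the top-level keys (`results`, `source`, `packages`, `package`, `vulnerabilities`, `groups`, `max_severity`) follow the documented OSV-Scanner JSON format, while the `layer_details` block is a simplified assumption of how per-layer attribution is reported. The embedded report and every vulnerability ID in it are constructed for illustration.

```python
"""Triage an OSV-Scanner JSON report offline: group findings by CVSS severity,
filter by package, and attribute each finding to the image layer that
introduced the affected package (added example, not OSV-Scanner's own code)."""
import json
from collections import Counter, defaultdict

# Constructed sample (NOT real scanner output). Keys results/source/packages/
# package/vulnerabilities/groups/max_severity mirror the OSV-Scanner JSON
# format; `layer_details` is an ASSUMED, simplified shape. All IDs are made up.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "registry.example.invalid/app:1.0", "type": "image"},
        "packages": [
            {   # shipped by the base image's root filesystem layer
                "package": {"name": "openssl", "version": "3.1.4-r0", "ecosystem": "Alpine:v3.18"},
                "layer_details": {"layer_index": 0, "command": "ADD rootfs.tar.gz /", "in_base_image": True},
                "vulnerabilities": [{"id": "SAMPLE-0001", "aliases": []}],
                "groups": [{"ids": ["SAMPLE-0001"], "aliases": [], "max_severity": "7.5"}],
            },
            {   # two advisories for one bug are merged into a single group
                "package": {"name": "busybox", "version": "1.36.1-r2", "ecosystem": "Alpine:v3.18"},
                "layer_details": {"layer_index": 0, "command": "ADD rootfs.tar.gz /", "in_base_image": True},
                "vulnerabilities": [{"id": "SAMPLE-0002", "aliases": ["SAMPLE-ALIAS-0002"]},
                                    {"id": "SAMPLE-ALIAS-0002", "aliases": ["SAMPLE-0002"]}],
                "groups": [{"ids": ["SAMPLE-0002", "SAMPLE-ALIAS-0002"],
                            "aliases": ["SAMPLE-0002", "SAMPLE-ALIAS-0002"], "max_severity": "5.3"}],
            },
            {   # installed by the application's own Dockerfile step
                "package": {"name": "curl", "version": "8.4.0-r0", "ecosystem": "Alpine:v3.18"},
                "layer_details": {"layer_index": 1, "command": "RUN apk add --no-cache curl", "in_base_image": False},
                "vulnerabilities": [{"id": "SAMPLE-0003", "aliases": []}],
                "groups": [{"ids": ["SAMPLE-0003"], "aliases": [], "max_severity": "9.8"}],
            },
            {   # a clean package yields no groups and therefore no findings
                "package": {"name": "zlib", "version": "1.3-r0", "ecosystem": "Alpine:v3.18"},
                "layer_details": {"layer_index": 0, "command": "ADD rootfs.tar.gz /", "in_base_image": True},
                "vulnerabilities": [], "groups": [],
            },
        ],
    }],
})

RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "NONE": 4, "UNKNOWN": 5}


def load_report(text: str) -> dict:
    """Parse the scanner's JSON output."""
    return json.loads(text)


def severity_bucket(score: str) -> str:
    """Map a CVSS base score (string, possibly empty) to the CVSS v3 qualitative rating."""
    if not score:
        return "UNKNOWN"  # the scanner leaves max_severity empty when no score is known
    s = float(score)
    if s >= 9.0:
        return "CRITICAL"
    if s >= 7.0:
        return "HIGH"
    if s >= 4.0:
        return "MEDIUM"
    return "LOW" if s > 0.0 else "NONE"


def flatten_findings(report: dict) -> list:
    """One finding per vulnerability group, carrying package and layer attribution."""
    findings = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "")
        for entry in result.get("packages", []):
            pkg, layer = entry["package"], entry.get("layer_details", {})
            for group in entry.get("groups", []):
                score = group.get("max_severity", "")
                findings.append({
                    "source": source, "package": pkg["name"], "version": pkg["version"],
                    "ecosystem": pkg.get("ecosystem", ""), "ids": group["ids"],
                    "aliases": group.get("aliases", []), "score": score,
                    "severity": severity_bucket(score),
                    "layer_index": layer.get("layer_index"),
                    "layer_command": layer.get("command", ""),
                    "in_base_image": layer.get("in_base_image", False),
                })
    return findings


def count_by_severity(findings: list) -> dict:
    return dict(Counter(f["severity"] for f in findings))


def filter_by_package(findings: list, name: str) -> list:
    return [f for f in findings if f["package"] == name]


def by_layer(findings: list) -> dict:
    """Group findings by the layer index that introduced the package."""
    layers = defaultdict(list)
    for f in findings:
        layers[f["layer_index"]].append(f)
    return dict(layers)


def exclude_base_image(findings: list) -> list:
    """Keep only findings the image author can fix in their own build steps."""
    return [f for f in findings if not f["in_base_image"]]


if __name__ == "__main__":
    fs = flatten_findings(load_report(SAMPLE_REPORT))
    print("severity counts:", count_by_severity(fs))
    for f in sorted(fs, key=lambda f: (RANK[f["severity"]], f["package"])):
        where = "base image" if f["in_base_image"] else f"layer {f['layer_index']} ({f['layer_command']})"
        print(f"{f['severity']:<8} {f['package']} {f['version']}  {','.join(f['ids'])}  <- {where}")
    print("fix in our own Dockerfile:", [f["package"] for f in exclude_base_image(fs)])
```

Splitting findings on `in_base_image` is the practical payoff of layer attribution: base-image findings are usually resolved by bumping the `FROM` tag, while findings in the application’s own layers need a change to the Dockerfile or the installed package versions.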
Guided Remediation Expansion
The “Guided Remediation” feature, previously available only for npm, now also supports Maven for Java projects. For a Maven project it:
- Analyzes the project’s pom.xml files
- Identifies vulnerabilities in both direct and transitive (indirect) dependencies
- Recommends the dependency updates needed to remediate them
- Reads and writes pom.xml files, including local parent pom files that the project inherits from
Future Development Roadmap
Google has outlined several planned enhancements for upcoming versions:
Further Integration with OSV-SCALIBR
- Continuing to merge OSV-SCALIBR capabilities into OSV-Scanner
- Exposing OSV-SCALIBR functionality through OSV-Scanner’s command-line interface
Expanded Ecosystem Support
- Adding more programming languages
- Enhancing container scanning with distribution (OS) security advisories
- Improving source code lock file analysis
Complete File System Analysis for Containers
- Extending container scanning from package manager metadata to every file in the image
- Including sideloaded binaries downloaded from the internet rather than installed through a package manager
Reachability Analysis
- Providing more detailed analysis of vulnerability impact scope
VEX (Vulnerability Exploitability eXchange) Support
- Adding support for VEX, so that assessments of whether a reported vulnerability actually affects a product can be shared and consumed alongside scan results
Availability and Community Contribution
OSV-Scanner V2.0.0 is publicly available on GitHub through both the OSV-Scanner and OSV-SCALIBR repositories. The tool is open for anyone to use and contribute to. Google welcomes user feedback as it continues to make vulnerability management more convenient.
About OSV-Scanner
OSV-Scanner is an open-source tool designed to simplify vulnerability management for developers and security teams. By providing accurate identification of known vulnerabilities and streamlined remediation processes, it helps organizations maintain more secure software throughout the development lifecycle. The tool is part of Google’s broader commitment to improving open-source security and providing developers with effective tools to address security challenges.