Google's vulnerability scanner checks container layers and Maven projects



Google has published the second version of its vulnerability scanner for open-source projects, which now performs a deeper analysis of complex projects and containers. It also supports Java projects via Maven and outputs the results as an interactive, filterable HTML report.

With this version, the command-line tool OSV-Scanner (Open Source Vulnerability Scanner), which Google introduced in 2022, is combined with the analysis library OSV-SCALIBR (Software Composition Analysis LIBRary), which examines project and dependency structures in repositories and containers.

The scanner can now analyze container images layer by layer and report in which layer a package was added, how the base image is built, which commands were run and which operating system the image is based on. It filters out vulnerabilities that most likely do not affect the image. Layer analysis works with Go, Java, Node.js and Python code as well as with Alpine, Debian and Ubuntu base images. The scan command is:

osv-scanner scan image <image-name>:<tag>

In addition, the scanner now looks for vulnerabilities in further project and container formats: Node modules, Python wheels, Java uber-JARs and Go binaries, as well as lock and manifest files such as .NET deps.json, Python uv.lock, JavaScript bun.lock and Haskell cabal.project and stack.yaml.lock.

Guided remediation of dependencies in manifest and lock files has been available for npm packages since April 2024 and now also supports Maven pom.xml files for Java. The OSV-Scanner not only examines the dependencies but also writes the changes to the local pom.xml and to parent pom.xml files (override). A command that automatically updates all dependent packages is still experimental. Maven remediation currently works only in non-interactive mode, so users should create a backup first. The command is:

osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml

The new HTML format for interactive scan results offers clear filter options, for example by severity, container layer or package ID. It also provides detailed information for fixing the reported problems.
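The severity and package filters described above can also be applied to the scanner's machine-readable output. The following script is an added example, not code from the article or from the OSV-Scanner project; it assumes the JSON layout of an `osv-scanner --format json` report (results, packages, vulnerabilities and groups with a `max_severity` score) and works on a constructed sample report.

```python
"""Filter OSV-Scanner JSON output by severity score and package name, the same
two filters the interactive HTML report offers. Added example, not code from the
article or the OSV-Scanner project; the JSON layout is an assumption modelled on
the `osv-scanner --format json` report."""
import json

# Constructed sample report in the assumed layout (three findings, two packages).
SAMPLE_REPORT = json.dumps({"results": [{
    "source": {"path": "path/to/pom.xml", "type": "lockfile"},
    "packages": [
        {"package": {"name": "org.example:parser", "version": "1.2.0", "ecosystem": "Maven"},
         "vulnerabilities": [{"id": "EXAMPLE-2024-0001", "summary": "constructed"},
                             {"id": "EXAMPLE-2024-0002", "summary": "constructed"}],
         "groups": [{"ids": ["EXAMPLE-2024-0001"], "max_severity": "8.1"},
                    {"ids": ["EXAMPLE-2024-0002"], "max_severity": "4.3"}]},
        {"package": {"name": "org.example:util", "version": "0.9.0", "ecosystem": "Maven"},
         "vulnerabilities": [{"id": "EXAMPLE-2024-0003", "summary": "constructed"}],
         # No CVSS score published: max_severity is empty and is treated as 0.0 below.
         "groups": [{"ids": ["EXAMPLE-2024-0003"], "max_severity": ""}]},
    ]}]})


def parse_findings(report_json):
    """Flatten the nested report into one dict per (package, vulnerability) pair."""
    findings = []
    for result in json.loads(report_json).get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            # Groups carry the score; map every id in a group to its max_severity.
            score_by_id = {}
            for group in pkg.get("groups", []):
                raw = group.get("max_severity")
                score = float(raw) if raw else 0.0  # empty or missing score -> 0.0
                for vuln_id in group.get("ids", []):
                    score_by_id[vuln_id] = max(score, score_by_id.get(vuln_id, 0.0))
            for vuln in pkg.get("vulnerabilities", []):
                findings.append({
                    "ecosystem": meta["ecosystem"], "name": meta["name"],
                    "version": meta["version"], "id": vuln["id"],
                    "score": score_by_id.get(vuln["id"], 0.0),
                })
    return findings


def filter_findings(findings, min_score=0.0, package=None):
    """Keep findings at or above min_score, optionally restricted to one package name."""
    return [f for f in findings
            if f["score"] >= min_score and (package is None or f["name"] == package)]


if __name__ == "__main__":
    for f in filter_findings(parse_findings(SAMPLE_REPORT), min_score=7.0):
        print(f"{f['ecosystem']} {f['name']}@{f['version']}: {f['id']} ({f['score']})")
```

Findings without a published score land at 0.0, so a severity threshold alone silently drops them; filter by package as well when triaging such entries.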




[Figure: HTML interface of the OSV-Scanner. The OSV-Scanner shows the severity of a vulnerability and further information in the next tab. (Image: Google)]

Google's open-source security toolset consists of three components: OSV-Scanner, OSV-SCALIBR and OSV.dev. The latter is a vulnerability database from which the two other tools obtain their metadata. The scanner and the library have been separate so far, so some capabilities are still missing, for example secret scanning.

However, the Google team is planning this for the next versions. In addition, the tool is to analyze the full file system structure of container layers in the future. Further formats and languages are also to be supported.


(Who)
