In December 2022, we introduced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we've continued to build this tool, adding remediation features, as well as expanding ecosystem support to 11 programming languages and 20 package manager formats.

Today, we're excited to release OSV-SCALIBR (Software Composition Analysis LIBRary), an extensible library for SCA and file system scanning. OSV-SCALIBR combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:

- SCA for installed packages, standalone binaries, as well as source code
- OS package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
- Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
- Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
- SBOM generation in SPDX and CycloneDX, the two most popular document formats
- Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

OSV-SCALIBR is now the primary SCA engine used within Google for live hosts, code repos, and containers.
It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale.

We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface.

Using OSV-SCALIBR as a library

All of OSV-SCALIBR's capabilities are modularized into plugins for software extraction and vulnerability detection, which are very simple to expand.

You can use OSV-SCALIBR as a library to:

1. Generate SBOMs from the build artifacts and code repos on your live host:

```go
import (
	"context"

	"github.com/google/osv-scalibr"
	"github.com/google/osv-scalibr/converter"
	"github.com/google/osv-scalibr/extractor/filesystem/list"
	"github.com/google/osv-scalibr/fs"
	"github.com/google/osv-scalibr/plugin"
	spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
)

// GenSBOM scans the whole local filesystem with every extractor that
// supports Linux and converts the resulting inventory to an SPDX 2.3 document.
func GenSBOM(ctx context.Context) *spdx.Document {
	capab := &plugin.Capabilities{OS: plugin.OSLinux}
	cfg := &scalibr.ScanConfig{
		ScanRoots:            fs.RealFSScanRoots("/"),
		FilesystemExtractors: list.FromCapabilities(capab),
		Capabilities:         capab,
	}
	result := scalibr.New().Scan(ctx, cfg)
	return converter.ToSPDX23(result, converter.SPDXConfig{})
}
```

2. Scan a git repo for SBOMs:

Simply replace "/" with the path to your git repo. Also take a look at the various language extractors to enable for code scanning.

3. Scan a remote container for SBOMs:

Replace the scan config from the above code snippet with

```go
import (
	...
	"github.com/google/go-containerregistry/pkg/authn"
	"github.com/google/go-containerregistry/pkg/v1/remote"
	"github.com/google/osv-scalibr/artifact/image"
	...
)

...

// Pull the image's layers through go-containerregistry and expose the flattened
// filesystem as a scan root; check the error in real code instead of discarding it.
filesys, _ := image.NewFromRemoteName(
	"alpine:latest",
	remote.WithAuthFromKeychain(authn.DefaultKeychain),
)
cfg := &scalibr.ScanConfig{
	ScanRoots: []*fs.ScanRoot{{FS: filesys}},
	...
}
```

4. Find vulnerabilities on your filesystem or a remote container:

Extract the PURLs from the SCALIBR inventory results from the previous steps:

```go
import (
	...
	"fmt"

	"github.com/google/osv-scalibr/converter"
	...
)

...

// Each inventory entry is one discovered package; ToPURL renders it as a
// package URL that osv.dev understands.
result := scalibr.New().Scan(ctx, cfg)
for _, i := range result.Inventories {
	fmt.Println(converter.ToPURL(i))
}
```

And send them to osv.dev, e.g.

```sh
$ curl -d '{"package": {"purl": "pkg:npm/dojo@1.2.3"}}' "https://api.osv.dev/v1/query"
```

See the usage docs for more details.

OSV-Scanner + OSV-SCALIBR

Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities using much of the same extraction as OSV-SCALIBR. Some of OSV-SCALIBR's capabilities are not yet available in OSV-Scanner, but we're currently working on integrating OSV-SCALIBR more deeply into OSV-Scanner. This will make more and more of OSV-SCALIBR's capabilities available in OSV-Scanner in the next few months, including installed package extraction, weak credentials scanning, SBOM generation, and more.

Look out soon for an announcement of OSV-Scanner V2 with many of these new features available. OSV-Scanner will become the primary frontend to the OSV-SCALIBR library for users who require a CLI interface. Existing users of OSV-Scanner can continue to use the tool the same way, with backwards compatibility maintained for all existing use cases.

For installation and usage instructions, have a look at OSV-Scanner's documentation here.

What's next

In addition to making all of OSV-SCALIBR's features available in OSV-Scanner, we're also working on additional new capabilities.
Here's some of the things you can expect:

- Support for more OS and language ecosystems, both for regular extraction and for Guided Remediation
- Layer attribution and base image identification for container scanning
- Reachability analysis to reduce false positive vulnerability matches
- More vulnerability and misconfiguration detectors for Windows
- More weak credentials detectors

We hope that this library helps developers and organizations secure their software and encourages the open source community to contribute back by sharing new plugins on top of OSV-SCALIBR.

If you have any questions or if you would like to contribute, don't hesitate to reach out to us at osv-discuss@google.com or by posting an issue in our issue tracker.
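Step 4 above prints one PURL per inventory entry and sends a single one to osv.dev with curl. The Go snippet below is an added example, not code from this post or from OSV-SCALIBR, showing how to fold a whole PURL list into one request to osv.dev's /v1/querybatch endpoint and map the positional results back to the packages they belong to. The response it parses is a constructed sample with placeholder vulnerability IDs; in practice the request body would be POSTed with curl or net/http.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// osv.dev's /v1/querybatch takes a list of the same {"package": {"purl": ...}} queries the
// post sends to /v1/query and returns one result per query, in order, holding only vuln IDs.
type purlQuery struct {
	Package struct{ PURL string `json:"purl"` } `json:"package"`
}
type batchResponse struct {
	Results []struct {
		Vulns []struct{ ID string `json:"id"` } `json:"vulns"`
	} `json:"results"`
}

// BuildBatchRequest turns the PURLs printed by converter.ToPURL into a querybatch body.
// Query i in the body corresponds to purls[i]; keep that slice to read the answer.
func BuildBatchRequest(purls []string) ([]byte, error) {
	qs := make([]purlQuery, len(purls))
	for i, p := range purls {
		qs[i].Package.PURL = p
	}
	return json.Marshal(map[string][]purlQuery{"queries": qs})
}

// MatchVulns maps each queried PURL to the IDs osv.dev returned for it. Results are
// positional, so a count mismatch is an error rather than a silent misattribution.
func MatchVulns(purls []string, body []byte) (map[string][]string, error) {
	var resp batchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	if len(resp.Results) != len(purls) {
		return nil, fmt.Errorf("%d results for %d queries", len(resp.Results), len(purls))
	}
	out := map[string][]string{}
	for i, r := range resp.Results {
		for _, v := range r.Vulns {
			out[purls[i]] = append(out[purls[i]], v.ID)
		}
	}
	return out, nil
}

// SampleResponse is a constructed reply (not real osv.dev data): two hits for query 0, none for query 1.
const SampleResponse = `{"results":[{"vulns":[{"id":"EXAMPLE-0001"},{"id":"EXAMPLE-0002"}]},{"vulns":[]}]}`
```

The batch endpoint returns only IDs, so fetch full records from /v1/vulns/{id} for the packages that came back with hits.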