Vulnerability scanner and remediation tool for open source
In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev, are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is to simplify and streamline vulnerability management for developers and security teams alike.

Today, we're thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems.

What's new

Enhanced Dependency Extraction with OSV-SCALIBR

This release represents the first major integration of OSV-SCALIBR features into OSV-Scanner, which is now the official command-line code and container scanning tool for the OSV-SCALIBR library. This integration also expanded our support for the types of dependencies we can extract from projects and containers:

Source manifests and lockfiles:

Artifacts:
- Node modules
- Python wheels
- Java uber jars
- Go binaries

Layer and base image-aware container scanning

Previously, OSV-Scanner focused on scanning source repositories and language package manifests and lockfiles. OSV-Scanner V2 adds support for comprehensive, layer-aware scanning of Debian, Ubuntu, and Alpine container images.
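As an added illustration (written for this page, not code from OSV-Scanner or OSV-SCALIBR), the following Go program models the two things layer-aware scanning has to get right: attributing each package to the layer that introduced the version present in the final image, and not reporting advisories for packages that a later layer upgraded or deleted. The image layers, package versions and advisory identifiers are constructed for the example; the types are not OSV-Scanner's own, and the EXAMPLE- IDs are not real advisories.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed types for this example; they are not OSV-Scanner's own.
type Package struct{ Ecosystem, Name, Version string }

// Layer: the command that produced it, the packages it adds or upgrades, and
// the packages it deletes (what an OCI whiteout entry records).
type Layer struct {
	Command string
	Added   []Package
	Removed []Package // Version is ignored
}

// Finding: a package present in the final image and the index of the layer
// that introduced the version actually present.
type Finding struct {
	Pkg   Package
	Layer int
}

// Advisory: a made-up vulnerability record matched on exact versions.
type Advisory struct {
	ID, Ecosystem, Name string
	Affected            []string
}

func key(p Package) string { return p.Ecosystem + "/" + p.Name }

// AttributeLayers walks layers in order: adding a package records the current
// layer, re-adding it (an upgrade) moves the record to the later layer, and
// removing it drops it, so a package that only existed during an intermediate
// build step never reaches vulnerability matching.
func AttributeLayers(layers []Layer) []Finding {
	present := map[string]Finding{}
	for i, l := range layers {
		for _, p := range l.Added {
			present[key(p)] = Finding{Pkg: p, Layer: i}
		}
		for _, p := range l.Removed {
			delete(present, key(p))
		}
	}
	out := make([]Finding, 0, len(present))
	for _, f := range present {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return key(out[i].Pkg) < key(out[j].Pkg) })
	return out
}

// Match returns, per advisory ID, the surviving packages whose final-image
// version is listed as affected; removed or upgraded versions cannot match.
func Match(findings []Finding, advisories []Advisory) map[string][]Finding {
	hits := map[string][]Finding{}
	for _, f := range findings {
		for _, a := range advisories {
			if a.Ecosystem != f.Pkg.Ecosystem || a.Name != f.Pkg.Name {
				continue
			}
			for _, v := range a.Affected {
				if v == f.Pkg.Version {
					hits[a.ID] = append(hits[a.ID], f)
				}
			}
		}
	}
	return hits
}

// Constructed sample image: a build dependency deleted before the final layer
// and an OS package upgraded along the way. Versions and IDs are made up.
var sampleLayers = []Layer{
	{Command: "FROM alpine:3.19", Added: []Package{{"Alpine", "busybox", "1.36.1-r15"}, {"Alpine", "libcrypto3", "3.1.4-r2"}}},
	{Command: "RUN apk add build-base curl", Added: []Package{{"Alpine", "build-base", "0.5-r3"}, {"Alpine", "curl", "8.5.0-r0"}}},
	{Command: "RUN apk del build-base && apk upgrade libcrypto3", Added: []Package{{"Alpine", "libcrypto3", "3.1.4-r5"}}, Removed: []Package{{Ecosystem: "Alpine", Name: "build-base"}}},
	{Command: "COPY node_modules /app/node_modules", Added: []Package{{"npm", "lodash", "4.17.20"}}},
}

var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-ALPINE-LIBCRYPTO", Ecosystem: "Alpine", Name: "libcrypto3", Affected: []string{"3.1.4-r2"}}, // upgraded away in layer 2
	{ID: "EXAMPLE-ALPINE-BUILDBASE", Ecosystem: "Alpine", Name: "build-base", Affected: []string{"0.5-r3"}},  // deleted in layer 2
	{ID: "EXAMPLE-NPM-LODASH", Ecosystem: "npm", Name: "lodash", Affected: []string{"4.17.20"}},              // still present in layer 3
}

func main() {
	findings := AttributeLayers(sampleLayers)
	for _, f := range findings {
		fmt.Printf("%-6s %-11s %-11s layer %d: %s\n", f.Pkg.Ecosystem, f.Pkg.Name, f.Pkg.Version, f.Layer, sampleLayers[f.Layer].Command)
	}
	for id, fs := range Match(findings, sampleAdvisories) {
		fmt.Printf("%s affects %s@%s, introduced in layer %d\n", id, fs[0].Pkg.Name, fs[0].Pkg.Version, fs[0].Layer)
	}
}
```

Running it prints each surviving package with the layer command that introduced it, followed by the one advisory that still applies; the libcrypto3 and build-base advisories are filtered out because their affected versions never reach the final image. A real scanner derives the same information from the OCI layer tarballs and their whiteout entries rather than from a hand-written layer list.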
OSV-Scanner can now analyze container images to provide:
- Layers where a package was first introduced
- Layer history and commands
- Base images the image is based on (leveraging a new experimental API provided by deps.dev)
- OS/Distro the container is running on
- Filtering of vulnerabilities that are unlikely to impact your container image

This layer analysis currently supports the following OSes and languages:

Distro Support:

Language Artifacts Support:

Interactive HTML output

Presenting vulnerability scan information in a clear and actionable way is difficult, particularly in the context of container scanning. To address this, we built a new interactive local HTML output format. This provides more interactivity and information compared to terminal-only outputs, including:

And additionally for container image scanning:

(Figure: Illustration of HTML output for container image scanning)

Guided remediation for Maven pom.xml

Last year we released a feature called guided remediation for npm, which streamlines vulnerability management by intelligently suggesting prioritized, targeted upgrades and offering flexible strategies. This ultimately maximizes security improvements while minimizing disruption. We have now expanded this feature to Java via support for Maven pom.xml.

With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies, either through direct version updates or by overriding versions via dependency management.

We've introduced a few new things for our Maven support:
- A new remediation strategy, override.
- Support for reading and writing pom.xml files, including writing changes to local parent pom files.
- We leverage OSV-SCALIBR for Maven transitive dependency extraction.
- A private registry can be specified to fetch Maven metadata.
- A new experimental subcommand to update all of your dependencies in pom.xml to the latest version.

We also introduced machine-readable output for guided remediation, which makes it easier to integrate guided remediation into your workflow.

What's next?

We have exciting plans for the rest of the year, including:
- Continued OSV-SCALIBR Convergence: We will continue to converge OSV-Scanner and OSV-SCALIBR to bring OSV-SCALIBR's functionality to OSV-Scanner's CLI interface.
- Expanded Ecosystem Support: We'll expand the number of ecosystems we support across all the features currently in OSV-Scanner, including more languages for guided remediation, OS advisories for container scanning, and more general lockfile support for source code scanning.
- Full Filesystem Accountability for Containers: Another goal of OSV-Scanner is to give you the ability to know and account for every single file in your container image, including sideloaded binaries downloaded from the internet.
- Reachability Analysis: We're working on integrating reachability analysis to provide deeper insights into the potential impact of vulnerabilities.
- VEX Support: We're planning to add support for Vulnerability Exploitability eXchange (VEX) to facilitate better communication and collaboration around vulnerability information.

Try OSV-Scanner V2

You can try V2.0.0 and contribute to its ongoing development by checking out the OSV-Scanner or OSV-SCALIBR repository. We welcome your feedback and contributions as we continue to improve the platform and make vulnerability management easier for everyone.

If you have any questions or would like to contribute, don't hesitate to reach out to us at osv-discuss@google.com, or file an issue in our issue tracker.