Source |
GoogleSec |
Identifier |
8294656 |
Publication date |
2022-12-13 13:00:47 (viewed: 2022-12-25 07:07:17) |
Title |
Announcing OSV-Scanner: Vulnerability Scanner for Open Source |
Text |
Posted by Rex Pan, software engineer, Google Open Source Security Team

Today, we're launching the OSV-Scanner, a free tool that gives open source developers easy access to vulnerability information relevant to their project.

Last year, we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This involved publishing the Open Source Vulnerability (OSV) schema and launching the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine-readable format. The OSV-Scanner is the next step in this effort, providing an officially supported frontend to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them.

OSV-Scanner

Software projects are commonly built on top of a mountain of dependencies: external software libraries you incorporate into a project to add functionality without developing it from scratch. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required. Scanners provide this automated capability by matching your code and dependencies against lists of known vulnerabilities and notifying you if patches or updates are needed. Scanners bring incredible benefits to project security, which is why the 2021 U.S. Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development. The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases.

Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:

- Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database).
- Anyone can suggest improvements to advisories, resulting in a very high quality database.
- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer's list of packages.
- The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them.

Running OSV-Scanner on your project will first find all the transitive dependencies that are being used by analyzing manifests, SBOMs, and commit hashes. The scanner then connects this information with the OSV database and displays the vulnerabilities relevant to your project. |
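To make the matching step concrete, here is an added example (not OSV-Scanner's own code) that takes a constructed advisory in the OSV schema shape and a constructed lockfile-style dependency list and reports which entries fall inside the advisory's SEMVER ranges. The advisory ID, package names and versions are placeholders; a real scanner would fetch advisories from OSV.dev instead of embedding them.

```python
from typing import Iterable

# Constructed advisory in the OSV schema shape; the ID is a placeholder, not a real advisory.
ADVISORY = {
    "id": "EXAMPLE-OSV-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "SEMVER", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},      # every version below 1.4.2
            {"introduced": "2.0.0"}, {"fixed": "2.0.5"},  # regression in the 2.0 line
        ]}],
    }],
}

# Constructed dependency list, as a scanner would extract from a lockfile or SBOM.
LOCKFILE = [("PyPI", "examplelib", "1.3.0"), ("PyPI", "examplelib", "1.4.2"),
            ("PyPI", "examplelib", "2.0.1"), ("PyPI", "othertool", "2.0.1"),
            ("npm", "examplelib", "2.0.1")]  # same name, different ecosystem

def parse_semver(v: str) -> tuple:
    """Numeric core only; pre-release/build tags are ignored in this toy comparator."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def in_semver_range(version: str, events: list) -> bool:
    """OSV SEMVER events: 'introduced' opens an interval, the next 'fixed' closes it
    (exclusive). Affected iff introduced <= version < fixed for some interval."""
    v, lower = parse_semver(version), None
    for ev in events:
        if "introduced" in ev:
            lower = parse_semver(ev["introduced"])  # "0" means from the first release
        elif "fixed" in ev and lower is not None:
            if lower <= v < parse_semver(ev["fixed"]):
                return True
            lower = None
    return lower is not None and lower <= v  # still-open interval: no fix yet

def affected_deps(advisory: dict, deps: Iterable[tuple]) -> list:
    """Return (ecosystem, name, version, advisory id) for every dependency the advisory covers."""
    hits = []
    for eco, name, version in deps:
        for aff in advisory["affected"]:
            pkg = aff["package"]
            if (pkg["ecosystem"], pkg["name"]) != (eco, name):
                continue  # OSV matches on ecosystem + name, never on name alone
            if any(r["type"] == "SEMVER" and in_semver_range(version, r["events"])
                   for r in aff["ranges"]):
                hits.append((eco, name, version, advisory["id"]))
    return hits
```

Note that 1.4.2 is reported clean because a `fixed` event is exclusive, and the npm entry is skipped because OSV keys advisories on ecosystem plus name.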
Notes |
★★★
|
Sent |
Yes |
Tags |
Tool
Vulnerability
|