Google debuts OSV-Scanner – a Go tool for finding security holes in open source

Google this week released OSV-Scanner – an open source vulnerability scanner linked to the OSV.dev database that debuted last year. Written in the Go programming language, OSV-Scanner is designed to scan open source applications to assess the security of any incorporated dependencies – software libraries that get added to …

  1. m4r35n357 Bronze badge

    Wot, no package manager?

    Unfortunately for Google marketing, c/c++ developers prefer to manage their own dependencies, so maybe not worth the effort doing this ;)

  2. Sekhen

    Data harvesting.

    Will all this source code be used to train an AI?

    I'm having a hard time believing Google won't gobble up every single line of code that's analyzed.

  3. captain veg Silver badge

    wrong conclusions

    "this basic single-page "Hello world" app required a total of 1,764 dependencies"

    The canonical K&R "hello world" app was intended as an example of a minimal program. It had no external dependencies whatsoever, unless you include the standard C library.

    "There are simply too many dependencies and versions to keep track of manually, so automation is required."

    Wrong! That is an *insane* number of dependencies and requires massive application of the code-axe. Here:

    <html>Hello, world.</html>

    You're welcome.

    -A.

    1. JohnTill123

      Re: wrong conclusions

      Agreed.

      The modern "programming" practice of extracting various code blobs from a massive library and pasting them together is a security nightmare. There's no chance that in 1,764 dependencies there won't be a vulnerability somewhere. So you can pretty well guarantee that every single such app can be abused.

      Anyone who uses this "programming" paradigm in financial or industrial sectors, or other critical sectors like hydro, water, sewer utilities etc, is taking a massive risk.

      Obligatory XKCD: https://xkcd.com/2347/

  4. Falmari Silver badge

    WhiteSource Black Duck

    OSV-Scanner seems to do what WhiteSource and Black Duck do. WhiteSource and Black Duck ain't cheap, so what do Google get from OSV-Scanner as it seems to be free?

  5. Kevin McMurtrie Silver badge

    I just want to do some pruning

    A hassle in the Java world is that some third party library will eventually reference an Apache library for API compatibility. Now 20 years of Internet garbage is going into the build. How many millions of critical vulnerabilities that imports isn't relevant. I want to know the best points to insert a manual dependency exclusion. Doing it manually is trial and error by checking for runtime failures.

  6. Arthur Daily

    IBM SMP/E

    IBM SMP/E, at least since 1985, kept track of every module and all dependencies used to build their mainframe OS. Change one module, and you could discover which products contained it. For any patches/zaps/fixes, you knew for sure which products needed automatic fixing across the board. Looks like people are reinventing the wheel. That said, it was a difficult beast to master.
