Google Releases OSV-Scanner V2.0.0 with Major Improvements for Open Source Security

Google has released OSV-Scanner V2.0.0, the latest version of its free, open source vulnerability scanner for open source projects. First released in December 2022, OSV-Scanner is the command-line front end to Google's Open Source Vulnerabilities (OSV) database (OSV.dev): it extracts the packages a project depends on, queries the database for matching advisories, and reports what needs fixing.

The headline change is that the scanner is now built on OSV-SCALIBR, the software composition analysis (SCA) library Google released in January 2025. With SCALIBR's extractors underneath it, OSV-Scanner becomes a full vulnerability detection and remediation tool that covers many more ecosystems, file formats and deployment artifacts.

With this update, OSV-Scanner can also extract package inventories from the following manifests, lockfiles and build artifacts:

  • .NET (deps.json)
  • Python (uv.lock)
  • JavaScript (bun.lock)
  • Haskell (cabal.project.freeze, stack.yaml.lock)
  • Installed and built artifacts such as Node modules, Python wheels, Java uber JARs, and Go binaries (for Go binaries the module list embedded at build time is read, so no source tree is needed).

The scanner also introduces layer-aware container scanning for Alpine, Debian and Ubuntu images. Each finding is attributed to the image layer (and the command in the layer history) that introduced the package, base images are identified, and vulnerabilities that are unlikely to affect the running container are flagged so they can be filtered out of the results. In practice the layer attribution tells you whether a fix belongs in your own Dockerfile or in an update of the upstream base image.

OSV-Scanner V2.0.0 also adds an interactive HTML report that lets developers browse scan results, read the underlying advisories, filter findings by severity, and concentrate on the most critical issues first.

Another highlight is guided remediation for Maven projects, extending the guided remediation previously available for npm. It can upgrade both direct and transitive dependencies to fixed versions, rewrite pom.xml files directly, and resolve dependencies against private Maven registries. Remediation results can also be emitted in a machine-readable format, so the proposed fixes can be consumed by CI/CD pipelines rather than read off a terminal.
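The article talks about machine-readable output feeding CI/CD pipelines; the piece a practitioner actually has to write is the policy that turns a scan report into a pass/fail decision. The script below is an added example (not from the article and not part of the OSV-Scanner project) that reads the scanner's JSON report, deduplicates advisories that describe the same issue using the `groups` section, and fails the build when any remaining finding reaches a CVSS threshold. The report would come from `osv-scanner scan source -r . --format=json --output=osv.json`; the embedded sample is constructed by hand to follow the documented JSON layout (`results` → `packages` → `vulnerabilities` / `groups`, with `max_severity` as a CVSS base score string), and the `example.com/*` packages and `EXAMPLE-*` IDs are placeholders. The `ignored` set is a stand-in for triage decisions; in a real pipeline you would keep those in the scanner's own `osv-scanner.toml` ignore list, or in VEX once the tool supports it.

```python
"""CI gate over `osv-scanner --format=json` output (added example, not project code)."""
import json
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of an OSV-Scanner JSON report.
# gogo/protobuf is a real advisory pair from the scanner's docs; the
# example.com packages and EXAMPLE-* identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "/src/go.mod", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go"},
                "vulnerabilities": [
                    {"id": "GHSA-c3h9-896r-86jm", "aliases": ["CVE-2021-3121"]},
                    {"id": "GO-2021-0053", "aliases": ["CVE-2021-3121", "GHSA-c3h9-896r-86jm"]},
                ],
                # Two advisories for one CVE are grouped; max_severity is a CVSS score string.
                "groups": [{"ids": ["GHSA-c3h9-896r-86jm", "GO-2021-0053"], "max_severity": "7.5"}],
            },
            {
                "package": {"name": "example.com/lowrisk", "version": "0.1.0", "ecosystem": "Go"},
                "vulnerabilities": [{"id": "EXAMPLE-0001", "aliases": []}],
                "groups": [{"ids": ["EXAMPLE-0001"], "max_severity": "3.1"}],
            },
            {
                # Edge case: an advisory with no CVSS score attached.
                "package": {"name": "example.com/unscored", "version": "2.0.0", "ecosystem": "Go"},
                "vulnerabilities": [{"id": "EXAMPLE-0002", "aliases": []}],
                "groups": [{"ids": ["EXAMPLE-0002"]}],
            },
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    name: str
    version: str
    source: str
    ids: Tuple[str, ...]      # group IDs plus their aliases, so one CVE is one finding
    score: Optional[float]    # CVSS base score from max_severity; None when unscored


def parse_findings(report: dict) -> List[Finding]:
    """Flatten a report into one Finding per vulnerability group, not per advisory."""
    findings: List[Finding] = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "")
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            aliases = {v["id"]: v.get("aliases", []) for v in pkg.get("vulnerabilities", [])}
            for group in pkg.get("groups", []):
                ids: List[str] = []
                for vid in group.get("ids", []):
                    for candidate in [vid, *aliases.get(vid, [])]:
                        if candidate not in ids:
                            ids.append(candidate)
                raw = group.get("max_severity")
                score = float(raw) if raw else None  # missing or empty string -> unscored
                findings.append(Finding(meta.get("ecosystem", ""), meta.get("name", ""),
                                        meta.get("version", ""), source, tuple(ids), score))
    return findings


def gate(findings: List[Finding], threshold: float = 7.0, ignored=frozenset(),
         fail_on_unscored: bool = True) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking). Ignored IDs match any advisory ID or alias of a finding.
    Unscored findings fail closed unless the caller opts out."""
    blocking: List[Finding] = []
    for f in findings:
        if ignored.intersection(f.ids):
            continue
        if f.score is None:
            if fail_on_unscored:
                blocking.append(f)
        elif f.score >= threshold:
            blocking.append(f)
    return (not blocking, blocking)


def main(argv: List[str]) -> int:
    # usage: gate.py [osv.json] [IGNORED-ID ...]; with no report path the sample is used
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, blocking = gate(parse_findings(json.loads(text)), ignored=frozenset(argv[2:]))
    for f in blocking:
        print(f"BLOCK {f.ecosystem}/{f.name}@{f.version} ({f.source}): "
              f"{', '.join(f.ids)} score={f.score}")
    print("PASS" if passed else f"FAIL: {len(blocking)} finding(s) at or above threshold")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it with no arguments exits non-zero on the constructed sample: the gogo/protobuf group scores 7.5 and the unscored placeholder fails closed, while the 3.1 finding passes. Gating on `groups` rather than on `vulnerabilities` matters because the same CVE usually appears as a GHSA entry and an ecosystem-specific entry; counting both would double the numbers and let an ignore on one ID leak through the other.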

Google promises continued improvements, including:

  • Expanded ecosystem support
  • Enhanced file accounting for container images
  • Integrated reachability analysis
  • Support for Vulnerability Exploitability eXchange (VEX)

Both OSV-Scanner and OSV-SCALIBR are available on GitHub, with Google encouraging contributions and community feedback.

References
https://www.securityweek.com/google-releases-major-update-for-open-source-vulnerability-scanner
