Hello Stackers, It’s quite fun when google launched this thing.. but yeah we just look into it..
OSV-Scanner provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:
- Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
- Anyone can suggest improvements to advisories, resulting in a very high quality database
- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages
QuickStart
install this thing :
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
usage :
osv-scanner -r /path/to/your/dirScan a directory
Walks through a list of directories to find:
- Lockfiles
- SBOMs
- git directories for the latest commit hash
which is used to build the list of dependencies to be matched against OSV vulnerabilities.
Can be configured to recursively walk through subdirectories with the --recursive / -r flag.
That’s All, for the full docs please refer on here.. cyaaa..
