Saturday, February 15, 2025
HomeCyber SecurityA library for Software program Composition Evaluation

A library for Software program Composition Evaluation


In December 2022, we introduced OSV-Scanner, a device to allow builders to simply scan for vulnerabilities of their open supply dependencies. Along with the open supply neighborhood, we’ve continued to construct this device, including remediation options, in addition to increasing ecosystem help to 11 programming languages and 20 bundle supervisor codecs. 

As we speak, we’re excited to launch OSV-SCALIBR (Software program Composition Evaluation LIBRary), an extensible library for SCA and file system scanning. OSV-SCALIBR combines Google’s inner vulnerability administration experience into one scanning library with important new capabilities similar to:

  • SCA for put in packages, standalone binaries, in addition to supply code

  • OSes bundle scanning on Linux (COS, Debian, Ubuntu, RHEL, and way more), Home windows, and Mac

  • Artifact and lockfile scanning in main language ecosystems (Go, Java, Javascript, Python, Ruby, and way more)

  • Vulnerability scanning instruments similar to weak credential detectors for Linux, Home windows, and Mac

  • SBOM technology in SPDX and CycloneDX, the 2 hottest doc codecs

  • Optimization for on-host scanning of useful resource constrained environments the place efficiency and low useful resource consumption is important

OSV-SCALIBR is now the first SCA engine used inside Google for stay hosts, code repos, and containers. It’s been used and examined extensively throughout many alternative merchandise and inner instruments to assist generate SBOMs, discover vulnerabilities, and assist shield our customers’ information at Google scale.

We provide OSV-SCALIBR primarily as an open supply Go library at present, and we’re engaged on including its new capabilities into OSV-Scanner as the first CLI interface.

Utilizing OSV-SCALIBR as a library

All of OSV-SCALIBR’s capabilities are modularized into plugins for software program extraction and vulnerability detection that are quite simple to broaden.You need to use OSV-SCALIBR as a library to:

1.Generate SBOMs from the construct artifacts and code repos in your stay host:

import (

 “context”

 “github.com/google/osv-scalibr”

 “github.com/google/osv-scalibr/converter”

 “github.com/google/osv-scalibr/extractor/filesystem/record”

 “github.com/google/osv-scalibr/fs”

 “github.com/google/osv-scalibr/plugin”

 spdx “github.com/spdx/tools-golang/spdx/v2/v2_3”

)

func GenSBOM(ctx context.Context) *spdx.Doc {

 capab := &plugin.Capabilities{OS: plugin.OSLinux}

 cfg := &scalibr.ScanConfig{

   ScanRoots: fs.RealFSScanRoots(“/”),

   FilesystemExtractors: record.FromCapabilities(capab),

   Capabilities: capab,

 }

 outcome := scalibr.New().Scan(ctx, cfg)

 return converter.ToSPDX23(outcome, converter.SPDXConfig{})

}

2. Scan a git repo for SBOMs:

Merely change “/” with the trail to your git repo. Additionally check out the numerous language extractors to allow for code scanning.

3. Scan a distant container for SBOMs:

Substitute the scan config from the above code snippet with

import (

 …

 “github.com/google/go-containerregistry/pkg/authn”

 “github.com/google/go-containerregistry/pkg/v1/distant”

 “github.com/google/osv-scalibr/artifact/picture”

 …

)

filesys, _ := picture.NewFromRemoteName(

 “alpine:newest”,

 distant.WithAuthFromKeychain(authn.DefaultKeychain),

)

cfg := &scalibr.ScanConfig{

 ScanRoots: []*fs.ScanRoot{{FS: filesys}},

 

}

4. Discover vulnerabilities in your filesystem or a distant container:

Extract the PURLs from the SCALIBR stock outcomes from the earlier steps:

import (

 …

 “github.com/google/osv-scalibr/converter”

 

)

outcome := scalibr.New().Scan(ctx, cfg)

for _, i := vary outcome.Inventories {

 fmt.Println(converter.ToPURL(i))

}

And ship them to osv.dev, e.g.

$ curl -d ‘{“bundle”: {“purl”: “pkg:npm/[email protected]”}}’ “https://api.osv.dev/v1/question”

See the utilization docs for extra particulars.

OSV-Scanner + OSV-SCALIBR

Customers on the lookout for an out-of-the-box vulnerability scanning CLI device ought to try OSV-Scanner, which already offers complete language bundle scanning capabilities utilizing a lot of the identical extraction as OSV-SCALIBR. 

A few of OSV-SCALIBR’s capabilities should not but out there in OSV-Scanner, however we’re at present engaged on integrating OSV-SCALIBR extra deeply into OSV-Scanner. This can make increasingly more of OSV-SCALIBR’s capabilities out there in OSV-Scanner within the subsequent few months, together with put in bundle extraction, weak credentials scanning, SBOM technology, and extra.

Look out quickly for an announcement of OSV-Scanner V2 with many of those new options out there. OSV-Scanner will grow to be the first frontend to the OSV-SCALIBR library for customers who require a CLI interface. Present customers of OSV-Scanner can proceed to make use of the device the identical approach, with backwards compatibility maintained for all current use instances. 

For set up and utilization directions, take a look at OSV-Scanner’s documentation right here.


What’s subsequent

Along with making all of OSV-SCALIBR’s options out there in OSV-Scanner, we’re additionally engaged on further new capabilities. Here is a few of the issues you possibly can count on:

  • Help for extra OS and language ecosystems, each for normal extraction and for Guided Remediation

  • Layer attribution and base picture identification for container scanning

  • Reachability evaluation to scale back false optimistic vulnerability matches

  • Extra vulnerability and misconfiguration detectors for Home windows

  • Extra weak credentials detectors

We hope that this library helps builders and organizations to safe their software program and encourages the open supply neighborhood to contribute again by sharing new plugins on prime of OSV-SCALIBR.

When you’ve got any questions or if you need to contribute, do not hesitate to achieve out to us at [email protected] or by posting a problem in our difficulty tracker.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments