Google announced the release of OSV-Scanner on Tuesday, a scanner designed to provide quick access to vulnerability information for various open-source projects.

Google's New OSV-Scanner

The Open Source Vulnerabilities (OSV) database powers the Go-based tool, which Google says is intended to “address many of the shortcomings of dealing with vulnerabilities in open source software using existing solutions.”

The goal is to discover a project’s transitive dependencies and flag pertinent vulnerabilities using data from the OSV.dev database.

By precisely identifying the list of vulnerable versions and changes, OSV seeks to streamline the vulnerability reporting procedure for an open-source package maintainer.

FREE Cybersecurity Status Self-Assessment

Google also announced that the open-source platform supports 16 ecosystems, including all major languages, Linux distributions (Debian and Alpine), Android, the Linux Kernel, and OSS-Fuzz.

As a consequence of this growth, OSV.dev now has over 39,000 advisories, up from 15,000 a year earlier, with Linux (11,154), Debian (8,892) and PyPI (3,638) holding the top spots.

In terms of further measures, the internet giant said it aims to expand support for C/C++ weaknesses by creating a high-quality database that includes exact commit-level information to CVEs.

Google's New OSV-Scanner

OSV-Scanner came two months after Google introduced GUAC (Graph for Understanding Artifact Composition) to supplement Supply Chain Levels for Software Artifacts (SLSA) as part of its attempts to enhance software supply chain security.

This week, the released “Perspectives on Security” study urges enterprises to create and implement a standard SLSA architecture to prevent tampering, increase integrity, and protect packages from possible risks.

Other suggestions made by the firm include taking on extra open source security obligations and taking a more holistic approach to tackling current vulnerabilities such as the Log4j vulnerability and the SolarWinds issues.

The firm states that “software supply chain attacks typically require strong technical aptitude and long-term commitment to pull off.”

Furthermore, “sophisticated actors are more likely to have both the intent and capability to conduct these types of attacks,” Google explains.

The fact is that attackers take the time to target third-party suppliers with reliable connections to their client’s networks. And the majority of enterprises are susceptible to software supply chain assaults.

They then take advantage of that trust to delve further into the networks of their intended victims. We need a stronger, scalable approach to safeguard susceptible systems if defenders are to have any hope of stopping these bad actors.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center