Vulnerability scanner written in Go that uses osv.dev data (github.com/google)
162 points by GavCo on Dec 18, 2022 | hide | past | favorite | 14 comments



Great to see a developer-friendly tool around OSV! Packj [1] uses OSV APIs to report vulnerable PyPI/NPM/Rubygems packages. Disclaimer: I built it.

1. https://github.com/ossillate-inc/packj flags malicious/risky packages.



This type of friendly tooling is exactly what was missing from OSV! I look forward to OSV making it easier to manage and deal with vulnerabilities.


How would you use this with a C/C++ codebase, where you build your dependencies yourself and don't get them from a package manager? All vulnerability databases seem to refer to package repos. Is there anything that works with only library name + version?


OSV lead here.

This isn't available yet, but we're working on exactly this in two ways:

1. Extending our API to detect vendored C/C++ code by building a file hash index

2. Building a high quality C/C++ vulnerability database.

You can follow the two linked issues here: https://github.com/google/osv-scanner/issues/82 for updates!
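The file hash index approach the OSV lead describes, as an added Go example that is not osv-scanner's or OSV's own code: a constructed index mapping known release file hashes to name@version, and a matcher that attributes a directory of vendored C/C++ sources to a release by counting hits. The library name, file contents and release versions are made up for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// fileKey is the index key for one file: the hex SHA-256 of its exact contents.
func fileKey(content []byte) string { return fmt.Sprintf("%x", sha256.Sum256(content)) }

// buildIndex maps each known source file's hash to every release (name@version) shipping that
// exact file; a header unchanged across releases maps to all of them, so no single file is proof.
func buildIndex(releases map[string][][]byte) map[string][]string {
	index := make(map[string][]string)
	for release, files := range releases {
		for _, content := range files {
			k := fileKey(content)
			index[k] = append(index[k], release)
		}
	}
	return index
}

// matchVendored hashes every vendored file and tallies how many files each release explains, so
// copied sources get a name and version without a package manager; unknown files score nothing.
func matchVendored(index map[string][]string, vendored [][]byte) map[string]int {
	hits := make(map[string]int)
	for _, content := range vendored {
		for _, release := range index[fileKey(content)] {
			hits[release]++
		}
	}
	return hits
}

// Constructed sample data, not real sources: two releases sharing one header, plus a vendored 1.1.0.
var sampleIndex = buildIndex(map[string][][]byte{
	"libexample@1.0.0": {[]byte("int parse(char *s) { return s[0]; }\n"), []byte("#define LIBEXAMPLE 1\n")},
	"libexample@1.1.0": {[]byte("int parse(char *s) { return s ? s[0] : 0; }\n"), []byte("#define LIBEXAMPLE 1\n")},
})
var sampleVendored = [][]byte{
	[]byte("int parse(char *s) { return s ? s[0] : 0; }\n"),
	[]byte("#define LIBEXAMPLE 1\n"),
	[]byte("/* local patch */ int helper(void) { return 1; }\n"),
}

func main() {
	for release, n := range matchVendored(sampleIndex, sampleVendored) {
		fmt.Printf("%s: %d of %d vendored files match\n", release, n, len(sampleVendored))
	}
}
```

The release with the highest count (here libexample@1.1.0 with 2 of 3 files) is the best attribution; the shared header alone also credits 1.0.0, which is why a single matching file should not be treated as conclusive.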


We've an open-source project that does this: https://github.com/osssanitizer/maloss. I'm working on creating a CLI/web interface for this. Happy to chat (email in profile).


This is really helpful to diversify the current oss tools.

Does anyone know good sources for creating a SBOM?


Depends exactly what you're trying to create it for. I advocate for doing it during the build process rather than as a step after.

We open sourced a few tools that do it automatically for containers:

https://github.com/chainguard-dev/apko

https://github.com/chainguard-dev/melange


I've used the cyclonedx maven plugin, cyclonedx-bom on pypi, cdxgen for js, and cyclonedx-cli for various utilities (e.g. merging). All have worked great.


I like trivy[1] a lot. Nice to see more alternatives like this.

1. https://github.com/aquasecurity/trivy


I wasn’t aware that Gradle has «gradle.lockfile» that describes the dependencies tree. Is it used in the Java/Kotlin world?


I use Gradle regularly and have never come across it. Looks like it might be opt-in: https://docs.gradle.org/current/userguide/dependency_locking...

That said, all the Gradle projects I've used have pinned to specific versions rather than ranges.


What was the reason for choosing Go? Java is far more widely supported in the world.


Not for CLI tools.



