Google open sources software composition analysis library

Software composition analysis (SCA) is a process undertaken to identify and track application code dependencies and also to track security and compliance factors. Given the importance of this practice in modern enterprise IT stack environments when building software bill of materials (SBOM) inventories, software engineering teams can now consider Google’s open-sourced OSV-SCALIBR (Software Composition Analysis LIBRary). With open source vulnerability (OSV) issues always in the spotlight, this could be a welcome development.

Google says that OSV-SCALIBR is now the “primary SCA engine” used within Google for live hosts, code repositories and containers. It has been used and tested extensively across many different products and internal Google tools to help generate SBOMs, find vulnerabilities and help protect users’ data at what Google calls ‘Google scale’ i.e. quite big. 

Primary product positioning

The cloud and search giant offers OSV-SCALIBR primarily as an open source Go library today, but is working on adding its new capabilities into OSV-Scanner as the primary command line interface (CLI).

“Software projects are commonly built on top of a mountain of dependencies – external software libraries [developers] incorporate into a project to add functionalities without developing them from scratch. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required,” explained Rex Pan, software engineer, Google Open Source Security Team, on the Google blog pages.

Pan says that scanners provide automated capabilities by matching a developer’s code and dependencies against lists of known vulnerabilities and notifying if patches or updates are needed. Scanners are gaining credibility, it seems: the 2021 U.S. Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development.

OSV-SCALIBR can be used to scan OS packages on Linux, Windows and Apple Mac OS X. It supports artefact and lockfile scanning in several programming languages.

What are transitive software dependencies?

Running OSV-Scanner on a development team’s codebase will first find all the transitive dependencies that are being used by analyzing manifests, SBOMs and commit hashes. The scanner then connects this information with the OSV database and displays the vulnerabilities relevant to your project.
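The two steps described above (enumerate the resolved dependencies, including transitive ones, then match each against vulnerability advisories) are what any SCA engine boils down to. The Go program below is an added illustration written for this article; it is not code from OSV-SCALIBR or OSV-Scanner. It assumes an npm package-lock.json (lockfileVersion 2 or 3, where nested install paths such as node_modules/a/node_modules/b mark transitive dependencies) and advisories in the OSV schema with SEMVER ranges, matched offline against a constructed advisory list whose EXAMPLE-0001 and EXAMPLE-0002 identifiers are placeholders, not real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// packageLock is the minimal view of package-lock.json this example needs:
// "packages" is keyed by install path, e.g. "node_modules/lodash".
type packageLock struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// Dependency is one resolved package from the lockfile (direct or transitive).
type Dependency struct{ Ecosystem, Name, Version string }

// Subset of the OSV advisory schema needed for version-range matching.
type osvEvent struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}
type osvRange struct {
	Type   string     `json:"type"`
	Events []osvEvent `json:"events"`
}
type osvAffected struct {
	Package struct{ Ecosystem, Name string } `json:"package"`
	Ranges  []osvRange                       `json:"ranges"`
}
type osvAdvisory struct {
	ID       string        `json:"id"`
	Affected []osvAffected `json:"affected"`
}

// Finding pairs a dependency with an advisory whose range covers its version.
type Finding struct {
	Dep        Dependency
	AdvisoryID string
}

// ParseLockfile lists every installed package, nested ones included, by taking
// the text after the last "node_modules/" segment as the package name.
func ParseLockfile(data []byte) ([]Dependency, error) {
	var lock packageLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var deps []Dependency
	for path, pkg := range lock.Packages {
		idx := strings.LastIndex(path, "node_modules/")
		if idx < 0 { // the root project is keyed by "" and is not a dependency
			continue
		}
		deps = append(deps, Dependency{"npm", path[idx+len("node_modules/"):], pkg.Version})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name < deps[j].Name })
	return deps, nil
}

// part returns the i-th numeric component of a split version, 0 if absent.
func part(p []string, i int) int {
	if i >= len(p) {
		return 0
	}
	n, _ := strconv.Atoi(p[i])
	return n
}

// compareSemver orders major.minor.patch versions; pre-release tags are ignored.
func compareSemver(a, b string) int {
	pa := strings.Split(strings.SplitN(a, "-", 2)[0], ".")
	pb := strings.Split(strings.SplitN(b, "-", 2)[0], ".")
	for i := 0; i < 3; i++ {
		if x, y := part(pa, i), part(pb, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// affected walks an ordered OSV event list: a version is affected once it
// reaches an "introduced" event and stops being affected at a later "fixed" one.
func affected(version string, events []osvEvent) bool {
	hit := false
	for _, ev := range events {
		if ev.Introduced != "" && compareSemver(version, ev.Introduced) >= 0 {
			hit = true
		}
		if ev.Fixed != "" && compareSemver(version, ev.Fixed) >= 0 {
			hit = false
		}
	}
	return hit
}

// MatchAdvisories joins dependencies to advisories on (ecosystem, name) and
// keeps those whose version lies inside an affected SEMVER range.
func MatchAdvisories(deps []Dependency, advisories []osvAdvisory) []Finding {
	var out []Finding
	for _, d := range deps {
		for _, adv := range advisories {
			for _, aff := range adv.Affected {
				if aff.Package.Ecosystem != d.Ecosystem || aff.Package.Name != d.Name {
					continue
				}
				for _, r := range aff.Ranges {
					if r.Type == "SEMVER" && affected(d.Version, r.Events) {
						out = append(out, Finding{d, adv.ID})
					}
				}
			}
		}
	}
	return out
}

// ScanLockfile runs both steps end to end against a local advisory set.
func ScanLockfile(lock, advisoryJSON []byte) ([]Finding, error) {
	deps, err := ParseLockfile(lock)
	if err != nil {
		return nil, err
	}
	var advisories []osvAdvisory
	if err := json.Unmarshal(advisoryJSON, &advisories); err != nil {
		return nil, err
	}
	return MatchAdvisories(deps, advisories), nil
}

// Constructed sample inputs (placeholder advisory IDs, not real ones):
// "b" is a transitive dependency pulled in by "a"; "c" is already patched.
const SampleLock = `{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/a": {"version": "1.0.0"},
  "node_modules/a/node_modules/b": {"version": "2.3.0"},
  "node_modules/c": {"version": "5.1.0"}}}`

const SampleAdvisories = `[
 {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "npm", "name": "b"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.4.0"}]}]}]},
 {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "c"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "5.0.0"}, {"fixed": "5.1.0"}]}]}]}]`

func main() {
	findings, err := ScanLockfile([]byte(SampleLock), []byte(SampleAdvisories))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s@%s affected by %s\n", f.Dep.Ecosystem, f.Dep.Name, f.Dep.Version, f.AdvisoryID)
	}
}
```

The sample reports only b@2.3.0: it sits in the [0, 2.4.0) range of EXAMPLE-0001, while c@5.1.0 equals the "fixed" version of EXAMPLE-0002 and is therefore clean. A real scanner would pull the advisory set from the OSV.dev database rather than a literal, and would handle the non-SEMVER range types and ecosystem-specific version ordering that the OSV schema allows.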

To define and explain this term in full, as detailed by sciencedirect.com, “A transitive dependency in computer science refers to a functional dependency pattern where the value of one attribute is determined by another attribute, which in turn is determined by a third attribute. This creates a chain of dependencies, similar to the transitive property in mathematics. To eliminate transitive dependencies, the relation should be divided into smaller relations, each with one of the determinants as its primary key, ensuring the relation is in third normal form.”

The OSV project has made progress since it was first introduced last year, and the OSV schema has seen adoption from vulnerability databases such as GitHub Security Advisories and Android Security Bulletins.

Flourishing ecosystems

Altogether, says Google, OSV.dev now supports 16 ecosystems, including all major language ecosystems, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel and OSS-Fuzz. This means the OSV.dev database is now the biggest open source vulnerability database of its kind, with a total of over 38,000 advisories, up from 15,000 advisories a year ago.

Developers can download OSV-Scanner by following the instructions on osv.dev.
