Finally, Google has released OSV-scanner, a free tool that gives open-source developers access to vulnerability information relevant to their projects.
With the newly launched OSV.dev service, the different open-source ecosystems and vulnerability databases can publish and consume vulnerability information in one simple, precise, machine-readable format (the OSV JSON schema).
OSV-scanner is an effort to provide a supported frontend to the OSV database (OSV.dev): it matches a project's list of dependencies against the vulnerabilities that affect them.
There are a few ways to use OSV:
So, let's get started by running OSV-scanner on your project. It finds all the dependencies in use by analyzing manifests, SBOMs, and commit hashes, then connects this information with the centralized OSV database and displays the vulnerabilities relevant to your project.
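To make the "manifest in, OSV JSON out" flow concrete, here is an added example (not code from OSV-scanner or from Google) that does by hand what the scanner automates for one manifest type: it parses a pinned `requirements.txt`, builds the request body for the OSV.dev `/v1/querybatch` endpoint, and matches the JSON results back to the packages that produced them. The manifest, the `example-lib`/`other-pkg` package names and the `EXAMPLE-2023-0001` vulnerability ID are constructed placeholders; the commit-hash query shape is included to show the other input OSV-scanner accepts. The live POST is wrapped in `query_osv` but not called, so the block runs offline.

```python
"""Build OSV.dev batch queries from a pinned requirements file and match the
JSON results back to packages. Added example, not part of OSV-scanner."""
import json
import re
import urllib.request
from typing import Dict, List

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample manifest (not from any real project).
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
example-lib==1.2.3
other-pkg==0.9.0
unpinned-pkg>=2.0   # range specifier, not an exact pin: cannot be queried by version
"""

# Only exact '==' pins can be turned into a version query.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#;]+)")


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Return [{'name', 'version'}] for every exact pin; skip comments, blanks and ranges."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append({"name": m.group(1), "version": m.group(2)})
    return pins


def build_batch_query(pins: List[Dict[str, str]], ecosystem: str = "PyPI") -> dict:
    """OSV /v1/querybatch request body: one {package, version} query per pin."""
    return {
        "queries": [
            {"package": {"name": p["name"], "ecosystem": ecosystem}, "version": p["version"]}
            for p in pins
        ]
    }


def build_commit_query(commit_sha: str) -> dict:
    """OSV /v1/query body for a git commit hash (the path used when there is no manifest)."""
    return {"commit": commit_sha}


def query_osv(body: dict) -> dict:
    """POST the batch query to OSV.dev. Network call; not exercised in the offline run."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def match_results(pins: List[Dict[str, str]], response: dict) -> List[dict]:
    """querybatch returns results in query order, so zip them back onto the pins.
    Returns one finding per package that has at least one OSV entry."""
    findings = []
    for pin, result in zip(pins, response.get("results", [])):
        ids = sorted(v["id"] for v in result.get("vulns", []))
        if ids:
            findings.append({"name": pin["name"], "version": pin["version"], "vuln_ids": ids})
    return findings


# Constructed sample response in the querybatch shape (ID is a placeholder, not a real OSV entry).
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-2023-0001", "modified": "2023-01-01T00:00:00Z"}]},
        {},  # second package: no known vulnerabilities
    ]
}

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    body = build_batch_query(pins)
    print(json.dumps(body, indent=2))
    # response = query_osv(body)  # live call against OSV.dev; SAMPLE_RESPONSE stands in offline
    for f in match_results(pins, SAMPLE_RESPONSE):
        print(f"{f['name']}=={f['version']}: {', '.join(f['vuln_ids'])}")
```

Two things the scanner handles for you are visible here: unpinned or ranged specifiers produce no query at all (a version-based lookup needs a concrete version, which is why lockfiles and SBOMs give better results than loose manifests), and the batch endpoint returns only IDs and modification times, so a real tool follows up with `/v1/vulns/{id}` to fetch summaries, severity and fixed versions.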
Links: