Google's Enhanced Vulnerability Scanner Analyzes Container Layers and Maven Projects

Wed 19th Mar, 2025

Google has launched an updated version of its open-source vulnerability scanner designed to conduct in-depth analyses of complex projects and containers. This new iteration not only supports Java projects through Maven but also outputs results in an interactive, filterable HTML format.

The latest version integrates Google's previously released command-line tool, the Open-Source Vulnerability Scanner (OSV-Scanner), with the OSV-Scalibr library, which specializes in analyzing project dependencies and repository structures. The scanner can now examine container image layers, letting users identify the specific layer in which a package was added, the base image, the commands that were executed, and the underlying operating system. It filters out vulnerabilities that are unlikely to affect the image at runtime. It supports images based on Alpine, Debian, and Ubuntu, as well as code from programming environments such as Go, Java, Node.js, and Python.

The command to initiate a scan is as follows:

osv-scanner scan image <image-name>:<tag>

Additionally, the scanner can now identify vulnerabilities across various project and container dependency formats, including Node modules, Python wheels, Java uber-jars, and Go binaries, as well as lock and manifest files like .NET deps.json, Python uv.lock, JavaScript bun.lock, and Haskell cabal.project.freeze and stack.yaml.lock.

In terms of Java and Maven support, the scanner's guided remediation, which examines dependencies declared in manifest and lock files, has been extended to Java projects via Maven's pom.xml files. The OSV-Scanner not only investigates these dependencies but also writes updates directly to local pom.xml files. An experimental command is available to automatically update all dependent packages. However, this functionality is currently non-interactive, and users are advised to create backups before proceeding. The command is:

osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml

The new HTML format for scan results offers users interactive filtering options, allowing them to sort findings by severity, container layer, or package IDs. Additionally, detailed guidance for resolving identified issues is readily accessible.
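The same severity and package filtering that the HTML report offers can be applied to the scanner's machine-readable output when gating a CI pipeline. The following Python is an added example, not code from the article or the OSV project; the field names it reads (results, source.path, packages[].package, groups[].max_severity) are assumptions about the scanner's JSON schema and should be checked against the installed version.

```python
"""Triage OSV-Scanner JSON output by severity and package (added example)."""
import json

# Constructed sample shaped like `osv-scanner scan --format json` output.
# Assumed schema (verify against your installed version):
#   results[].source.path, results[].packages[].package{name,version,ecosystem},
#   results[].packages[].groups[]{ids,max_severity}
SAMPLE_REPORT = json.dumps({"results": [{
    "source": {"path": "/app/pom.xml", "type": "lockfile"},
    "packages": [
        {"package": {"name": "com.example:widget", "version": "1.2.0",
                     "ecosystem": "Maven"},
         "groups": [{"ids": ["OSV-EXAMPLE-0001"], "max_severity": "9.8"},
                    {"ids": ["OSV-EXAMPLE-0002"], "max_severity": "5.3"}]},
        {"package": {"name": "com.example:util", "version": "0.9.1",
                     "ecosystem": "Maven"},
         "groups": [{"ids": ["OSV-EXAMPLE-0003"], "max_severity": "4.0"}]},
        {"package": {"name": "com.example:clean", "version": "3.0.0",
                     "ecosystem": "Maven"},
         "groups": []},
    ],
}]})


def parse_findings(report_text):
    """Flatten the report into one record per vulnerability group."""
    findings = []
    for result in json.loads(report_text).get("results", []):
        source = result.get("source", {}).get("path", "")
        for entry in result.get("packages", []):
            pkg = entry.get("package", {})
            for group in entry.get("groups", []):
                # max_severity can be missing or "" when no CVSS score is known;
                # treat that as 0.0 so the record is kept but never gates a build.
                raw = group.get("max_severity") or "0"
                findings.append({
                    "source": source,
                    "package": pkg.get("name"),
                    "version": pkg.get("version"),
                    "ecosystem": pkg.get("ecosystem"),
                    "ids": group.get("ids", []),
                    "severity": float(raw),
                })
    return findings


def at_or_above(findings, threshold):
    """Findings whose score meets the gate, most severe first."""
    hits = [f for f in findings if f["severity"] >= threshold]
    return sorted(hits, key=lambda f: f["severity"], reverse=True)


if __name__ == "__main__":
    for f in at_or_above(parse_findings(SAMPLE_REPORT), 7.0):
        print(f"{f['severity']:>4}  {f['package']}@{f['version']}  {','.join(f['ids'])}")
```

Pipe the real report in with `osv-scanner scan --format json ... > report.json` and feed its text to parse_findings in place of the constructed sample.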

The suite of open-source security tools from Google includes three components: OSV-Scanner, OSV-Scalibr, and OSV.dev, the latter serving as the vulnerability database from which the other tools draw metadata. Previously, the scanner and library functioned separately, but this latest release positions the scanner as the official interface for the library, albeit with some functionalities still in development, such as the secrets scan feature.

Future updates from the Google team aim to further enhance the tool's capabilities, including the ability to analyze the complete filesystem structure of container layers and support for additional formats and programming languages.
