The OSV (Open Source Vulnerabilities) initiative has launched OSV-Scanner V2.0.0, marking a significant leap in open-source vulnerability management.
This release integrates OSV-SCALIBR’s capabilities into OSV-Scanner, creating a unified tool for code and container scanning, dependency analysis, and guided remediation across diverse ecosystems.
Enhanced Dependency Extraction
The V2 release introduces expanded dependency extraction via OSV-SCALIBR integration, supporting:
- Source manifests/lockfiles: .NET (deps.json), Python (uv.lock), JavaScript (bun.lock), Haskell (cabal.project.freeze, stack.yaml.lock)
- Artifact analysis:
- Node modules
- Python wheels
- Java uber jars
- Go binaries
This broadens vulnerability detection in compiled binaries and third-party packages, which is critical for modern CI/CD pipelines.
Container Scanning Advancements
OSV-Scanner now supports layer-aware container image scanning for Debian, Ubuntu, and Alpine Linux, providing:
- Layer origin tracking for vulnerable packages
- Base image identification via deps.dev’s experimental API
- OS/distro detection (Alpine, Debian, Ubuntu)
- Language-specific artifact scanning (Go, Java, Node.js, Python)
A new filtering mechanism excludes vulnerabilities unlikely to impact specific container configurations, reducing false positives.

Interactive Reporting & Remediation
The HTML output interface revolutionizes vulnerability triage with:
| Feature | Description |
|---|---|
| Severity breakdown | Visualize CVSS scores and ecosystem impacts |
| Layer filtering | Isolate vulnerabilities by container layer |
| Full advisory display | View CVE details without external lookups |
| Base image analysis | Identify upstream risks in parent images |
For remediation, guided Maven support now complements existing npm capabilities, offering:
- Transitive dependency resolution via OSV-SCALIBR
- pom.xml modification with version overrides
- Experimental bulk dependency updates (--update-all)
- Private registry authentication support
Roadmap: 2024 Priorities
The OSV team outlined ambitious plans:
- Ecosystem expansion: Broaden language support for guided remediation and OS advisories
- Container accountability: Track every filesystem artifact, including sideloaded binaries
- Reachability analysis: Contextualize the exploit potential of reported vulnerabilities
- VEX integration: Streamline vulnerability disclosure workflows
Getting Started
Developers can immediately leverage V2.0.0 via:
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
The tool’s machine-readable output (--format json) enables seamless CI/CD integration, while the interactive HTML reporter accelerates human analysis.
This release solidifies OSV-Scanner as a cornerstone of open-source supply chain security, bridging the gap between vulnerability databases and actionable remediation.
Unifying scanning capabilities across codebases and containers empowers teams to systematically address risks from development to deployment.