BACK TO NEWS
ResearchLow

Google Launches OSV-Scanner V2: Advanced Open-Source Vulnerability Management Tool

2 min readSource: Google Security Blog
OSV-Scanner V2 HTML output interface showing container vulnerability analysis with severity filters and layer details

Google releases OSV-Scanner V2, integrating OSV-SCALIBR for enhanced dependency extraction, container scanning, and guided remediation across multiple ecosystems.

Google Open Source Security Team Unveils OSV-Scanner V2.0.0

Rex Pan and Xueqin Cui of Google's Open Source Security Team have announced the general availability of OSV-Scanner V2.0.0, a major upgrade to the open-source vulnerability management platform. This release integrates OSV-SCALIBR capabilities, expanding support for dependency extraction, container scanning, and remediation workflows across multiple ecosystems.

Key Enhancements in OSV-Scanner V2

OSV-Scanner V2 builds on the foundation established by its predecessor (launched in December 2022) and OSV-SCALIBR (open-sourced earlier this year), delivering a unified tool for vulnerability detection and remediation. The update introduces three core advancements:

1. Enhanced Dependency Extraction with OSV-SCALIBR

OSV-Scanner now serves as the official CLI for the OSV-SCALIBR library, extending support for:

  • Source manifests and lockfiles:
    • .NET (deps.json)
    • Python (uv.lock)
    • JavaScript (bun.lock)
    • Haskell (cabal.project.freeze, stack.yaml.lock)
  • Artifacts:
    • Node modules, Python wheels, Java uber JARs, and Go binaries

2. Layer-Aware Container Scanning

The tool now provides comprehensive, layer-aware scanning for Debian, Ubuntu, and Alpine container images, offering:

  • Identification of layers where packages were introduced
  • Layer history and command tracking
  • Base image detection (via deps.dev API)
  • OS/distro fingerprinting
  • Filtering of non-impactful vulnerabilities

Supported ecosystems:

  • Distros: Alpine, Debian, Ubuntu
  • Languages: Go, Java, Node.js, Python

3. Interactive HTML Output and Guided Remediation

  • HTML reports now include:
    • Severity breakdowns and filtering
    • Package/ID-based vulnerability isolation
    • Layer-specific insights for containers
  • Guided remediation (previously available for npm) now supports Maven pom.xml, enabling:
    • Direct and transitive dependency updates
    • Dependency management overrides
    • Private registry integration
    • Machine-readable output for workflow automation

Roadmap and Future Developments

Google outlined several upcoming initiatives:

  • OSV-SCALIBR convergence: Full integration of OSV-SCALIBR features into OSV-Scanner’s CLI
  • Expanded ecosystem support: Additional languages for guided remediation and broader lockfile compatibility
  • Full filesystem accountability: Tracking of sideloaded binaries in container images
  • Reachability analysis: Deeper vulnerability impact assessment
  • VEX support: Adoption of Vulnerability Exchange (VEX) standards for improved collaboration

Getting Started

OSV-Scanner V2 is available for download via GitHub. The tool remains part of Google’s broader open-source security ecosystem, which includes the OSV.dev vulnerability database.

For security teams, the update addresses longstanding challenges in container security and transitive dependency management, while the HTML output format improves actionability for developers and auditors alike.

Share

TwitterLinkedIn