Google has introduced OSV-SCALIBR, an open-source software composition analysis (SCA) library designed to assist with software inventory management and vulnerability detection. This library, built using the Go programming language, acts as an extensible file system scanner capable of extracting key data on software components. OSV-SCALIBR can be deployed as a standalone binary or integrated into Go projects as a library. It supports SCA for various software formats including packages, binaries, and source code, with compatibility across Linux, Windows, and macOS.
One of the tool’s standout features is its ability to scan artifacts and lockfiles in multiple programming languages. Additionally, it provides vulnerability scanning capabilities and can generate software bills of materials (SBOMs) in SPDX and CycloneDX formats. Google reports that OSV-SCALIBR is now central to their internal operations, used extensively across their products and tools to generate SBOMs, identify vulnerabilities, and ensure data protection at scale. The library’s integration into Google’s existing systems reflects its ability to handle large-scale software security needs effectively.
The library’s functionality is divided into plugins that manage software extraction and vulnerability detection. The standalone binary automatically runs a set of internal plugins, and users can enable these plugins by importing them when using the library within Go projects. Custom plugins can also be created to suit specific scanning needs, offering flexibility and adaptability to users. As Google continues to expand OSV-SCALIBR’s capabilities, it is working towards deeper integration with OSV-Scanner, its vulnerability scanner for open-source dependencies.
Google plans to incorporate additional features into OSV-SCALIBR over the coming months, including installed package extraction, SBOM generation, and weak credentials scanning. OSV-Scanner, which was released in 2022, will serve as the primary interface for users who prefer a CLI tool, with future updates enabling the use of OSV-SCALIBR functionalities. Google assures existing users of OSV-Scanner that backward compatibility will be maintained, ensuring a seamless transition as new features are added to both the scanner and the OSV-SCALIBR library.
