Using OSV-Scanner to find existing vulnerabilities affecting your Rails application dependencies
Recently, Google released the open source vulnerability scanner OSV-Scanner. OSV-Scanner is the officially supported front-end tool for the open source OSV database. It is written in Go and designed to scan open source applications and assess the security of the dependencies they pull in.
You can use OSV-Scanner to find vulnerabilities in Rails application dependencies, including Gemfile.lock, package-lock.json, yarn.lock and similar lock files, the latest commit in .git directories, and Debian-based Docker images.
There are several ways to install OSV-Scanner.
The latest release binary can be downloaded from Releases · google/osv-scanner - https://github.com/google/osv-scanner/releases .
Or install it via a package manager: Scoop on Windows, or Homebrew.
For more information on Scoop, see Scoop - https://scoop.sh/.
For more information on Homebrew, see The Missing Package Manager for macOS (or Linux) — Homebrew - https://brew.sh/.
Alternatively, you can install from source by running:
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
This requires Go 1.18+.
OSV-Scanner collects the list of dependencies and versions used in a project, then matches that list against the OSV database via the OSV.dev API. You can have OSV-Scanner scan your application directory, read a dependency lock file, scan Debian-based Docker images (preview feature), or scan SBOM (software bill of materials) files.
Scanning a directory walks the directory tree looking for:
Dependency lock files (such as Gemfile.lock, package-lock.json, yarn.lock, etc.)
SBOM (software bill of materials) files
The latest commit of any .git directory
It can be configured to recurse into subdirectories with the --recursive / -r flag:
osv-scanner -r .
Scanning a lock file
Lock files are parsed by the tool's lockfile package, which supports a wide range of formats (the list of currently supported lock files is given in the project's documentation).
Scanning Debian-based Docker images (Preview)
The tool extracts the list of packages installed in a Debian image and queries OSV for vulnerabilities affecting them.
Currently only Debian-based Docker images are supported.
This requires Docker to be installed and the tool to have permission to invoke it.
Filesystems of Docker containers are not currently scanned, and there are various other limitations. Follow this issue - https://github.com/google/osv-scanner/issues/64 for updates on container scanning.
osv-scanner --docker image_name:latest
image_name is your Debian-based Rails application image.
To configure scanning, place an osv-scanner.toml file in the directory being scanned. To override this file, pass the
Currently, there is only one configuration option:
To ignore a vulnerability, enter its ID under the IgnoreVulns key. Optionally, add an expiration date or a reason.
By default, osv-scanner prints a human-readable table. To get JSON output instead, pass the --json flag when calling osv-scanner.
With --json, only the JSON output is written to stdout; all other output goes to stderr. So, to save just the JSON to a file, redirect stdout:
osv-scanner --json ... > /path/to/file.json
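One way to act on that JSON file in a Rails project's CI, as an added example that is not part of the original post or of the OSV-Scanner project. It assumes the v1 report layout (results -> packages -> vulnerabilities, with source.path and package name/version/ecosystem) and uses a constructed sample report with placeholder advisory IDs.

```ruby
# Added example, not part of OSV-Scanner or the original post: consume an
# `osv-scanner --json` report and produce a pass/fail decision for CI.
# Assumption: the v1 report layout is results[] -> packages[] -> vulnerabilities[]
# with source.path and package.{name,version,ecosystem}; verify against your version.
require 'json'

# Constructed sample report for a Rails app; advisory IDs are placeholders.
SAMPLE_REPORT = <<~JSON
  {"results": [
    {"source": {"path": "/app/Gemfile.lock", "type": "lockfile"},
     "packages": [
       {"package": {"name": "rails", "version": "6.1.4", "ecosystem": "RubyGems"},
        "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-0001", "aliases": ["CVE-0000-00001"]},
                            {"id": "GHSA-PLACEHOLDER-0002", "aliases": []}]},
       {"package": {"name": "rake", "version": "13.0.6", "ecosystem": "RubyGems"},
        "vulnerabilities": []}]},
    {"source": {"path": "/app/yarn.lock", "type": "lockfile"},
     "packages": [
       {"package": {"name": "lodash", "version": "4.17.15", "ecosystem": "npm"},
        "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-0003", "aliases": ["CVE-0000-00003"]}]}]}]}
JSON

# Flatten the nested report into one row per (lock file, package, advisory).
def osv_findings(report_json)
  JSON.parse(report_json).fetch('results', []).flat_map do |result|
    lockfile = result.dig('source', 'path')
    result.fetch('packages', []).flat_map do |entry|
      pkg = entry.fetch('package', {})
      entry.fetch('vulnerabilities', []).map do |vuln|
        { lockfile: lockfile, ecosystem: pkg['ecosystem'], name: pkg['name'],
          version: pkg['version'], id: vuln['id'], aliases: vuln.fetch('aliases', []) }
      end
    end
  end
end

# Status a CI step should exit with: 0 when no advisories were reported, 1 otherwise.
# Vulnerabilities listed under IgnoreVulns in osv-scanner.toml never reach this report.
def osv_exit_status(report_json)
  osv_findings(report_json).empty? ? 0 : 1
end

# Stand-alone run: in CI you would read the file written by
# `osv-scanner --json -r . > report.json` instead of SAMPLE_REPORT.
osv_findings(SAMPLE_REPORT).each do |f|
  puts "#{f[:lockfile]}: #{f[:ecosystem]}/#{f[:name]}@#{f[:version]} -> #{f[:id]}"
end
puts "CI exit status: #{osv_exit_status(SAMPLE_REPORT)}"
```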