Google Online Security Blog

OSV-SCALIBR: A library for Software Composition Analysis

Google has released OSV-SCALIBR, an extensible library for software composition analysis (SCA) and file system scanning. The library packages Google's internal vulnerability management expertise and adds significant new capabilities: SCA for installed packages, standalone binaries, and source code; OS package scanning on Linux, Windows, and macOS; and artifact and lockfile scanning in the major language ecosystems. OSV-SCALIBR can generate SBOMs in SPDX and CycloneDX formats and is optimized for on-host scanning of resource-constrained environments.

OSV-SCALIBR is now the primary SCA engine used within Google for live hosts, code repositories, and containers. It has been used and tested extensively across many products and internal tools to generate SBOMs, find vulnerabilities, and protect user data.

The library is offered primarily as an open-source Go library, with its capabilities modularized into plugins for software extraction and for vulnerability detection. Developers can use it to generate SBOMs from build artifacts and code repositories on live hosts, to produce an SBOM for a git repository or a remote container, and to find vulnerabilities on a filesystem or in a remote container.

Google is integrating OSV-SCALIBR more deeply into OSV-Scanner, which will expose more of OSV-SCALIBR's capabilities over the next few months. OSV-Scanner will become the primary frontend to the OSV-SCALIBR library for users who need a CLI; existing OSV-Scanner users can keep using the tool, with backwards compatibility maintained for all existing use cases. Google is also working on additional capabilities, including support for more OS and language ecosystems, layer attribution, and reachability analysis.
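To make the extraction/detection plugin split and the SBOM output described above concrete, the following is an added illustrative Go program written for this page; it is not OSV-SCALIBR's own code and the `Extractor`, `Detector`, `Scan` and `CycloneDX` names and signatures are assumptions chosen for the sketch, not the library's real API. It walks a constructed in-memory filesystem, runs a lockfile extractor (pinned `requirements.txt` lines), runs a detector against a constructed advisory table whose ID is a placeholder rather than a real OSV record, and renders the inventory as a minimal CycloneDX JSON BOM with package URLs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Inventory is one package found under the scan root; Finding is an advisory matched to it.
type Inventory struct{ Ecosystem, Name, Version string }
type Finding struct {
	ID  string
	Pkg Inventory
}

// Extractor plugins turn the files they claim into inventory; Detector plugins inspect the
// collected inventory. These are illustrative interfaces (assumptions), not SCALIBR's own API.
type Extractor interface {
	FileRequired(path string) bool
	Extract(path string, data []byte) []Inventory
}
type Detector interface{ Detect(inv []Inventory) []Finding }

// requirementsExtractor parses pip requirements.txt lines pinned as name==version.
type requirementsExtractor struct{}

func (requirementsExtractor) FileRequired(p string) bool { return strings.HasSuffix(p, "requirements.txt") }
func (requirementsExtractor) Extract(_ string, data []byte) []Inventory {
	var out []Inventory
	for _, line := range strings.Split(string(data), "\n") {
		line = strings.TrimSpace(line)
		if name, ver, ok := strings.Cut(line, "=="); ok && !strings.HasPrefix(line, "#") {
			// unpinned lines (>=, ~=, bare names) are skipped: there is no exact version to report
			out = append(out, Inventory{"PyPI", strings.ToLower(strings.TrimSpace(name)), strings.TrimSpace(ver)})
		}
	}
	return out
}

// advisoryDetector looks each package up in a table keyed "Ecosystem/name@version".
type advisoryDetector struct{ advisories map[string]string }

func (d advisoryDetector) Detect(inv []Inventory) []Finding {
	var out []Finding
	for _, p := range inv {
		if id, ok := d.advisories[p.Ecosystem+"/"+p.Name+"@"+p.Version]; ok {
			out = append(out, Finding{ID: id, Pkg: p})
		}
	}
	return out
}

// Scan walks fsys, runs each extractor on the files it claims, then each detector on the result.
func Scan(fsys fs.FS, exts []Extractor, dets []Detector) ([]Inventory, []Finding, error) {
	var inv []Inventory
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		for _, e := range exts {
			if e.FileRequired(path) {
				data, err := fs.ReadFile(fsys, path)
				if err != nil {
					return err
				}
				inv = append(inv, e.Extract(path, data)...)
			}
		}
		return nil
	})
	var findings []Finding
	for _, d := range dets {
		findings = append(findings, d.Detect(inv)...)
	}
	return inv, findings, err
}

// CycloneDX renders the inventory as a minimal CycloneDX 1.5 JSON BOM with package URLs.
func CycloneDX(inv []Inventory) ([]byte, error) {
	type component struct {
		Type    string `json:"type"`
		Name    string `json:"name"`
		Version string `json:"version"`
		PURL    string `json:"purl"`
	}
	var comps []component
	for _, p := range inv {
		comps = append(comps, component{"library", p.Name, p.Version,
			"pkg:" + strings.ToLower(p.Ecosystem) + "/" + p.Name + "@" + p.Version})
	}
	return json.MarshalIndent(map[string]any{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": comps}, "", "  ")
}

// Constructed sample data: the advisory ID is a placeholder for this example, not a real OSV record.
var SampleAdvisories = map[string]string{"PyPI/requests@2.25.1": "SAMPLE-0001"}
var SampleFS = fstest.MapFS{
	"app/requirements.txt": {Data: []byte("# pinned deps\nrequests==2.25.1\nFlask==2.0.3\nurllib3>=1.26\n")},
	"app/main.py":          {Data: []byte("print('hi')\n")},
}

func main() {
	inv, findings, err := Scan(SampleFS, []Extractor{requirementsExtractor{}}, []Detector{advisoryDetector{SampleAdvisories}})
	if err != nil {
		panic(err)
	}
	bom, _ := CycloneDX(inv)
	fmt.Println(string(bom), findings)
}
```

Because the scan root is an `fs.FS`, the same pipeline can be pointed at a real directory with `os.DirFS` or at an unpacked container layer without changing the plugins; the detector is deliberately kept separate from extraction so that an inventory can be produced once and matched against whatever advisory source is available.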
security.googleblog.com