Google has officially launched OSV-Scanner V2.0.0, a major upgrade to its open-source vulnerability scanning tool.
Released on March 17, 2025, this new version represents a significant evolution in helping developers identify and fix security vulnerabilities in their software dependencies.
The V2 release builds upon the foundation laid with OSV-SCALIBR and introduces substantial new features that transform OSV-Scanner into a comprehensive vulnerability detection and remediation platform.
Originally launched in December 2022, OSV-Scanner has become an essential tool for open-source security, providing developers with easy access to vulnerability information relevant to their projects.
“This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems,” notes the Google Open Source Security Team.
Key Innovations in V2
The most notable advancements in OSV-Scanner V2 include:
Enhanced Dependency Extraction with OSV-SCALIBR:
The release is the first major integration of OSV-SCALIBR features into OSV-Scanner, and it expands the set of dependency formats and artifacts the scanner can extract.
New supported formats include:
- .NET: deps.json
- Python: uv.lock
- JavaScript: bun.lock
- Haskell: cabal.project.freeze, stack.yaml.lock
- Multiple artifacts including Node modules, Python wheels, Java uber jars, and Go binaries
Layer-Aware Container Scanning
OSV-Scanner V2 introduces comprehensive scanning for Debian, Ubuntu, and Alpine container images. The scan reports layer analysis showing which layer introduced each package, the layer history, the identified base image, and vulnerability filtering specific to container environments.
Interactive HTML Output
The new HTML report format provides enhanced visualization capabilities, including severity breakdown, filtering options, and detailed vulnerability information.
For container images, the report adds layer filtering and base image identification, which are enabled from the command line. This makes vulnerability information more accessible and actionable.
Guided Remediation for Maven: Building on the guided remediation feature for npm packages, V2 extends this capability to Java through Maven pom.xml support. Developers can remediate direct and transitive dependency vulnerabilities either through direct version updates or through dependency management overrides.
While incorporating numerous improvements, OSV-Scanner V2 includes breaking changes aimed at future-proofing the tool. The release includes a comprehensive migration guide to ensure a smooth upgrade process for existing users.
Some notable changes include guided remediation defaulting to non-interactive mode, experimental flags being removed, and merged license flags.
The OSV-Scanner tool provides significant benefits compared to closed-source alternatives.
As an open-source, distributed vulnerability database, OSV offers high-quality advisories that can be improved by community contributions, resulting in precise, machine-readable vulnerability information that maps accurately to package dependencies.
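Because the scanner's findings are machine-readable, they can gate a build instead of only being read by a human. The following is an added example written for this article, not code from Google or the OSV-Scanner project. It assumes the scanner was run with the real `--format json` and `--output` flags (for example `osv-scanner scan source -r . --format json --output osv.json`), that the report follows the nested `results` / `packages` / `vulnerabilities` layout reproduced from memory below (treat the field names as an assumption), and that the team keeps a small allowlist of vulnerability IDs it has reviewed and accepted. The sample report embedded in the block is constructed; its package names and IDs are placeholders.

```python
"""Gate a CI job on OSV-Scanner JSON output (added example; field layout assumed)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape I understand `osv-scanner --format json` to emit.
# Package names and vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = {
    "results": [
        {
            "source": {"path": "/app/package-lock.json", "type": "lockfile"},
            "packages": [
                {
                    "package": {"name": "example-web-lib", "version": "1.2.3", "ecosystem": "npm"},
                    "vulnerabilities": [
                        {"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-EXAMPLE-0001"], "summary": "constructed"},
                        {"id": "OSV-EXAMPLE-0002", "aliases": [], "summary": "constructed"},
                    ],
                },
                {
                    "package": {"name": "example-clean-lib", "version": "2.0.0", "ecosystem": "npm"},
                    "vulnerabilities": [],
                },
            ],
        },
        {
            "source": {"path": "/app/pom.xml", "type": "lockfile"},
            "packages": [
                {
                    "package": {"name": "org.example:example-core", "version": "3.1.0", "ecosystem": "Maven"},
                    "vulnerabilities": [
                        {"id": "OSV-EXAMPLE-0003", "aliases": [], "summary": "constructed"},
                    ],
                }
            ],
        },
    ]
}


def extract_findings(report):
    """Flatten the nested report into one record per (package, vulnerability) pair.

    Every lookup uses .get() so a report with an unexpected shape degrades to
    zero findings rather than crashing the CI step with a KeyError.
    """
    rows = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for entry in result.get("packages", []):
            pkg = entry.get("package", {})
            for vuln in entry.get("vulnerabilities", []):
                rows.append({
                    "source": source,
                    "ecosystem": pkg.get("ecosystem", "?"),
                    "name": pkg.get("name", "?"),
                    "version": pkg.get("version", "?"),
                    "id": vuln.get("id", "?"),
                    "aliases": list(vuln.get("aliases", [])),
                })
    return rows


def count_by_ecosystem(rows):
    """Number of findings per ecosystem, useful for a one-line summary."""
    return Counter(r["ecosystem"] for r in rows)


def blocking_findings(rows, allowlist):
    """Findings not covered by the allowlist.

    An allowlist entry may name either the OSV id or any alias (e.g. a CVE id),
    so a reviewed CVE still matches when the scanner reports it under a GHSA id.
    """
    allowed = set(allowlist)
    return [r for r in rows if r["id"] not in allowed and allowed.isdisjoint(r["aliases"])]


def gate(report, allowlist=()):
    """Return (passed, blocking_rows); passed is True only when nothing blocks."""
    blocking = blocking_findings(extract_findings(report), allowlist)
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    # Usage: python gate.py osv.json [ALLOWED_ID ...]; with no file, the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
        allow = sys.argv[2:]
    else:
        report, allow = SAMPLE_REPORT, ["OSV-EXAMPLE-0002"]
    passed, blocking = gate(report, allow)
    for r in blocking:
        print(f"{r['source']}: {r['ecosystem']}/{r['name']}@{r['version']} -> {r['id']}")
    print("OK" if passed else f"FAIL: {len(blocking)} blocking finding(s)")
    sys.exit(0 if passed else 1)
```

Matching allowlist entries against aliases as well as the primary ID matters in practice: the same defect is often tracked under several identifiers, and a review decision recorded against one of them should not silently stop applying when the scanner starts reporting a different alias.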
Developers across various programming languages can now utilize OSV-Scanner V2 to enhance their security posture and efficiently manage vulnerability remediation in their open-source dependencies.
OSV-Scanner is available for immediate download from the official GitHub repository.