OSV Scanner


Furkan Sayım

Oct 30, 2023, 11:26:39 AM
to osv-discuss
Hello,

I have just discovered the OSV project and I would like to thank everyone who helped develop it.

I have two questions.
- I checked the OSV.DEV list and there are few packages that contain malware. However, in the "GitHub Advisory Database" the number is quite high. When I scan my project with OSV, will it detect if the package with malware is not in the OSV.DEV list but in the "Github Advisory Database"?
- How can I use OSV to detect only packages that contain malware?

Rex Pan

Oct 30, 2023, 11:00:00 PM
to Furkan Sayım, osv-discuss
Hello!

Thanks for your interest!

> - I checked the OSV.DEV list and there are few packages that contain malware. However, in the "GitHub Advisory Database" the number is quite high. 

We pull the malware data from the GitHub Advisory Database, so it should cover all of the entries from the GA database. Currently there are over 15000 advisories for malicious packages.

> When I scan my project with OSV, will it detect if the package with malware is not in the OSV.DEV list but in the "Github Advisory Database"?

OSV-Scanner will only show results from the OSV.dev list, but that list should contain all of the GA database so you are not missing anything.

> - How can I use OSV to detect only packages that contain malware?

This is not currently an option, but could be implemented in the future. I created this issue to track this feature request: https://github.com/google/osv-scanner/issues/623.
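Until a malware-only mode exists, one workaround is to post-process the scanner's JSON output. The script below is an added example, not code from this thread or from the OSV project; it assumes the `--format json` output shape (results, then packages, then vulnerabilities) and uses a heuristic that is an assumption, not an OSV API: an advisory counts as a malicious-package report if its id or an alias carries the `MAL-` prefix, or if its summary uses the "Malicious code in ..." wording. The sample scan output is constructed for the example.

```python
import json
from typing import Any

# Constructed sample in the shape of `osv-scanner --format json` output
# (results -> packages -> vulnerabilities). The ids, aliases and summaries
# below are made up for this example and are not real advisories.
SAMPLE_SCAN_OUTPUT = json.dumps({
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {"package": {"name": "example-typo-pkg", "version": "1.0.2", "ecosystem": "npm"},
             "vulnerabilities": [{"id": "MAL-0000-00001", "aliases": ["GHSA-xxxx-xxxx-xxx1"],
                                  "summary": "Malicious code in example-typo-pkg (npm)"}]},
            {"package": {"name": "example-lib", "version": "2.3.0", "ecosystem": "npm"},
             "vulnerabilities": [{"id": "GHSA-xxxx-xxxx-xxx2", "aliases": ["CVE-0000-00001"],
                                  "summary": "Prototype pollution in example-lib"}]},
        ],
    }]
})


def is_malware_advisory(vuln: dict[str, Any]) -> bool:
    """Heuristic (an assumption, not an OSV API): treat the advisory as a
    malicious-package report if it or one of its aliases has the MAL- id
    prefix, or if its summary starts with 'Malicious code in'."""
    ids = [vuln.get("id", "")] + list(vuln.get("aliases", []))
    if any(i.startswith("MAL-") for i in ids):
        return True
    return vuln.get("summary", "").lower().startswith("malicious code in")


def malicious_packages(scan_json: str) -> list[dict[str, Any]]:
    """Return only the scanned packages that carry at least one malware advisory."""
    hits = []
    for result in json.loads(scan_json).get("results", []):
        for pkg in result.get("packages", []):
            mal = [v for v in pkg.get("vulnerabilities", []) if is_malware_advisory(v)]
            if mal:
                info = pkg["package"]
                hits.append({"ecosystem": info["ecosystem"], "name": info["name"],
                             "version": info["version"],
                             "advisories": [v["id"] for v in mal]})
    return hits


if __name__ == "__main__":
    # In practice, feed the file written by `osv-scanner --format json` instead.
    for hit in malicious_packages(SAMPLE_SCAN_OUTPUT):
        print(hit)
```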
