In the ever-evolving landscape of cybersecurity, contributing to open source projects can lead to partnership and collaboration. Ackama partnered with Google to significantly improve the Open Source Vulnerabilities (OSV) Scanner, a critical developer tool in the fight against software vulnerabilities.

Security in the Open Source Ecosystem

Our OSV-Scanner project in partnership with Google began in December 2022 and aimed to create a universal tool for identifying security vulnerabilities in open-source projects. With over 38,000 advisories in the OSV database, including hundreds of critical vulnerabilities, the need for an efficient, versatile scanner was paramount.

The primary challenge was to develop a scanner that could function offline for use in restricted environments, operate within containerised applications, possess a robust integration test suite, and adapt to the formats used by various technology stacks. The goal was to create a tool that could be deployed across any technology stack to help developers identify the security vulnerabilities relevant to their projects.

From In-House Innovation to Global Collaboration

Ackama’s involvement in this project didn’t begin with Google. It started with an internal challenge: managing the influx of security vulnerability alerts across multiple programming languages and ecosystems for our teams and their many projects. To help with this, Ackama developed a bespoke internal app called bundle-auditor, which ran daily scans of production codebases for known vulnerabilities in their dependencies. Initially built around the “bundler-audit” gem for Ruby apps, the auditor was expanded to support the PHP, Python, and NPM ecosystems using the native tooling for each. GitHub’s open-sourcing of its advisory database presented an opportunity to replace these multiple tools with a single, unified scanner, leading to the exploration of the OSV spec and database. This work significantly reduces the manual effort required to manage security alerts, allowing timely identification and prioritisation of critical vulnerabilities across diverse development environments.

Ackama’s company culture is one that provides the freedom and flexibility for staff to work on their own projects of interest during ‘investment time’, and it’s a culture that retains top talent and gives that talent space to thrive and innovate. The company’s CodeCare team, co-led by technologist Gareth Jones, spearheaded the expansion of the in-house bundle-auditor.

“We grew the bundle-auditor from just Ruby to multiple languages, saving us time but generating more friction due to inconsistencies in the tools we were using for each ecosystem. When GitHub open-sourced their advisory database, we saw this as a good opportunity to experiment and see further existing solutions that were in the databases,” explains Gareth Jones, Ackama’s Head of Operations.

This internal tool caught the attention of the open-source community, particularly on GitHub, where Ackama’s team regularly contributed. These contributions eventually led to the Google OSV team reaching out to request collaboration, paving the way for Ackama and Google to partner on the required customisation to the open-source tool.

The Collaboration in Advancing OSV-Scanner

Recognising the parallels between their goals and Ackama’s expertise, Google engaged Ackama to advance the OSV-Scanner. The collaboration focused on four key areas:

  1. Offline Functionality: Ackama developed the capability for OSV-Scanner to work offline, improving its usability in various environments, including those with restricted internet access.
  2. Container Compatibility: The team developed a prototype for the scanner to work efficiently inside containers, which, when implemented by another open-source contributor, significantly expanded its deployment options and aligned it with modern DevOps practices.
  3. Improved Testing: Ackama improved and extended the integration test suite, ensuring the scanner’s reliability across different scenarios and use cases.
  4. Ongoing Support: Beyond initial development, Ackama committed to providing ongoing maintenance and support services, ensuring the tool’s continued evolution and effectiveness against emerging threats.

Levelling Up the Secure Open Source Landscape

The collaboration between Ackama and Google has generated significant improvements to the OSV-Scanner:

  • Increased Security: The refined scanner now provides developers with more reliable and actionable vulnerability information, reducing security risks in open-source projects.
  • Operational Efficiency: The new offline and containerised functionalities have made the scanner more versatile and accessible, fitting appropriately into various development environments.
  • Advanced Testing: A more robust integration test suite keeps the scanner’s behaviour consistent and trustworthy, contributing to overall project security.

Ackama’s Head of Operations speaks to the project’s impact: “We are excited to be able to make significant contributions and collaborate with Google in furthering the OSV-Scanner development. As long-time specialists in cloud platforms, open-source software, and as accredited suppliers to the New Zealand and Australian Governments, Ackama is invested in top-level security practices.”

This collaboration aligns with broader industry trends and government mandates, such as the 2021 U.S. Executive Order for Cybersecurity, which emphasises the importance of automated security tools in software development.

A Model for Future Collaborations

The partnership between Ackama and Google on the OSV-Scanner project demonstrates the power of combining specialised expertise with large-scale initiatives. It showcases how internal innovation, when shared with the broader community, can lead to significant advancements in technology and security.

As open-source software continues to play a crucial role in the technology ecosystem, collaborations like this one between Ackama and Google set a precedent for how companies can work together to create more secure, efficient, and universal tools for the benefit of the entire developer community.

As the collaboration continues to evolve in frontend design updates and CodeCare maintenance, it promises to further advance and expand the capabilities of the OSV-Scanner, contributing to a more secure digital future.