OSV Vulnerability Check is a Visual Studio Code extension that automatically checks your project's dependencies for known vulnerabilities. It uses the OSV API to look up vulnerability data for the packages declared in package.json, requirements.txt, and pom.xml files, and reports what it finds directly in the editor with highlights and diagnostics.
Features
Automatic Vulnerability Scanning:
The extension scans your project's dependencies for vulnerabilities when you open a file, save a file, or load the project.
Project-wide Vulnerability Scan:
Scans your entire project at the time of extension activation to catch any vulnerabilities in dependencies across the project.
Visual Feedback with Decorations:
Highlights vulnerable dependencies directly in your code with a color-coded background.
Detailed Diagnostics:
Displays detailed diagnostics in the Problems tab for each vulnerable package, including affected versions and suggested fixes.
Customizable Scan Triggers:
You can configure whether scans run on file save or file open, giving you control over when dependencies are checked.
Supported File Types:
Scans the following files for vulnerabilities:
package.json (Node.js/NPM)
requirements.txt (Python)
pom.xml (Maven)
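The manifests listed above have to be turned into exact package/version pairs before OSV can be asked about them. The following is an added example, not code from the extension, showing one way to do that for all three formats and to build a single OSV batch request from the result. It assumes the OSV ecosystem names "npm", "PyPI" and "Maven", Maven packages named "groupId:artifactId", and the request shape of POST https://api.osv.dev/v1/querybatch. The sample manifests are constructed for the example. The practical caveat it makes visible: a package.json range such as "^4.17.15" or an unpinned requirements.txt line is not an installed version, so only exact pins can be queried with confidence, and a lockfile is the authoritative source for what is actually installed.

```javascript
// Added example (not the extension's own code): parse the three manifest
// formats the README lists into queries for the OSV batch endpoint.
// Assumptions: OSV ecosystem names "npm", "PyPI", "Maven"; Maven packages
// named "groupId:artifactId"; request shape of POST /v1/querybatch.
const OSV_QUERYBATCH_URL = 'https://api.osv.dev/v1/querybatch';

// package.json: "^4.17.15" is a range, not the installed version. We query the
// lower bound and record whether the spec was an exact pin; package-lock.json
// is the authoritative source for what is actually installed.
function npmQueries(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, rawSpec] of Object.entries(manifest[field] || {})) {
      const spec = String(rawSpec).trim();
      const m = /^(?:[\^~=v]|>=)?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$/.exec(spec);
      const exact = !!m && /^[=v]?\d/.test(spec);
      out.push({ ecosystem: 'npm', name, spec, version: m ? m[1] : null, exact });
    }
  }
  return out;
}

// requirements.txt: only "==" pins an exact version. Comments, blank lines and
// options (-r, -e, --index-url) are skipped. Names are normalised per PEP 503
// (lowercase, runs of -_. collapsed to "-"); that OSV accepts this form is an
// assumption of this example.
function pipQueries(requirementsText) {
  const out = [];
  for (const raw of requirementsText.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line || line.startsWith('-')) continue;
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:(===?|>=|<=|~=|!=|>|<)\s*([^\s;,]+))?/.exec(line);
    if (!m) continue; // URLs and local paths are out of scope here
    const name = m[1].toLowerCase().replace(/[-_.]+/g, '-');
    const exact = m[2] === '==';
    out.push({ ecosystem: 'PyPI', name, spec: line, version: exact ? m[3] : null, exact });
  }
  return out;
}

// pom.xml: a minimal regex walk (core Node has no XML parser). Versions given
// as ${property} are resolved against <properties>; versions that are absent
// (managed by a parent POM or BOM) or unresolved are reported as unpinned.
function mavenQueries(pomText) {
  const props = {};
  const propsBlock = /<properties>([\s\S]*?)<\/properties>/.exec(pomText);
  if (propsBlock) {
    for (const p of propsBlock[1].matchAll(/<([A-Za-z0-9._-]+)>([^<]*)<\/\1>/g)) props[p[1]] = p[2].trim();
  }
  const tag = (block, t) => {
    const m = new RegExp(`<${t}>\\s*([^<]*?)\\s*</${t}>`).exec(block);
    return m && m[1] ? m[1] : null;
  };
  const out = [];
  for (const d of pomText.matchAll(/<dependency>([\s\S]*?)<\/dependency>/g)) {
    const groupId = tag(d[1], 'groupId');
    const artifactId = tag(d[1], 'artifactId');
    if (!groupId || !artifactId) continue;
    const rawVersion = tag(d[1], 'version');
    let version = rawVersion;
    const prop = version && /^\$\{([^}]+)\}$/.exec(version);
    if (prop) version = props[prop[1]] || null;
    out.push({ ecosystem: 'Maven', name: `${groupId}:${artifactId}`, spec: rawVersion || 'no version element', version, exact: version !== null });
  }
  return out;
}

// One request for the whole project. OSV answers with results[i] for
// queries[i], so the pinned entries are kept to map answers back to files.
function buildQueryBatch(entries) {
  const pinned = entries.filter((e) => e.version !== null);
  return {
    url: OSV_QUERYBATCH_URL,
    entries: pinned,
    body: { queries: pinned.map((e) => ({ package: { name: e.name, ecosystem: e.ecosystem }, version: e.version })) },
    unpinned: entries.filter((e) => e.version === null).map((e) => `${e.ecosystem}:${e.name} (${e.spec})`),
  };
}

// Constructed sample manifests for this example (not real project files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { lodash: '^4.17.15', express: '4.18.2' },
  devDependencies: { jest: '*' },
});
const SAMPLE_REQUIREMENTS = [
  '# pinned and unpinned entries',
  '-r base.txt',
  'requests==2.31.0',
  'Django>=4.2',
  'PyYAML[extras]==6.0 ; python_version >= "3.8"',
].join('\n');
const SAMPLE_POM = `<project>
  <properties><jackson.version>2.15.2</jackson.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>\${jackson.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId><version>1.10.0</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
  </dependencies>
</project>`;

function scanSampleProject() {
  return buildQueryBatch([
    ...npmQueries(SAMPLE_PACKAGE_JSON),
    ...pipQueries(SAMPLE_REQUIREMENTS),
    ...mavenQueries(SAMPLE_POM),
  ]);
}

const sampleBatch = scanSampleProject();
console.log(JSON.stringify(sampleBatch.body, null, 2));
console.log('unpinned (not queried):', sampleBatch.unpinned);
```

The body is posted as JSON to the URL in the returned object. The batch response lists, for each query in order, only the matching vulnerability IDs and their modification times; the summary, fixed version and references shown on hover have to be fetched per ID from the OSV vulnerability endpoint. Entries in `unpinned` are the ones a scanner cannot query honestly from the manifest alone and should be resolved from a lockfile or a dependency tree instead.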
Usage
Scanning Dependencies
Once installed and activated, the extension automatically scans your project's dependencies for known vulnerabilities. A scan is triggered by the following events:
On Project Load: The extension scans all relevant files in the project when it is first activated.
On File Open: When you open a supported file (package.json, requirements.txt, pom.xml), the extension scans that file and highlights vulnerabilities.
On File Save: When you save a file, the extension rescans it to ensure vulnerabilities are up-to-date and provides diagnostics.
Viewing Vulnerabilities
Decorations: Vulnerable dependencies are highlighted in the editor with background colors (e.g., yellow or orange). Hover over the highlighted code to see details of the vulnerability, including the affected package, its vulnerability ID, and recommended fixes.
Diagnostics: The same vulnerabilities are listed in the Problems tab, showing the file, line, and details of the affected packages along with suggestions for upgrading to safe versions.
Example
When a vulnerable package is detected in a file such as package.json, the dependency is marked with an emoji that reflects the severity of the finding. Hover over the code to get more information about the vulnerability, such as:
Vulnerability ID: The CVE or OSV ID.
Vulnerability Summary
Fix Version
Reference: Link to the NVD page for the vulnerability.
Acknowledgements
OSV API - The Open Source Vulnerabilities (OSV) API used to gather vulnerability data.