Google Releases Open Source Library for Software Composition Analysis


Google on Thursday announced the release of OSV-SCALIBR (Software Composition Analysis LIBRary), an open source library for software composition analysis.

Released as an open source Go library, the tool is an extensible file system scanner designed to extract information on software inventory and identify vulnerabilities.

OSV-SCALIBR can either be used as a standalone binary (a wrapper around the library), or can be imported into Go projects as a library.

The tool supports software composition analysis (SCA) for packages, binaries, and source code. It can be used to scan OS packages on Linux, Windows, and macOS, and supports artifact and lockfile scanning in several programming languages.

Furthermore, it provides vulnerability scanning capabilities and can be used to generate software bills of materials (SBOMs) in SPDX and CycloneDX.

“OSV-SCALIBR is now the primary SCA engine used within Google for live hosts, code repos, and containers. It’s been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users’ data at Google scale,” the internet giant says.

The tool’s capabilities have been grouped into plugins for software extraction and vulnerability detection, with a set of recommended internal plugins running by default when the standalone binary is executed.

OSV-SCALIBR stores the built-in plugin modules in its definition files. When the tool is used as a library, these plugins can be enabled by importing them and adding them to the scan config. Custom plugins can also be run when SCALIBR is used as a library.
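The plugin split the article describes (extractor plugins that turn files into an inventory, detector plugins that evaluate that inventory, both enabled by adding them to a scan config) is easiest to see in code. The following is an added, self-contained Go illustration of that architecture, not OSV-SCALIBR's own API: every type and function name (`Extractor`, `Detector`, `ScanConfig`, `Scan`, `ToCycloneDX`) is an assumption made for this example, the scanned file system is an in-memory `fstest.MapFS` with constructed contents, and the advisory table and its ID are placeholders rather than real OSV data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Package is one inventory entry found on the scanned file system.
type Package struct{ Name, Version, Ecosystem, Location string }

// Finding is one vulnerability match produced by a detector.
type Finding struct {
	ID      string
	Package Package
}

// Extractor plugins claim files by path and turn their content into inventory.
type Extractor interface {
	FileRequired(path string) bool
	Extract(path string, content []byte) ([]Package, error)
}

// Detector plugins evaluate the inventory after extraction has finished.
type Detector interface{ Detect(inv []Package) []Finding }

// ScanConfig is the hypothetical config: plugins are enabled by listing them here.
type ScanConfig struct {
	Root       fs.FS
	Extractors []Extractor
	Detectors  []Detector
}

type ScanResult struct {
	Inventory []Package
	Findings  []Finding
}

// Scan walks the file system once, offering each file to every extractor that
// claims it, then runs every detector over the collected inventory.
func Scan(cfg ScanConfig) (ScanResult, error) {
	var res ScanResult
	err := fs.WalkDir(cfg.Root, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		for _, ex := range cfg.Extractors {
			if !ex.FileRequired(path) {
				continue
			}
			data, err := fs.ReadFile(cfg.Root, path)
			if err != nil {
				return err
			}
			pkgs, err := ex.Extract(path, data)
			if err != nil {
				return fmt.Errorf("extract %s: %w", path, err)
			}
			res.Inventory = append(res.Inventory, pkgs...)
		}
		return nil
	})
	if err != nil {
		return res, err
	}
	for _, det := range cfg.Detectors {
		res.Findings = append(res.Findings, det.Detect(res.Inventory)...)
	}
	return res, nil
}

// requirementsExtractor handles pinned "name==version" lines of a Python requirements.txt.
type requirementsExtractor struct{}

func (requirementsExtractor) FileRequired(path string) bool {
	return strings.HasSuffix(path, "requirements.txt")
}

func (requirementsExtractor) Extract(path string, content []byte) ([]Package, error) {
	var pkgs []Package
	for _, line := range strings.Split(string(content), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, ver, ok := strings.Cut(line, "==")
		if !ok { // an unpinned line cannot be matched against a fixed version
			return nil, fmt.Errorf("unpinned requirement %q", line)
		}
		pkgs = append(pkgs, Package{strings.ToLower(strings.TrimSpace(name)), strings.TrimSpace(ver), "PyPI", path})
	}
	return pkgs, nil
}

// affectedVersionsDetector matches inventory against a constructed advisory table
// keyed as "Ecosystem/name" -> version -> advisory ID (placeholder data, not OSV).
type affectedVersionsDetector struct{ advisories map[string]map[string]string }

func (d affectedVersionsDetector) Detect(inv []Package) []Finding {
	var out []Finding
	for _, p := range inv {
		if id, ok := d.advisories[p.Ecosystem+"/"+p.Name][p.Version]; ok {
			out = append(out, Finding{ID: id, Package: p})
		}
	}
	return out
}

// ToCycloneDX renders the inventory as a minimal CycloneDX JSON BOM (components only).
func ToCycloneDX(inv []Package) ([]byte, error) {
	type component struct {
		Type, Name, Version, PURL string
	}
	type bom struct {
		BOMFormat   string            `json:"bomFormat"`
		SpecVersion string            `json:"specVersion"`
		Components  []map[string]string `json:"components"`
	}
	b := bom{BOMFormat: "CycloneDX", SpecVersion: "1.5"}
	for _, p := range inv {
		purl := fmt.Sprintf("pkg:%s/%s@%s", strings.ToLower(p.Ecosystem), p.Name, p.Version)
		b.Components = append(b.Components, map[string]string{"type": "library", "name": p.Name, "version": p.Version, "purl": purl})
	}
	return json.MarshalIndent(b, "", "  ")
}

// DemoConfig builds a scan over a constructed in-memory file system with one
// extractor and one detector enabled, the way plugins are added to a scan config.
func DemoConfig() ScanConfig {
	root := fstest.MapFS{
		"app/requirements.txt": {Data: []byte("# constructed sample\nexamplelib==1.2.0\notherlib==0.9.1\n")},
		"app/main.py":          {Data: []byte("print('hi')\n")},
	}
	adv := map[string]map[string]string{"PyPI/examplelib": {"1.2.0": "DEMO-ADVISORY-0001"}} // placeholder ID
	return ScanConfig{Root: root, Extractors: []Extractor{requirementsExtractor{}}, Detectors: []Detector{affectedVersionsDetector{adv}}}
}

func main() {
	res, err := Scan(DemoConfig())
	if err != nil {
		panic(err)
	}
	out, _ := ToCycloneDX(res.Inventory)
	fmt.Println(string(out))
	for _, f := range res.Findings {
		fmt.Printf("%s: %s %s (%s)\n", f.ID, f.Package.Name, f.Package.Version, f.Package.Location)
	}
}
```

The point of the design is that the walk over the file system happens once and detectors never touch files; they only see the normalized inventory, which is what lets extraction and vulnerability detection be developed and enabled as independent plugins, and what makes the inventory reusable as an SBOM.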


OSV-SCALIBR is primarily available as an open source Go library now, but Google is working on integrating it more deeply into OSV-Scanner, the vulnerability scanner for open source dependencies released in 2022.

Some of OSV-SCALIBR’s capabilities are available in the scanner and more will be integrated over the next months, including installed package extraction, SBOM generation, and weak credentials scanning.

“Look out soon for an announcement of OSV-Scanner V2 with many of these new features available. OSV-Scanner will become the primary frontend to the OSV-SCALIBR library for users who require a CLI interface. Existing users of OSV-Scanner can continue to use the tool the same way, with backwards compatibility maintained for all existing use cases,” Google says.
