Stop managing vulnerabilities and start managing scanner assumptions

Run two industry-standard scanners on the same container image and you will get two entirely different answers.
livedoor ニュース

Google、オープンソースプロジェクト向けに脆弱性スキャナ「OSV ...

Googleは12月13日(米国時間)、「Google Online Security Blog: Announcing OSV-Scanner: Vulnerability Scanner for Open Source」において、オープンソースプロジェクトのための脆弱性スキャナ「OSV-Scanner」を発表した。これは、オープンソース開発者が、自身のプロジェクトに関連する ...
heise online

Google's vulnerability scanner checks container layers and Maven projects

Google has released the second version of its vulnerability scanner for open-source projects, which now performs in-depth analyses in complex projects and containers. It also supports Java projects ...
techzine

TeamPCP compromises Python libraries via supply chain attack

The hacker group TeamPCP uploaded two malicious versions of the popular Python library LiteLLM to PyPI. Using a previously compromised version of the vulnerability scanner Trivy, the attackers stole ...