A few days ago Google unveiled a new open source project called "Vanir", positioned as a static code analyzer designed to identify vulnerabilities in software projects, specifically those that have not yet been fixed by the corresponding patches.
How Vanir works
Vanir is based on a database of signatures containing information about known vulnerabilities and their corresponding patches, which allows it to compare the source code against the applied fixes and detect where a fix is missing.
By making Vanir open source, we aim to enable the broader security community to contribute to and benefit from this tool, enabling broader adoption and ultimately improving security across multiple ecosystems.
Among the main benefits of Vanir, the following stand out:
- Identifying vulnerabilities in forks and third-party code
Vanir makes it easy to detect missing patches in forks, mods, or code borrowed from outside the main project. In the Android ecosystem, this makes it possible to verify whether original device manufacturers have correctly applied the necessary patches to their custom versions of the platform.
- Analysis without metadata dependencies
Unlike other tools, Vanir does not require additional information such as version numbers, commit history, or SBOM (Software Bill of Materials) lists. Its approach is based exclusively on static analysis of the existing source code.
- Automatic generation of signatures
Vanir automates the creation of signatures from publicly available vulnerability information (CVEs) and the patches published by maintainers. This simplifies updating and maintaining the signature database.
- Increased performance and efficiency
By relying on static analysis of source code, Vanir offers significantly better performance than dynamic analysis tools or binary verification.
- Self-sufficiency and local deployment
The tool enables organizations to deploy and run the infrastructure on their own systems, eliminating the need to rely on external services or third parties.
- Updated and reliable database
Vanir uses a signature database backed by the Google Android Security Team, ensuring reliable and up-to-date coverage of critical vulnerabilities.
- Integration with CI/CD
Support for integration with continuous integration and delivery (CI/CD) systems allows vulnerability detection to be automated within the development cycle, facilitating the implementation of security processes in DevSecOps.
- Adaptability and flexibility
Beyond vulnerability detection, Vanir can be adapted for other tasks, such as identifying code cloning, duplication analysis, or detecting the use of code under specific licenses in other projects.
While Vanir was initially designed for Android, it can be easily adapted to other ecosystems with relatively minor modifications, making it a versatile tool for improving overall software security.
Composition of Vanir
Vanir consists of two main components:
- a signature generator
- a missing patch detector.
The generator creates signatures from vulnerability descriptions (in OSV format) and links to the corresponding patches, processing code commits from specific repositories such as googlesource.com and git.codelinaro.org, with the possibility of adding support for other services through additional handlers.
How does Vanir work?
The Vanir detector analyzes the source code of a repository and checks whether the fixes for known vulnerabilities are present. Using signature refinement algorithms and multiple pattern analysis, Vanir produces a detailed report highlighting unpatched vulnerabilities, with links to the affected code locations and references to the CVE identifiers and the applied patches.
As an example of Vanir's performance, it can scan the Android source code against a database covering more than 2000 vulnerabilities in 10 to 20 minutes on a modern PC. The false positive rate, based on two years of use within Google, remains low, at around 2.72%.
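To make the signature-based detection concrete, here is a simplified illustration in Python, added for this article; it is not Vanir's own code or algorithm, and the patch, file name and CVE placeholder are constructed. It derives a line-hash signature from a unified diff and reports whether a fork's source still contains the pre-patch code, already contains the post-patch code, or has diverged too far for this signature to judge.

```python
import hashlib
import re

# Constructed unified diff for a hypothetical fix (not a real patch or CVE):
# it adds a bounds check before a memcpy.
SAMPLE_PATCH = """\
--- a/lib/parser.c
+++ b/lib/parser.c
@@ -10,6 +10,8 @@ int parse_record(const uint8_t *buf, size_t len, struct rec *out)
 {
     size_t n = buf[0];
+    if (n > sizeof(out->name))
+        return -1;
     memcpy(out->name, buf + 1, n);
     out->len = n;
     return 0;
"""

def line_hash(line):
    # Strip all whitespace so a re-indented fork still yields the same hash.
    return hashlib.sha256(re.sub(r"\s+", "", line).encode()).hexdigest()[:16]

def hash_lines(lines):
    return [line_hash(l) for l in lines if l.strip()]

def signature_from_patch(cve, patch):
    # Pre-patch lines = context + removed; post-patch lines = context + added.
    old, new, in_hunk = [], [], False
    for raw in patch.splitlines():
        if raw.startswith("@@"):
            in_hunk = True
        elif in_hunk:
            tag, body = raw[:1], raw[1:]
            if tag != "+": old.append(body)
            if tag != "-": new.append(body)
    return {"cve": cve, "vulnerable": hash_lines(old), "patched": hash_lines(new)}

def contains_run(haystack, needle):
    # True if `needle` occurs as a contiguous sub-sequence of `haystack`.
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))

def scan_source(source, sig):
    hashes = hash_lines(source.splitlines())
    if contains_run(hashes, sig["patched"]):
        return "patched"
    if contains_run(hashes, sig["vulnerable"]):
        return "missing_patch"
    return "not_applicable"  # code differs too much for this signature to judge
```

A fork that joins the two added lines into one (`if (...) return -1;`) matches neither run and comes back as "not_applicable", which is why a real tool needs the signature refinement and multiple pattern analysis the article mentions.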
Finally, if you are interested in knowing more about it, you can check the details at the following link