InfoSecBulletin Cybersecurity for mankind
Google has announced Vanir, an open-source tool for detecting and fixing security vulnerabilities, publicly available for developers.
Vanir is a source code-based static analysis tool that automatically identifies the list of missing security patches in the target system. By default, Vanir pulls up-to-date CVEs from Open Source Vulnerabilities (OSV) together with their corresponding signatures so that users can transparently scan missing patches for an up-to-date list of CVEs.
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
Vanir, originally designed for Android, provides an effective way to manage security patches for various devices and software versions. As Google’s blog states, “This strengthens the security of the Android ecosystem, helping to keep Android users around the world safe.”
What sets Vanir apart?
Source-Code-Based Static Analysis: Instead of using potentially inaccurate metadata, Vanir examines the source code directly, offering a more precise and thorough analysis.
Automated Patch Identification: Vanir automates the time-consuming task of finding missing patches, saving both time and resources.
Versatility: Although made for Android, Vanir can easily be used in other systems, making it a valuable asset across the software development landscape.
“A main focus of Vanir is to automate the time consuming and costly process of identifying missing security patches in the open source software ecosystem,” Google emphasizes in their blog.
Early Success and Future Potential:
Early use of Vanir has shown great results. Google states that one engineer generated signatures for over 150 vulnerabilities and verified missing security patches in just five days using Vanir.
Vanir’s open-source nature encourages teamwork and innovation in security. “By open-sourcing Vanir, we aim to empower the broader security community to contribute to and benefit from this tool, enabling wider adoption and ultimately improving security across various ecosystems,” says Google.
