Google Upgrades Open Source Vulnerability Scanning Tool with SCA Scanning Library
In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."
Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:
Software composition analysis for installed packages, standalone binaries, as well as source code
OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats
Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical"
"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."
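As an added illustration (not OSV-SCALIBR's or Google's code), the Go program below walks through the three steps the announcement bundles into one library: extracting pinned packages from a lockfile, matching them against advisory version ranges using the half-open introduced/fixed interval that OSV-style records use, and emitting a CycloneDX-shaped SBOM with package URLs. The requirements file, the advisory IDs and their ranges are constructed placeholders, and the version comparison is a plain dotted-numeric compare rather than a full PEP 440 implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Package is one locked dependency, the unit a lockfile extractor hands to
// both the vulnerability matcher and the SBOM writer.
type Package struct {
	Ecosystem string
	Name      string
	Version   string
}

// Advisory is a simplified affected-range record: versions v with
// Introduced <= v < Fixed are vulnerable (empty Fixed means "no fix yet").
type Advisory struct {
	ID         string
	Ecosystem  string
	Name       string
	Introduced string
	Fixed      string
}

// Finding pairs a package with one advisory whose range contains it.
type Finding struct {
	Package  Package
	Advisory Advisory
}

// Component and SBOM use real CycloneDX JSON field names; most optional
// fields of the schema are omitted for brevity.
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type SBOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

// SampleLock is a constructed pip requirements lockfile, not a real project.
const SampleLock = `# constructed example lockfile
requests==2.25.1
urllib3==1.26.18
flask==3.0.0
`

// SampleAdvisories carry placeholder IDs and ranges; they are not OSV records.
var SampleAdvisories = []Advisory{
	{"EXAMPLE-ADV-0001", "PyPI", "requests", "2.3.0", "2.31.0"},
	{"EXAMPLE-ADV-0002", "PyPI", "urllib3", "0", "1.26.5"},
}

// ParseRequirements extracts "name==version" pins, skipping comments, blank
// lines and unpinned requirements (which are not reproducible to scan).
func ParseRequirements(text string) []Package {
	var pkgs []Package
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, ver, ok := strings.Cut(line, "==")
		if !ok {
			continue
		}
		pkgs = append(pkgs, Package{"PyPI", strings.ToLower(strings.TrimSpace(name)), strings.TrimSpace(ver)})
	}
	return pkgs
}

// CompareVersions orders dotted numeric versions ("1.26.5" < "1.26.10") and
// returns -1, 0 or 1; missing or non-numeric components count as 0.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Affected reports whether pkg lies in adv's [Introduced, Fixed) range.
func Affected(pkg Package, adv Advisory) bool {
	if pkg.Ecosystem != adv.Ecosystem || pkg.Name != adv.Name {
		return false
	}
	if CompareVersions(pkg.Version, adv.Introduced) < 0 {
		return false
	}
	return adv.Fixed == "" || CompareVersions(pkg.Version, adv.Fixed) < 0
}

// FindVulnerable returns every (package, advisory) pair that matches.
func FindVulnerable(pkgs []Package, advs []Advisory) []Finding {
	var out []Finding
	for _, p := range pkgs {
		for _, a := range advs {
			if Affected(p, a) {
				out = append(out, Finding{p, a})
			}
		}
	}
	return out
}

// BuildSBOM emits one CycloneDX library component per package with a purl.
func BuildSBOM(pkgs []Package) SBOM {
	bom := SBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5"}
	for _, p := range pkgs {
		bom.Components = append(bom.Components, Component{
			Type:    "library",
			Name:    p.Name,
			Version: p.Version,
			PURL:    fmt.Sprintf("pkg:%s/%s@%s", strings.ToLower(p.Ecosystem), p.Name, p.Version),
		})
	}
	return bom
}

func main() {
	pkgs := ParseRequirements(SampleLock)
	for _, f := range FindVulnerable(pkgs, SampleAdvisories) {
		fmt.Printf("%s %s: %s (fixed in %s)\n", f.Package.Name, f.Package.Version, f.Advisory.ID, f.Advisory.Fixed)
	}
	out, _ := json.MarshalIndent(BuildSBOM(pkgs), "", "  ")
	fmt.Println(string(out))
}
```

Run it with `go run .`; with the constructed input only `requests 2.25.1` matches (it sits inside the placeholder range, while `urllib3 1.26.18` is past its placeholder fix). The SBOM and the findings come from the same extracted package list, which is the point of doing composition analysis and vulnerability matching in one pass.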
Read more of this story at Slashdot.
Are 'Career Catfishers' Justified In Not Showing Up for Work?
Fortune reports 18% of workers have engaged in "career catfishing" — getting a job offer, but then refusing to show up on the first day of work.
And when someone posted Fortune's article to Reddit's antiwork subreddit, it drew 2,100 upvotes -- and another 84 comments. ("I love doing this...! This feels really great to do after a company has jerked you around, and basically said that several other people were in line ahead of you... after five interviews.")
But Fortune reports there are other sources of frustration:
At the moment, Gen Z is contending with an onerous battle to land an entry-level, full-time role. The class of 2025 is set to apply to more jobs than the graduating class prior, already submitting 24% more applications on average this past summer than seniors did last year. Furthermore, the class of 2024 applied to 64% more jobs than the cohort before them, according to job platform Handshake. To make matters all the more bleak, the number of job listings has dwindled from 2023 levels, generating deeper frenzy and more intense competition for the roles listed.
That adds up to a hiring managers' market and senior executives are playing hardball; only 12% of mid-level executives think entry-level workers are prepared to join the workforce, per a report from technology education provider General Assembly. About one in four say they wouldn't hire today's entry-level employees. Yet, that's not really the point of entry-level roles, points out Jourdan Hathaway, General Assembly's chief business officer. By definition, it's a position that requires investment in a young adult, she explained. "The entry-level employee pipeline is broken," Hathaway wrote in a statement. "Companies must rethink how they source, train, and onboard employees."
The especially competitive hiring landscape could be forcing Gen Zers to accept the first gig they can get because the job market is so dire — only to later regret it and not show up the first day.
The article also acknowledges that "employers themselves have a role in the two-way communication — or lack thereof — between hire and hirer."
Almost 80% of hiring managers admitted they've stopped responding to candidates during the application process, according to a survey of 625 hiring managers from Resume Genius.
Gen Zers say that their ghosting is in reaction to the company's behavior. More than a third of applicants who have purposefully dropped the ball say it was because a recruiter was rude to them or misled them about a position, according to Monster... In part, it's likely AI that's fueling said ghosting. AI has become more integrated into the hiring process, becoming a screener that rejects resumes without ever reaching a human person's eyes. That phenomenon possibly fuels both sides' tendency to be non-responsive...