Google rolls out a unified security vulnerability schema for open-source software

guest · Jun 24, 2021

Google rolls out a unified security vulnerability schema for open-source software
Google is bringing a way to measure security errors across open-source software programs
June 24, 2021
https://www.zdnet.com/article/googl...ulnerability-schema-for-open-source-software/

Business author and expert, H. James Harrington, once said, "If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it." He was right. And Google is following this advice by introducing a new way to strengthen open-source security by introducing a vulnerability interchange schema for describing vulnerabilities across open-source ecosystems.

That's very important. One low-level problem is that there are many security vulnerability databases, there's no standard interchange format.
So, Google built on the work it's already done on the Open Source Vulnerabilities (OSV) database and the OSS-Fuzz dataset of security vulnerabilities.
Click to expand...

Now the OSV and the schema has been expanded to several new key open-source ecosystems: Go, Rust, Python, and DWF. This expansion unites and aggregates their vulnerability databases. This gives developers a better way to track and remediate their security issues.
This new vulnerability schema aims to address some key problems with managing open-source vulnerabilities.
Click to expand...

A number of public vulnerability databases today are already exporting this format, with more in the pipeline:

Go vulnerability database for Go packages

Rust advisory database for Cargo packages

Python advisory database for PyPI packages

DWF database for vulnerabilities in the Linux kernel and other popular software

OSS-Fuzz database for vulnerabilities in C/C++ software found by OSS-Fuzz

The OSV service has also aggregated all of these vulnerability databases, which are viewable at the project's web UI. The databases can also be queried with a single command via its existing APIs.
Click to expand...

guest · Dec 15, 2022

Google launches OSV-Scanner, a new open-source vulnerability database
By Patrick Devaney - December 15, 2022

Google has launched a new open-source tool designed to give open-source developers access to information that could help them stay on top of potential vulnerabilities that could affect their projects. The OSV-Scanner builds on top of a tool Google developed in 2021 called the OSV.dev service.
Click to expand...

The OSV.dev service is an open-source distributed vulnerability database that conglomerates the different open-source ecosystems and vulnerabilities into a single location and in a machine-readable format. The move marked an important step as unifying open-source vulnerabilities and databases in this way had proven challenging with each using their own format. Describing the move in June last year, Google said:

“With this schema we hope to define a format that all vulnerability databases can export. A unified format means that vulnerability databases, open-source users, and security researchers can easily share tooling and consume vulnerabilities across all of open-source. This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation.”
Click to expand...

The news OSV-Scanner tool marks the next step in this journey as it offers what Google is calling an “officially supported front end to the OSV database”. As mentioned above, the huge numbers and varieties of formats were a challenge to compile together but they are also a challenge to keep track of. This necessitates the automation of the task, which is where this new scanner tool comes in:

According to the Google blog post announcing the new OSV-scanner, the OSV.dev database is now the biggest open-source vulnerability database of its kind, containing over 38,000 advisories. This has jumped up from 15,000 advisories just a year ago.
Click to expand...

Google: Announcing OSV-Scanner: Vulnerability Scanner for Open Source

by Rex Pan - December 13, 2022
Today, we’re launching the OSV-Scanner, a free tool that gives open source developers easy access to vulnerability information relevant to their project.

Last year, we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This involved publishing the Open Source Vulnerability (OSV) schema and launching the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine readable format.
Click to expand...

Log in or Sign up

Google rolls out a unified security vulnerability schema for open-source software

guest Guest

guest Guest

Log in or Sign up

Google rolls out a unified security vulnerability schema for open-source software

guest Guest

guest Guest

Useful Searches