Google Launches Open Source Vulnerability Tracking Program

Google has launched OSV (Open Source Vulnerabilities), a new service that offers access to a database of information about vulnerabilities in open source software.

The goal of the OSV project is to quickly inform maintainers about vulnerabilities, their status and the history of their fixes. The project also allows you to track the impact of vulnerabilities on derivative products. This was reported on the Google blog.

Vulnerability management can be problematic for both consumers and developers of open source software, since in many cases it requires tedious manual work.

It is often difficult for consumers of open source software to match a vulnerability, such as a Common Vulnerabilities and Exposures (CVE) entry, with the package versions they are using. This is because the versioning schemes in existing vulnerability standards (such as Common Platform Enumeration (CPE)) do not match the versioning schemes actually used by open source projects, which are usually versions/tags and commit hashes. The result is missed vulnerabilities that affect downstream consumers.

The new Google service provides an API that lets you automate queries for vulnerability information tied to the state of a code repository. Vulnerabilities are assigned separate OSV identifiers that supplement the CVE with extended information. In particular, an OSV record reflects the status of the fix, the commits that introduced and fixed the vulnerability, the range of vulnerable versions, and links to the project's repository and to the report of the problem.
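As an added illustration of the version-range matching the article describes (not code from the article or from the OSV project), the Python below decides which records cover a given package version. The record layout (affected / package / ranges / events with introduced and fixed boundaries) is an assumption modelled on the OSV schema, and the records and ids are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed records, not real OSV entries: ids are placeholders and the
# layout (affected -> package / ranges -> events) is assumed from the OSV schema.
CONSTRUCTED_RECORDS: List[Dict] = [
    {"id": "OSV-EXAMPLE-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.2"}]}]}]},
    {"id": "OSV-EXAMPLE-0002",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "1.0.1"},
                                          {"introduced": "2.0.0"}]}]}]},
]

def parse_semver(version: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); pre-release/build suffixes are dropped and
    missing components count as 0, so '1.4' compares equal to '1.4.0'."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def version_affected(version: str, events: List[Dict[str, str]]) -> bool:
    """Walk introduced/fixed events in version order. A version is affected
    when the last boundary at or below it is an 'introduced' one: introduced
    is inclusive, fixed is exclusive (the fixing release itself is clean)."""
    target = parse_semver(version)
    affected = False
    for event in sorted(events, key=lambda e: parse_semver(next(iter(e.values())))):
        kind, boundary = next(iter(event.items()))
        if parse_semver(boundary) <= target:
            affected = kind == "introduced"
    return affected

def affected_vulns(ecosystem: str, name: str, version: str, records: List[Dict]) -> List[str]:
    """Return ids of records whose SEMVER ranges cover this package version."""
    hits = []
    for record in records:
        for entry in record["affected"]:
            pkg = entry["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                continue
            if any(r["type"] == "SEMVER" and version_affected(version, r["events"])
                   for r in entry["ranges"]):
                hits.append(record["id"])
                break
    return hits
```

Querying `affected_vulns("PyPI", "examplepkg", "1.4.2", CONSTRUCTED_RECORDS)` returns an empty list because 1.4.2 is the fixing release of the first record and falls between the fixed and re-introduced boundaries of the second.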

OSV currently provides access to thousands of vulnerabilities from over 380 critical OSS projects integrated with OSS-Fuzz. In the future, the plan is to add vulnerability information for projects in the Go language, as well as for the NPM and PyPI ecosystems.
