Google today announced it has extended its Open Source Vulnerabilities (OSV) database to incorporate data from additional open source projects, using a unified schema for “describing vulnerabilities precisely.”
The benefits of open source software are widely understood, but concerns around vulnerabilities frequently rear their head. The vast majority of codebases contain at least one known open source vulnerability, while a report this week concluded that more often than not, developers don’t update third-party libraries after including them in their software. That same report noted that 92% of open source library flaws could be easily fixed with a simple update.
Open source software impacts pretty much everyone, everywhere. From small startups to major enterprises, companies rely on community-driven components in most of their applications. So it’s in everyone’s interests to ensure open source software is properly maintained.
In February, Google launched the Open Source Vulnerabilities database, which it called its “first step toward improving vulnerability triage” for developers and other open source consumers. Vulnerability triage is the process of assessing and ranking known flaws in software components in order of the risk they pose to an application that uses those components.
The OSV serves data on the version where a vulnerability was first introduced and the version where it was fixed, so developers can better understand how they are impacted. At launch, the OSV included vulnerabilities found by “fuzzing” (a technique for discovering programming errors) through the Google-led OSS-Fuzz service, which integrates with hundreds of open source projects.
One of the major challenges of aggregating data from multiple open source databases is that they can adhere to different formats, often created by an individual organization. This distributed model makes it more difficult to unify and describe vulnerabilities in a common vernacular. So Google, in conjunction with the wider open source community, has been working on a “vulnerability interchange schema” to describe vulnerabilities across open source projects in a format that can be used by both humans and automation tools.
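To make concrete what a machine-readable “introduced here, fixed there” record lets automation do, here is an added example (not code from Google or the OSV project) that takes a vulnerability record in the OSV interchange format and decides which of a project’s dependency versions fall inside its affected ranges. The record itself is constructed for illustration; its `id` is a placeholder rather than a published advisory, and the field names (`affected`, `package`, `ranges`, `events` with `introduced`/`fixed`) follow the public OSV schema as this example’s author understands it. The version comparison is deliberately simplified to dotted numeric versions; real ecosystems need their own ordering rules.

```python
"""Match dependency versions against the introduced/fixed ranges of an
OSV-format vulnerability record (added example, constructed data)."""
from typing import List, Optional, Tuple

# Constructed sample record in the OSV interchange format. The id and package
# name are placeholders, not a real advisory or library.
SAMPLE_RECORD = {
    "id": "EXAMPLE-2021-0001",
    "summary": "Constructed example: integer overflow in buffer handling",
    "aliases": [],
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplelib"},
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    # Events are ordered: each 'introduced' opens a range that
                    # the next 'fixed' closes. Two separate affected ranges here.
                    "events": [
                        {"introduced": "1.2.0"},
                        {"fixed": "1.2.5"},
                        {"introduced": "2.0.0"},
                        {"fixed": "2.0.3"},
                    ],
                }
            ],
        }
    ],
    "references": [{"type": "FIX", "url": "https://example.invalid/fix"}],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a comparable tuple.
    Simplified on purpose: PEP 440 or semver pre-release tags are not handled."""
    return tuple(int(part) for part in v.split("."))


def affected_intervals(events: List[dict]) -> List[Tuple[str, Optional[str]]]:
    """Turn an ordered OSV event list into [introduced, fixed) intervals.
    An 'introduced' with no later 'fixed' yields an open-ended (unfixed) interval."""
    intervals = []
    current = None
    for ev in events:
        if "introduced" in ev:
            current = ev["introduced"]
        elif "fixed" in ev and current is not None:
            intervals.append((current, ev["fixed"]))
            current = None
    if current is not None:
        intervals.append((current, None))
    return intervals


def version_in_interval(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open check: introduced <= version < fixed.
    OSV uses the literal "0" for 'affected since the very first version'."""
    v = parse_version(version)
    lower_ok = introduced == "0" or v >= parse_version(introduced)
    upper_ok = fixed is None or v < parse_version(fixed)
    return lower_ok and upper_ok


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if (ecosystem, name, version) falls in any affected range of the record."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        # Some records enumerate affected versions explicitly; honour those first.
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue  # GIT ranges need commit-graph walking; out of scope here
            for introduced, fixed in affected_intervals(rng.get("events", [])):
                if version_in_interval(version, introduced, fixed):
                    return True
    return False


def triage(record: dict, dependencies: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the subset of (ecosystem, name, version) triples the record affects."""
    return [dep for dep in dependencies if is_affected(record, *dep)]


if __name__ == "__main__":
    # Constructed dependency list for a hypothetical project.
    deps = [
        ("PyPI", "examplelib", "1.1.9"),   # before the first introduced version
        ("PyPI", "examplelib", "1.2.3"),   # inside [1.2.0, 1.2.5)
        ("PyPI", "examplelib", "1.2.5"),   # exactly the fixed version: safe
        ("PyPI", "examplelib", "2.0.1"),   # inside [2.0.0, 2.0.3)
        ("npm", "examplelib", "1.2.3"),    # different ecosystem: not matched
    ]
    for dep in triage(SAMPLE_RECORD, deps):
        print("affected:", dep, "by", SAMPLE_RECORD["id"])
```

The half-open `[introduced, fixed)` interpretation is what makes the “fixed” version itself come out clean, which is the distinction a triage tool needs to get right when deciding whether an upgrade actually closes the finding.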
Given that collaboration is the core tenet of open source software, expanding the OSV to include other open source ecosystems required active participation from all maintainers involved.
“Their feedback helped to iterate, improve, and generalize the format,” Google software engineer Oliver Chang told VentureBeat. “After the format was in a stable state, they made some changes in their existing vulnerability datasets to match the OSV schema format. This allowed aggregation of their datasets in the OSV service, which anyone could use to query for vulnerabilities in their open source dependencies.”
Google has seemingly doubled down on its open source security investments of late. Last week, it proposed a new “end-to-end framework for supply chain integrity” called Supply Chain Levels for Software Artifacts (SLSA), which designates security certification levels for different software packages. The internet giant was also a founding member of a new Linux Foundation project called Sigstore, which is setting out to help software developers confirm the origin and authenticity of software. And in February, Google revealed it would underwrite the salaries of two Linux Kernel developers to help improve security.