Google wants to create a standard vocabulary for describing security vulnerabilities

Finalized vulnerability schema spec will help further secure open source projects


Google aims to make open source software more secure by creating a unified schema to describe security vulnerabilities more accurately.

Back in February, the search giant released the Open Source Vulnerabilities (OSV) database with the goal of both automating and improving vulnerability triage for developers and those who rely on open source software.

Google’s initial effort at creating this new database was helped in part by the inclusion of a dataset containing several thousand vulnerabilities from the OSS-Fuzz project. In the time since, the company has leveraged user feedback to help improve the project and make the database accessible to even more users.

Now, though, Google has announced in a new blog post that it will expand OSV with the addition of several key open source ecosystems, including Go, Rust, Python and DWF. This expansion will unite and aggregate information on security vulnerabilities from four vulnerability databases to provide developers with a better way to track and remediate security issues.

Open Source Vulnerabilities database


As different ecosystems and organizations have created separate databases which use their own format to describe open source vulnerabilities, tracking security bugs and flaws across multiple databases can be difficult and tedious.

For this reason, the Google Open Source Security team, the Go team and the broader open source community have been working to develop a simple vulnerability interchange schema for describing vulnerabilities.

As part of this work, the new vulnerability schema aims to address some key problems with managing vulnerabilities in open source projects, such as enforcing a version specification that precisely matches the naming and versioning schemes used in actual open source package ecosystems. The schema must also be able to describe vulnerabilities in any open source ecosystem while remaining easy to use for both automated systems and people.
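To show what "precisely matching an ecosystem's versioning scheme" buys an automated consumer, here is an added example (not code from Google or the OSV project) that checks whether an installed package version falls inside an advisory's affected ranges. It assumes the record shape of the OSV schema (an `affected` list with `package`, `ranges` and `introduced`/`fixed` `events`); the advisory id, package name and version numbers are constructed for illustration.

```python
import json

# Constructed sample mimicking the shape of an OSV record (field names are an
# assumption about the published schema; the id, package and versions are made up).
SAMPLE_RECORD = json.loads("""
{"id": "EXAMPLE-2021-0001",
 "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
               "ranges": [{"type": "SEMVER",
                           "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"},
                                      {"introduced": "2.0.0"}]}]}]}
""")

def parse_semver(version):
    """Comparable (major, minor, patch) tuple; pre-release/build tags are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts[:3])

def affected_intervals(events):
    """Fold an OSV event list into [introduced, fixed) intervals; None = no fix yet."""
    intervals, start = [], None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event and start is not None:
            intervals.append((start, event["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals

def is_affected(record, ecosystem, name, version):
    """True if the given package version lies inside any SEMVER range of the record."""
    v = parse_semver(version)
    for entry in record["affected"]:
        pkg = entry["package"]
        if (pkg["ecosystem"], pkg["name"]) != (ecosystem, name):
            continue
        for rng in entry["ranges"]:
            if rng["type"] != "SEMVER":
                continue
            for low, high in affected_intervals(rng["events"]):
                # "0" in OSV means "from the first version"
                low_ok = low == "0" or parse_semver(low) <= v
                high_ok = high is None or v < parse_semver(high)
                if low_ok and high_ok:
                    return True
    return False
```

The second `introduced` event with no matching `fixed` yields an open-ended interval, which is how an advisory without a patched release is represented.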


The vulnerability schema spec has now gone through several iterations and it will likely be some time before Google’s teams can finalize it.

However, developers and open source software advocates can now access the Go vulnerability database, the Rust advisory database, the Python advisory database, the DWF database for vulnerabilities in the Linux kernel and other popular software, as well as the OSS-Fuzz database for vulnerabilities in C/C++.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
