Google has been busy developing projects to move the security needle forward for users of open source software. Google’s Open Source Vulnerabilities (OSV) project is focused on standardizing how open source vulnerabilities are described and on supporting automated vulnerability publishing and querying. By standardizing and centralizing this data, the project hopes to streamline the vulnerability tracking process and reduce the effort associated with triaging open source vulnerabilities. Let’s dive in.
Don’t we have CVEs?
CVEs, or Common Vulnerabilities and Exposures, have been the go-to for standardizing and tracking vulnerabilities for decades. However, the CVE standard, managed by MITRE, the research and development arm of the US Government, was never designed to handle vulnerabilities within open source projects, nor the sheer volume of vulnerabilities discovered on a daily basis. OSV is intended to better support tracking vulnerabilities within open source software, but it is mappable to the CVE database.
Schema is Tailored for Open Source Software Use Case
A major gap with CVEs was how the framework describes affected software versions versus how open source projects actually track versions of their software. Think versions, tags and commit hashes. The OSV schema incorporates attributes relevant to open source and software development, with a focus on being human readable while remaining easy to integrate into build servers and DevOps pipelines for automation use cases.
Who is OSV For?
There are two primary users of the OSV project: Open Source Maintainers and Open Source Consumers. Additionally, external upstream repos can leverage OSV to identify whether they contain vulnerable packages, and optionally OSV can map to the existing CVE database for backwards compatibility and for supporting traditional security teams and their processes.
How Does It Work?
Initially the project was populating its database by fuzzing popular open source projects with OSS-Fuzz. However, as of June 24th the project has evolved and expanded its integrations with the Go, Rust, Python and DWF vulnerability databases, providing a centralized, language-agnostic database. Now, vulnerability details from distributed vulnerability databases will be centralized within OSV, where humans and machines alike can query them. The OSV team intends to continue expanding integrations as well as giving open source maintainers direct access for tracking and updating vulnerability reports.
How to Consume?
As with many of these altruistic projects, it is in its infancy. The API to query has been built, and the web interface allows for manual queries. In the spirit of “if you build it, they will come”, Google’s OSV team has laid the foundations and is looking to the open source community to integrate more data sources as well as to develop integrations with popular build tools to truly take advantage of the automation capabilities.
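As an added illustration of the query API and the schema points made above (this is example code written for this article, not OSV project code), the snippet below builds the package-plus-version query body OSV accepts, then reduces a response to the bits a triage pipeline cares about: the OSV id, any CVE aliases (the CVE mapping), and the fixed versions or commits from the SEMVER and GIT ranges. The endpoint URL is the public api.osv.dev query endpoint; the sample response is constructed to mimic the OSV schema and contains no real advisory.

```python
import json
import urllib.request

# Public OSV query endpoint (POST a JSON body describing package + version).
OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def build_query(ecosystem, name, version):
    """Build the JSON body OSV expects for a package/version lookup."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def query_osv(ecosystem, name, version):
    """Send the lookup to api.osv.dev (needs network) and return parsed JSON."""
    body = json.dumps(build_query(ecosystem, name, version)).encode()
    req = urllib.request.Request(
        OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize(response):
    """Reduce a query response to id, CVE aliases and fix points per vuln.

    Fix points are (range type, value) pairs, so a SEMVER range yields a
    version string and a GIT range yields a commit hash, mirroring how
    the OSV schema tracks both kinds of identifiers.
    """
    out = []
    for vuln in response.get("vulns", []):
        cves = [a for a in vuln.get("aliases", []) if a.startswith("CVE-")]
        fixed = []
        for aff in vuln.get("affected", []):
            for rng in aff.get("ranges", []):
                for ev in rng.get("events", []):
                    if "fixed" in ev:
                        fixed.append((rng.get("type"), ev["fixed"]))
        out.append({"id": vuln["id"], "cves": cves, "fixed": fixed})
    return out


# Constructed sample response in OSV-schema shape; ids, package, alias and
# commit hash are placeholders, not real advisory data.
SAMPLE_RESPONSE = {"vulns": [{
    "id": "GO-EXAMPLE-0001",
    "aliases": ["CVE-0000-00000"],
    "summary": "constructed example advisory",
    "affected": [{
        "package": {"ecosystem": "Go", "name": "example.com/pkg"},
        "ranges": [
            {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]},
            {"type": "GIT", "repo": "https://example.com/pkg",
             "events": [{"introduced": "0"}, {"fixed": "placeholder-commit-hash"}]},
        ]}]}]}
```

Running `summarize(SAMPLE_RESPONSE)` offline shows the shape a build step would act on; swapping in `query_osv("Go", "example.com/pkg", "1.0.0")` performs the live lookup.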