Google today announced an expansion of its Open Source Vulnerability (OSV) database to include data from more open source projects such as Python, Rust, Go, and DWF, using a unified schema for “accurately describing vulnerabilities.” While open source software has many advantages, vulnerabilities in it are a growing problem.
The vast majority of codebases contain at least one known open source vulnerability, and a report this week argues that, more often than not, developers don’t update third-party libraries after they’ve been incorporated into their software. The report also states that 92% of open source library defects can be easily fixed with a simple update.
Open source software affects almost everyone, everywhere. From small startups to large enterprises, companies rely on community-driven components in most of their applications. Therefore, it is in everyone’s interest to ensure that open source software is properly maintained.
In February of this year, Google launched the Open Source Vulnerabilities (OSV) database. Google calls this a “first step toward improving vulnerability triage” for developers and other open source consumers. Vulnerability triage is the process of assessing and prioritizing known defects in a software component by the risk they pose to the applications that use that component.
Today, Google is expanding OSV to include vulnerability databases from major open source projects, including Python, Rust, Go, and DWF. One of the main challenges of aggregating data from multiple open source databases is that they may adhere to different formats, often created by individual organizations. This distributed model makes it more difficult to unify and describe vulnerabilities in a common language. As a result, Google, along with the wider open source community, has been working on a “vulnerability exchange model” to describe vulnerabilities in various open source projects in a format that can be used by both humans and automated tools.
“Their feedback helped iterate, improve and popularize the format,” Google software engineer Oliver Chang told VentureBeat. “After the format was in a stable state, they made some modifications to their existing vulnerability dataset to match the OSV schema format. This allows their datasets to be aggregated in an OSV service, which anyone can use to query their open source dependencies for vulnerabilities.”
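As an added illustration of what the unified format described above makes possible (this is not code from the article or from Google's OSV project), the check below evaluates an OSV-style record against a dependency's version, the kind of lookup the OSV service performs. The record, its id and the package name are constructed placeholders; field names follow the published OSV schema, and the code assumes plain dotted-numeric versions with range events listed in ascending version order.

```python
import json

# Constructed OSV-style record with a placeholder id (not a real advisory).
# Field names follow the published OSV schema; the package is fictitious.
SAMPLE_OSV_JSON = json.dumps({
    "id": "EXAMPLE-2021-0001",
    "summary": "constructed example: unsafe deserialization in examplelib",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},      # 0 <= v < 1.4.2
            {"introduced": "2.0.0"}, {"fixed": "2.0.5"},  # regression window
        ]}],
    }],
})
SAMPLE_RECORDS = [json.loads(SAMPLE_OSV_JSON)]

def parse_version(v):
    """Assumption: plain dotted-numeric versions; '0' means 'from the start'."""
    return tuple(int(p) for p in v.split("."))

def affected_by_range(rng, version):
    """Walk introduced/fixed events (assumed in ascending version order); the
    version is affected if it lies in a window that was introduced but not yet
    fixed. The 'fixed' bound is exclusive, as in the OSV schema."""
    v, start = parse_version(version), None
    for ev in rng["events"]:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None
    return start is not None and start <= v  # introduced, never fixed

def matching_advisories(records, ecosystem, name, version):
    """Return ids of records whose affected entries cover this dependency."""
    hits = []
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                continue
            if version in aff.get("versions", []) or any(
                    affected_by_range(r, version) for r in aff.get("ranges", [])):
                hits.append(rec["id"])
                break
    return hits
```

Calling `matching_advisories(SAMPLE_RECORDS, "PyPI", "examplelib", "1.3.0")` returns the placeholder id, while `"1.4.2"` (the fixed version) and `"2.1.0"` return an empty list.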