Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

6/29/2021
05:55 PM
50%
50%

Google Updates Vulnerability Data Format to Support Automation

The Open Source Vulnerability schema supports automated vulnerability handling in Go, Rust, Python, and Distributed Weakness Filing system, and it could be the favored format for future exporting of data.

Google continues to push to provide open source developers with more tools to improve the security of their software, with an update to the Open Source Vulnerability (OSV) schema, a machine-friendly way of describing vulnerability information, the company said this week. 

Related Content:

Google Experts Explore Open Source Security Challenges & Fixes

Special Report: Building the SOC of the Future

New From The Edge: An Interesting Approach to Cyber Insurance

The OSV schema aims to precisely describe vulnerabilities in a way tailored to the open source use case, "with the goal of automating and improving vulnerability triage for developers and users of open source software," Google stated in a blog post published on June 24. The project could allow various developer tools to natively handle vulnerability information and make it easier for users of open source components to know whether particular vulnerabilities affect their applications. 

The aim is to reduce the effort required to document vulnerabilities in open source projects, to make the issues easier to track, says Abhishek Arya, principal engineer in the Open Source Security group at Google.

"The intention is that there will be zero or minimal effort to issue vulnerabilities in the schema format, and the actual open source developers will have to do the least amount of work," Arya says. "Our ideal workflow is an OS developer makes a commit in their repository, maybe with some metadata, and all the automated systems will pick it up and notify the consumer."

The OSV schema is the latest effort by Google to make securing open source software easier and more efficient. In early June, the company released a cloud application that allows developers to explore the dependency graphs of various open source projects. Called Open Source Insights, the visualization site allows anyone to see the software libraries and other open source components on which 

In November, the company also announced, along with the Open Source Security Foundation (OpenSSF), a project called Security Scorecards for Open-Source Projects that rates projects based on a set of security-evaluation metrics. 

"A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source," members of Google's Open Source Security and Go development teams stated in the OSV blog post. "This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation."

Google released the original version of the schema in February, based on the database schema used by the Rust team for their vulnerability database. The Rust Foundation had already created a machine-readable format as part of its RustSec Advisory Database maintained by the Rust Secure Code Working Group.

The latest version announced this month also includes support for the vulnerability databases used by Go, Python, and the Distributed Weakness Filing (DWF) system, an open source project that aims to recreate and augment the Common Vulnerabilities and Exposures (CVE) project. 

The CVE project verifies software security issues and assigns vulnerability identifiers, but in 2016 and 2017 suffered an immense backlog due to operational issues. MITRE, the nonprofit government R&D organization that manages the CVE process, reorganized the vetting process and brought on more than a hundred companies and groups as CVE Numbering Authorities

The focus of the OSV schema on machine automation to make handling vulnerability information easier differentiates the schema from the popular CVE framework, Arya says. 

"Getting a CVE identifier is often time-consuming and a lot of work, so having this simple schema that focuses on automation really helps," he says. "So we can just focus on when an issue was introduced and when it was fixed, in terms of commit hashes or in terms of version, and then anyone can commit those patches."

MITRE did not provide information on whether it would support the format or work with Google on combining the CVE schema with the OSV schema. "We're always interested to see new ideas from the vulnerability management community," a MITRE spokesperson said via an e-mail. 

After several iterations, the OSV schema is now being used as the export format for data in the vulnerability and advisory databases for Go, Rust, Python, OSS-Fuzz, and DWF. In addition, Google has built automated tools for managing vulnerability databases that use the schema, including accurate matching to the open source repositories and the generation of additional data, such as the versions affected, without requiring human intervention.

Google used the tools to create the community Python advisory database, the company said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21991
PUBLISHED: 2021-09-22
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server...
CVE-2021-21992
PUBLISHED: 2021-09-22
The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service ...
CVE-2021-34647
PUBLISHED: 2021-09-22
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...
CVE-2021-34648
PUBLISHED: 2021-09-22
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /n...
CVE-2021-40684
PUBLISHED: 2021-09-22
Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in...