Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

End of Bibblio RCM includes -->

Google Updates Vulnerability Data Format to Support Automation

The Open Source Vulnerability schema supports automated vulnerability handling in Go, Rust, Python, and Distributed Weakness Filing system, and it could be the favored format for future exporting of data.

Google continues to push to provide open source developers with more tools to improve the security of their software, with an update to the Open Source Vulnerability (OSV) schema, a machine-friendly way of describing vulnerability information, the company said this week. 

Related Content:

Google Experts Explore Open Source Security Challenges & Fixes

Special Report: Building the SOC of the Future

New From The Edge: An Interesting Approach to Cyber Insurance

The OSV schema aims to precisely describe vulnerabilities in a way tailored to the open source use case, "with the goal of automating and improving vulnerability triage for developers and users of open source software," Google stated in a blog post published on June 24. The project could allow various developer tools to natively handle vulnerability information and make it easier for users of open source components to know whether particular vulnerabilities affect their applications. 

The aim is to reduce the effort required to document vulnerabilities in open source projects, to make the issues easier to track, says Abhishek Arya, principal engineer in the Open Source Security group at Google.

"The intention is that there will be zero or minimal effort to issue vulnerabilities in the schema format, and the actual open source developers will have to do the least amount of work," Arya says. "Our ideal workflow is an OS developer makes a commit in their repository, maybe with some metadata, and all the automated systems will pick it up and notify the consumer."

The OSV schema is the latest effort by Google to make securing open source software easier and more efficient. In early June, the company released a cloud application that allows developers to explore the dependency graphs of various open source projects. Called Open Source Insights, the visualization site allows anyone to see the software libraries and other open source components on which 

In November, the company also announced, along with the Open Source Security Foundation (OpenSSF), a project called Security Scorecards for Open-Source Projects that rates projects based on a set of security-evaluation metrics. 

"A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source," members of Google's Open Source Security and Go development teams stated in the OSV blog post. "This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation."

Google released the original version of the schema in February, based on the database schema used by the Rust team for their vulnerability database. The Rust Foundation had already created a machine-readable format as part of its RustSec Advisory Database maintained by the Rust Secure Code Working Group.

The latest version announced this month also includes support for the vulnerability databases used by Go, Python, and the Distributed Weakness Filing (DWF) system, an open source project that aims to recreate and augment the Common Vulnerabilities and Exposures (CVE) project. 

The CVE project verifies software security issues and assigns vulnerability identifiers, but in 2016 and 2017 suffered an immense backlog due to operational issues. MITRE, the nonprofit government R&D organization that manages the CVE process, reorganized the vetting process and brought on more than a hundred companies and groups as CVE Numbering Authorities

The focus of the OSV schema on machine automation to make handling vulnerability information easier differentiates the schema from the popular CVE framework, Arya says. 

"Getting a CVE identifier is often time-consuming and a lot of work, so having this simple schema that focuses on automation really helps," he says. "So we can just focus on when an issue was introduced and when it was fixed, in terms of commit hashes or in terms of version, and then anyone can commit those patches."

MITRE did not provide information on whether it would support the format or work with Google on combining the CVE schema with the OSV schema. "We're always interested to see new ideas from the vulnerability management community," a MITRE spokesperson said via an e-mail. 

After several iterations, the OSV schema is now being used as the export format for data in the vulnerability and advisory databases for Go, Rust, Python, OSS-Fuzz, and DWF. In addition, Google has built automated tools for managing vulnerability databases that use the schema, including accurate matching to the open source repositories and the generation of additional data, such as the versions affected, without requiring human intervention.

Google used the tools to create the community Python advisory database, the company said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.