Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

End of Bibblio RCM includes -->

Google Updates Vulnerability Data Format to Support Automation

The Open Source Vulnerability schema supports automated vulnerability handling in Go, Rust, Python, and Distributed Weakness Filing system, and it could be the favored format for future exporting of data.

Google continues to push to provide open source developers with more tools to improve the security of their software, with an update to the Open Source Vulnerability (OSV) schema, a machine-friendly way of describing vulnerability information, the company said this week. 

Related Content:

Google Experts Explore Open Source Security Challenges & Fixes

Special Report: Building the SOC of the Future

New From The Edge: An Interesting Approach to Cyber Insurance

The OSV schema aims to precisely describe vulnerabilities in a way tailored to the open source use case, "with the goal of automating and improving vulnerability triage for developers and users of open source software," Google stated in a blog post published on June 24. The project could allow various developer tools to natively handle vulnerability information and make it easier for users of open source components to know whether particular vulnerabilities affect their applications. 

The aim is to reduce the effort required to document vulnerabilities in open source projects, to make the issues easier to track, says Abhishek Arya, principal engineer in the Open Source Security group at Google.

"The intention is that there will be zero or minimal effort to issue vulnerabilities in the schema format, and the actual open source developers will have to do the least amount of work," Arya says. "Our ideal workflow is an OS developer makes a commit in their repository, maybe with some metadata, and all the automated systems will pick it up and notify the consumer."

The OSV schema is the latest effort by Google to make securing open source software easier and more efficient. In early June, the company released a cloud application that allows developers to explore the dependency graphs of various open source projects. Called Open Source Insights, the visualization site allows anyone to see the software libraries and other open source components on which 

In November, the company also announced, along with the Open Source Security Foundation (OpenSSF), a project called Security Scorecards for Open-Source Projects that rates projects based on a set of security-evaluation metrics. 

"A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source," members of Google's Open Source Security and Go development teams stated in the OSV blog post. "This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation."

Google released the original version of the schema in February, based on the database schema used by the Rust team for their vulnerability database. The Rust Foundation had already created a machine-readable format as part of its RustSec Advisory Database maintained by the Rust Secure Code Working Group.

The latest version announced this month also includes support for the vulnerability databases used by Go, Python, and the Distributed Weakness Filing (DWF) system, an open source project that aims to recreate and augment the Common Vulnerabilities and Exposures (CVE) project. 

The CVE project verifies software security issues and assigns vulnerability identifiers, but in 2016 and 2017 suffered an immense backlog due to operational issues. MITRE, the nonprofit government R&D organization that manages the CVE process, reorganized the vetting process and brought on more than a hundred companies and groups as CVE Numbering Authorities

The focus of the OSV schema on machine automation to make handling vulnerability information easier differentiates the schema from the popular CVE framework, Arya says. 

"Getting a CVE identifier is often time-consuming and a lot of work, so having this simple schema that focuses on automation really helps," he says. "So we can just focus on when an issue was introduced and when it was fixed, in terms of commit hashes or in terms of version, and then anyone can commit those patches."

MITRE did not provide information on whether it would support the format or work with Google on combining the CVE schema with the OSV schema. "We're always interested to see new ideas from the vulnerability management community," a MITRE spokesperson said via an e-mail. 

After several iterations, the OSV schema is now being used as the export format for data in the vulnerability and advisory databases for Go, Rust, Python, OSS-Fuzz, and DWF. In addition, Google has built automated tools for managing vulnerability databases that use the schema, including accurate matching to the open source repositories and the generation of additional data, such as the versions affected, without requiring human intervention.

Google used the tools to create the community Python advisory database, the company said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file