Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

End of Bibblio RCM includes -->

Google Updates Vulnerability Data Format to Support Automation

The Open Source Vulnerability schema supports automated vulnerability handling in Go, Rust, Python, and Distributed Weakness Filing system, and it could be the favored format for future exporting of data.

Google continues to push to provide open source developers with more tools to improve the security of their software, with an update to the Open Source Vulnerability (OSV) schema, a machine-friendly way of describing vulnerability information, the company said this week. 

Related Content:

Google Experts Explore Open Source Security Challenges & Fixes

Special Report: Building the SOC of the Future

New From The Edge: An Interesting Approach to Cyber Insurance

The OSV schema aims to precisely describe vulnerabilities in a way tailored to the open source use case, "with the goal of automating and improving vulnerability triage for developers and users of open source software," Google stated in a blog post published on June 24. The project could allow various developer tools to natively handle vulnerability information and make it easier for users of open source components to know whether particular vulnerabilities affect their applications. 

The aim is to reduce the effort required to document vulnerabilities in open source projects, to make the issues easier to track, says Abhishek Arya, principal engineer in the Open Source Security group at Google.

"The intention is that there will be zero or minimal effort to issue vulnerabilities in the schema format, and the actual open source developers will have to do the least amount of work," Arya says. "Our ideal workflow is an OS developer makes a commit in their repository, maybe with some metadata, and all the automated systems will pick it up and notify the consumer."

The OSV schema is the latest effort by Google to make securing open source software easier and more efficient. In early June, the company released a cloud application that allows developers to explore the dependency graphs of various open source projects. Called Open Source Insights, the visualization site allows anyone to see the software libraries and other open source components on which 

In November, the company also announced, along with the Open Source Security Foundation (OpenSSF), a project called Security Scorecards for Open-Source Projects that rates projects based on a set of security-evaluation metrics. 

"A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source," members of Google's Open Source Security and Go development teams stated in the OSV blog post. "This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation."

Google released the original version of the schema in February, based on the database schema used by the Rust team for their vulnerability database. The Rust Foundation had already created a machine-readable format as part of its RustSec Advisory Database maintained by the Rust Secure Code Working Group.

The latest version announced this month also includes support for the vulnerability databases used by Go, Python, and the Distributed Weakness Filing (DWF) system, an open source project that aims to recreate and augment the Common Vulnerabilities and Exposures (CVE) project. 

The CVE project verifies software security issues and assigns vulnerability identifiers, but in 2016 and 2017 suffered an immense backlog due to operational issues. MITRE, the nonprofit government R&D organization that manages the CVE process, reorganized the vetting process and brought on more than a hundred companies and groups as CVE Numbering Authorities

The focus of the OSV schema on machine automation to make handling vulnerability information easier differentiates the schema from the popular CVE framework, Arya says. 

"Getting a CVE identifier is often time-consuming and a lot of work, so having this simple schema that focuses on automation really helps," he says. "So we can just focus on when an issue was introduced and when it was fixed, in terms of commit hashes or in terms of version, and then anyone can commit those patches."

MITRE did not provide information on whether it would support the format or work with Google on combining the CVE schema with the OSV schema. "We're always interested to see new ideas from the vulnerability management community," a MITRE spokesperson said via an e-mail. 

After several iterations, the OSV schema is now being used as the export format for data in the vulnerability and advisory databases for Go, Rust, Python, OSS-Fuzz, and DWF. In addition, Google has built automated tools for managing vulnerability databases that use the schema, including accurate matching to the open source repositories and the generation of additional data, such as the versions affected, without requiring human intervention.

Google used the tools to create the community Python advisory database, the company said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-0560
PUBLISHED: 2023-01-28
A vulnerability, which was classified as critical, has been found in SourceCodester Online Tours & Travels Management System 1.0. This issue affects some unknown processing of the file admin/practice_pdf.php. The manipulation of the argument id leads to sql injection. The attack may be initiated...
CVE-2023-0561
PUBLISHED: 2023-01-28
A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file /user/s.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The expl...
CVE-2023-23628
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the sett...
CVE-2023-23629
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard...
CVE-2023-23616
PUBLISHED: 2023-01-28
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to...