Google continues to push to provide open source developers with more tools to improve the security of their software, with an update to the Open Source Vulnerability (OSV) schema, a machine-friendly way of describing vulnerability information, the company said this week.
The OSV schema aims to precisely describe vulnerabilities in a way tailored to the open source use case, "with the goal of automating and improving vulnerability triage for developers and users of open source software," Google stated in a blog post published on June 24. The project could allow various developer tools to natively handle vulnerability information and make it easier for users of open source components to know whether particular vulnerabilities affect their applications.
The aim is to reduce the effort required to document vulnerabilities in open source projects, to make the issues easier to track, says Abhishek Arya, principal engineer in the Open Source Security group at Google.
"The intention is that there will be zero or minimal effort to issue vulnerabilities in the schema format, and the actual open source developers will have to do the least amount of work," Arya says. "Our ideal workflow is an OS developer makes a commit in their repository, maybe with some metadata, and all the automated systems will pick it up and notify the consumer."
The OSV schema is the latest effort by Google to make securing open source software easier and more efficient. In early June, the company released a cloud application that allows developers to explore the dependency graphs of various open source projects. Called Open Source Insights, the visualization site allows anyone to see the software libraries and other open source components on which
In November, the company also announced, along with the Open Source Security Foundation (OpenSSF), a project called Security Scorecards for Open-Source Projects that rates projects based on a set of security-evaluation metrics.
"A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source," members of Google's Open Source Security and Go development teams stated in the OSV blog post. "This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation."
Google released the original version of the schema in February, based on the database schema used by the Rust team for their vulnerability database. The Rust Foundation had already created a machine-readable format as part of its RustSec Advisory Database maintained by the Rust Secure Code Working Group.
The latest version announced this month also includes support for the vulnerability databases used by Go, Python, and the Distributed Weakness Filing (DWF) system, an open source project that aims to recreate and augment the Common Vulnerabilities and Exposures (CVE) project.
The CVE project verifies software security issues and assigns vulnerability identifiers, but in 2016 and 2017 suffered an immense backlog due to operational issues. MITRE, the nonprofit government R&D organization that manages the CVE process, reorganized the vetting process and brought on more than a hundred companies and groups as CVE Numbering Authorities.
The focus of the OSV schema on machine automation to make handling vulnerability information easier differentiates the schema from the popular CVE framework, Arya says.
"Getting a CVE identifier is often time-consuming and a lot of work, so having this simple schema that focuses on automation really helps," he says. "So we can just focus on when an issue was introduced and when it was fixed, in terms of commit hashes or in terms of version, and then anyone can commit those patches."
MITRE did not provide information on whether it would support the format or work with Google on combining the CVE schema with the OSV schema. "We're always interested to see new ideas from the vulnerability management community," a MITRE spokesperson said via an e-mail.
After several iterations, the OSV schema is now being used as the export format for data in the vulnerability and advisory databases for Go, Rust, Python, OSS-Fuzz, and DWF. In addition, Google has built automated tools for managing vulnerability databases that use the schema, including accurate matching to the open source repositories and the generation of additional data, such as the versions affected, without requiring human intervention.
Google used the tools to create the community Python advisory database, the company said.