Author and business expert H. James Harrington once said, “If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t make it better. “He was right. And Google is following that advice by introducing a new way to boost open source security by introducing a vulnerability swap scheme to describe the vulnerabilities. in open source ecosystems.
Its very important. A low level problem is that there are many databases of security vulnerabilities, there is no standard exchange format. If you want to aggregate information from multiple databases, you must manage each of them completely separately. It is a real waste of time and energy. At the very least, you should create analyzers for each database format in order to merge their data. All of this makes systematic dependency tracking and collaboration between vulnerability databases much more difficult than it should be.
Thus, Google built on the work already done on the Open Source Vulnerabilities (OSV) database and the OSS-Fuzz data set on security vulnerabilities. The Google Open Source Security team, the Go team, and the wider open source community all helped create this simple vulnerability trading scheme. While working on the schema, they could communicate accurate vulnerability data for hundreds of critical open source projects.
Now the OSV and Schema have been extended to several new key open source ecosystems: Go, Rust, Python, and DWF. This extension unites and aggregates their vulnerability databases. This gives developers a better way to track and resolve their security issues.
This new vulnerability scheme aims to address some key issues related to open source vulnerability management. This:
- Applies a version specification that precisely matches the naming and versioning schemes used in actual open source package ecosystems. For example, it is difficult to map a vulnerability such as a CVE to a package name and a set of versions in a package manager in an automated manner using existing mechanisms such as CPEs.
- Can describe vulnerabilities in any open source ecosystem, without requiring ecosystem-dependent logic to address them.
- Is easy to use by automated systems and humans.
In short, as Abhishek Arya, the head of the Google Open Source security team, wrote in a note on the specification manuscript: “The intention is to create a simple schema format that contains metadata of precise vulnerability, details needed to fix the bug, and is a low burden on the resource-constrained open source ecosystem. “
The hope is that with this scheme, developers can define a format that all vulnerability databases can export. Such a unified format would mean that programmers and security researchers can easily share vulnerability tools and data across all open source projects.
The vulnerability schema specification has undergone several iterations, but is not yet complete. Google and friends are seeking more feedback as finalization nears. A number of public vulnerability databases already export this format, and more are in preparation:
The OSV service has also aggregated all of these vulnerability databases, which are searchable on the project’s web user interface. Databases can also be queried with a single command through its existing APIs.
In addition to the existing automation of OSV, Google created more automation tools for the maintenance of the vulnerability database and used these tools to bootstrap the community’s Python advisory database. This automation takes existing flows, accurately associates them with packages, and generates entries containing precise and validated version ranges with minimal human intervention. Google plans to extend this tool to other ecosystems for which there is no database of vulnerabilities or little support for the ongoing maintenance of the database.
This effort also aligns with the recent U.S. decree on improving national cybersecurity, which underscored the need to remove barriers to sharing threat information in order to strengthen national infrastructure. This extensive shared vulnerability database marks an important step towards creating a more secure open source environment for all users.
Want to get involved? You should. This promises to make open source software, whatever your project, a lot easier to secure.