Google wants to create a standard vocabulary for describing security vulnerabilities


Google aims to make open source software more secure by creating a unified schema to describe security vulnerabilities more accurately.

Back in February, the search giant released the Open Source Vulnerabilities (OSV) database with the goal of both automating and improving vulnerability triage for developers and those who rely on open source software. 

Google's initial effort at creating this new database was helped in part by the inclusion of a dataset containing several thousand vulnerabilities from the OSS-Fuzz project. In the time since, the company has used user feedback to improve the project and make the database accessible to even more users.

Now, though, Google has announced in a new blog post that it will expand OSV with the addition of several key open source ecosystems, including Go, Rust, Python and DWF. This expansion will unite and aggregate information on security vulnerabilities from four vulnerability databases to give developers a better way to track and remediate security issues.

Open Source Vulnerabilities database

As different ecosystems and organizations have created separate databases which use their own format to describe open source vulnerabilities, tracking security bugs and flaws across multiple databases can be difficult and tedious.

For this reason, the Google Open Source Security team, the Go team and the broader open source community have been working to develop a simple vulnerability interchange schema for describing vulnerabilities.

As part of this work, the new vulnerability schema aims to address some key problems with managing vulnerabilities in open source projects, such as enforcing version specifications that precisely match the naming and versioning schemes used in actual open source package ecosystems. The schema must also be able to describe vulnerabilities in any open source ecosystem while remaining easy to use for both automated systems and people.
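To make the version-matching goal concrete, here is an added example (not code from Google or the OSV project) that loads a constructed advisory in the shape of the published OSV schema (affected[].package, affected[].ranges[].events with introduced/fixed entries) and checks whether an installed package version falls inside an affected range. The version comparison is deliberately simplified to numeric dotted versions; real ecosystems have their own ordering rules, which is exactly why the schema ties each range to its ecosystem.

```python
"""Evaluate OSV-style 'affected' ranges against an installed version.
Field names follow the published OSV schema; the record is constructed."""
import json
import re

# Constructed sample record in OSV schema shape (not a real advisory).
SAMPLE_RECORD = json.loads("""{
  "id": "EXAMPLE-2021-0001",
  "summary": "placeholder: path traversal in archive extraction",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "examplepkg"},
    "ranges": [{"type": "ECOSYSTEM", "events": [
      {"introduced": "1.0.0"}, {"fixed": "1.4.2"},
      {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}]
  }]
}""")


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2). Deliberately simplified: real
    ecosystems (PEP 440 for PyPI, semver for Go/Rust) have their own
    ordering rules, which is why OSV ties each range to an ecosystem."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(record, ecosystem, name, version):
    """True if (ecosystem, name, version) lies inside an affected range.
    Events are walked in version order: 'introduced' opens a window and
    'fixed' closes it, so the version is affected when the last event at
    or below it is an 'introduced' (the 'fixed' version itself is clean)."""
    target = parse_version(version)
    for affected in record.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            events = sorted((parse_version(v), k) for ev in rng["events"]
                            for k, v in ev.items())
            inside = False
            for ver, kind in events:
                if ver > target:
                    break
                inside = kind == "introduced"
            if inside:
                return True
    return False
```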

The vulnerability schema spec has now gone through several iterations and it will likely be some time before Google's teams can finalize it. 

However, developers and open source software advocates can now access the Go vulnerability database, Rust advisory database, Python advisory database, DWF database for vulnerabilities in the Linux kernel and other popular software as well as the OSS-Fuzz database for vulnerabilities in C/C++.

Anthony Spadafora

