Google wants to create a standard vocabulary for describing security vulnerabilities
Finalized vulnerability schema spec will help further secure open source projects
Google aims to make open source software more secure by creating a unified schema to describe security vulnerabilities more accurately.
Back in February, the search giant released the Open Source Vulnerabilities (OSV) database with the goal of both automating and improving vulnerability triage for developers and those who rely on open source software.
Google's initial effort at creating this new database was helped in part by the inclusion of a dataset containing several thousand vulnerabilities from the OSS-Fuzz project. Since then, the company has used user feedback to improve the project and make the database accessible to even more users.
Now, though, Google has announced in a new blog post that it will expand OSV by adding several key open source ecosystems, including Go, Rust, Python and DWF. This expansion will unite and aggregate security vulnerability information from four vulnerability databases to give developers a better way to track and remediate security issues.
Open Source Vulnerabilities database
As different ecosystems and organizations have created separate databases which use their own format to describe open source vulnerabilities, tracking security bugs and flaws across multiple databases can be difficult and tedious.
For this reason the Google Open Source Security team, the Go team and the broader open source community have been working to develop a simple vulnerability interchange schema designed to describe vulnerabilities.
As part of this work, the new vulnerability schema aims to address key problems with managing vulnerabilities in open source projects, such as enforcing version specifications that precisely match the naming and versioning schemes used by actual open source package ecosystems. The schema also needs to be able to describe vulnerabilities in any open source ecosystem while remaining easy to use for both automated systems and people.
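As an added illustration (not code from Google or the OSV project), the following Python reads a constructed advisory laid out the way the OSV schema describes affected packages (an ecosystem name plus ranges of introduced/fixed version events) and checks whether a given package version falls inside an affected window. The advisory id, package name and version numbers are made up for the example.

```python
import json

# Constructed advisory in the OSV schema's layout. The id, package name and
# versions are invented; only the field names follow the schema.
ADVISORY_JSON = """
{
  "id": "EXAMPLE-2021-0001",
  "summary": "Constructed example advisory for a hypothetical package",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}
      ]
    }
  ]
}
"""
ADVISORY = json.loads(ADVISORY_JSON)


def parse_version(text):
    # Dotted numeric versions only; "0" means "from the first release".
    return tuple(int(part) for part in text.split("."))


def affected_by_range(rng, version):
    """Walk introduced/fixed events in ascending version order; `version`
    is affected if the last event at or below it was an 'introduced'."""
    events = sorted(rng["events"],
                    key=lambda e: parse_version(e.get("introduced") or e["fixed"]))
    vulnerable = False
    for event in events:
        if "introduced" in event and parse_version(event["introduced"]) <= version:
            vulnerable = True
        if "fixed" in event and parse_version(event["fixed"]) <= version:
            vulnerable = False
    return vulnerable


def is_affected(advisory, ecosystem, name, version_text):
    """True if (ecosystem, name, version) is covered by an ECOSYSTEM range."""
    version = parse_version(version_text)
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry["ranges"]:
            if rng["type"] == "ECOSYSTEM" and affected_by_range(rng, version):
                return True
    return False
```

Because the range is keyed by ecosystem, the same record cannot be misread as applying to a package of the same name in a different ecosystem.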
The vulnerability schema spec has now gone through several iterations and it will likely be some time before Google's teams can finalize it.
However, developers and open source software advocates can now access the Go vulnerability database, Rust advisory database, Python advisory database, DWF database for vulnerabilities in the Linux kernel and other popular software as well as the OSS-Fuzz database for vulnerabilities in C/C++.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.