Google aims to make open source software more secure by creating a unified schema to describe security vulnerabilities more accurately.
Back in February, the search giant released the Open Source Vulnerabilities (OSV) database with the goal of both automating and improving vulnerability triage for developers and those who rely on open source software.
Google's initial effort at creating this new database was helped in part by the inclusion of a dataset containing several thousand vulnerabilities from the OSS-Fuzz project. In the time since, the company has used feedback from users to improve the project and make the database accessible to even more people.
Now, though, Google has announced in a new blog post that it will expand OSV with the addition of several key open source ecosystems, including Go, Rust, Python and DWF. This expansion will unite and aggregate information on security vulnerabilities from four vulnerability databases to give developers a better way to track and remediate security issues.
Open Source Vulnerabilities database
As different ecosystems and organizations have created separate databases, each using its own format to describe open source vulnerabilities, tracking security bugs and flaws across multiple databases can be difficult and tedious.
For this reason, the Google Open Source Security team, the Go team and the broader open source community have been working to develop a simple interchange schema for describing vulnerabilities.
As part of this work, the new vulnerability schema aims to address some key problems with managing vulnerabilities in open source projects, such as enforcing version specifications that precisely match the naming and versioning schemes used in actual open source package ecosystems. The schema also needs to be able to describe vulnerabilities in any open source ecosystem while remaining easy to use by both automated systems and people.
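As an added illustration of what a machine-readable schema with ecosystem-precise version ranges buys a developer, the following is example code written for this article, not Google's or the OSV project's own: the advisory id, package name and versions are constructed, and the affected/ranges/events layout is assumed from the OSV format rather than quoted from the article.

```python
import json
import re
from typing import Tuple

# Constructed sample advisory in an OSV-style JSON layout (an assumption: the
# article quotes no schema text). The id, package and versions are placeholders.
ADVISORY = json.loads("""{
  "id": "EXAMPLE-0001",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "widget-parser"},
    "ranges": [{"type": "SEMVER", "events": [
      {"introduced": "1.2.0"}, {"fixed": "1.4.1"},
      {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}]
  }]
}""")

def parse_semver(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_in_range(rng: dict, version: str) -> bool:
    """A version is affected from each 'introduced' event (inclusive) up to the
    next 'fixed' event (exclusive); an 'introduced' with no 'fixed' is open-ended."""
    v = parse_semver(version)
    start = None  # lower bound of the range currently being walked
    for event in rng["events"]:
        if "introduced" in event:
            intro = event["introduced"]
            start = (0, 0, 0) if intro == "0" else parse_semver(intro)  # "0" means every version
        elif "fixed" in event and start is not None:
            if start <= v < parse_semver(event["fixed"]):
                return True
            start = None
    return start is not None and v >= start

def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """Match on ecosystem AND name, since one package name can exist in several ecosystems."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] == ecosystem and pkg["name"] == name:
            if any(r["type"] == "SEMVER" and version_in_range(r, version)
                   for r in entry["ranges"]):
                return True
    return False

if __name__ == "__main__":
    print([(v, is_affected(ADVISORY, "PyPI", "widget-parser", v)) for v in ("1.1.9", "1.2.0", "1.10.0", "2.0.2")])
```

Comparing versions as integer tuples rather than strings is the point: a plain string comparison would sort "1.10.0" before "1.4.1" and wrongly report it as affected.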
The vulnerability schema spec has now gone through several iterations and it will likely be some time before Google's teams can finalize it.
However, developers and open source software advocates can now access the Go vulnerability database, the Rust advisory database, the Python advisory database, the DWF database for vulnerabilities in the Linux kernel and other popular software, as well as the OSS-Fuzz database for vulnerabilities in C/C++.