Google launches unified initiative to boost open source security reporting
One of the problems with open source vulnerability databases is that each uses its own format to describe vulnerabilities and this makes tracking and sharing of vulnerabilities between databases difficult.
To address this and boost security, the Google Open Source Security team, Go team, and the broader open-source community have been developing a simple vulnerability interchange schema for describing vulnerabilities.
It's been designed from the beginning for open-source ecosystems, allowing for easier automation and empowering consumers of open-source software to know when they are impacted and make security fixes as soon as possible.
Google launched its Open Source Vulnerabilities (OSV) database in February, today it's expanded to cover more open-source ecosystems: Go, Rust, Python, and DWF. This is in line with the US Executive Order on Improving the Nation's Cybersecurity, which emphasizes the need to remove barriers to sharing threat information in order to protect infrastructure.
Google's specification for the schema says, "This shared interchange format is not expected to be the internal format for any particular database. We hope only that every vulnerability database will make its entries available in this format to enable interoperability."
You can read more on the Google Security Blog where you'll also find links to a range of tools built to improve and automate vulnerability database management.
Image credit: Willy Barton / Shutterstock