Google recently launched the "OSV" (Open Source Vulnerabilities) database, as a "first step towards improving vulnerability triage for developers and consumers of open source software."
The purpose of OSV will be to provide precise data on where a vulnerability was introduced and where it was fixed. This will help consumers of open source software determine if they were impacted and make the appropriate security changes.
Google says the OSV project evolved from its efforts to improve vulnerability management in open source.
Google launches OSV
Google notes that vulnerability management can be very painful for consumers and developers of open source software.
For consumers, it can be challenging to map a vulnerability like a CVE entry to the package versions they are using. The result can be missed vulnerabilities which affect downstream consumers.
For developers, it is incredibly time consuming to get an accurate list of affected versions from all branches for downstream consumers after a vulnerability is fixed.
Google adds that many open source projects are overworked and underfunded, including ones that are critical to modern infrastructure. This is where OSV steps in.
Google has two primary goals for OSV:
"Reduce the work required by maintainers to publish vulnerabilities.
Improve the accuracy of vulnerability queries for downstream consumers by providing precise vulnerability metadata in an easy-to-query database (complementing existing vulnerability databases)."
How does OSV work?
Google says that OSV will automate workflow for an open source package consumer by providing an API to query for vulnerabilities.
"OSV aims to simplify the vulnerability reporting process for an open source package maintainer by accurately determining the list of affected versions and commits. This requires providing both the commits that introduce and fix the bugs. If that information is not available, OSV requires providing a reproduction test case and steps to generate an application build, and then it performs bisection to find these commits in an automated fashion. OSV takes care of the rest of the analysis to figure out impacted commit ranges (accounting for cherry picks) and versions/tags."
Currently, OSV provides access to thousands of vulnerabilities from more than 380 critical OSS projects integrated with OSS-Fuzz.
Google plans to extend this with data from a variety of language ecosystems and to create a pipeline for package maintainers to submit vulnerabilities with minimal work.
"Our goal with OSV is to rethink and promote better, scalable vulnerability tracking for open source. In an ideal world, vulnerability management should be done closer to the actual open source development process, aided by automated infrastructure. Projects that depend on open source should be promptly notified and fixes uptaken quickly when a vulnerability is reported."
For more information, read Google's Security Blog about OSV.