Google unveils a unified vulnerability schema for open source

The release aims to make it easier to share vulnerabilities between databases.

Google this week announced a unified schema to address a long-standing problem with existing vulnerability databases: each ecosystem and organization publishes its vulnerability data in its own format.

Each entity uses its own format to describe vulnerabilities. This means a client tracking vulnerabilities across multiple databases has to handle each separately. Until now, the lack of a common standard made sharing vulnerabilities among databases very difficult.

The new schema is a product of the Google Open Source Security Team, Go Team and the broader open-source community. The company says they designed the schema from the beginning for open-source ecosystems. The unified format will allow vulnerability databases, open-source users and security researchers to share tooling and consume vulnerabilities more easily. This will provide a complete view of vulnerabilities in open source.

Reducing manual work to facilitate database “triage”

Oliver Chang of the Google Open Source Security team and Russ Cox from the Go team jointly detailed the innovation in a blog post this week. “One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work,” they write. “It is essential to have a precise common data format to triage and remediate security vulnerabilities, particularly when communicating about risks to affected dependencies—it enables easier automation and empowers consumers of open-source software to know when they are impacted and make security fixes as soon as possible.”

Google released the Open Source Vulnerabilities (OSV) database in February. Their goal was to automate and improve vulnerability triage for developers and users of open source software. This week they took the next step by expanding OSV to several key open-source ecosystems: Go, Rust, Python, and DWF. “This expansion unites and aggregates four important vulnerability databases, giving software developers a better way to track and remediate the security issues that affect them.”