Google has launched the Open Source Vulnerabilities (OSV) website, offering up a vulnerability database to help triage bugs in open-source projects and help maintainers and consumers of open source.
Google argues that users of open-source software find it difficult to map a vulnerability such as a Common Vulnerabilities and Exposures entry to the package versions they are using because versioning schemes in existing vulnerability standards do not map well with the actual open-source versioning schemes, which are typically versions/tags and commit hashes. “The result is missed vulnerabilities that affect downstream consumers,” it warns.
Google is already sponsoring open-source projects to move them from buggy C code to the memory-safe programming language, Rust. Last week, it also proposed a framework for the open-source community to judge which projects should be deemed “critical” and tougher rules on developers who contribute to these projects.
SEE: Security Awareness and Training policy (TechRepublic Premium)
The OSV aims to address issues around the triage of newly discovered bugs via automation.
“For open source maintainers, OSV’s automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges,” Google notes.
“Similarly, it is time consuming for maintainers to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication. Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don’t always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to.
“We are planning to work with open source communities to extend with data from various language ecosystems (e.g. NPM, PyPI) and work out a pipeline for package maintainers to submit vulnerabilities with minimal work.”
Google’s effort mirrors Microsoft’s open-source security initiatives through GitHub that aim to speed up remediation via tools like Microsoft Teams.
According to Google, OSV is meant to provide precise data on “where a vulnerability was introduced and where it got fixed, thereby helping consumers of open-source software accurately identify if they are impacted and then make security fixes as quickly as possible.”
OSS-Fuzz has been a successful program at Google, helping uncover thousands of bugs in key open-source projects. Fuzzing involves throwing code at an application with the intent of crashing the program.
OSV is another step in Google’s efforts to improve the state of security in open-source software development in light of these recent supply chain attacks. Google wants the community to agree on what is a critical project and then apply more stringent rules on maintainers of those projects. It’s just a discussion but the company wants the industry to improve vulnerability management in open-source software development.
However it has listed over 380 open-source software projects it considers critical and is working with package distribution platforms to improve vulnerability management.
“Vulnerability management can be painful for both consumers and maintainers of open source software, with tedious manual work involved in many cases,” Google said.