Google has launched the Open Source Vulnerabilities (OSV) website, a vulnerability database intended to help triage bugs in open-source projects and to serve both the maintainers and the consumers of open-source software.
Google argues that users of open-source software find it difficult to map a vulnerability such as a Common Vulnerabilities and Exposures (CVE) entry to the package versions they are actually using, because the versioning schemes in existing vulnerability standards do not map well to the way open-source projects really identify their code: by versions/tags and by commit hashes. "The result is missed vulnerabilities that affect downstream consumers," it warns.
OSV aims to address this by automating the triage of newly discovered bugs.
"For open source maintainers, OSV's automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges," Google notes.
"Similarly, it is time consuming for maintainers to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication. Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don't always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to.
"We are planning to work with open source communities to extend with data from various language ecosystems (e.g. NPM, PyPI) and work out a pipeline for package maintainers to submit vulnerabilities with minimal work."
According to Google, OSV is meant to provide precise data on "where a vulnerability was introduced and where it got fixed, thereby helping consumers of open-source software accurately identify if they are impacted and then make security fixes as quickly as possible."
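To make the two ideas above concrete (the automated bisection for "introduced" and "fixed" commits, and the consumer-side check of whether a given commit or tagged release falls inside that range), here is an added illustration. It is not OSV's code or data model: the commit history, the tags, and the `is_vulnerable` oracle are all constructed for the example, and the oracle stands in for what a real pipeline would do by building the project at each commit and running a reproducer.

```python
# Added illustration, not OSV's own code: bisect a linear commit history to
# find where a bug was introduced and where it was fixed, map that commit
# range back to tagged versions, and check whether an arbitrary commit is
# affected. All identifiers and data below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed linear history, oldest first (hypothetical commit ids, no branches).
HISTORY: List[str] = ["a1", "b2", "c3", "d4", "e5", "f6", "g7", "h8"]

# Constructed release tags: version -> commit (hypothetical).
TAGS: Dict[str, str] = {"1.0.0": "b2", "1.1.0": "e5", "1.2.0": "h8"}

# Hypothetical ground truth backing the oracle: the bug is present in d4..f6.
_VULNERABLE = {"d4", "e5", "f6"}


def is_vulnerable(commit: str) -> bool:
    """Stand-in for 'build the project at `commit` and run the reproducer'."""
    return commit in _VULNERABLE


@dataclass(frozen=True)
class AffectedRange:
    introduced: str        # first commit where the reproducer triggers
    fixed: Optional[str]   # first later commit where it no longer triggers; None if still open


def _first_true(history: List[str], pred: Callable[[str], bool], lo: int, hi: int) -> int:
    """Smallest i in [lo, hi) with pred(history[i]) True, or hi if there is none.
    Bisection is only valid if pred is False on a prefix of the slice and True on
    the rest; a revert or a second, separate fix breaks that assumption."""
    while lo < hi:
        mid = (lo + hi) // 2
        if pred(history[mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo


def find_affected_range(history: List[str], oracle: Callable[[str], bool],
                        known_bad: str) -> AffectedRange:
    """Starting from one commit known to reproduce the bug, bisect backwards for
    the introducing commit and forwards for the fixing commit."""
    bad = history.index(known_bad)
    if not oracle(known_bad):
        raise ValueError(f"{known_bad} does not reproduce the bug")
    # Search [0, bad]; the result is <= bad because the known-bad commit reproduces.
    intro = _first_true(history, oracle, 0, bad + 1)
    # Search (bad, end) for the first commit that no longer reproduces.
    fix = _first_true(history, lambda c: not oracle(c), bad + 1, len(history))
    return AffectedRange(history[intro], history[fix] if fix < len(history) else None)


def is_affected(history: List[str], rng: AffectedRange, commit: str) -> bool:
    """True if `commit` lies in the half-open range [introduced, fixed)."""
    i = history.index(commit)
    if i < history.index(rng.introduced):
        return False
    return rng.fixed is None or i < history.index(rng.fixed)


def affected_versions(history: List[str], rng: AffectedRange, tags: Dict[str, str]) -> List[str]:
    """Tagged releases whose commit falls inside the affected range."""
    return sorted(v for v, c in tags.items() if is_affected(history, rng, c))


if __name__ == "__main__":
    rng = find_affected_range(HISTORY, is_vulnerable, known_bad="e5")
    print(f"introduced={rng.introduced} fixed={rng.fixed}")
    print("affected releases:", affected_versions(HISTORY, rng, TAGS))
    for c in ("c3", "f6"):
        print(c, "affected" if is_affected(HISTORY, rng, c) else "not affected")
```

With the constructed data the bisection reports introduced `d4` and fixed `g7`, and the only tagged release inside that range is `1.1.0`. The commit-level check is what a version-only advisory cannot give you: a consumer pinned at `c3` (after `1.0.0`, before the bug landed) is not affected, while one pinned at `f6` (after `1.1.0`, before the fix) is, even though neither commit corresponds to any released version. The monotonicity caveat in `_first_true` is the practical limit of this technique: a revert, a partial fix, or a branch that cherry-picked the fix out of order will give a wrong answer unless each branch is bisected separately.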
OSV is another step in Google's efforts to improve the state of security in open-source software development in light of recent supply chain attacks. Google wants the community to agree on which projects count as critical and then apply more stringent rules to the maintainers of those projects. This is only a proposal for discussion at this stage, but the company wants the industry to improve vulnerability management in open-source software development.