To address vulnerabilities in open source projects, Google is building a vulnerability database called Open Source Vulnerabilities (OSV). In an announcement on June 24, 2021, Google revealed that the scope of open source ecosystems covered by OSV has been expanded to include Python, Rust, Go, and DWF.
Open source software is used by many companies and developers, but it carries security risks of its own. For example, surveys have found that 84% of commercial codebases contain at least one open source vulnerability. Such vulnerabilities can usually be fixed with a simple library update, yet 79% of developers do not update the third-party libraries in their code. As a result, many open source vulnerabilities in deployed codebases remain unfixed.
To help with this, Google launched OSV in February 2021. Before an open source vulnerability can be fixed, it has to be triaged: someone must work out which versions are affected and how serious the issue is, which takes time and effort. OSV is an effort to automate and speed up that triage.
OSV records where each vulnerability was introduced and where it was fixed (the commits and, from them, the affected version ranges), so that developers can tell whether the code they actually run is impacted. When OSV was first announced, it was populated with vulnerabilities found by fuzzing open source projects through Google's OSS-Fuzz.
Then, on June 24, Google announced that it would expand the ecosystems OSV covers to Python, Rust, Go, and DWF.
Open source vulnerability databases have historically each used their own format, created independently by the company or organization running them. The practical problem is that consumers have to track vulnerabilities across multiple databases and handle each format separately. Google worked with several open source communities on a shared vulnerability interchange schema, the OSV schema, so that vulnerabilities in different open source projects are described in one format that both humans and automated tools can consume.
Google expanded OSV using the feedback gathered from these community collaborations. According to Google, once the format had stabilized, the participating communities converted their existing vulnerability datasets to the OSV schema.
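Here is what an OSV-schema record looks like in practice, and how a tool uses its "introduced" and "fixed" events to decide whether a given package version is affected. This is an added example written for this article, not code from Google's OSV project: the record, its ID EXAMPLE-2021-0001, the package names examplepkg and examplecrate, and the version numbers are constructed for illustration, and the helper names (parse_semver, affected_intervals, is_affected) are the example's own.

```python
"""Parse an OSV-schema record and decide whether a package version is
affected. Added, stand-alone example, not code from Google's OSV project;
the record below is constructed and its ID, package names and version
numbers are made up."""
import json

# Constructed record in OSV schema layout (schema at
# https://ossf.github.io/osv-schema/). Two affected packages: one with two
# fixed ranges, one introduced and never fixed.
SAMPLE_RECORD = json.dumps({
    "schema_version": "1.3.0",
    "id": "EXAMPLE-2021-0001",          # hypothetical identifier
    "summary": "Hypothetical path traversal in examplepkg",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplepkg"},
            "ranges": [{
                "type": "SEMVER",
                "events": [
                    {"introduced": "0"}, {"fixed": "1.2.3"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.5"},
                ],
            }],
        },
        {
            "package": {"ecosystem": "crates.io", "name": "examplecrate"},
            "ranges": [{
                "type": "SEMVER",
                "events": [{"introduced": "0.3.0"}],   # no fix yet
            }],
        },
    ],
})


def parse_semver(version):
    """'MAJOR.MINOR.PATCH[-pre][+build]' -> comparable tuple.
    Build metadata is ignored; a pre-release sorts below its release."""
    core, _, _ = version.partition("+")
    core, _, pre = core.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((0, pre) if pre else (1, ""))


def affected_intervals(events):
    """Pair OSV events into (start, end, end_inclusive) intervals.
    'fixed' is exclusive, 'last_affected' is inclusive, and an
    'introduced' with no closing event means affected ever since."""
    intervals, start = [], None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event:
            intervals.append((start or "0", event["fixed"], False))
            start = None
        elif "last_affected" in event:
            intervals.append((start or "0", event["last_affected"], True))
            start = None
    if start is not None:
        intervals.append((start, None, False))
    return intervals


def version_in_interval(version, interval):
    """Half-open [start, end) check, or closed when end is inclusive."""
    start, end, inclusive = interval
    v = parse_semver(version)
    if start != "0" and v < parse_semver(start):   # "0" = from the beginning
        return False
    if end is None:
        return True
    e = parse_semver(end)
    return v <= e if inclusive else v < e


def is_affected(record_json, ecosystem, name, version):
    """True if (ecosystem, name, version) is inside any affected range.
    Only SEMVER ranges are evaluated: ECOSYSTEM ranges need the
    ecosystem's own version ordering (e.g. PEP 440 for PyPI) and GIT
    ranges need a commit-graph walk, so both are skipped here."""
    record = json.loads(record_json)
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):        # explicit enumeration
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue
            if any(version_in_interval(version, iv)
                   for iv in affected_intervals(rng.get("events", []))):
                return True
    return False


if __name__ == "__main__":
    for eco, pkg, ver in [("PyPI", "examplepkg", "1.2.2"),
                          ("PyPI", "examplepkg", "1.9.0"),
                          ("PyPI", "examplepkg", "2.0.5-rc1"),
                          ("crates.io", "examplecrate", "9.9.9")]:
        state = "affected" if is_affected(SAMPLE_RECORD, eco, pkg, ver) else "clean"
        print(eco, pkg, ver, state)
```

Two details the shared schema settles uniformly, and that per-database formats used to leave to each reader: ranges are half-open, so the "fixed" version itself is clean, and a pre-release such as 2.0.5-rc1 that precedes the fix is still affected. For a real package the same check runs against the live database (a POST to https://api.osv.dev/v1/query with the package name, ecosystem and version), which returns records in this same layout, so the parsing above carries over unchanged.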