Google extends open source vulnerability database to Python and Go



To solve the vulnerability problem related to open source projects, Google is building a vulnerability database 'Open Source Vulnerabilities (OSV)'. The announcement dated June 24, 2021 revealed that the scope of open source projects handled by OSV extends to Python, Rust, Go, and DWF.

Google Online Security Blog: Announcing a unified vulnerability schema for open source
https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html

GitHub - google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.
https://github.com/google/oss-fuzz

Google extends open source vulnerabilities database to Python, Rust, Go, and DWF | VentureBeat
https://venturebeat.com/2021/06/24/google-extends-open-source-vulnerabilities-database-to-python-rust-go-and-dwf/



Many companies and developers use open source software, whose source code is publicly available, but by its very nature open source software carries certain security risks. For example, one survey found that 84% of the commercial code bases investigated contained at least one open source vulnerability. While a vulnerability in an open source library can usually be fixed with a simple update, it has also been found that 79% of developers have not updated the third-party libraries in their code. Under these circumstances, it has been pointed out that many code bases leave open source vulnerabilities unfixed.

To solve the above problems, Google launched OSV in February. Fixing an open source vulnerability first requires 'vulnerability triage', which ranks the risk the vulnerability poses, and this can be laborious and time consuming. OSV is an effort to improve the process of vulnerability triage.

OSV
https://osv.dev/



Launching OSV - Better vulnerability triage for open source | Google Open Source Blog
https://opensource.googleblog.com/2021/02/launching-osv-better-vulnerability.html

OSV records where each vulnerability was first introduced and where it was fixed, which helps developers understand the impact of the vulnerability. When OSV was first published, Google populated it with vulnerabilities found by fuzzing various open source projects.

And on June 24, 2021, Google announced that it would extend the scope of open source projects handled by OSV to Python, Rust, Go, and DWF.

Databases of open source vulnerabilities are often created individually by each company or organization, each in its own format. The challenge is that users must track vulnerabilities across multiple databases and handle each one separately. Google is working on a 'vulnerability exchange schema' in collaboration with various open source communities. This schema now describes vulnerabilities across multiple open source projects in a format that can be used by both 'humans' and 'automation tools.'

With the help of various communities, Google has been expanding OSV based on their feedback. 'After the format was stable, community participants made modifications to their existing vulnerability dataset to match the format of the OSV schema,' said Oliver Chang, a Google engineer. 'This allows the OSV schema to aggregate their datasets, allowing anyone to query for vulnerabilities.'
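The article describes two properties of OSV: it records where a vulnerability was introduced and where it was fixed, and it exposes that data in a schema that both people and automation can consume. As an added example (this is not code from the article, from Google, or from the OSV project), here is a small Python consumer that reads a record laid out with the OSV schema's public field names (`id`, `affected`, `package`, `ranges`, `events`) and uses the `introduced`/`fixed` events to decide whether a given package version is affected. The record itself, its id `EXAMPLE-2021-0001`, the package name `foo-parser` and all version numbers are constructed for illustration; the version comparison assumes plain dotted numeric versions.

```python
"""Read an OSV-schema vulnerability record and decide whether a given
package version falls inside one of its affected ranges.

The record below is a constructed sample using the OSV schema's public
field names; the id, package name and versions are not a real advisory.
"""
import json

SAMPLE_OSV_RECORD = json.dumps({
    "schema_version": "1.0.0",
    "id": "EXAMPLE-2021-0001",  # constructed placeholder, not a real OSV id
    "summary": "Constructed example: unsafe deserialization in foo-parser",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "foo-parser"},
            "ranges": [
                {
                    # ECOSYSTEM ranges are ordered introduced/fixed events
                    # expressed in the ecosystem's own version scheme.
                    "type": "ECOSYSTEM",
                    "events": [
                        {"introduced": "1.2.0"},
                        {"fixed": "1.2.5"},
                        {"introduced": "2.0.0"},
                        {"fixed": "2.0.3"},
                    ],
                }
            ],
        }
    ],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
})


def load_record(text: str) -> dict:
    """Parse one OSV JSON document into a dict."""
    return json.loads(text)


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '1.2.5' into a comparable tuple.
    The schema uses '0' in an 'introduced' event to mean 'from the very first
    version'. Assumption: versions here are purely numeric (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def _event_sort_key(event: dict) -> tuple:
    """Order events by version; on a tie, process 'introduced' before 'fixed'."""
    if "introduced" in event:
        return (parse_version(event["introduced"]), 0)
    return (parse_version(event["fixed"]), 1)


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """Return True if `version` of `name` in `ecosystem` is affected.

    For each matching package entry, the explicit `versions` list is checked
    first, then every SEMVER/ECOSYSTEM range is walked in version order:
    an `introduced` event at or below the target switches the state to
    vulnerable, a `fixed` event at or below the target switches it back.
    GIT ranges are skipped because they need commit history, not versions.
    """
    target = parse_version(version)
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
                continue
            vulnerable = False
            for event in sorted(rng.get("events", []), key=_event_sort_key):
                if "introduced" in event and parse_version(event["introduced"]) <= target:
                    vulnerable = True
                if "fixed" in event and parse_version(event["fixed"]) <= target:
                    vulnerable = False
            if vulnerable:
                return True
    return False


def affected_versions(record: dict, ecosystem: str, name: str, candidates: list) -> list:
    """Filter a list of installed/candidate versions down to the affected ones."""
    return [v for v in candidates if is_affected(record, ecosystem, name, v)]


if __name__ == "__main__":
    record = load_record(SAMPLE_OSV_RECORD)
    installed = ["1.1.0", "1.2.3", "1.2.5", "2.0.1", "2.0.3"]
    print(record["id"], "affects:", affected_versions(record, "PyPI", "foo-parser", installed))
```

The walk over sorted events is what makes the "introduced here, fixed there" data usable by a tool: a scanner only needs the package name, ecosystem and installed version to answer the triage question the article says OSV is meant to speed up, and the second introduced/fixed pair shows why a single "fixed" version is not enough when a bug is reintroduced in a later release line.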

in Security, Posted by darkhorse_log