Google launches Open Source Vulnerabilities (OSV) database

Google announced the launch of OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects.

Google last week announced the OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects.

The database aims at helping both open source maintainers and consumers of open source projects.

The archive could allow users and maintainers of open-source software to find the vulnerabilities that affect them, providing detailed info about versions and commits impacted by the issues. Maintainers of open source software could benefit of OSV’s automation to reduce the burden of triage.

“We are excited to launch OSV (Open Source Vulnerabilities), our first step towards improving vulnerability triage for developers and consumers of open source software.” reads the post published by Google. “The goal of OSV is to provide precise data on where a vulnerability was introduced and where it got fixed, thereby helping consumers of open source software accurately identify if they are impacted and then make security fixes as quickly as possible.”

At the time of the launch, the database only includes vulnerabilities from OSS-Fuzz (mostly C/C++), but Google plans to add more data sources soon (e.g. npm Registry and PyPI).

OSV already includes information on thousands of vulnerabilities from more than 380 critical open source projects integrated with Google’s OSS-Fuzz fuzzing service.

“OSV is a vulnerability database for open source projects. It exposes an API that lets users of these projects query whether or not their versions are impacted.” reads the description of the project.

“For each vulnerability, we perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges.”

The OSV database exposes a simple API to query for vulnerabilities, maintainers and users could provide a git commit hash or a version number to receive the list of vulnerabilities that are present for that version.

“Similarly, it is time consuming for maintainers to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication.” continues Google. “Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don’t always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to.”

The OSV aims at rethinking and promoting better, scalable vulnerability tracking for open source.

“In an ideal world, vulnerability management should be done closer to the actual open source development process, aided by automated infrastructure. Projects that depend on open source should be promptly notified and fixes uptaken quickly when a vulnerability is reported,” Google closes.

Users can access the OSV website and documentation at https://osv.dev and explore the open source repo or contribute to the project on GitHub. Google also set up a mailing list to stay up to date with OSV and share your thoughts on vulnerability tracking.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Open Source Vulnerabilities)

[adrotate banner=”5″]

[adrotate banner=”13″]