Google Extends Open Source Vulnerability Database to Python, Rust, Go, and DWF

0

Where is your business on the AI ​​recruiting curve? Take the AI ​​survey to find out.


Let’s do it Information bulletin on OSS companies Guide your open source journey! register here..

Google today announced that it has extended an open source vulnerability (OSVA database to incorporate data from additional open source projects, using a unified schema to “accurately describe the vulnerability.”

The advantage of open source software is widely understood, however, concerns about vulnerabilities are often in the mind. · Most of the code base contains: There is at least one known open source vulnerability and this week’s report often concludes, The developer does not update the third-party libraries after integrating them into the software. The same report states that 92% of flaws in open source libraries can be easily fixed with a simple update.

Open source software affects almost everyone, everywhere. From small start-ups to large corporations, businesses rely on community components for most applications. Therefore, it is in everyone’s best interests to ensure that open source software is properly maintained.

Sorting vulnerabilities

February, google release open source vulnerability database. This is called the “first step to improving vulnerability triage” for developers and other open source consumers. Vulnerability triage is the process of assessing and ranking known vulnerabilities in a software component in order of risk to the applications that use it.

OSV provides data on where the vulnerability first occurred and where it was patched, allowing developers to better understand how the vulnerability is affected. On startup, the OSV says “Fuzzing (a technique for finding software programming errors) OSS-Fuzz service run by Google Integrate with hundreds of open source projects.

Today, Google is expanding OSV to include vulnerability databases from major open source projects, including: Python, rust, go, and DWF.

One of the main challenges of aggregating data from multiple open source databases is often compliance with the different formats created by individual organizations. This distributed model makes it more difficult to integrate and describe vulnerabilities in general terms. This is why Google is working with the wider open source community on a “Vulnerability Exchange Scheme” to describe the vulnerabilities of open source projects in a format that can be used by both humans and automation tools. . ..

Since collaboration is a central belief in open source software, extending OSV to include other open source ecosystems required the active participation of all relevant maintainers.

“Their feedback helped us iterate, improve and generalize the format,” Oliver Chang, Google software engineer, told VentureBeat. “Once the format was stable, we made some changes to the existing vulnerability dataset to match the format of the OSV schema, which allows the OSV service to aggregate the dataset. Anyone can now use it to check for open source dependency vulnerabilities. “

Double down

Google appears to have recently doubled its investment in open source security. Last week, it’s a new suggestion An “end-to-end framework for supply chain integrity” called the supply chain level (SLSA) of software artifacts. It specifies the level of security certification for various software packages. The Internet giant was also a founding member of the New Linux Foundation Project Called the Sigstore, which aims to help software developers identify the origin and reliability of their software. And in February, Google revealed it would be hiring two Linux kernel developers to help improve security.

New because Google expects more feedback from the open source community Vulnerability schema specification Not yet confirmed. However, OSS-Fuzz, Python, Rust, Go, and DWF all export this format and OSV combines them. Vulnerability database on the public portal You can also query using a single command Via the existing API.

Venture out

VentureBeat’s mission is to become a digital public place for technical decision-makers to acquire knowledge about innovative technologies and commerce. Our site provides important information on data technologies and strategies to guide you as you run your organization. We encourage you to become a member of the community and access:

  • The latest information on the subject that interests you
  • Newsletter
  • Secure sorting drive content and discounted access to valuable events such as: Transformation 2021: learn more
  • Network function, etc.

Become a member

Source Link Google Extends Open Source Vulnerability Database to Python, Rust, Go and DWF


Source link

Share.

About Author

Leave A Reply