UPDATED 09:00 EST / JUNE 24 2021

SECURITY

Google announces unified schema to make sharing vulnerabilities easier

Google LLC today announced a unified schema for describing vulnerabilities precisely to make it easier to share vulnerabilities between databases.

The idea behind the unified schema is to address an issue with existing vulnerability databases where various ecosystems and organizations create their own data. As each uses its own format to describe vulnerabilities, a client tracking vulnerabilities across multiple databases must handle each separately. Because of the lack of a common standard, sharing vulnerabilities among databases is challenging.

The new unified schema for describing vulnerabilities was designed by the Google Open Source Security Team, the Go Team and the broader open-source community, and was built from the beginning for open-source ecosystems. The unified format will allow vulnerability databases, open-source users and security researchers to share tooling and consume vulnerabilities more easily across open source, providing a complete view of vulnerabilities in open source.

“This new vulnerability schema aims to address some key problems with managing vulnerabilities in open source,” Oliver Chang from the Google Open Source Security Team and Russ Cox from the Go Team said in a blog post. “We found that there was no existing standard format which enforces version specification that precisely matches naming and versioning schemes used in actual open-source package ecosystems.”

In one example, matching a vulnerability such as a Common Vulnerabilities and Exposures listing to a package name and set of versions in a package manager is said to be difficult to do in an automated way using existing mechanisms.

“With this schema, we hope to define a format that all vulnerability databases can export,” Chang and Cox added. “A unified format means that vulnerability databases, open-source users and security researchers can easily share tooling and consume vulnerabilities across all of open source.”
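To make the version-matching problem concrete, here is an added example (not code from the article, from Google or from the OSV project) of the kind of check a unified, machine-readable format enables. The advisory record, its field names, the package name `example-widget` and the id `EXAMPLE-2021-0001` are all constructed for illustration; the structure is loosely modelled on an advisory that names an ecosystem, a package and semantic-version ranges with introduced/fixed events, and is not the authoritative schema. The point is that, with exact ecosystem and package names plus precise version bounds, deciding whether an installed version is affected becomes a deterministic comparison rather than a fuzzy match against free text.

```python
"""Match an installed package version against a constructed advisory record.

The record layout below is an assumption modelled loosely on advisories that
carry (ecosystem, package name, semantic-version ranges); it is illustrative
and not an authoritative schema.
"""
import re

# Constructed sample advisory: placeholder id and package, not a real vulnerability.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-2021-0001",
    "summary": "constructed example: denial of service in widget parser",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "example-widget"},
            "ranges": [
                {"type": "SEMVER",
                 "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.3"}]},
                {"type": "SEMVER",
                 "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.2"}]},
            ],
        }
    ],
}

_SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_semver(text):
    """Turn '1.4.3' or '1.4.3-rc1' into a tuple that sorts in semver order."""
    m = _SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = m.groups()
    # A pre-release (1.4.3-rc1) precedes its final release (1.4.3), so a
    # release gets flag 1 and a pre-release flag 0 at the same numbers.
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def _bound(text):
    """'0' is the conventional 'from the first version ever' lower bound."""
    return (0, 0, 0, 0, "") if text == "0" else parse_semver(text)


def version_in_range(version, events):
    """True if `version` lies in some [introduced, fixed) interval of `events`."""
    v = parse_semver(version)
    # Sort events by their version so introduced/fixed pairs are walked in order.
    ordered = sorted(events, key=lambda ev: _bound(next(iter(ev.values()))))
    affected = False
    for ev in ordered:
        if "introduced" in ev and _bound(ev["introduced"]) <= v:
            affected = True
        elif "fixed" in ev and _bound(ev["fixed"]) <= v:
            affected = False
    return affected


def find_affecting(advisory, ecosystem, name, version):
    """Return the advisory id if (ecosystem, name, version) is affected, else None."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        # Exact ecosystem + name match: the precision a unified schema enforces,
        # instead of guessing from a CVE's free-text product description.
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue  # other range types need ecosystem-specific ordering
            if version_in_range(version, rng["events"]):
                return advisory["id"]
    return None


if __name__ == "__main__":
    for ver in ("1.1.9", "1.3.0", "1.4.3", "2.0.1", "2.5.0"):
        hit = find_affecting(SAMPLE_ADVISORY, "PyPI", "example-widget", ver)
        print(f"example-widget {ver}: {'AFFECTED by ' + hit if hit else 'not affected'}")
```

The `fixed` bound is exclusive and the `introduced` bound inclusive, so `1.4.3` itself is reported clean while `1.4.2` is not; a pre-release such as `1.2.0-rc1` sorts below `1.2.0` and therefore falls outside a range that starts at `1.2.0`. Range types other than semantic versioning are skipped here because their ordering depends on the ecosystem's own rules.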

The schema comes in the footsteps of Google’s own Open Source Vulnerabilities database launched in February. Google pitched the database at launch as being a “first step toward improving vulnerability triage for developers and consumers of open-source software.”

The OSV database initially launched with a dataset of a few thousand vulnerabilities from the OSS-Fuzz project. Along with announcing the unified schema for describing vulnerabilities, Google also announced that the OSV database has now expanded to several key open-source ecosystems, including Go, Rust, Python and DWF.

Photo: Thomas Hawk/Flickr
