Google LLC today announced a unified schema for describing vulnerabilities precisely to make it easier to share vulnerabilities between databases.

The idea behind the unified schema is to address an issue with existing vulnerability databases where various ecosystems and organizations create their own data. As each uses its own format to describe vulnerabilities, a client tracking vulnerabilities across multiple databases must handle each separately. Because of the lack of a common standard, sharing vulnerabilities among databases is challenging.

The new unified schema for describing vulnerabilities has been designed by the Google Open Source Security Team, Go Team and the broader open-source community and has been designed from the beginning for open-source ecosystems. The unified format will allow vulnerability databases, open-source users and security researchers to share tooling and consume vulnerabilities more easily across open source, providing a complete view of vulnerabilities in open source.

“This new vulnerability schema aims to address some key problems with managing vulnerabilities in open source,” Oliver Chang from the Google Open Source Security Team and Russ Cox from the Go Team said in a blog post. “We found that there was no existing standard format which enforces version specification that precisely matches naming and versioning schemes used in actual open-source package ecosystems.”

In one example, matching a vulnerability such as a Common Vulnerabilities and Exposures listing to a package name and set of versions in a package manager is said to be difficult to do in an automated way using existing mechanisms.

“With this schema, we hope to define a format that all vulnerability databases can export,” Chang and Cox added. “A unified format means that vulnerability databases, open-source users and security researchers can easily share tooling and consume vulnerabilities across all of open source. ”

The schema comes in the footsteps of Google’s own Open Source Vulnerabilities database launched in February. Google pitched the database at launch as being a “first step toward improving vulnerability triage for developers and consumers of open-source software.”

The OSV database initially launched with a dataset of a few thousand vulnerabilities from the OSS-Fuzz project. Along with announcing the unified schema for describing vulnerabilities, Google also announced that the OSV database has now expanded to several key open-source ecosystems, including Go, Rust, Python and DWF.

Photo: Thomas Hawk/Flickr