Google announced last week the launch of OSV (Open Source Vulnerabilities), presented as both a vulnerability database and a triage infrastructure for open source projects. According to Google's statement, OSV should make it easier for open source users to find out which vulnerabilities affect them. It can also help maintainers identify all versions and commits affected by a bug.
Google says that general users can easily query OSV, and that it can complement queries to other vulnerability databases. “OSV automates the triage workflow for users of open source packages; it has an API for querying vulnerabilities,” says the post in which the Google security team announced this.
Maintainers, in turn, can obtain information about the impact of a vulnerability simply by providing the commit that introduced the bug and the commit that fixes it.
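As an added illustration (not code from the article or from OSV itself), the Python sketch below shows the request body the OSV query API expects for a package lookup and how the introduced/fixed pairs that maintainers supply are encoded as range events and evaluated against a version. The endpoint URL and field names follow the public OSV schema; the package name, vulnerability id and response record are constructed placeholders.

```python
# Added example (not from the article or from OSV): an OSV API query body and how
# OSV "introduced"/"fixed" range events are evaluated. Sample record is constructed.
import json
from typing import Any

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real public endpoint; not contacted here

def build_osv_query(name: str, ecosystem: str, version: str) -> dict[str, Any]:
    """JSON body for a package/version lookup against OSV_QUERY_URL."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}

def _vkey(v: str) -> tuple[int, ...]:
    # Simplification: dotted numeric versions only; use a semver library in practice.
    return tuple(int(p) for p in v.split("."))

def version_in_range(version: str, events: list[dict[str, str]]) -> bool:
    """Events are ordered; each 'introduced' opens a half-open interval
    [introduced, fixed). '0' means the first version; a trailing 'introduced'
    with no 'fixed' means the bug is still unpatched."""
    v, lower = _vkey(version), None
    for ev in events:
        if "introduced" in ev:
            lower = ev["introduced"]
        elif "fixed" in ev and lower is not None:
            if (lower == "0" or v >= _vkey(lower)) and v < _vkey(ev["fixed"]):
                return True
            lower = None
    return lower is not None and (lower == "0" or v >= _vkey(lower))

def vuln_affects(vuln: dict[str, Any], version: str) -> bool:
    """Explicit version list or a SEMVER/ECOSYSTEM range covering the version.
    GIT ranges need the commit graph, so OSV resolves those server-side."""
    for aff in vuln.get("affected", []):
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") in ("SEMVER", "ECOSYSTEM") and version_in_range(version, rng["events"]):
                return True
    return False

def affected_ids(response: dict[str, Any], version: str) -> list[str]:
    return [v["id"] for v in response.get("vulns", []) if vuln_affects(v, version)]

# Constructed OSV-style response: affected from the first release up to 1.2.0,
# reintroduced in 1.3.0 and fixed again in 1.3.5 (placeholder id and package).
SAMPLE_RESPONSE = json.loads("""{"vulns": [{"id": "OSV-EXAMPLE-0001", "affected": [
  {"package": {"name": "examplelib", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM",
  "events": [{"introduced": "0"}, {"fixed": "1.2.0"}, {"introduced": "1.3.0"}, {"fixed": "1.3.5"}]}]}]}]}""")

print(build_osv_query("examplelib", "PyPI", "1.3.2"), affected_ids(SAMPLE_RESPONSE, "1.3.2"))
```

A real client would POST `build_osv_query(...)` to `OSV_QUERY_URL` and receive a response in the same shape as `SAMPLE_RESPONSE`, already filtered to the supplied version.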
“Unfortunately, many open source projects, including those that are essential to modern infrastructure, are under-resourced and overloaded. Maintainers do not always have the bandwidth to create and publish complete and accurate information about their vulnerabilities, even if they want to,” said Google security experts.
OSV already stores information about thousands of vulnerabilities in more than 380 projects and is integrated with Google’s OSS-Fuzz fuzzing service. The company also intends to connect it to data from repositories such as the npm Registry and PyPI. OSV will also make it easier for developers to submit vulnerability information.
“Our goal with OSV is to rethink and promote better and scalable vulnerability tracking for open source. In an ideal world, vulnerability management should be done closer to the actual open source development process, aided by automated infrastructure. Projects that rely on open source must be notified immediately and fixed quickly when a vulnerability is reported,” said Google.
With international agencies
See the original post at: https://www.cisoadvisor.com.br/google-lanca-banco-de-dados-para-vulnerabilidades-de-codigo-aberto/?rand=59039