Google launches Open Source Vulnerabilities project

Previously, Google proposed a framework for responding to vulnerabilities in open source software. Following that, it has launched the Open Source Vulnerabilities (OSV) project.

OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

For open source maintainers, OSV’s automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges.

For open source consumers, OSV provides an API that lets users of these projects query whether or not their versions are impacted.

For users, OSV provides an API through which a given commit or version of a project can be queried for known vulnerabilities. For example, the following commands return vulnerability information in JSON format.

```shell
curl -X POST -d \
    '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
    "https://api.osv.dev/v1/query?key=$API_KEY"

curl -X POST -d \
    '{"version": "1.0.0", "package": {"name": "foo", "ecosystem": "bar"}}' \
    "https://api.osv.dev/v1/query?key=$API_KEY"
```
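A small Python client for the two query forms shown above, added here as an illustration and not part of the OSV project's own tooling. The endpoint and request bodies are taken from the curl commands; the response field names `vulns`, `id` and `summary`, and the sample response used to exercise the parser, are assumptions constructed for this example.

```python
import json
import re
import urllib.request
from typing import Dict, List, Optional

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")  # full hex SHA-1, as in the commit query above


def build_commit_query(commit: str) -> Dict:
    """Body for 'which known vulnerabilities affect this exact commit?'."""
    commit = commit.strip().lower()
    if not _COMMIT_RE.fullmatch(commit):
        raise ValueError("commit must be a full 40-character hex SHA-1")
    return {"commit": commit}


def build_version_query(name: str, ecosystem: str, version: str) -> Dict:
    """Body for 'does package@version in this ecosystem have known vulnerabilities?'."""
    if not (name and ecosystem and version):
        raise ValueError("name, ecosystem and version are all required")
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def query_osv(payload: Dict, api_key: Optional[str] = None, timeout: float = 10.0) -> Dict:
    """POST the body to the OSV API and return the decoded JSON (this one needs network)."""
    url = OSV_QUERY_URL + (f"?key={api_key}" if api_key else "")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(response: Dict) -> List[Dict]:
    """Reduce a response to id/summary pairs; a missing or empty 'vulns' means nothing known."""
    return [
        {"id": v.get("id", "?"), "summary": v.get("summary") or v.get("details", "")[:80]}
        for v in response.get("vulns", [])
    ]


# Constructed sample response (assumed shape, not a real OSV record) for offline testing.
SAMPLE_RESPONSE = {
    "vulns": [{"id": "OSV-EXAMPLE-0001", "summary": "Heap-buffer-overflow in parse_header"}]
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSE))  # replace with summarize(query_osv(build_commit_query(...)))
```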

Currently, OSV provides vulnerability data for more than 380 critical OSS projects integrated with OSS-Fuzz, and plans to work with the open source community to extend it with data from various language ecosystems (such as NPM, PyPI and Go) and to establish a workflow for project maintainers. Ideally, vulnerability management will then sit closer to the actual open source development process and be carried out with the help of automated infrastructure. For more information about the project, see its official blog.