Feb 08 2021

Google launches Open Source Vulnerabilities (OSV) database

Category: Security vulnerabilitiesDISC @ 3:57 pm


Google last week announced the OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects.

The database aims at helping both open source maintainers and consumers of open source projects.

The archive could allow users and maintainers of open-source software to find the vulnerabilities that affect them, providing detailed info about versions and commits impacted by the issues. Maintainers of open source software could benefit of OSV’s automation to reduce the burden of triage.

“We are excited to launch OSV (Open Source Vulnerabilities), our first step towards improving vulnerability triage for developers and consumers of open source software.” reads the post published by Google. “The goal of OSV is to provide precise data on where a vulnerability was introduced and where it got fixed, thereby helping consumers of open source software accurately identify if they are impacted and then make security fixes as quickly as possible.”

At the time of the launch, the database only includes vulnerabilities from OSS-Fuzz (mostly C/C++), but Google plans to add more data sources soon (e.g. npm Registry and PyPI).

OSV already includes information on thousands of vulnerabilities from more than 380 critical open source projects integrated with Google’s OSS-Fuzz fuzzing service.

“OSV is a vulnerability database for open source projects. It exposes an API that lets users of these projects query whether or not their versions are impacted.” reads the description of the project.

“For each vulnerability, we perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges.”

The OSV database exposes a simple API to query for vulnerabilities, maintainers and users could provide a git commit hash or a version number to receive the list of vulnerabilities that are present for that version.

Leave a Reply

You must be logged in to post a comment. Login now.