Recent vulnerabilities such as the one in the Log4j2 logging library have called attention to the challenges of securing open source software, which is used widely by tech companies and other industry enterprises. Google will release security-vetted versions of the open source packages that it runs itself, for use by industry and government.
The OSV schema aims to precisely describe vulnerabilities in a way tailored to the open source use case, with the goal of automating and improving vulnerability triage for developers and users of open source software, Google stated in a blog post published on June 24. The project could allow various developer tools to natively handle vulnerability information and make it easier for users of open source components to know whether particular vulnerabilities affect their applications.
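As an added illustration of what it means for a tool to handle vulnerability information natively, the Python script below (written for this page; it is not code from Google or the OSV project) parses a constructed OSV-format feed and reports which dependency versions each entry covers. The advisory IDs EXAMPLE-2021-0001 and EXAMPLE-2021-0002, the package names and the version ranges are made up for illustration; the field names (`affected`, `package`, `ranges`, `events`, `versions`) are those of the current OSV schema v1, and the SemVer comparison is simplified as the comments note.

```python
"""Match dependency versions against advisories in the OSV JSON format.

Added example, not code from Google or the OSV project. The feed below is
constructed for illustration: EXAMPLE-2021-0001/0002 and the package names
are not real identifiers. Field names follow OSV schema v1 ('affected' ->
'package', 'ranges', 'events', 'versions').
"""
import json

# Constructed feed: a JSON list of OSV entries, as a tool might fetch them.
CONSTRUCTED_FEED = json.dumps([
    {
        "schema_version": "1.4.0",
        "id": "EXAMPLE-2021-0001",
        "summary": "Constructed: unsafe deserialization in example-lib",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-lib"},
            "ranges": [{
                "type": "SEMVER",
                # Two affected intervals: [1.2.0, 1.4.3) and [2.0.0, 2.0.2).
                "events": [
                    {"introduced": "1.2.0"}, {"fixed": "1.4.3"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.2"},
                ],
            }],
        }],
    },
    {
        "schema_version": "1.4.0",
        "id": "EXAMPLE-2021-0002",
        "summary": "Constructed: path traversal in example-archiver",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-archiver"},
            # "0" = affected since the first release; with no 'fixed' event
            # every version is affected until the entry is updated.
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        }],
    },
])


def parse_semver(version):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Simplified: pre-release and build metadata are dropped, so '1.4.3-rc1'
    compares equal to '1.4.3' here although SemVer orders it earlier.
    ECOSYSTEM ranges (Debian, PyPI epochs, ...) need their own comparator.
    """
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(p) for p in parts)


def version_in_semver_range(version, events):
    """Return True if `version` lies in an OSV SEMVER range.

    OSV events are sorted; each 'introduced' opens an affected interval and
    the next 'fixed' (exclusive) or 'last_affected' (inclusive) closes it.
    An 'introduced' with no closing event is open-ended.
    """
    v = parse_semver(version)
    affected = False
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
            if start == "0" or v >= parse_semver(start):
                affected = True
        elif "fixed" in event and v >= parse_semver(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > parse_semver(event["last_affected"]):
            affected = False
    return affected


def is_affected(advisory, ecosystem, name, version):
    """Return True if the OSV entry lists (ecosystem, name, version) as affected."""
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        # An enumerated 'versions' list, when present, is checked first.
        if version in affected.get("versions", []):
            return True
        for rng in affected.get("ranges", []):
            # Only SEMVER ranges are evaluated here; skipping ECOSYSTEM and GIT
            # ranges is a false-negative risk a real scanner must not accept.
            if rng.get("type") == "SEMVER" and version_in_semver_range(version, rng["events"]):
                return True
    return False


def matching_advisory_ids(feed_json, dependencies):
    """Map each 'ecosystem:name@version' dependency to the IDs affecting it."""
    advisories = json.loads(feed_json)
    result = {}
    for ecosystem, name, version in dependencies:
        key = f"{ecosystem}:{name}@{version}"
        result[key] = sorted(a["id"] for a in advisories
                             if is_affected(a, ecosystem, name, version))
    return result


if __name__ == "__main__":
    # Constructed dependency list, as a lockfile scanner would produce it.
    deps = [("PyPI", "example-lib", "1.3.0"), ("PyPI", "example-lib", "1.4.3"),
            ("PyPI", "example-lib", "2.0.1"), ("PyPI", "example-archiver", "0.5.0"),
            ("npm", "example-lib", "1.3.0")]
    for dep, ids in matching_advisory_ids(CONSTRUCTED_FEED, deps).items():
        print(f"{dep}: {', '.join(ids) or 'no known advisories'}")
```

The ecosystem check matters: the same package name in npm and PyPI is two different packages, and an entry for one says nothing about the other. The exclusive `fixed` and inclusive `last_affected` events are the two ways the schema closes a range, and getting the boundary off by one is the classic way a scanner either misses the vulnerable last release or flags the patched one.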
The aim is to reduce the effort required to document vulnerabilities in open source projects and to make the issues easier to track, says Abhishek Arya, principal engineer in the Open Source Security group at Google.