Security News > 2021 > February > Open Source Vulnerabilities database: Nice idea but too many Google-shaped hoops to jump through at present

Hands On. Google has big ambitions for its new Open Source Vulnerabilities database, but getting started requires a Google Cloud Platform account and there are other obstacles that may add friction to adoption.

The company wants to see more discipline and checks in critical open-source software, and revealed that it maintains its own private repositories for many projects to guard against compromised code or newly committed vulnerabilities.

The company has now answered the need, or so it hopes, by creating the Open Source Vulnerabilities database and API, which lets developers or users of open-source projects query for flaws in the particular version they are using.

Google said that open-source project maintainers "Don't always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to." The idea is that simply providing a test case to OSV that reproduces the bug will be enough to narrow down the precise version of the code that is affected.

Why bother with OSV when we have CVE, which has 148,882 records, many more than OSV, and is already embedded in the community? "We plan to aggregate existing vulnerabilities feeds. OSV complements CVEs by extending them with precise vulnerability metadata and making it easier to query for them," state the docs.

Developer tools could use it to answer the specific question: what are the vulnerabilities in the exact versions of the open-source libraries in use by this application? Its usefulness though will depend on attracting broad support, so these early obstacles are unfortunate.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/11/google_osv_database/