Google has launched a new service called Open Source Vulnerabilities (OSV), which gives users access to a database of information about vulnerabilities in open source software.
The service also exposes an API that automates querying the database for vulnerability data. Vulnerabilities entering the Google database receive their own identifiers, which supplement CVE entries with extended information: for example, an OSV record states whether a fix is available, the range of affected software versions, and more.
The project's goal is to simplify notifying package maintainers about vulnerabilities by identifying more precisely which versions and commits are affected. The data collected in OSV makes it possible to track, at the level of commits and tags, where a vulnerability was introduced and fixed, and to analyze whether derived products are affected. Among other things, users can query the service for vulnerabilities affecting a given commit hash or software version.
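As an added illustration for the two query shapes and the record fields described above (this is not code from Google or the OSV project), the following Python builds the commit-based and version-based request bodies and reads the affected-version range and fix status out of a returned record. The endpoint URL and request layout follow the public OSV v1 API (POST /v1/query); the vulnerability record, its identifier, package name and commit hashes are constructed placeholders, and no network call is made.

```python
"""Build OSV v1 query payloads and read affected-range data from a record.

Added for this article as an illustration; this is not code from Google or
the OSV project. The endpoint URL and request layout follow the public OSV
API (POST /v1/query with a commit, or a package name plus version); the
vulnerability record, package name and identifier below are constructed and
fictitious. Nothing here touches the network.
"""
from typing import Dict, List, Optional, Tuple

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # target of a real POST; unused offline


def query_by_commit(commit: str) -> Dict:
    """Request body asking which vulnerabilities affect a specific git commit."""
    return {"commit": commit}


def query_by_version(name: str, version: str, ecosystem: Optional[str] = None) -> Dict:
    """Request body asking about a released version of a package."""
    package: Dict = {"name": name}
    if ecosystem:
        package["ecosystem"] = ecosystem
    return {"version": version, "package": package}


def parse_version(version: str) -> Tuple[int, ...]:
    """Minimal dotted-numeric version parser (real SEMVER also has prerelease tags)."""
    return tuple(int(part) for part in version.split("."))


def version_affected(version: str, events: List[Dict]) -> bool:
    """Evaluate a SEMVER range's ordered introduced/fixed events for one version.

    OSV ranges are half-open: affected from `introduced` (inclusive) up to
    but not including `fixed`. The sentinel "0" means affected from the start.
    """
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
            if start == "0" or parse_version(start) <= v:
                affected = True
        elif "fixed" in event and parse_version(event["fixed"]) <= v:
            affected = False
    return affected


def fix_status(record: Dict) -> str:
    """'fixed' if any range carries a fixed event, else 'unfixed'."""
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            if any("fixed" in event for event in rng.get("events", [])):
                return "fixed"
    return "unfixed"


def vulns_for_version(response: Dict, name: str, version: str) -> List[str]:
    """Filter a query response to the IDs whose SEMVER ranges cover `version`."""
    hits = []
    for record in response.get("vulns", []):
        for affected in record.get("affected", []):
            if affected.get("package", {}).get("name") != name:
                continue
            semver_ranges = [r for r in affected.get("ranges", []) if r.get("type") == "SEMVER"]
            if any(version_affected(version, r["events"]) for r in semver_ranges):
                hits.append(record["id"])
                break  # one hit per record is enough
    return hits


# Constructed record in the layout of the current OSV schema; the id, package,
# repo URL and commit hashes are placeholders, not real data.
CONSTRUCTED_RECORD = {
    "id": "OSV-EXAMPLE-0001",
    "summary": "Heap-buffer-overflow in examplepkg (constructed example)",
    "affected": [{
        "package": {"name": "examplepkg", "ecosystem": "OSS-Fuzz"},
        "ranges": [
            {"type": "GIT", "repo": "https://example.invalid/examplepkg.git",
             "events": [{"introduced": "0000000000000000000000000000000000000001"},
                        {"fixed": "0000000000000000000000000000000000000002"}]},
            {"type": "SEMVER",
             "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]},
        ],
    }],
}
CONSTRUCTED_RESPONSE = {"vulns": [CONSTRUCTED_RECORD]}

if __name__ == "__main__":
    print(query_by_commit("0000000000000000000000000000000000000001"))
    print(query_by_version("examplepkg", "1.3.0", "OSS-Fuzz"))
    for ver in ("1.1.9", "1.2.0", "1.4.0", "1.4.1"):
        print(ver, vulns_for_version(CONSTRUCTED_RESPONSE, "examplepkg", ver),
              fix_status(CONSTRUCTED_RECORD))
```

The GIT range in the record is deliberately left unevaluated here: deciding whether a commit lies between the introducing and fixing commits requires the repository history, which is exactly the work the server does for a commit query, so a client asks by commit hash rather than reimplementing that locally.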
At present the OSV database holds about 25 thousand vulnerabilities identified through automated testing with the OSS-Fuzz system, which covers more than 380 open source projects written in C and C++. The developers intend to expand the database by integrating additional sources of vulnerability information; work is already underway to add data on vulnerabilities in Go projects.