How Do You Spell Control? Maybe Google?
July 8, 2021
The lack of a standardized format has made it difficult to manage vulnerabilities in open source software. Now, SiliconAngle reports, “Google Announces Unified Schema to Make Sharing Vulnerabilities Easier.” Writer Duncan Riley explains:
“Google LLC today announced a unified schema for describing vulnerabilities precisely to make it easier to share vulnerabilities between databases. The idea behind the unified schema is to address an issue with existing vulnerability databases where various ecosystems and organizations create their own data. As each uses its own format to describe vulnerabilities, a client tracking vulnerabilities across multiple databases must handle each separately. Because of the lack of a common standard, sharing vulnerabilities among databases is challenging. The new unified schema for describing vulnerabilities has been designed by the Google Open Source Security Team, Go Team and the broader open-source community and has been designed from the beginning for open-source ecosystems. The unified format will allow vulnerability databases, open-source users and security researchers to share tooling and consume vulnerabilities more easily across open source, providing a complete view of vulnerabilities in open source.”
Google also launched its Open Source Vulnerabilities database in February, describing it as the “first step toward improving vulnerability triage for developers and consumers of open-source software.” Originally populated with a few thousand vulnerabilities from the OSS-Fuzz project, the database is being expanded to the open-source ecosystems Go, Rust, Python and DWF. These seem like moves in the right direction, but can we trust Google to deliver objective, unfiltered reports? Or will it operate as it has with YouTube filtering and AI ethics staff management?
Cynthia Murrell, July 8, 2021