By Oliver Chang, Google Open Source Security Team and Kate Catlin, GitHub Advisory Database Team
Keeping the open source software that underpins modern technology safe depends on communicating information about open source vulnerabilities efficiently and accurately. Unfortunately, many existing vulnerability standards were designed for a broader set of software, and when they are applied to open source they are clunky and cannot keep up with the speed at which many communities work. Imagine a widely adopted project at critical risk: at that moment, can we afford inefficiency or lossy information models?
The OSV Schema, created through collaboration between OpenSSF members and housed within the Vulnerability Disclosures Working Group, solves this problem. It provides a minimal, easy-to-use, first-class JSON format for describing vulnerabilities in open source software. Each OSV advisory describes what is vulnerable in terms of git commit hashes or package manager versions, concepts that are familiar to open source users and that pinpoint exactly which code or releases are affected. The goal is to make both the production and consumption of open source advisories simple and precise.
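To make the "git commit hashes or package manager versions" point concrete, here is an added example, not code from this post, the OSV schema repository, or osv.dev: a constructed advisory in the OSV JSON shape and a small matcher that applies the schema's event semantics (`introduced`, `fixed`, `last_affected`, `limit`) to decide whether a given package version is affected. The advisory ID, package name, repository URL, commit placeholders and versions are hypothetical, and version comparison is simplified to dotted integers.

```python
"""Constructed OSV advisory plus a matcher for its version-based ranges.

Added example; not code from the OpenSSF post or the osv.dev project. The
advisory ID, package, repo URL, commit placeholders and versions are hypothetical.
"""
import json
from typing import Dict, List, Tuple

# Hypothetical advisory constructed to show the OSV shape; not a real record.
ADVISORY = {
    "schema_version": "1.6.0",
    "id": "EXAMPLE-2024-0001",            # hypothetical identifier
    "modified": "2024-01-02T00:00:00Z",
    "published": "2024-01-01T00:00:00Z",
    "summary": "Hypothetical path traversal in example-lib",
    "details": "Constructed for illustration; no such package or bug is known.",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "example-lib"},
            "ranges": [
                {
                    # Package-manager versions. introduced "0" means "from the first release";
                    # each fixed event closes the window opened by the preceding introduced.
                    "type": "ECOSYSTEM",
                    "events": [
                        {"introduced": "0"},
                        {"fixed": "1.2.0"},
                        {"introduced": "2.0.0"},
                        {"fixed": "2.0.5"},
                    ],
                },
                {
                    # The same bug located in git history; placeholders, not real hashes.
                    "type": "GIT",
                    "repo": "https://github.com/example/example-lib",
                    "events": [
                        {"introduced": "<sha-of-commit-that-introduced-the-bug>"},
                        {"fixed": "<sha-of-fixing-commit>"},
                    ],
                },
            ],
        }
    ],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
}

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Dotted-integer versions only (an assumption for this example); "0" sorts first.
    Real tooling must use the ecosystem's own ordering (PEP 440 for PyPI, semver for Go/npm)."""
    if v == "0":
        return ()
    return tuple(int(part) for part in v.split("."))


def version_in_range(rng: Dict, version: str) -> bool:
    """OSV event semantics: walk events in version order; the last event at or below
    `version` decides. introduced => affected; fixed/limit => not affected;
    last_affected => affected up to and including that version."""
    v = parse_version(version)
    affected = False
    events = sorted(rng["events"], key=lambda e: parse_version(next(iter(e.values()))))
    for event in events:
        (kind, raw), = event.items()
        ev = parse_version(raw)
        if kind == "introduced" and v >= ev:
            affected = True
        elif kind in ("fixed", "limit") and v >= ev:
            affected = False
        elif kind == "last_affected" and v > ev:
            affected = False
    return affected


def is_affected(advisory: Dict, ecosystem: str, name: str, version: str) -> bool:
    """True if `version` of `name` in `ecosystem` falls in any version-based range.
    GIT ranges are skipped here: resolving them needs the repository's commit graph."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):  # explicitly enumerated versions, if any
            return True
        for rng in entry.get("ranges", []):
            if rng["type"] in ("ECOSYSTEM", "SEMVER") and version_in_range(rng, version):
                return True
    return False


def range_types(advisory: Dict) -> List[str]:
    """Range types present across all affected entries, in order of appearance."""
    return [r["type"] for a in advisory["affected"] for r in a["ranges"]]


if __name__ == "__main__":
    print(json.dumps(ADVISORY, indent=2))
    for ver in ["0.9", "1.1.9", "1.2.0", "1.9.3", "2.0.0", "2.0.4", "2.0.5"]:
        state = "affected" if is_affected(ADVISORY, "PyPI", "example-lib", ver) else "not affected"
        print(f"example-lib {ver}: {state}")
```

Two things worth noting from the matcher. First, an `introduced` of `"0"` is how an advisory says "every release up to the first fix", which is why the `ECOSYSTEM` range above marks `0.9` affected without listing it. Second, the GIT range carries the same event shape but with commit hashes, so a consumer with the repository can answer "is this commit affected?" by ancestry rather than by version ordering; that is the precision git-based ranges buy over a bare version string.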
OSV started as a way to communicate about vulnerabilities found through fuzzing open source projects with the OSS-Fuzz service. After extensive collaboration and feedback from open source communities, the OSV Schema was announced in 2021 and shortly afterwards became an OpenSSF project. Since then it has seen significant adoption, including services such as GitHub Security Advisories, several language ecosystems (Rust, Go, Python), and Linux distributions (Rocky Linux). In total, 18 ecosystems have adopted OSV, and 44,000 advisories are written in the format. It has also been adopted by client tooling such as Renovate, OWASP Dependency-Track, and govulncheck, and OSV's schema for describing affected version ranges has directly informed the upcoming CVE 5.0 standard.
OSV's industry-wide collaboration enables an open, distributed model for managing vulnerabilities in open source, much like how open source software itself is developed! To read more about how OSV works with other vulnerability identifier standards, read this blog.
The GitHub Security Advisory Database is one example of this collaborative effort. In 2022, GitHub opened an open source repository of its advisories, each formatted with the OSV schema, and welcomed the community to contribute via pull requests. It has since received over 1,800 proposed edits, each one making the information more complete and the community safer. The GitHub Security Advisory Database powers Dependabot, but by republishing the data in the OSV format the information becomes available beyond Dependabot users. GitHub uses OSV because open, machine-readable vulnerability data is critical to the security (and therefore the success) of open source communities.
We look forward to further community adoption, whether through tools built on top of OSV, contributions of vulnerability information, or new vulnerability databases leveraging the OSV schema. Check out OSV.dev for an aggregated list of all advisories from OSV sources, and the list of tools and databases using OSV at https://github.com/ossf/osv-schema! If you maintain a vulnerability database, would like to add OSV support, and have questions, please file an issue in our repo!