Google rolls out a unified security vulnerability schema for open-source software
1 min read
Jun 25, 2021
Google recognizes that before you can understand something, you need to measure it, and is bringing a way to measure security errors across open-source software programs.
Business author and expert, H. James Harrington, once said, "If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it." He was right. And Google is following this advice by introducing a new way to strengthen open-source security by introducing a vulnerability interchange schema for describing vulnerabilities across open-source ecosystems.
That's very important. One low-level problem is that there are many security vulnerability databases, there's no standard interchange format. If you want to aggregate information from multiple databases you must handle each one completely separately. That's a real waste of time and energy. At the very least you must create parsers for each database format to merge their data. All this makes systematic tracking of dependencies and collaboration between vulnerability databases much harder than it should be.
