Making Sense of Open-Source Vulnerability Databases: NVD, OSV, and More

Open-source vulnerabilities are a critical aspect of application security. Software developers constantly grapple with vulnerabilities in the packages their applications rely on, and keeping track of every issue manually is impossible. This is where vulnerability databases come into play. Over time, multiple databases have emerged, each with its own acronym (CVE, NVD, OSS Index, OSV, and more). While they collectively provide a wealth of information, the growing ecosystem has made it challenging to navigate.

In this blog, we’ll explore the most relevant vulnerability databases for open-source software, compare their strengths and weaknesses, and provide recommendations for improving vulnerability tracking. By the end, you’ll have a clear understanding of how these databases work and how they can benefit your security practices.


Foundations of Vulnerability Management

Before diving into the databases, it’s essential to understand the history of vulnerability tracking. MITRE and NIST were pioneers in establishing standards for vulnerability enumeration and tracking.

CVE: A Vulnerability Identification Standard

In 1999, MITRE introduced the Common Vulnerabilities and Exposures (CVE) standard, which became the Rosetta Stone for identifying security issues in software. It allows software vendors and consumers to reference specific vulnerabilities and their patches. However, CVE is solely an identification system—it doesn’t provide detailed context about vulnerabilities.

NVD: A Comprehensive Vulnerability Database

The National Vulnerability Database (NVD), maintained by NIST, builds on the CVE list by adding context such as vulnerability categories (CWE IDs), CVSS severity scores, and details about fixes. While NVD is a long-established database, it has limitations, especially for open-source vulnerability tracking.

For instance, NVD has recently faced issues with missing or incomplete data, likely due to its reliance on human analysis. Additionally, it doesn’t track malicious packages: packages that are intentionally backdoored are not vulnerabilities in the CVE sense and don’t receive CVEs.


Open-Source Vulnerability Databases

To address the gaps in NVD, open-source vulnerability databases have emerged. These databases aggregate information from multiple sources, including NVD, to provide more comprehensive and timely data.

OSV: An Open Schema and Vulnerability Database

Launched in 2021, the Open Source Vulnerability (OSV) project introduced the OSV data format, a machine-readable schema designed to carry actionable vulnerability information such as the affected package, ecosystem, and version ranges. The OSV database, OSV.dev, aggregates data from 24 sources, including the GitHub Advisory Database, and automatically enriches vulnerabilities with details like affected version ranges.

Sponsored by Google, OSV.dev is free and open-sourced under the Apache 2.0 license. Its automated approach reduces the manual effort required for vulnerability triage, making it a valuable resource for developers.
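To make "machine-readable and actionable" concrete, here is an added example (not code from the OSV project, OSV.dev, or this post) that reads a record in the OSV format and decides whether an installed package version falls inside its affected ranges. The record, the package name "example-archiver", and the advisory ID "OSV-EXAMPLE-0001" are constructed placeholders; the version ordering is a simplified semantic-version comparison written for this example, not the osv.dev implementation, and it only evaluates SEMVER-typed ranges plus explicit "versions" lists.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed OSV-format record for illustration only (placeholder ID and package).
SAMPLE_OSV_RECORD = json.loads("""
{
  "id": "OSV-EXAMPLE-0001",
  "summary": "Constructed example advisory for a placeholder npm package",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "example-archiver"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]},
        {"type": "SEMVER",
         "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.4"}]}
      ],
      "versions": ["3.0.0-rc.1"]
    }
  ]
}
""")

_SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")

Version = Tuple[int, int, int, tuple]


def parse_semver(text: str) -> Version:
    """Parse MAJOR.MINOR.PATCH[-prerelease] into a tuple that sorts like semver.
    The last element is (1,) for a release and (0, identifiers) for a pre-release,
    so 1.4.2-beta.1 < 1.4.2. Identifiers are tagged (0, int) or (1, str) so that
    numeric ones sort before alphanumeric ones without mixed-type comparisons."""
    if text == "0":  # OSV's marker for "affected since the first version ever"
        return (0, 0, 0, (0, ()))
    m = _SEMVER_RE.match(text)
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return core + ((1,),)
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + ((0, ids),)


def _intervals(events: List[Dict[str, str]]) -> List[Tuple[Version, Optional[Version], bool]]:
    """Turn an OSV event list into (lower, upper, upper_inclusive) intervals.
    'fixed' closes an interval exclusively, 'last_affected' inclusively, and an
    'introduced' with no closing event means every later version is affected."""
    out = []
    introduced: Optional[Version] = None
    for ev in events:
        if "introduced" in ev:
            if introduced is not None:
                out.append((introduced, None, False))
            introduced = parse_semver(ev["introduced"])
        elif "fixed" in ev or "last_affected" in ev:
            lower = introduced if introduced is not None else parse_semver("0")
            if "fixed" in ev:
                out.append((lower, parse_semver(ev["fixed"]), False))
            else:
                out.append((lower, parse_semver(ev["last_affected"]), True))
            introduced = None
    if introduced is not None:
        out.append((introduced, None, False))
    return out


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if (ecosystem, name, version) is covered by the record's affected entries."""
    v = parse_semver(version)
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):  # explicit enumeration of versions
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue  # ECOSYSTEM and GIT ranges need ecosystem- or repo-specific ordering
            for lower, upper, inclusive in _intervals(rng.get("events", [])):
                if v < lower:
                    continue
                if upper is None or v < upper or (inclusive and v == upper):
                    return True
    return False


def find_affected(records: List[dict], installed: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Match an installed-package inventory against records; returns (package, advisory id) pairs."""
    hits = []
    for ecosystem, name, version in installed:
        for rec in records:
            if is_affected(rec, ecosystem, name, version):
                hits.append((f"{ecosystem}/{name}@{version}", rec["id"]))
    return hits


if __name__ == "__main__":
    # Constructed inventory standing in for a parsed lockfile.
    inventory = [("npm", "example-archiver", "1.4.1"), ("npm", "example-archiver", "1.4.2"),
                 ("npm", "example-archiver", "2.0.4"), ("npm", "example-archiver", "3.0.0-rc.1")]
    for hit in find_affected([SAMPLE_OSV_RECORD], inventory):
        print(hit)
```

The interesting cases are the edges: a pre-release such as 1.4.2-beta.1 is still below the 1.4.2 fix and therefore affected, 2.0.4 is affected because "last_affected" is inclusive whereas 2.0.5 is not, and 3.0.0-rc.1 is caught only by the explicit "versions" list. Real ECOSYSTEM ranges (PyPI, Maven, and so on) follow each ecosystem's own version ordering, which is why this example deliberately skips them rather than compare them as semver.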


Commercially Backed Vulnerability Databases

Several commercial databases focus on open-source packages, offering varying levels of openness and additional features.

Sonatype OSS Index

The OSS Index is a free, open-source vulnerability database that aggregates data from public sources. While it doesn’t perform additional human analysis, it provides similar coverage to OSV.dev and is a great alternative for developers.

Snyk

Snyk is a commercial application security company that maintains its own vulnerability database. It includes unique features like unpublished vulnerability tracking, container image analysis, and cloud misconfiguration information. However, access to its database is limited to Snyk’s tools or Enterprise API.

Vulncheck

Vulncheck is another commercial database backed by human analysts. It focuses on both open-source and commercial software and offers unique free resources like the Known Exploited Vulnerabilities catalog and NVD++, an enhanced mirror of the NVD.


Other Notable Databases

While this blog focuses on open-source vulnerability databases, two additional databases are worth mentioning:

  • Cloud Vulnerability Database: Maintained by Wiz, it tracks vulnerabilities in cloud hosting providers.

  • NotCVE Project: A database of security issues denied or unacknowledged by vendors.


Future Improvements

During the research for this blog, I spoke with Andrew Pollock, a software engineer at Google working on the OSV project. He highlighted three areas for future improvement:

  1. Vulnerable Symbol Disclosure: Identifying which functions or symbols are related to a vulnerability can reduce false positives.

  2. Standardized Release Practices: Tagging security fixes in releases or commits can enhance the speed and quality of vulnerability tracking.

  3. Detailed Vulnerability Disclosures: Providing structured, actionable disclosures can significantly improve vulnerability management.


Conclusion

Vulnerability databases are indispensable for managing security issues in open-source software. While paid databases like Snyk and Vulncheck offer additional features, free projects like OSV and OSS Index provide comprehensive, up-to-date information.

Adopting open standards like the OSV format will strengthen vulnerability databases, benefiting developers and security professionals alike. If you’re an open-source maintainer, consider updating your release and disclosure processes to help downstream consumers manage vulnerabilities effectively.


How ZippyOPS Can Help

At ZippyOPS, we provide consulting, implementation, and management services for DevOps, DevSecOps, DataOps, Cloud, Automated Ops, AI Ops, ML Ops, Microservices, Infrastructure, and Security. Our expertise ensures your systems are secure, efficient, and scalable.

If this sounds interesting, email us at [email protected] for a consultation.


By leveraging the right vulnerability databases and partnering with experts like ZippyOPS, you can stay ahead of security challenges and ensure your applications are robust and secure.
