
Query Regarding : OSV Database


Arup Majumder

Aug 29, 2024, 9:21:32 AM
to osv-d...@googlegroups.com
Hi,

I'm working on a vulnerability management solution for my organization and plan to integrate it with the OSV database. I have a few questions and would appreciate your insights. 

Queries : 

1. Who owns the OSV database?
2. Where is the physical data stored?
3. Is there any partnership with the Indian government or any related agency?
4. Does your system maintain a record of API calls, including details on who is querying based on CVE?
5. Is your API secured? I noticed that no registration, token, or certificate is required.
6. Do you also collect and provide vendor solutions/recommendations for specific CVEs?
7. Are you offering or generating solution recommendations for CVEs where none are currently available?

Thank you,
Arup

Andrew Pollock

Aug 30, 2024, 12:29:11 AM
to Arup Majumder, osv-d...@googlegroups.com, Charl de Nysschen, Oliver Chang
On Thu, 29 Aug 2024 at 23:21, Arup Majumder <arup...@googlemail.com> wrote:
Hi,


Hi, thanks for your interest and consideration. Responses in line, below. Some of these could make good additional FAQ items.
I'm working on a vulnerability management solution for my organization and plan to integrate it with the OSV database. I have a few questions and would appreciate your insights. 

Queries : 

1. Who owns the OSV database?

I'll answer this in detail, because there's some nuance in both the question and the answer, due to one's meaning of "ownership".

OSV.dev aggregates data from a growing number of "home databases". These home databases are licensed under a variety of different open source or public domain licences. The enriched records are redistributed under the same terms they are ingested. The configuration for these is viewable at https://github.com/google/osv.dev/blob/master/source.yaml

The OSV.dev Google Cloud Platform project and all of the data stored within it is owned and funded by Google.

Further infrastructure detail is documented at https://google.github.io/osv.dev/architecture/

2. Where is the physical data stored?

The Cloud Datastore is in the GCP us-west2 location.

3. Is there any partnership with the Indian government or any related agency?
There is no partnership between Google's Open Source Security Team regarding OSV.dev and any Indian government or related agency. I'm not in a position to know about or speak to any broader GCP-related partnerships.

4. Does your system maintain a record of API calls, including details on who is querying based on CVE?
There is limited logging of the API usage by the GCP infrastructure that serves it, notably the requesting IP address and user-agent. You may have noted from the API documentation that, with the exception of retrieving individual vulnerabilities by their ID, all of the queries are by the HTTP POST method, and the contents of those queries are not logged.

As you note in question 5, all usage is unauthenticated HTTPS.

5. Is your API secured? I noticed that no registration, token, or certificate is required.

I am unsure what you mean by "secured". It is "secure" from a confidentiality and integrity standpoint in that all API usage is via HTTPS. Usage is unauthenticated.
6. Do you also collect and provide vendor solutions/recommendations for specific CVEs?

I am going to interpret this very literally as asking about CVE- prefixed records in OSV.dev. 

Such records present in OSV.dev are programmatically converted from the National Vulnerability Database (NVD) with limited additional metadata added. There is no human or programmatic curation of solutions and recommendations for remediation of specific CVEs beyond the identification of relevant Git commit ranges where possible, as described in this blog post. All of the relevant source code for this is available in our GitHub repo. The specific pieces to inspect are nvd-cve-osv and combine-to-osv.
7. Are you offering or generating solution recommendations for CVEs where none are currently available?


I'm not entirely sure how to interpret this question. I think it falls into the same category as the previous one, and so my response there is applicable.

regards

Andrew

--


Andrew Pollock

Software Engineer, Google Open Source Security Team | apol...@google.com

Google LLC
