-
Notifications
You must be signed in to change notification settings - Fork 193
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs(blog): 2024 Year in Review blog post (#2932)
This is the preliminary draft of the 2024 Year in Review blog post I ran out of steam towards the end, please suggest edits as you see fit. --------- Co-authored-by: Oliver Chang <[email protected]>
- Loading branch information
1 parent
b55f83f
commit 36b43d8
Showing
2 changed files
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| --- | ||
| title: "The Year in Review" | ||
| date: 2025-01-13T04:00:00Z | ||
| draft: false | ||
| author: The OSV Team | ||
| --- | ||
| 2024 has been an *even more* eventful year for OSV. | ||
|
|
||
| <!--more--> | ||
|
|
||
| ## New ecosystems support | ||
|
|
||
| [OSV Schema](https://github.com/ossf/osv-schema) adoption momentum continued, with 2024 being the year of the Linux distributions with four adopting the schema, and now included in our [OSV.dev](https://osv.dev/list) database: | ||
|
|
||
| * [Ubuntu](https://openssf.org/blog/2024/06/11/ubuntu-security-notices-now-available-in-osv/) | ||
| * [Chainguard](https://openssf.org/blog/2024/07/03/chainguard-enhances-security-with-osv-advisory-feed/) | ||
| * [Red Hat](https://openssf.org/blog/2024/11/01/red-hats-collaboration-with-the-openssf-and-osv-dev-yields-results-red-hat-security-data-now-available-in-the-osv-format/) | ||
| * [SUSE/openSUSE](https://github.com/ossf/osv-schema/pull/260) | ||
|
|
||
| We also expanded our existing coverage of Debian GNU/Linux, by [including CVE data from their Security Tracker](https://osv.dev/blog/posts/supporting-debian-security-tracker-data/) in our existing CVE record conversion. | ||
|
|
||
| Additionally, the [curl project](https://curl.se/) [started contributing vulnerability records](https://osv.dev/blog/posts/announcing-curl-via-rest/). | ||
|
|
||
| This has brought the total number of supported ecosystems to 30. The significantly increased coverage of Linux distributions has been very encouraging, and will enable a comprehensive container image scanning story in 2025. | ||
|
|
||
| ### Impact of the NVD's analysis challenges on Git commit range coverage | ||
|
|
||
| Last year, we [announced](https://osv.dev/blog/posts/introducing-broad-c-c++-support/) the expansion of coverage of C/C++ software with Git range coverage of CVEs | ||
| programmatically converted from the NVD. The [reduction of the NVD's analysis capabilities](https://www.scworld.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers) has had a broad impact on vulnerability management, and it has also impacted the effectiveness and comprehensiveness of this CVE conversion. Even with this unexpected challenge, slightly over 50% of in-scope CVEs have been able to be converted to OSV records with the [current implementation](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/nvd-cve-osv). | ||
|
|
||
| On the expectation that this may persist into 2025, and in light of [related](https://github.com/cisagov/vulnrichment) [developments](https://www.cisa.gov/securebydesign/pledge) this year, we will be exploring additionally converting CVEs directly from the [CVE List](https://github.com/CVEProject/cvelist). | ||
|
|
||
| ## Data Quality | ||
|
|
||
| We announced our [approach to data quality](https://osv.dev/blog/posts/announcing-data-quality-initiatives/), publishing a definition of the [Properties of a High Quality OSV Record](https://google.github.io/osv.dev/data_quality.html), and work on [this project](https://github.com/orgs/google/projects/62) is ongoing into 2025. | ||
|
|
||
| ## Infrastructure | ||
|
|
||
| We added [support for importing records published at a REST API endpoint](https://osv.dev/blog/posts/announcing-curl-via-rest/), (with the [curl project](https://curl.se/) being the pilot home database to do so). | ||
|
|
||
| We also made improvements to the record import and ingestion processes, to be more tolerant of records with `GIT` ranges that are semantically valid, but incorrect, enabling more existing converted CVEs to be partially imported successfully. | ||
|
|
||
| A very impactful change to the OSV.dev [API](https://google.github.io/osv.dev/api/) has been the [ability to perform queries on existing and future data that OSV.dev did not have version enumeration support for](https://osv.dev/blog/posts/announcing-api-queries-for-more-linux-distros/). This unlocked the usage of existing data for vulnerability discovery via the API, and reduces the effort required to onboard additional ecosystems into the future. | ||
|
|
||
| We also continued to make performance and reliability improvements to the API, and transitioned the website serving infrastructure from Google App Engine to Cloud Run. | ||
|
|
||
| OSV.dev API usage of peaked at over 900 QPS in October, with at least 140 QPS specifically attributable to OSV-Scanner (including [OpenSSF Scorecard](https://securityscorecards.dev/)'s use of OSV-Scanner). | ||
|
|
||
| With the growth in ecosystems, we took the opportunity to [simplify the exported data](https://groups.google.com/g/osv-discuss/c/V7ZSZEMewGA) in our public GCS bucket. | ||
|
|
||
| ## Community | ||
|
|
||
| ### Integrations | ||
|
|
||
| Noteworthy integrations that happened this year: | ||
|
|
||
| * [Google Cloud used OSV to expand Artifact Registry's vulnerability detection](https://security.googleblog.com/2024/12/google-cloud-expands-vulnerability.html) | ||
|
|
||
| ### Code | ||
|
|
||
|  | ||
|
|
||
| Interest and external contributions continue: | ||
|
|
||
| * OSV Schema | ||
| * [18 total contributors](https://github.com/ossf/osv-schema/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c) | ||
| * OSV.dev | ||
| * [28 total contributors](https://github.com/google/osv.dev/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c) | ||
| * OSV-Scanner | ||
| * [32 total contributors](https://github.com/google/osv-scanner/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c) | ||
| * OSV-Scanner GitHub Action | ||
| * [8 total contributors](https://github.com/google/osv-scanner-action/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c) | ||
| * Over 400 GitHub repositories have [adopted](https://github.com/google/osv-scanner-action/network/dependents) | ||
|
|
||
| ### Conferences and events | ||
|
|
||
| We gave OSV-related presentations at: | ||
|
|
||
| * [The inaugural VulnCon](https://www.first.org/conference/vulncon2024/program#pThe-Trials-and-Tribulations-of-Bulk-Converting-CVEs-to-OSV) in Raleigh, North Carolina, USA in February | ||
| * [The SOSS Community Day](https://sosscdna24.sched.com/event/1aNLy/beyond-just-update-all-the-things-uncovering-the-nuances-of-dependency-security-rex-pan-holly-gong-google) in Seattle, Washington, USA in April | ||
| * [The Open Source Summit, Japan](https://ossaidevjapan24.sched.com/event/1jKDY/trials-and-tribulations-of-updating-dependencies-for-vulnerability-remediation-xueqin-cui-michael-kedar-google) in Tokyo, Japan in October | ||
|
|
||
| ## Tooling | ||
|
|
||
| ### OSV-Scanner | ||
|
|
||
| This year, OSV-Scanner gained these noteworthy new features: | ||
|
|
||
| * [Guided Remediation](https://osv.dev/blog/posts/announcing-guided-remediation-in-osv-scanner/) for npm | ||
| * [Transitive dependency scanning for Maven](https://osv.dev/blog/posts/announcing-transitive-dependency-support-for-maven-pomxml-in-osv-scanner/) | ||
| * Support for private Maven registries | ||
| * The ability to override findings in specific packages | ||
| * Additional support for scanning | ||
| * NuGet version 2 lock files | ||
| * pdm lockfiles | ||
| * PNPM v9 lockfiles | ||
| * gradle/verification-metadata.xml | ||
| * CycloneDX 1.4 and 1.5 | ||
|
|
||
| ### A linter for OSV records | ||
|
|
||
| As part of the our data quality program, work commencing on an [OSV record linting tool](https://github.com/ossf/osv-schema/tree/main/tools/osv-linter), which will carry on into 2025. | ||
|
|
||
| ## More to come in 2025 | ||
|
|
||
| The team is looking forward to much more to come in 2025 and the OSV Schema and OSV.dev’s fourth birthday in February, and OSV-Scanner’s second birthday in December. | ||
|
|
||
| With a growing list of OSV-supported databases, our main priorities for 2025 continue to be centered around improving data | ||
| quality and providing accurate and actionable vulnerability scanning results that lead to easy remediation. | ||
|
|
||
| Stay tuned for more details on a few exciting things that we'll be working on throughout 2025! These are focused around: | ||
| - A comprehensive library for vulnerability management that will expose OSV-Scanner CLI functionality (OSV-SCALIBR) | ||
| - Better, layer-focused container scanning support, including base layer identification | ||
| - Guided Remediation for Maven | ||
| - Improvements to reachability analysis and VEX autogeneration | ||
| - And much more! |
Binary file added
BIN
+177 KB
gcp/website/blog/content/posts/2024-in-review/star-history-20241127.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.