docs(blog): 2024 Year in Review blog post #2932

Merged (14 commits), Jan 12, 2025
116 changes: 116 additions & 0 deletions gcp/website/blog/content/posts/2024-in-review/index.md
@@ -0,0 +1,116 @@
---
title: "The Year in Review"
date: 2025-01-13T04:00:00Z
draft: false
author: The OSV Team
---
2024 has been an *even more* eventful year for OSV.
Collaborator: we should also add https://security.googleblog.com/2024/12/google-cloud-expands-vulnerability.html somewhere now that it's published.

Contributor Author: I've added a new "Integrations" section under "Community" and linked to this blog post. Ideally we'd have some other noteworthy call outs in here...


<!--more-->

## New ecosystems support

[OSV Schema](https://github.com/ossf/osv-schema) adoption momentum continued, with 2024 being the year of the Linux distributions with four adopting the schema, and now included in our [OSV.dev](https://osv.dev/list) database:

* [Ubuntu](https://openssf.org/blog/2024/06/11/ubuntu-security-notices-now-available-in-osv/)
* [Chainguard](https://openssf.org/blog/2024/07/03/chainguard-enhances-security-with-osv-advisory-feed/)
* [Red Hat](https://openssf.org/blog/2024/11/01/red-hats-collaboration-with-the-openssf-and-osv-dev-yields-results-red-hat-security-data-now-available-in-the-osv-format/)
* [SUSE/openSUSE](https://github.com/ossf/osv-schema/pull/260)

We also expanded our existing coverage of Debian GNU/Linux, by [including CVE data from their Security Tracker](https://osv.dev/blog/posts/supporting-debian-security-tracker-data/) in our existing CVE record conversion.

Additionally, the [curl project](https://curl.se/) [started contributing vulnerability records](https://osv.dev/blog/posts/announcing-curl-via-rest/).

This has brought the total number of supported ecosystems to 30. The significantly increased coverage of Linux distributions has been very encouraging, and will enable a comprehensive container image scanning story in 2025.

### Impact of the NVD's analysis challenges on Git commit range coverage

Last year, we [announced](https://osv.dev/blog/posts/introducing-broad-c-c++-support/) the expansion of coverage of C/C++ software with Git range coverage of CVEs
programmatically converted from the NVD. The [reduction of the NVD's analysis capabilities](https://www.scworld.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers) has had a broad impact on vulnerability management, and it has also impacted the effectiveness and comprehensiveness of this CVE conversion. Even with this unexpected challenge, slightly over 50% of in-scope CVEs have been able to be converted to OSV records with the [current implementation](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/nvd-cve-osv).

On the expectation that this may persist into 2025, and in light of [related](https://github.com/cisagov/vulnrichment) [developments](https://www.cisa.gov/securebydesign/pledge) this year, we will be exploring additionally converting CVEs directly from the [CVE List](https://github.com/CVEProject/cvelist).

## Data Quality

We announced our [approach to data quality](https://osv.dev/blog/posts/announcing-data-quality-initiatives/), publishing a definition of the [Properties of a High Quality OSV Record](https://google.github.io/osv.dev/data_quality.html), and work on [this project](https://github.com/orgs/google/projects/62) is ongoing into 2025.

## Infrastructure

We added [support for importing records published at a REST API endpoint](https://osv.dev/blog/posts/announcing-curl-via-rest/), (with the [curl project](https://curl.se/) being the pilot home database to do so).

We also made improvements to the record import and ingestion processes, to be more tolerant of records with `GIT` ranges that are semantically valid, but incorrect, enabling more existing converted CVEs to be partially imported successfully.

A very impactful change to the OSV.dev [API](https://google.github.io/osv.dev/api/) has been the [ability to perform queries on existing and future data that OSV.dev did not have version enumeration support for](https://osv.dev/blog/posts/announcing-api-queries-for-more-linux-distros/). This unlocked the usage of existing data for vulnerability discovery via the API, and reduces the effort required to onboard additional ecosystems into the future.

We also continued to make performance and reliability improvements to the API, and transitioned the website serving infrastructure from Google App Engine to Cloud Run.

OSV.dev API usage of peaked at over 900 QPS in October, with at least 140 QPS specifically attributable to OSV-Scanner (including [OpenSSF Scorecard](https://securityscorecards.dev/)'s use of OSV-Scanner).

With the growth in ecosystems, we took the opportunity to [simplify the exported data](https://groups.google.com/g/osv-discuss/c/V7ZSZEMewGA) in our public GCS bucket.

## Community

### Integrations

Noteworthy integrations that happened this year:

* [Google Cloud used OSV to expand Artifact Registry's vulnerability detection](https://security.googleblog.com/2024/12/google-cloud-expands-vulnerability.html)

### Code

![Image shows the GitHub star history for all OSV-related GitHub repositories taken at November 27, 2024. osv-schema has approximately 180 stars, osv.dev has approximately 1,500 stars, osv-scanner has approximately 6,270 stars, and osv-scanner-action has 16 stars.](star-history-20241127.png "GitHub star history for all OSV repos, as of 2024/11/27")

Interest and external contributions continue:

* OSV Schema
* [18 total contributors](https://github.com/ossf/osv-schema/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c)
* OSV.dev
* [28 total contributors](https://github.com/google/osv.dev/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c)
* OSV-Scanner
* [32 total contributors](https://github.com/google/osv-scanner/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c)
* OSV-Scanner GitHub Action
* [8 total contributors](https://github.com/google/osv-scanner-action/graphs/contributors?from=2024-01-01&to=2024-12-31&type=c)
* Over 400 GitHub repositories have [adopted](https://github.com/google/osv-scanner-action/network/dependents)

### Conferences and events

We gave OSV-related presentations at:

* [The inaugural VulnCon](https://www.first.org/conference/vulncon2024/program#pThe-Trials-and-Tribulations-of-Bulk-Converting-CVEs-to-OSV) in Raleigh, North Carolina, USA in February
* [The SOSS Community Day](https://sosscdna24.sched.com/event/1aNLy/beyond-just-update-all-the-things-uncovering-the-nuances-of-dependency-security-rex-pan-holly-gong-google) in Seattle, Washington, USA in April
* [The Open Source Summit, Japan](https://ossaidevjapan24.sched.com/event/1jKDY/trials-and-tribulations-of-updating-dependencies-for-vulnerability-remediation-xueqin-cui-michael-kedar-google) in Tokyo, Japan in October

## Tooling

### OSV-Scanner

This year, OSV-Scanner gained these noteworthy new features:

* [Guided Remediation](https://osv.dev/blog/posts/announcing-guided-remediation-in-osv-scanner/) for npm
* [Transitive dependency scanning for Maven](https://osv.dev/blog/posts/announcing-transitive-dependency-support-for-maven-pomxml-in-osv-scanner/)
* Support for private Maven registries
* The ability to override findings in specific packages
* Additional support for scanning
* NuGet version 2 lock files
* pdm lockfiles
* PNPM v9 lockfiles
* gradle/verification-metadata.xml
* CycloneDX 1.4 and 1.5

### A linter for OSV records

As part of the our data quality program, work commencing on an [OSV record linting tool](https://github.com/ossf/osv-schema/tree/main/tools/osv-linter), which will carry on into 2025.

## More to come in 2025

The team is looking forward to much more to come in 2025 and the OSV Schema and OSV.dev’s fourth birthday in February, and OSV-Scanner’s second birthday in December.

With a growing list of OSV-supported databases, our main priorities for 2025 continue to be centered around improving data
quality and providing accurate and actionable vulnerability scanning results that lead to easy remediation.

Stay tuned for more details on a few exciting things that we'll be working on throughout 2025! These are focused around:
- A comprehensive library for vulnerability management that will expose OSV-Scanner CLI functionality (OSV-SCALIBR)
- Better, layer-focused container scanning support, including base layer identification
- Guided Remediation for Maven
- Improvements to reachability analysis and VEX autogeneration
- And much more!
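Review bot: The last bullet of the "Code" section, "Over 400 GitHub repositories have [adopted](...)", stops without saying what was adopted; since the link points at the osv-scanner-action dependents graph and the bullet directly above is "OSV-Scanner GitHub Action", suggest completing it to "have adopted the OSV-Scanner GitHub Action". Two wording slips elsewhere in the same hunk: in the Infrastructure section, "OSV.dev API usage of peaked at over 900 QPS" should drop "of", and in "A linter for OSV records", "As part of the our data quality program, work commencing on" should read "As part of our data quality program, work commenced on". The stray comma before "(with the [curl project](https://curl.se/) being the pilot home database to do so)" in the first Infrastructure paragraph can also go.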