By Lech Sandecki, Canonical; Andrew Pollock, Google Open Source Security Team
In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. That’s why we’re excited to share that Canonical is now issuing Ubuntu Security Notices (USNs) in the open source OSV format. This collaboration aims to simplify vulnerability management and enhance security for our users.
This integration is a testament to the ongoing collaboration within the OpenSSF Vulnerability Disclosures Working Group. Participation in this working group not only facilitates contributing to the OSV project but also enhances the overall security posture of the open source community. We encourage other Linux distributions to get involved and help us improve vulnerability disclosure processes.
OSV (Open Source Vulnerability) seeks to reduce the complexities of vulnerability management by providing an open, precise, and distributed approach to producing and consuming vulnerability information for open source. By adopting OSV, Canonical helps expand the comprehensiveness of vulnerability data available in this format, making the combined dataset more valuable to open source users for broad open source software vulnerability management. This data unlocks future scanning capabilities in Ubuntu containers.
OSV is not only a format for describing vulnerabilities but also a set of tools and integration opportunities that can consume such information, provide assessment and remediation guidelines to a user, by using tools such as OSV-Scanner. To make it possible for users to utilize OSV-Scanner on currently running Ubuntu releases, the Ubuntu Security Team packaged OSV-Scanner as a snap.
“With the move towards containerization, it is important to enable accurate vulnerability scanning of container images using Ubuntu. Having USNs available in OSV.dev unlocks OSV-Scanner to scan Ubuntu-based container images for known vulnerabilities. We look forward to working further on extending OSV-Scanner’s capabilities for scanning Ubuntu-based container images in the future,” said Oliver Chang from the OSV team.
With this data available, OSV-Scanner will soon be able to provide an automated remediation path for vulnerabilities in Ubuntu containers by pointing to a publicly available fix or a fix available in Ubuntu Pro. If you’re involved with a project and would like to contribute vulnerability data, we’d love to help get that data into OSV.
“Making sure that Ubuntu Security Notices are actionable and available to third-party tools remains a key goal for our security engineering team,” said Lech Sandecki, Product Manager at Canonical. “The OSV format has gained great traction. Canonical will ensure that OSV provides accurate and actionable information about open source software vulnerabilities and fixes available for thousands of open source applications and dependencies that we maintain.”
Learn more about:
- OpenSSF Vulnerability Disclosures Working Group
- The OSV Vulnerability Format; Getting to know the Open Source Vulnerability (OSV) format
- OSV.dev
- OSV-Scanner
- Ubuntu Pro
About the Authors:
Lech Sandecki is a Product Manager at Canonical. He leads a squad of product managers focused on security, compliance, support, and managed services. Lech owns Ubuntu Pro, the flagship enterprise offering for increased open source security and compliance. He ensured Ubuntu Pro is free for personal use on up to 5 machines.Â
Andrew Pollock is a Senior Software Engineer at Google, currently working on https://osv.dev. With a background as an Enterprise Security Engineer, he has extensive experience in large-scale Linux Systems Administration and GCP Security. Andrew is passionate about the human factors in security, focusing on scalable solutions, great user experiences and self-service opportunities. He has primarily worked in Linux/Unix environments as a Site Reliability Engineer or Security Engineer, with a strong interest in process improvement and automation.