Business author and expert H. James Harrington once said, "If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it." He was right. Google is following this advice with a new way to strengthen open-source security: a vulnerability interchange schema for describing vulnerabilities across open-source ecosystems.
That's very important. One low-level problem is that there are many security vulnerability databases, but there is no standard interchange format. If you want to aggregate information from multiple databases, you must handle each one completely separately. That's a real waste of time and energy. At the very least you must write a parser for each database's format before you can merge their data. All of this makes systematic tracking of dependencies and collaboration between vulnerability databases much harder than it should be.
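To make the aggregation problem concrete, here is an added example (not code from Google or the OSV project) that does what the paragraph above describes: it parses two constructed, hypothetical database formats (one JSON, one CSV) into a single common record type and then merges entries that describe the same issue via a shared alias. The `Vuln` record is a deliberately simplified stand-in for a real interchange schema, and the identifiers and version numbers are all placeholders.

```python
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed sample data in two hypothetical database formats. "CVE-0000-0000"
# is a placeholder identifier, not a real CVE.
DB_A_JSON = '''
[{"advisory_id": "DBA-2021-0001", "package": "example-lib", "ecosystem": "PyPI",
  "vulnerable_versions": ["1.0.0", "1.0.1"], "patched_version": "1.0.2",
  "cve": "CVE-0000-0000"}]
'''
DB_B_CSV = """id,pkg,eco,affected,fixed,aliases
DBB-77,example-lib,PyPI,1.0.0;1.0.1,1.0.2,CVE-0000-0000
DBB-78,other-lib,npm,2.3.0,2.3.1,
"""


@dataclass
class Vuln:
    """Common record every source is normalised into (a toy interchange format)."""
    id: str
    ecosystem: str
    package: str
    affected: list
    fixed: str
    aliases: list = field(default_factory=list)
    sources: list = field(default_factory=list)


def parse_db_a(text):
    """One bespoke parser for the JSON-shaped database."""
    out = []
    for rec in json.loads(text):
        out.append(Vuln(id=rec["advisory_id"], ecosystem=rec["ecosystem"],
                        package=rec["package"],
                        affected=list(rec["vulnerable_versions"]),
                        fixed=rec["patched_version"],
                        aliases=[rec["cve"]] if rec.get("cve") else [],
                        sources=["db_a"]))
    return out


def parse_db_b(text):
    """A second bespoke parser for the CSV-shaped database."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Vuln(id=row["id"], ecosystem=row["eco"], package=row["pkg"],
                        affected=row["affected"].split(";"), fixed=row["fixed"],
                        aliases=[a for a in row["aliases"].split(";") if a],
                        sources=["db_b"]))
    return out


def merge(vulns):
    """Merge records describing the same issue: same ecosystem+package and a
    shared identifier (an alias of one matching the id or an alias of the other)."""
    merged = []
    for v in vulns:
        match = None
        for m in merged:
            same_pkg = (m.ecosystem, m.package) == (v.ecosystem, v.package)
            shared = set(m.aliases + [m.id]) & set(v.aliases + [v.id])
            if same_pkg and shared:
                match = m
                break
        if match is None:
            merged.append(v)
        else:
            # Keep the first id seen; fold the other record's id into the aliases.
            match.aliases = sorted(set(match.aliases + v.aliases + [v.id]) - {match.id})
            match.affected = sorted(set(match.affected) | set(v.affected))
            match.sources = sorted(set(match.sources + v.sources))
    return merged


def aggregate():
    """Run both parsers and merge their output into one de-duplicated list."""
    return merge(parse_db_a(DB_A_JSON) + parse_db_b(DB_B_CSV))


if __name__ == "__main__":
    for v in aggregate():
        print(v)
```

Every additional database means another `parse_db_*` function and another set of field-mapping decisions; a shared schema removes exactly that per-source work and leaves only the merge step.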