Announcement:

Google is partnering with Open Source Technology Improvement Fund, Inc to sponsor security reviews of critical open source software. 

OSTIF is elated to announce that we are planning to improve the security of eight open-source projects thanks to support from the Google Open Source Security Team.

This marks a major success in bringing on large corporate donors to support OSTIF’s model of improving open source software through security reviews and source code audits. A focused, well-scoped review by an experienced team can drive significant and long-lasting improvements in widely used projects. For example, OSTIF’s end-to-end review of Unbound, an open-source Domain Name System (DNS) resolver used in securing websites, resulted in 48 changes that strengthened its security, including finding and patching one Critical, five High, and five Medium severity issues.

Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand our in-depth security reviews to even more projects vital to the open source ecosystem. Our initial list of 25 MAP projects was identified empirically by research [1], [2], [3] targeted at identifying the most critical digital infrastructure, and cross-referenced with OpenSSF’s Security Scorecards to prioritize projects within the list. Together, these efforts identified eight libraries, frameworks and apps that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them.

The Projects

Git

Git is the de facto version control software used in modern DevOps. According to the Criticality Score Index, Git is the second-most critical application in C and the 10th-most critical application across all platforms. In development since 2005, Git forms the foundation of GitHub and GitLab and is undoubtedly one of the most critical pieces of open-source software in the world.

Lodash

Lodash, a modern JavaScript utility library with over 200 functions to facilitate web development, can be found in most environments that support JavaScript, which is most of the World Wide Web. Lodash is also used and tested in most current web browsers, including Chrome since v74. Lodash was chosen for security review due to its ubiquity and project age, along with a relatively high Criticality Score of 77%. The Linux Foundation & The Laboratory for Innovation Science at Harvard’s study titled “Vulnerabilities in the Core” identified Lodash as one of the most used packages according to dependency analysis. Furthermore, taking into account at least 7 reported vulnerabilities since 2018 and a Security Scorecard of 50%, it is reasonable to justify a Security Review and a boost to its security posture.

Laravel

Laravel is a PHP web application framework that is used by many modern, full-stack web applications, including integrations with Google Cloud. Laravel was chosen for security review due to its ubiquity and project age, along with a relatively high Criticality Score of 79%. Laravel has at least 9 reported vulnerabilities since 2017 and a Security Scorecard of 58%, making it a good candidate for Security Review and a boost to its security posture.

Slf4j

Slf4j is a logging facade for various Java logging frameworks. “Vulnerabilities in the Core” identified slf4j as one of the most-used non-JavaScript packages according to dependency analysis. Factoring in the project age of 16 years and various vulnerability reports, such as CVE-2018-0088, a detailed review would likely provide substantial improvement to its security posture.

Jackson-core & Jackson-databind

Jackson-core provides the Jackson Streaming API for JSON in Java, along with the extra shared components that form the base of the Jackson data-bind package. The two projects were identified by “Vulnerabilities in the Core” as the 1st and 2nd most-used non-JavaScript packages. With project ages of over 9 years and Security Scorecards of 42% and 58% respectively, it is reasonable to justify a review and a boost to security posture for these widely-used dependencies.

Httpcomponents-core & Httpcomponents-client

The core and client components of Apache HttpComponents, these projects are responsible for creating and maintaining a toolset of low-level Java components focused on HTTP and associated protocols. Providing fundamental functions of the web, these projects were identified among the most widely used non-JavaScript packages.


Thank You

We would like to thank the Google Open Source Security Team for helping us scale our impact to not only find bugs but also fix issues across the open-source ecosystem. From here, we hope to significantly grow operations to support hundreds of projects in the coming few years. To reach this goal, we will need support from the communities that rely on this infrastructure, and improve our data to target the best projects for our work. In the end, we believe these combined efforts will lead to a safer open source environment for everyone.