more data cleanup #2399
more data cleanup #2399
Conversation
| { | ||
| "package": { | ||
| "name": "Secure Remote Access (SRA)", | ||
| "ecosystem": "GSD" |
There was a problem hiding this comment.
Wait, isn't the ecosystem supposed to be the ecosystem of the package? e.g., NPM or RubyGems.
There was a problem hiding this comment.
There isn't an ecosystem for general software so we use "GSD" https://ossf.github.io/osv-schema/#affectedpackage-field
There was a problem hiding this comment.
This is an example of the limitations of ecosystem / package, relevant to:
There was a problem hiding this comment.
One option:
{
"software": {
"name": "Secure Remote Access (SRA)"
}
}There was a problem hiding this comment.
That's not compliant with the OSV schema
There was a problem hiding this comment.
Neither is using an ecosystem of GSD.
There was a problem hiding this comment.
Oliver had a suggestion for what to temporarily use for unsupported ecosystems somewhere, let me see if I can find it again.
There was a problem hiding this comment.
There was a problem hiding this comment.
Although also not officially OSV. Has someone already started a conversation on the OSV spec either proposing new ecosystem values or having some way of allowing unsupported ones until there is an official one?
There was a problem hiding this comment.
Yes: ossf/osv-schema#83
| "ecosystem": "GSD" | ||
| }, | ||
| "versions": [ | ||
| "8.x, 9.0.0.9-26sv and earlier" |
There was a problem hiding this comment.
This should be multiple strings ["8.x", "9.0.0.9-26sv and earlier"] as defined here. Also the "and ealier" part is very vague.
There was a problem hiding this comment.
Again this is part of the problem, bad data, and I'm not going to completely cvlean it up one by one, I'm currently getting the files into json compliant state, a data compliant state is step #4.
|
Exactly. GSD is a horrible value to use. But there's no really better alternative. "software"? "C"? "github" (if hosted there), "OpenSource"? This is about starting the conversation of how we fix and improve the OSV schema and data because ecosystem is well meaning, and works well for some cases (where there is a clear ecosystem), but the world of software/hwardware/services/etc is wide and diverse and ecosystem won't work for all of it. For example: "We just need clearly defined rules for each ecosystem. There must be no ambiguity as to what a "name" means in an ecosystem. This is not always obvious: e.g. for Debian, this must be source packages, not binary packages. For Python, the package name must be normalized. We can't just have e.g. ecosystem: "", name: "human readable text" as these are not very actionable." Which... I'm not sure that will work at a meta level at all for us. E.g. Where do debian binary packages go for ecosystem? As you can see this is problematic in many ways. |
No description provided.