Replies: 2 comments
-
|
RE relationship data, there's an issue in the OSV repo for this: ossf/osv-schema#53 |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This is the most correct thing we can do for now within OSV data, we should avoid adding metadata (and encourage OSV upstream to create a solution), and we should definitely avoid human readable prose like CVE does ("*** some text that varies and has no real standard format ***") |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
e.g. Say we ingest a GHSA that has no matching CVE (e.g. GHSA-vp9c-fpxx-744v at time of writing), and later a CVE gets released. Going off of previous discussions, we would want to assign a GSD matching the CVE number for ease of discovery, withdraw the old ID and redirect it to the new ID.
How would that withdrawal process work?
e.g. it could look something like this:
Withdrawn ID
{ "gsd": { "osvSchema": { "id": "GSD-withdrawn-id", "modified": "<timestamp>", "withdrawn": "<timestamp>", "related": ["GSD-new-id"], "summary": "Duplicate of GSD-new-id" } } }New ID
{ "gsd": { "osvSchema": { "id": "GSD-new-id", "aliases": ["GHSA-vp9c-fpxx-744v", "CVE-new-id"], "related": ["GSD-withdrawn-id"], "modified": "timestamp", "summary": "personnummer/ruby vulnerable to Improper Input Validation" } } }That said, being able to add relationship data for the related field would be incredibly helpful, as we could then mark the relationship between IDs as "duplicate of" / "duplicated by"
Beta Was this translation helpful? Give feedback.
All reactions