security-advisories
security-advisories copied to clipboard
FriendsOfPHP
Export advisories in OSV format
Fixes #576
This commit adds an automatic OSV export to the osv branch while keeping the current repository as is.
Inspired by rustsec: https://github.com/rustsec/advisory-db/blob/main/.github/workflows/export-osv.yml
Preview
https://github.com/jaylinski/security-advisories/tree/osv
Possible improvements
- [ ] Validate generated JSON against spec (https://github.com/ossf/osv-schema/blob/main/validation/schema.json)
- [ ] Validate uniqueness of IDs
Before merging
- [ ] Create an empty
osvbranch with a readme similar to this one: https://github.com/rustsec/advisory-db/blob/osv/README.md
@icanhazstring The PHP and OSV vulnerability schemes don't have a fixed-field. Only the affected versions are listed.
(Or maybe I'm misunderstanding your question?)
@jaylinski was referring to the comment from @naderman about the Packagist advisory api about the fixed version.
Or is it somewhat possible to get security issue listed with affected version and the next which fixes it?
Just wanted to leave that here (probably you knew it already): e.g. https://github.com/github/advisory-database/blob/b07a1c25e2ec4fe59bf3dae2c6b7db3b02f4ae75/advisories/github-reviewed/2022/04/GHSA-x7cr-6qr6-2hh6/GHSA-x7cr-6qr6-2hh6.json
- gives an example of
fixedandintroducednested inaffected - OSV items do exist already in GitHub's advisory DB - can we some "synchronize" multiple sources (did not think about the details & consequences, yet)
@ohader The packagist.org API already synchronizes and merges github's db and friendsofphp, e.g. see here: https://packagist.org/packages/guzzlehttp/guzzle/advisories?version=6278149
It would really just need someone to build an OSV compatible output for the data we collect there to have an OSV database for PHP.
@naderman I woul;d not use packagist.org code.
@all: OSV may be the solution, but knowing Google atitude towards users' data, Id look elsewhere.
