security-advisories
Export advisories in OSV format
Fixes #576
This commit adds an automatic OSV export to the osv
branch while keeping the current repository as is.
Inspired by rustsec: https://github.com/rustsec/advisory-db/blob/main/.github/workflows/export-osv.yml
Preview
https://github.com/jaylinski/security-advisories/tree/osv
Possible improvements
- [ ] Validate generated JSON against spec (https://github.com/ossf/osv-schema/blob/main/validation/schema.json)
- [ ] Validate uniqueness of IDs
Before merging
- [ ] Create an empty `osv` branch with a readme similar to this one: https://github.com/rustsec/advisory-db/blob/osv/README.md
Any new update here to get the fixed version into the list as well?
@icanhazstring The PHP and OSV vulnerability schemes don't have a `fixed` field. Only the affected versions are listed.
(Or maybe I'm misunderstanding your question?)
@jaylinski was referring to the comment from @naderman about the Packagist advisory api about the fixed version.
Or is it somehow possible to get a security issue listed with the affected version and the next one which fixes it?
Just wanted to leave that here (probably you knew it already): e.g. https://github.com/github/advisory-database/blob/b07a1c25e2ec4fe59bf3dae2c6b7db3b02f4ae75/advisories/github-reviewed/2022/04/GHSA-x7cr-6qr6-2hh6/GHSA-x7cr-6qr6-2hh6.json
- gives an example of `fixed` and `introduced` nested in `affected`
- OSV items do exist already in GitHub's advisory DB - can we somehow "synchronize" multiple sources (did not think about the details & consequences, yet)
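As an added illustration (not code from this PR or the FriendsOfPHP project), here is the `introduced`/`fixed` mapping discussed above written out, plus the "validate uniqueness of IDs" check from the checklist. The input shape (`branches` with a `versions` constraint list, `composer://` references) is assumed to mirror the FriendsOfPHP YAML files; the advisories, ids and URLs themselves are constructed sample data, and the `ECOSYSTEM` range type with `Packagist` as ecosystem follows the OSV schema.

```python
# Constructed sample in the FriendsOfPHP YAML shape (branches -> versions
# constraint lists); package names, ids and URLs are made up.
SAMPLE_ADVISORIES = [
    {"id": "PKSA-EXAMPLE-0001", "title": "Example RCE",
     "link": "https://example.invalid/adv/1", "reference": "composer://acme/widget",
     "branches": {"1.x": {"versions": [">=1.0.0", "<1.2.3"]},
                  "2.x": {"versions": [">=2.0.0", "<2.0.1"]}}},
    {"id": "PKSA-EXAMPLE-0002", "title": "Example XSS",
     "link": "https://example.invalid/adv/2", "reference": "composer://acme/gadget",
     "branches": {"main": {"versions": ["<0.9.0"]}}},
]

def constraints_to_events(constraints):
    """">=X" -> introduced, "<X" -> fixed, "<=X" -> last_affected.
    OSV requires an introduced event in every range, so a branch that only
    has an upper bound is marked introduced at "0" (all earlier versions)."""
    events = []
    for c in constraints:
        c = c.strip()
        if c.startswith(">="):
            events.append({"introduced": c[2:]})
        elif c.startswith("<="):
            events.append({"last_affected": c[2:]})
        elif c.startswith("<"):
            events.append({"fixed": c[1:]})
        else:
            raise ValueError(f"unsupported constraint: {c}")
    if not any("introduced" in e for e in events):
        events.insert(0, {"introduced": "0"})
    return events

def to_osv(adv):
    """Build one OSV record; one range per branch, nested under affected."""
    name = adv["reference"].removeprefix("composer://")
    ranges = [{"type": "ECOSYSTEM", "events": constraints_to_events(b["versions"])}
              for b in adv["branches"].values()]
    return {"schema_version": "1.4.0", "id": adv["id"], "summary": adv["title"],
            "affected": [{"package": {"ecosystem": "Packagist", "name": name},
                          "ranges": ranges}],
            "references": [{"type": "ADVISORY", "url": adv["link"]}]}

def duplicate_ids(records):
    """Ids that occur more than once across the exported records."""
    seen, dupes = set(), []
    for rid in (r["id"] for r in records):
        if rid in seen and rid not in dupes:
            dupes.append(rid)
        seen.add(rid)
    return dupes
```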
@ohader The packagist.org API already synchronizes and merges github's db and friendsofphp, e.g. see here: https://packagist.org/packages/guzzlehttp/guzzle/advisories?version=6278149
It would really just need someone to build an OSV compatible output for the data we collect there to have an OSV database for PHP.
@naderman I would not use packagist.org code.
@all: OSV may be the solution, but knowing Google's attitude towards users' data, I'd look elsewhere.