Alexis Mousset
I don't see why we could not add an advisory for `cargo` "the crate", and one for cargo the tool (in `rust/cargo/`), they are meant to be used in different...
We are missing license/attribution information in the OSV export (as @Shnatsel pointed out). I don't see any obvious location in the [specs](https://ossf.github.io/osv-schema/) (the credits part does not fit this need)....
> I think SPDX license identifiers are the most common way to encode license information in a machine-readable way. The default for RustSec's toml format is CC0 but now we're...
After some previous discussions I changed the:

```toml
license = "CC-BY-4.0"
attribution = ["I'm the author"]
```

into:

```toml
syndicated_from = "GHSA"
```

Which in retrospect does not seem to...
Nice, I didn't see that they [explicitly accepted](https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features#advisory-database) a link only, the license itself requires more. So it gives:

```toml
license = "CC-BY-4.0"
attribution_url = "https://github.com/advisories/GHSA-f8vr-r385-rh5r"
```
PR updated. Next identified steps: * Announce the future addition of CC-BY 4.0 advisories in the database. * Merge this change (and bump rustsec version as adding the metadata fields...
I'm unsure about this. For example on rustsec.org we would display something like `Advisory available under CC-BY 4.0 license` without an explicit source, which might lead readers to attribute the...
> Is there precedent for this in other vulnerability DBs we could lean on? I could not find any, and OSV does not include a field for this information. >...
It has been deployed.
Could you elaborate on what were your expectations and which kind of documentation would have helped you?