osv.dev
Support RedHat vulnerabilities
Currently OSV supports a few operating system ecosystems like Debian & Alpine. We would like to open a feature request for supporting RedHat ecosystem vulnerabilities.
Thanks, have a nice day.
Hi, is adding RedHat datasource on your roadmap?
This issue has not had any activity for 60 days and will be automatically closed in two weeks
is adding RedHat datasource on your roadmap?
We're largely dependent on Red Hat to provide the data in the OSV format, conversations are ongoing...
/cc @mprpic
The Red Hat ecosystem is large and varied so we're still working out the kinks on how to best structure the data in the OSV schema, but it's in progress! Since there is interest in this data, I'll ask here @fingeromer, are you mostly interested in data on vulnerabilities affecting RPMs shipped on RHEL? Or other Red Hat products as well?
The onboarding process is a little bit bespoke and toilsome at the moment, but something we're continuously improving on and streamlining with each new data source onboarded. I would like to get it to the point of being much more checklist/cookbook driven than it currently is. My detailed response here is an (ongoing) experiment at further process improvement and seeks to address some recent actionable feedback received by another data source onboarding. Your actionable feedback is also very welcome.
In a nutshell:
- [ ] Decide if you're going to publish records via a Git repository, GCS bucket or REST endpoint (I'm going to assume a Git repository?)
- [ ] Create a PR to reserve a prefix in the OSV-Schema (worked examples: https://github.com/ossf/osv-schema/pull/235 https://github.com/ossf/osv-schema/pull/223 https://github.com/ossf/osv-schema/pull/219)
- [ ] We review the records you start publishing for OSV Schema correctness and quality (the work happening under the OSV Data Quality Program is also relevant here, as an FYI) as part of reviewing and merging that PR
- [ ] Create a PR to extend purl_helpers.py (if appropriate)
- [ ] Create a PR to start importing the records you are publishing into our test instance of OSV.dev and validate everything is working as intended there (worked example: https://github.com/google/osv.dev/pull/2086)
- [ ] Create a PR to start importing the records you are publishing into our production environment (worked example: https://github.com/google/osv.dev/pull/2105)
Known onboarding rough edges:
- the format of the `source{,_test}.yaml` files (hopefully the example PRs plus other existing entries will make this reasonably self-evident). Specifically, FYI, the value for `type` corresponds with those defined at https://github.com/google/osv.dev/blob/381f459de12e181447731beee9ba4b06a513c586/osv/models.py#L783-L787
We're going to publish the records at a new REST endpoint https://access.redhat.com/security/data/osv/
I guess we don't need to adjust purl_helpers because we include purls with our OSV records.
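An added example (not osv.dev's or Red Hat's code) of a pre-publication sanity check for a data source going through the checklist above: it covers the schema-correctness review step and the point that purls ship inside the records, by verifying the reserved ID prefix, a parsable `pkg:rpm/redhat/...` purl on every affected package, and ECOSYSTEM ranges with an `introduced` event. The prefix `EXAMPLE`, the ecosystem string and the sample record are constructed placeholders, not real advisory data.

```python
"""Sanity-check an OSV record before publishing it for import into OSV.dev.

Added example, not osv.dev or Red Hat code. It does not replace the full JSON
Schema validation done during review; it catches the onboarding mistakes that
the checklist is about: wrong/missing ID prefix, missing or malformed purls,
and ranges without an 'introduced' event (the OSV spec requires one).
"""
import re

# Package URL: pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
PURL_RE = re.compile(r"^pkg:([a-z0-9.+-]+)/(.+)$")


def parse_purl(purl):
    """Return (type, namespace, name, version) or None if not a purl.

    Qualifiers and subpath are dropped; a multi-segment namespace stays joined.
    """
    m = PURL_RE.match(purl)
    if not m:
        return None
    rest = m.group(2).split("#", 1)[0].split("?", 1)[0]
    parts = rest.rsplit("/", 1)
    namespace = parts[0] if len(parts) == 2 else ""
    name, _, version = parts[-1].partition("@")
    return m.group(1), namespace, name, version


def check_record(record, prefix, purl_type="rpm", purl_namespace="redhat"):
    """Return a list of problems; an empty list means the record passed."""
    problems = []
    rec_id = record.get("id", "")
    if not rec_id.startswith(prefix + "-") or len(rec_id) <= len(prefix) + 1:
        problems.append(f"id {rec_id!r} does not use reserved prefix {prefix}-")
    if "modified" not in record:  # 'id' and 'modified' are the required fields
        problems.append("missing required field 'modified'")
    affected = record.get("affected") or []
    if not affected:
        problems.append("no affected entries")
    for i, entry in enumerate(affected):
        pkg = entry.get("package", {})
        purl = pkg.get("purl")
        parsed = parse_purl(purl) if purl else None
        if parsed is None:
            problems.append(f"affected[{i}]: missing or malformed purl")
        elif (parsed[0], parsed[1]) != (purl_type, purl_namespace):
            problems.append(f"affected[{i}]: {purl} is not pkg:{purl_type}/{purl_namespace}/...")
        elif parsed[2] != pkg.get("name"):
            problems.append(f"affected[{i}]: purl name {parsed[2]!r} != package.name")
        for j, rng in enumerate(entry.get("ranges", [])):
            if rng.get("type") != "ECOSYSTEM":
                problems.append(f"affected[{i}].ranges[{j}]: expected type ECOSYSTEM")
            if not any("introduced" in ev for ev in rng.get("events", [])):
                problems.append(f"affected[{i}].ranges[{j}]: no 'introduced' event")
    return problems


SAMPLE = {  # constructed record; prefix, ecosystem name and versions are placeholders
    "schema_version": "1.6.0", "id": "EXAMPLE-2024-0001",
    "modified": "2024-01-15T00:00:00Z", "summary": "Constructed example advisory",
    "affected": [{
        "package": {"ecosystem": "Red Hat", "name": "openssl",
                    "purl": "pkg:rpm/redhat/openssl@3.0.7-16.el9_2?arch=x86_64"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "3.0.7-16.el9_2"}]}],
    }],
}

if __name__ == "__main__":
    print(check_record(SAMPLE, "EXAMPLE") or "record passed")
```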
> I guess we don't need to adjust purl_helpers because we include purls with our OSV records.
Correct.