
data duplication in Downstream database records

Open i-bs opened this issue 2 months ago • 1 comments

Describe the bug

When Upstream/Downstream relations in records were introduced, a potential inconsistency appeared: Downstream records should or should not have their own Summary and Description fields.

The OSV-Schema doesn't give explicit guidelines.

If a Downstream record has these fields:

  • Pros:
    • Everything works as expected
  • Cons:
    • Data is duplicated. If the data is different it's undetermined how a user should interpret the difference

If a Downstream record has NONE of these fields:

  • Pros:
    • Database is consistent. Data may be found from the Upstream fields
  • Cons:
    • The records have no Summary and Description, so the database entry is not informative. Also, OSV-Scanner doesn't extract this information.

To Reproduce

  1. https://osv.dev/vulnerability/BELL-CVE-2025-40000 is the example of the record having empty fields
  2. https://osv.dev/vulnerability/UBUNTU-CVE-2025-40000 is the example where the fields are copied but with the messed up formatting.

Expected behaviour

Consistent database and all the fields available in Downstream records.

Additional context

The best solution I see is:

  1. propagate the missing info from Upstream record.
  2. Make apps like OSV-scanner do the same.

i-bs avatar Oct 28 '25 08:10 i-bs

Sorry for taking so long to get back to you.

We believe that while the downstream records are addressing the same CVE or other record, downstream data providers should be able to communicate what they wish about how the vulnerability affects their specific system. Hence we don't want to enforce the same summary/details information to be propagated downstream. There are also cases where it doesn't make sense to propagate it downstream, as there are records like USNs that have multiple upstreams as they are addressing patching multiple advisories in one record.

I'll discuss with the team and see if there is anything here we have the capacity to action, as I don't particularly like not having the details information, but generally we're leaving this sort of thing up to data providers.

jess-lowe avatar Nov 17 '25 00:11 jess-lowe
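As an added illustration of the propagation proposed in the issue and the multiple-upstream caveat raised in the reply (example code written for this page, not OSV's or OSV-Scanner's own), the helper below fills empty summary/details in a downstream record only when a single upstream is listed and never overwrites a provider's own text. The field names "upstream", "summary" and "details" are assumed to match the OSV schema, and the record contents are constructed.

```python
"""Fill missing summary/details in a downstream OSV record from its upstream.

Field names ("id", "summary", "details", "upstream") are assumed to follow the
OSV schema; the sample records below are constructed for this example.
"""
from copy import deepcopy

# Constructed upstream index (IDs from the issue; the text is made up).
UPSTREAM = {
    "CVE-2025-40000": {"id": "CVE-2025-40000",
                       "summary": "Example upstream summary",
                       "details": "Example upstream details."},
    "CVE-2025-40001": {"id": "CVE-2025-40001",
                       "summary": "Second upstream summary",
                       "details": "Second upstream details."},
}

# Constructed downstream records covering the three cases discussed.
DOWNSTREAM = [
    # empty fields, single upstream: both fields get propagated
    {"id": "BELL-CVE-2025-40000", "upstream": ["CVE-2025-40000"]},
    # provider wrote its own summary: keep it, fill only the empty details
    {"id": "UBUNTU-CVE-2025-40000", "upstream": ["CVE-2025-40000"],
     "summary": "Ubuntu-specific summary", "details": ""},
    # several upstreams (the USN case): ambiguous, leave untouched
    {"id": "USN-EXAMPLE-1", "upstream": ["CVE-2025-40000", "CVE-2025-40001"]},
]


def fill_from_upstream(record, upstream_index):
    """Return (copy of record, list of fields filled).

    A value already present downstream is never overwritten, so a provider
    can describe how the issue affects its own system. Propagation happens
    only when exactly one upstream is listed and it can be resolved; the
    input record is not mutated.
    """
    out = deepcopy(record)
    upstream_ids = record.get("upstream", [])
    if len(upstream_ids) != 1 or upstream_ids[0] not in upstream_index:
        return out, []
    src = upstream_index[upstream_ids[0]]
    filled = []
    for field in ("summary", "details"):
        if not out.get(field) and src.get(field):
            out[field] = src[field]
            filled.append(field)
    return out, filled


if __name__ == "__main__":
    for rec in DOWNSTREAM:
        merged, filled = fill_from_upstream(rec, UPSTREAM)
        print(rec["id"], "filled:", filled or "nothing")
```

A scanner applying the same rule would get summary/details for records like the BELL one while leaving multi-upstream advisories and provider-authored text alone.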