
schema: Move the `severity` from `Vulnerability` into the respective `Affected`

fviernau opened this issue 3 years ago • 1 comment

`Vulnerability` has the arrays `severity` and `affected`. I couldn't find the documentation for these arrays, but my guess is that the i-th `severity` entry corresponds to the package referenced by the i-th entry in `affected`.

Can you confirm that the above assumption is true? If so, would it make sense to change the schema as follows?

from:

```
Vulnerability (
  ...
  severity[]
  affected[]
  ...
)
```

to:

```
Vulnerability (
  ...
  affected[]
  ...
)

Affected (
  ...
  severity
  ...
)
```

fviernau avatar Jul 20 '22 11:07 fviernau

Hi!

This assumption is not correct -- the severity field is an array only to account for multiple scoring algorithms (currently only CVSS is supported).

I think we need some clarification on the spec (https://ossf.github.io/osv-schema/#severity-field) here?

oliverchang avatar Jul 20 '22 23:07 oliverchang

Closed since moved over to osv-schema.

another-rex avatar Oct 18 '22 01:10 another-rex