
Define a protocol / conventions for discovery

Open oliverchang opened this issue 3 years ago • 3 comments

Currently, the way to discover / determine OSV producers is to look at the README.md in this repo.

There should be a more well-defined way to do this.

oliverchang avatar Jul 11 '22 06:07 oliverchang

Relates to #51, which would allow this type of discovery/determination when looking at individual IDs / entries.

What the schema_format field wouldn't cover is some sort of organic list of the various DBs using OSV. I would love to see a comprehensive list of all the databases out there, and that might be something the GSD project helps put together as we start looking at ingesting said DBs into their respective namespaces in the GSD. With that list, it should be simple to add an additional field to track what format(s) they use/support.

joshbuker avatar Jul 11 '22 22:07 joshbuker

This speaks to having an identifier in the JSON format like CVE does. Then you could trivially:

  • search GitHub for "data_type": "OSV",
  • check if a JSON file is in OSV format trivially
  • also ideally we hand out GSDs so easily that people just use us and we don't have to go looking

Do we have any data on producers of OSV data that aren't already well known?

kurtseifried avatar Jul 12 '22 00:07 kurtseifried

bump: @oliverchang can we please add a

"data_type": "OSV",

like CVE has:

"data_type": "CVE"

and if not why not?

kurtseifried avatar Oct 01 '22 04:10 kurtseifried
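
To illustrate the format check discussed in the comments above, here is an added example that is not code from the osv-schema project or from any commenter. It assumes the proposed `"data_type": "OSV"` field exists, and otherwise falls back to guessing from the `id` and `modified` fields that the OSV schema requires; the sample documents, `classify` and `_is_timestamp` are constructed for this illustration.

```python
import json
from datetime import datetime

# Constructed sample documents, not real advisories.
SAMPLES = {
    "marked": '{"data_type": "OSV", "id": "EXAMPLE-2022-0001", "modified": "2022-07-11T00:00:00Z"}',
    "unmarked": '{"schema_version": "1.2.0", "id": "EXAMPLE-2022-0002", "modified": "2022-07-12T00:00:00Z"}',
    "cve": '{"data_type": "CVE", "CVE_data_meta": {"ID": "CVE-XXXX-XXXX"}}',
    "lookalike": '{"id": 7, "modified": "yesterday"}',
    "broken": '{"id": ',
}


def _is_timestamp(value):
    """True if value parses as an ISO 8601 timestamp (OSV uses RFC 3339 UTC)."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def classify(text):
    """Return (verdict, basis) for one JSON document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return ("unknown", "invalid JSON")
    if not isinstance(doc, dict):
        return ("unknown", "not a JSON object")
    marker = doc.get("data_type")  # proposed field: an assumption taken from this thread
    if marker == "OSV":
        return ("osv", "explicit marker")
    if isinstance(marker, str):
        return ("not-osv", "marked as " + marker)
    # No marker: fall back to the two fields the OSV schema requires.
    if isinstance(doc.get("id"), str) and doc["id"] and _is_timestamp(doc.get("modified")):
        return ("osv", "heuristic guess")
    return ("unknown", "no marker, required OSV fields absent")


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

The "heuristic guess" verdict is only a guess: any JSON object with a string `id` and a timestamp `modified` matches it, which is the ambiguity an explicit marker would remove.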