advisory-database
Document version of OSV schema
So other OSV-based YAML vuln databases include the schema_version tag (e.g. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/antlr4-java/OSV-2022-667.yaml), which version of the OSV schema is PyPa currently using?
The only reference I found was in https://github.com/pypa/advisory-database/issues/73 which points to the current OSV schema file (which doesn't require the schema_version tag, but it's something I've suggested in https://github.com/ossf/osv-schema/issues/116)
In the absence of an explicit value, the value is assumed to be "1.0.0" per https://ossf.github.io/osv-schema/#schema_version-field, which predates the addition of this field.
The OSV schema is intended to be backwards compatible, in that newer versions do not change the meaning of existing fields.
That said, we can very easily update the schema_versions here; we just haven't had the need to adopt the newer fields added since 1.0.0 yet.
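The two comments above describe how a consumer should treat a record with no schema_version (assume 1.0.0) and why that is safe (newer schema versions do not change the meaning of existing fields). The following is an added example of a consumer-side check, not code from this thread or from pypa/advisory-database: records are plain dicts as `yaml.safe_load()` would return for a PyPA advisory file, the sample records and the `max_supported` value are constructed for illustration, and `check_record` and `effective_schema_version` are names chosen here.

```python
"""Resolve and sanity-check the OSV schema_version of advisory records.

Added example for this issue thread; not code from pypa/advisory-database.
Records are plain dicts (what yaml.safe_load() returns for a PyPA advisory);
the sample records below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Per https://ossf.github.io/osv-schema/#schema_version-field a record that
# omits schema_version is treated as 1.0.0 (the field was added later).
DEFAULT_SCHEMA_VERSION = "1.0.0"

# Fields the OSV schema requires of every record, independent of version.
REQUIRED_FIELDS = ("id", "modified")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed schema_version: {version!r}")
    return tuple(int(p) for p in parts)


def effective_schema_version(record: Dict) -> str:
    """Schema version the record must be read with, applying the 1.0.0 default."""
    return str(record.get("schema_version", DEFAULT_SCHEMA_VERSION))


def check_record(record: Dict, max_supported: str) -> List[str]:
    """Return a list of problems; an empty list means the record is acceptable.

    max_supported is the newest OSV schema version this consumer understands
    (a constructed parameter for the example). Older records are fine because
    the schema is backwards compatible; newer ones may carry fields we would
    silently ignore, so they are flagged rather than rejected.
    """
    problems = [f"missing required field {f!r}" for f in REQUIRED_FIELDS if f not in record]
    version = effective_schema_version(record)
    try:
        parsed = parse_version(version)
    except ValueError as exc:
        return problems + [str(exc)]
    if parsed > parse_version(max_supported):
        problems.append(f"schema_version {version} is newer than supported {max_supported}")
    return problems


# Constructed sample records (not real advisories).
SAMPLE_RECORDS = [
    # PyPA-style record with no schema_version: resolves to 1.0.0.
    {"id": "EXAMPLE-0001", "modified": "2022-01-01T00:00:00Z", "summary": "constructed"},
    # Record claiming a newer schema than this consumer supports.
    {"id": "EXAMPLE-0002", "modified": "2022-01-01T00:00:00Z", "schema_version": "1.3.0"},
    # Record with a schema_version that is not a dotted version at all.
    {"id": "EXAMPLE-0003", "modified": "2022-01-01T00:00:00Z", "schema_version": "latest"},
    # Record missing the fields every OSV record must have.
    {"schema_version": "1.0.0"},
]


def summarize(records: List[Dict], max_supported: str) -> Dict[str, List[str]]:
    """Map each record's id (or '<no id>') to the problems found in it."""
    return {str(r.get("id", "<no id>")): check_record(r, max_supported) for r in records}


if __name__ == "__main__":
    for rec_id, problems in summarize(SAMPLE_RECORDS, "1.2.0").items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{rec_id}: {status}")
```

Running the script lists each constructed record with its effective version problems; in a real consumer the record dicts would come from `yaml.safe_load()` over the `vulns/` tree, and `max_supported` would be set to the schema version the tool was written against.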
Can I suggest that PyPa document this in the README.md? E.g. "We use OSV 1.0.0 in YAML format for the files" and if you ever change you can update the docs. Thanks
I'd merge a PR with this change. I've updated the issue title accordingly. Thanks!
The confusion here is why https://github.com/ossf/osv-schema/pull/131 and https://github.com/ossf/osv-schema/pull/132 would be useful to include.
This is now implicitly specified in the pre-commit URL: https://github.com/pypa/advisory-database/blob/4e47b499500eddf5954bf49f6a92f8c62e0a0e3a/.pre-commit-config.yaml#L7