
Systemic issue with OSV JSON Schema compliance

Open andrewpollock opened this issue 1 year ago • 6 comments

Hi,

By the looks of it, there's a systemic issue with how OSV records are being generated (invalid schema_version field).

OSV.dev would like to start validating OSV records imported both against the JSON Schema and (separately) the Properties of a High Quality OSV Record so it would be good to address this issue in the short term.

We'll be in touch separately about any other problems we identify with your records.

/cc @hogo6002

andrewpollock avatar Nov 15 '24 07:11 andrewpollock

Ah, this appears to be a regression. I've opened a PR to fix this: https://github.com/rustsec/rustsec/pull/1287

Shnatsel avatar Nov 15 '24 11:11 Shnatsel

Could you also include OSV JSON Schema validation into your existing record linting workflow?

andrewpollock avatar Nov 22 '24 01:11 andrewpollock

When do you anticipate republishing the records using code that incorporates #1287? Ideally, the modified field should be updated to reflect that the records have changed, to assist with successful automatic updating by OSV.dev.

andrewpollock avatar Nov 26 '24 06:11 andrewpollock

I'll try to deploy the update in the next few days. That should apply the change to all new files being published.

Updating the modified field is trickier. We need to either bump the modification time on all the original advisories in the database (not in the OSV export branch) with some sort of no-op commit, like adding and removing a newline at the end of file, or hardcode in the exporter that modification times before today-ish get automatically bumped to today, and I don't love either option.

Any thoughts from the other maintainers?

Shnatsel avatar Nov 30 '24 02:11 Shnatsel

No-op commit(s) sound fine to me

tarcieri avatar Dec 01 '24 16:12 tarcieri

Hey @Shnatsel it doesn't look like this ever got resolved?

andrewpollock avatar Mar 17 '25 03:03 andrewpollock
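
The two points raised in this thread, a malformed `schema_version` and a `modified` timestamp that does not move when a record is regenerated, can be shown with a small pre-publish lint. This is an added example, not code from RustSec or OSV.dev. The field rules follow the published OSV specification (required `id` and `modified`, SemVer `schema_version` with no leading "v", RFC 3339 UTC `modified`); the sample records, the invalid value and the `needs_reimport` consumer rule are constructed assumptions.

```python
import json
import re
from datetime import datetime

# SemVer 2.0.0 shape with no leading "v", as the OSV spec describes schema_version.
SEMVER = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
# RFC 3339 timestamp in UTC, ending in "Z".
RFC3339_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def lint_record(record):
    """Return a list of problems for one OSV record (a subset of schema checks)."""
    problems = []
    for field in ("id", "modified"):
        value = record.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: required string is missing")
    sv = record.get("schema_version")
    if sv is not None and not (isinstance(sv, str) and SEMVER.match(sv)):
        problems.append(f"schema_version: {sv!r} is not a SemVer string")
    mod = record.get("modified")
    if isinstance(mod, str) and mod and not RFC3339_UTC.match(mod):
        problems.append(f"modified: {mod!r} is not an RFC 3339 UTC timestamp")
    return problems

def needs_reimport(record, last_seen_modified):
    """Hypothetical consumer rule: refresh only when `modified` moved forward."""
    def parse(ts):
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if last_seen_modified is None:
        return True
    return parse(record["modified"]) > parse(last_seen_modified)

# Constructed records (not real advisories). "v1.4" is a made-up invalid value;
# the thread does not say what the actual invalid value was.
BEFORE = json.loads('{"id": "EXAMPLE-0000-0001", '
                    '"modified": "2023-06-13T13:10:24Z", "schema_version": "v1.4"}')
# Same record re-exported with a valid schema_version but the old timestamp.
FIXED = dict(BEFORE, schema_version="1.4.0")
# Same fix, with `modified` bumped (for instance by a no-op commit).
BUMPED = dict(FIXED, modified="2024-12-01T00:00:00Z")

if __name__ == "__main__":
    for name, rec in (("before", BEFORE), ("fixed", FIXED), ("bumped", BUMPED)):
        print(name, lint_record(rec), needs_reimport(rec, BEFORE["modified"]))
```

Under that consumer rule, `FIXED` passes the lint but is not picked up again, while `BUMPED` is.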