Comments (6)
oliverchang
commented on July 28, 2024
1
that sounds great, is there any timeline on it?
@elanzini This is a priority for us and we are hoping to have this in the coming weeks and months.
thanks for the clarification, we have been discussing something similar for VulnerableCode and may be we could evolve some common data structures. Food for thoughts
@pombredanne We would love to see the minimal schema we have today (https://osv.dev/docs/#tag/vulnerability_schema) be extended and more adopted. It would be super awesome if the open source world could agree on a commonly adopted format for describing vulnerabilities in a minimal way for the purpose of aggregation and interchange/notification.
We are very open to suggestions for (backwards compatible) changes if you have any.
from osv.dev.
oliverchang
commented on July 28, 2024
Hi yes!
This is planned as part of #44. These dumped vulnerability data can also be edited by the community to improve the accuracy of the data.
(I'll close this as a duplicate).
from osv.dev.
pombredanne
commented on July 28, 2024
@oliverchang I am not sure what in #44 is about providing a data dump of all vulnerabilities in your DB?
from osv.dev.
oliverchang
commented on July 28, 2024
@pombredanne The model that we are envisioning for integrating new sources is for there to be YAML files which serve as the source of truth, so by default the data is available in a repo.
For the existing case (OSS-Fuzz bugs), the data will be dumped in the same format into a repo as well.
from osv.dev.
elanzini
commented on July 28, 2024
@oliverchang that sounds great, is there any timeline on it?
from osv.dev.
pombredanne
commented on July 28, 2024
@pombredanne The model that we are envisioning for integrating new sources is for there to be YAML files which serve as the source of truth, so by default the data is available in a repo.
For the existing case (OSS-Fuzz bugs), the data will be dumped in the same format into a repo as well.
@oliverchang thanks for the clarification, we have been discussing something similar for VulnerableCode and may be we could evolve some common data structures. Food for thoughts
@sbs2001 ping FYI ^
from osv.dev.
Related Issues (20)
- Missing entries in the package field for GIT based ecosystem HOT 1
- Make documentation site style match main site. HOT 1
- combine-to-osv: withdraw rejected CVEs
- Support easy access to the json version of a vulnerability HOT 5
- Bioconductor enumeration code is fault-intolerant
- Request OSS-Fuzz project owner approval before importing OSS-Fuzz reports HOT 14
- Withdrawing OSV reports is too heavyweight HOT 5
- Disable automatic OSS-Fuzz -> OSV import for BoringSSL
- CVEs getting reported for git hash, which have been resolved HOT 2
- Navigating away from a blog post attempts to get the blog's images from the new page
- There is a human readable authoritative definition of what the minimum quality bar looks like for an an OSV record that is acceptable for import by OSV.dev
- Tooling exists for OSV record creators to validate that they meet the minimum quality bar at record creation time HOT 5
- The minimum quality bar is sustainably enforced by OSV.dev
- OSV record providers have a machine-readable way to reason about existing published records that do not meet this quality bar
- OSV.dev downstream users have a way to reason about records that are absent from OSV.dev because of failure to meet the minimum quality bar
- OSV.dev downstream users have a clearly defined user journey to make corrections to OSV records served by OSV.dev with minimal overhead by all parties
- Data quality issue CVE-2023-24163 HOT 3
- Data quality issue with GHSA-4wrc-f8pq-fpqp HOT 1
- Handle very long fields on vulnerabilities pages HOT 1
- nvd-cve-osv: OpenSSL versions do not normalize correctly HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from osv.dev.