Comments (7)
Hi @pombredanne , just following up on this issue.
Our data is now available at https://github.com/google/oss-fuzz-vulns under the CC-BY-4.0 License.
Users can also submit changes to these files and have them reflect in OSV (i.e. they are the source of truth).
from osv.dev.
As part of #44 the source of truth for our data will live in various repos.
If that repo happens to be part of OSV / OSS-Fuzz / Something else controlled by us, it'll be whatever license that repo is licensed under, which is most likely Apache 2.0.
Would that work for you?
from osv.dev.
As part of #44 the source of truth for our data will live in various repos.
If that repo happens to be part of OSV / OSS-Fuzz / Something else controlled by us, it'll be whatever license that repo is licensed under, which is most likely Apache 2.0.
Would that work for you?
Thanks. Any license is better than no license, Apache is fine, although not a license designed for data and therefore likely not the best pick. As for the API-accessible data today, what would the license be?
BTW, your API requires an API key but your web site does not. So why an extra layer of auth? Implicitly you are encouraging users (me) to build a web scraper rather than to use your API to avoid the hassle of API key management.
from osv.dev.
Thanks. Any license is better than no license, Apache is fine, although not a license designed for data and therefore likely not the best pick. As for the API-accessible data today, what would the license be?
I don't know the answer for the API-accessible data. I can find out and get back to you. I don't expect this to be an issue.
BTW, your API requires an API key but your web site does not. So why an extra layer of auth? Implicitly you are encouraging users (me) to build a web scraper rather than to use your API to avoid the hassle of API key management.
Thanks for the feedback.
The API key requirement is an unfortunate requirement but it's necessary for the higher QPS allowed by the API and to prevent abuse. The web UI has a lower QPS and serves a different purpose. The web UI primary serves the pagination/search and viewing individual Vulnerability data by a human while the API is mostly for querying by commit or version for automation.
from osv.dev.
Thanks. Any license is better than no license, Apache is fine, although not a license designed for data and therefore likely not the best pick. As for the API-accessible data today, what would the license be?
I don't know the answer for the API-accessible data. I can find out and get back to you. I don't expect this to be an issue.
Following up on this, may I recommend just waiting for our officially supported data dump (#44) to starting dumping OSS-Fuzz vulnerabilities? The license will also likely be something that's friendly for datasets. This will be available very soon.
from osv.dev.
Following up on this, may I recommend just waiting for our officially supported data dump (#44) to starting dumping OSS-Fuzz vulnerabilities? The license will also likely be something that's friendly for datasets. This will be available very soon.
@oliverchang sure thing and thank you for the reply. We have had a pending ticket to include and scrape OSS-Fuzz data for about 1.5 years at nexB/vulnerablecode#117 so we can wait alright and there is no rush!
We will not write a scraper for now.
from osv.dev.
@oliverchang Thank you ++ for following through! I am closing this then. We will report any issues we face and find.
from osv.dev.
Related Issues (20)
- Missing entries in the package field for GIT based ecosystem HOT 1
- Make documentation site style match main site. HOT 1
- combine-to-osv: withdraw rejected CVEs
- Support easy access to the json version of a vulnerability HOT 5
- Bioconductor enumeration code is fault-intolerant
- Request OSS-Fuzz project owner approval before importing OSS-Fuzz reports HOT 14
- Withdrawing OSV reports is too heavyweight HOT 5
- Disable automatic OSS-Fuzz -> OSV import for BoringSSL
- CVEs getting reported for git hash, which have been resolved HOT 2
- Navigating away from a blog post attempts to get the blog's images from the new page
- There is a human readable authoritative definition of what the minimum quality bar looks like for an an OSV record that is acceptable for import by OSV.dev
- Tooling exists for OSV record creators to validate that they meet the minimum quality bar at record creation time HOT 5
- The minimum quality bar is sustainably enforced by OSV.dev
- OSV record providers have a machine-readable way to reason about existing published records that do not meet this quality bar
- OSV.dev downstream users have a way to reason about records that are absent from OSV.dev because of failure to meet the minimum quality bar
- OSV.dev downstream users have a clearly defined user journey to make corrections to OSV records served by OSV.dev with minimal overhead by all parties
- Data quality issue CVE-2023-24163 HOT 3
- Data quality issue with GHSA-4wrc-f8pq-fpqp HOT 1
- Handle very long fields on vulnerabilities pages HOT 1
- nvd-cve-osv: OpenSSL versions do not normalize correctly HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from osv.dev.