Add CRAN+Bioconductor ecosystems (#176)
Closes #175.

I didn't quite understand "Source URL" vs. "OSV Formatted URL" so I took
a guess.

cc @tylfin as upstream maintainer. I marked this as "unofficial" despite
R Consortium backing, please CMIIW.

---------

Signed-off-by: Michael Chirico <michaelchirico4@gmail.com>
Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: Tyler Finethy <tylfin@gmail.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
3 people authored Jul 24, 2023
1 parent a2972fc commit 853d448
Showing 2 changed files with 21 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -14,6 +14,7 @@ This is the repository for the Open Source Vulnerability schema, which is curren
- [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources)
- [VMWare Photon OS](https://github.com/vmware/photon/wiki/Security-Advisories) (unofficial)
- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)

Together, these include vulnerabilities from:
- AlmaLinux
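Review bot: the new README entry for the RConsortium Advisory Database carries no "(unofficial)" marker, while the Photon OS entry directly above it does and the commit message says this source was meant to be marked unofficial; for consistency with the schema table row added in this same commit, append "(unofficial)" to the list item, e.g. `- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database) (unofficial)`, or drop the marker in both places once the maintainer confirms the database's status.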
@@ -35,6 +36,7 @@ Together, these include vulnerabilities from:
- Photon OS
- Pub
- PyPI
- R (CRAN and Bioconductor)
- Rocky Linux
- RubyGems

19 changes: 19 additions & 0 deletions docs/schema.md
@@ -319,6 +319,17 @@ The defined database prefixes and their "home" databases are:
</ul>
</td>
</tr>
<tr>
<td><code>RSEC</code></td>
<td><a href="https://github.com/RConsortium/r-advisory-database">RConsortium Advisory Database</a></td>
<td>
<ul>
<li>How to contribute: <a href="https://github.com/RConsortium/r-advisory-database#readme">https://github.com/RConsortium/r-advisory-database#readme</a></li>
<li>Source URL: <code>https://osv.dev/vulnerability/&lt;ID&gt;</code></li>
<li>OSV Formatted URL: <code>https://github.com/RConsortium/r-advisory-database/blob/main/&lt;package&gt;/&lt;ID&gt;.yaml</code> (unofficial)</li>
</ul>
</td>
</tr>
<tr>
<td>Your database here</td>
<td colspan="2"><a href="https://github.com/ossf/osv-schema/compare">Send us a PR</a></td>
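Review bot: the `Source URL` and `OSV Formatted URL` bullets in the new `RSEC` row appear to be swapped, and the commit message itself says this was a guess. The YAML files under `https://github.com/RConsortium/r-advisory-database/blob/main/<package>/<ID>.yaml` are where the advisories originate, so that path is the natural `Source URL`, while `https://osv.dev/vulnerability/<ID>` serves the record in OSV format and fits `OSV Formatted URL`; please confirm the intended meaning with the upstream maintainer before merging. The "(unofficial)" marker is also attached to one URL rather than to the database, so it would be clearer next to the database name in the second `<td>`, and the `<package>` placeholder in the path should be explained (the advisory file is keyed by package name as well as by ID) if readers are expected to construct these links.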
@@ -564,6 +575,8 @@ The defined ecosystems are:
| `AlmaLinux` | AlmaLinux package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular AlmaLinux release. `<RELEASE>` is a numeric version.
| `Bitnami` | Bitnami package ecosystem; the `name` is the name of the affected component. |
| `Photon OS` | The Photon OS package ecosystem; the `name` is the name of the RPM package. The ecosystem string must have a `:<RELEASE-NUMBER>` suffix to scope the package to a particular Photon OS release. Eg `Photon OS:3.0`. |
| `CRAN` | The biological R package ecosystem. The `name` is an R package name. |
| `Bioconductor` | The R package ecosystem. The `name` is an R package name. |
| Your ecosystem here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). |

It is permitted for a database name (the DB prefix in the `id` field) and an
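Review bot: the two new ecosystem descriptions are the wrong way round: `CRAN` is described as "The biological R package ecosystem" and `Bioconductor` as "The R package ecosystem", but CRAN is the general-purpose R package repository and Bioconductor is the bioinformatics one, so the rows should read `| CRAN | The R package ecosystem. The name is an R package name. |` and `| Bioconductor | The biological R package ecosystem. The name is an R package name. |`. Since both ecosystems share one package namespace, it is also worth stating that the ecosystem string identifies which repository the package is published in, as that is what a consumer needs to match a record to an installed package. The rows are inserted after `Photon OS`, which breaks the alphabetical order of the surrounding entries (`AlmaLinux`, `Bitnami`, `Photon OS`); placing `Bioconductor` after `Bitnami` and `CRAN` after it would keep the table ordered.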
@@ -1346,6 +1359,12 @@ TODO
}
```

## R CRAN & Bioconductor vulnerability

TODO

<!-- Format pending, check https://github.com/RConsortium/r-advisory-database/pull/1 -->

# Change Log

- 2021-03-29 added "withdrawn" field
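Review bot: the new `## R CRAN & Bioconductor vulnerability` section adds only a `TODO` with the pointer to the pending upstream format hidden in an HTML comment, so rendered readers see an empty section with no indication of when or where the example will come from. Either defer adding the heading until the format in https://github.com/RConsortium/r-advisory-database/pull/1 lands, or make the pointer visible text under the heading so the gap is tracked; the heading could also name the ecosystems exactly as the table does (`CRAN` and `Bioconductor`) for consistency.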
