Skip to content

Commit

Permalink
Release 1.6.3 (#234)
Browse files Browse the repository at this point in the history
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <github@calebbrown.id.au>
Signed-off-by: Stefano Zacchiroli <zack@upsilon.cc>
Signed-off-by: Chris Bloom <chrisbloom7@github.com>
Signed-off-by: Oliver Chang <ochang@google.com>
Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: Caleb Brown <github@calebbrown.id.au>
Co-authored-by: Stefano Zacchiroli <zack@upsilon.cc>
Co-authored-by: Reden Martinez <128058721+redenmartinez@users.noreply.github.com>
Co-authored-by: Amanda L Martin <hythloda@gmail.com>
Co-authored-by: Chris Bloom <chrisbloom7@github.com>
  • Loading branch information
6 people authored Apr 5, 2024
1 parent 1fcd55b commit b4adcc1
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,4 @@
definitions of `aliases` and `related`.
- 2023-11-29 Released version 1.6.1. Some cleanup of the schema layout.
- 2024-01-16 Released version 1.6.2. Added CVSS_V4 and Ubuntu ecosystem.
- 2024-04-05 Released version 1.6.3. Added Maven registry support.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ This is the repository for the Open Source Vulnerability schema (OSV Schema), wh
- [Go Vulnerability Database](https://github.com/golang/vulndb)
- [Haskell Security Advisories](https://github.com/haskell/security-advisories)
- [LoopBack Advisory Database](https://github.com/loopbackio/security/tree/main/advisories)
- [Malicious Packages Repository](https://github.com/ossf/malicious-packages)
- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD)
- [PyPI Advisory Database](https://github.com/pypa/advisory-database)
Expand Down
26 changes: 23 additions & 3 deletions docs/schema.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ aside:
show_edit_on_github: true
---

**Version 1.6.2 (Jan 16, 2024)**
**Version 1.6.3 (April 5, 2024)**

Original authors:
- Oliver Chang (ochang@google.com)
Expand Down Expand Up @@ -277,6 +277,17 @@ The defined database prefixes and their "home" databases are:
</ul>
</td>
</tr>
<tr>
<td><code>MAL</code></td>
<td><a href="https://github.com/ossf/malicious-packages/tree/main/osv/">Malicious Packages Repository</a></td>
<td>
<ul>
<li>How to contribute: <a href="https://github.com/ossf/malicious-packages/blob/main/CONTRIBUTING.md">https://github.com/ossf/malicious-packages/blob/main/CONTRIBUTING.md</a></li>
<li>Source URL: <code>N/A</code></li>
<li>OSV Formatted URL: <code>https://api.osv.dev/v1/vulns/&lt;ID&gt;</code></li>
</ul>
</td>
</tr>
<tr>
<td><code>OSV</code></td>
<td><a href="https://osv.dev/list">Advisories allocated by OSV.dev (currently only from OSS-Fuzz)</a></td>
Expand Down Expand Up @@ -623,7 +634,7 @@ The defined ecosystems are:
| `Hackage` | The Haskell package ecosystem. The `name` field is a Haskell package name as published on Hackage. |
| `Hex` | The package manager for the Erlang ecosystem; the `name` is a Hex package name. |
| `Linux` | The Linux kernel. The only supported `name` is `Kernel`. |
| `Maven` | The Maven Java package ecosystem. The `name` field is a Maven package name. |
| `Maven` | The Maven Java package ecosystem. The `name` field is a Maven package name in the format `groupId:artifactId`. The ecosystem string might optionally have a `:<REMOTE-REPO-URL>` suffix to denote the remote repository URL that best represents the source of truth for this package, without a trailing slash (e.g. `Maven:https://maven.google.com`). If this is omitted, this is assumed to be the Maven Central repository (`https://repo.maven.apache.org/maven2`).
| `npm` | The NPM ecosystem; the `name` field is an NPM package name. |
| `NuGet` | The NuGet package ecosystem. The `name` field is a NuGet package name. |
| `OSS-Fuzz` | For reports from the OSS-Fuzz project that have no more appropriate ecosystem; the `name` field is the name assigned by the OSS-Fuzz project, as recorded in the submitted fuzzing configuration. |
Expand Down Expand Up @@ -740,6 +751,15 @@ this opens up the possibility for false negatives, which is why `fixed` is
overwhelmingly preferred. An [example](#last_affected-vs-fixed-example) is available to
illustrate the difference.

The `fixed` and `limit` events are closely related and involve a similar
trade-off for `GIT` ranges. (See the [limit example](#Limit-events) for details
about how they differ.) `events` arrays with `fixed` events must include all
other cherrypicked fix commits in all branches as separate `fixed` events to
avoid *false positive* matches in other branches. Conversely, `limit` events
restrict the set of vulnerable commits to those reachable from the `limit`,
which may result in *false negatives*. Where possible, it's strongly
recommended to use `fixed` over `limit`.

There must be at least one `introduced` object in the `events` array. While
not required, it's also recommended to keep the `events` array sorted according
to the `affected[].ranges[].type` of the range.
Expand All @@ -761,7 +781,7 @@ This field is required if `affected[].ranges[].type` is `GIT`.
### affected[].ranges[].database_specific field

The `ranges` object's `database_specific` field is a JSON object holding
additional information about the range from which the record was obtained. The
additional information about the range as defined by the database from which the record was obtained. The
meaning of the values within the object is entirely defined by the database and
beyond the scope of this document.

Expand Down

0 comments on commit b4adcc1

Please sign in to comment.