Add upstream field. #312

Open
wants to merge 4 commits into base: main
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -37,3 +37,4 @@
prefixes.
- 2024-09-12 Released version 1.6.6. Add RHBA, RHEA, SUSE-OU prefixes.
- 2024-09-16 Released version 1.6.7. JSON schema and minor text formatting changes.
- 2024-TBD Released version 1.6.8. Add `upstream` field.
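Review bot: the entry "2024-TBD Released version 1.6.8. Add `upstream` field." understates what this PR changes: the docs/schema.md part of the same diff also narrows `related` by dropping the bullet about entries that bundle multiple distinct vulnerabilities and redirects those cases to `upstream`, which is a behaviour change for anyone currently populating `related` that way. Suggest spelling it out, for example "- 2024-TBD Released version 1.6.8. Add `upstream` field; bundled upstream vulnerabilities move from `related` to `upstream`.", and replacing the TBD with the real date before tagging the release.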
27 changes: 23 additions & 4 deletions docs/schema.md
Expand Up @@ -51,6 +51,7 @@ A JSON Schema for validation is also available
"published": string,
"withdrawn": string,
"aliases": [ string ],
"upstream": [ string ],
"related": [ string ],
"summary": string,
"details": string,
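Review bot: `upstream` is added to the field overview here, but nothing in the visible diff (only CHANGELOG.md and docs/schema.md change) touches the JSON Schema that the context line just above says "is also available" for validation. If that schema lives as a separate file in this repository it needs the new `"upstream": [ string ]` array in the same PR, otherwise records that use the field will fail validation against a schema the documentation claims to describe.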
Expand Down Expand Up @@ -518,7 +519,27 @@ package(s). For example, if a CVE describes a vulnerability in a language
library, and a Linux distribution package contains that library and therefore
publishes an advisory, the distribution's OSV record must not list the CVE ID as
an alias. Similarly, distributions often bundle multiple upstream
vulnerabilities into a single record. `related` should be used in these cases.
vulnerabilities into a single record. To refer to these upstream
vulnerabilities, `upstream` should be used.

## upstream field

```
{
"upstream": [ string ]
}
```

The `upstream` field gives a list of IDs of upstream vulnerabilities that are
referred to by the vulnerability entry.

For example, a downstream package ecosystem (such as a Linux distribution) may
issue its own advisories that include (possibly multiple) upstream
vulnerabilities.

`upstream` should be considered transitive but not symmetric. For example, if B is
an upstream vulnerability for A, and C is an upstream vulnerability for B, then
C is also an upstream vulnerability for A. At the same time, if B is an upstream vulnerability for A, then A cannot be an upstream vulnerability for B.

## related field

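Review bot: the new `upstream` section declares the relation transitive but never says who is responsible for the closure: whether a record for A must list C explicitly when its listed upstream B itself lists C, or whether consumers are expected to walk the chain. Tooling behaves very differently under the two readings (a database that only reads a record's own list silently misses C under the second), so pick one and state it, for example "Records list only their direct upstream vulnerabilities; consumers derive the full set by following `upstream` on the referenced entries." Two smaller points in the same hunk: the replacement sentence "To refer to these upstream vulnerabilities, `upstream` should be used." only attaches the field to the bundling case, while the library-CVE example in the lines just above is also an upstream relation and should be named as one (e.g. "In both cases the distribution's record should list the CVE IDs in `upstream`."); and the section should say whether an ID may appear in both `upstream` and `aliases` or `related` of the same record, since the definition "IDs of upstream vulnerabilities that are referred to by the vulnerability entry" leaves that open.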
Expand All @@ -531,9 +552,7 @@ vulnerabilities into a single record. `related` should be used in these cases.
The `related` field gives a list of IDs of closely related vulnerabilities, such
as:
- A similar but completely different vulnerability.
- A similar OSV entry that bundles multiple distinct vulnerabilities in the same
entry.
- Cases that do not satisfy the strict definition of `aliases`.
- Cases that do not satisfy the strict definition of `aliases` or `upstream`.

Related vulnerabilities are symmetric but not transitive.
