Add upstream field. #312

Status: Open. Wants to merge 4 commits into base: main. Changes shown from 1 commit.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -37,3 +37,4 @@
prefixes.
- 2024-09-12 Released version 1.6.6. Add RHBA, RHEA, SUSE-OU prefixes.
- 2024-09-16 Released version 1.6.7. JSON schema and minor text formatting changes.
- 2024-TBD Released version 1.6.8. Add `upstream` field.
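Review bot: the new CHANGELOG entry uses `2024-TBD` as its date while every preceding entry in this hunk is dated `YYYY-MM-DD`; the placeholder needs to be replaced with the actual 1.6.8 release date before the version is tagged, so the changelog stays machine-readable in the same format as the 1.6.6 and 1.6.7 lines.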
26 changes: 22 additions & 4 deletions docs/schema.md
@@ -51,6 +51,7 @@ A JSON Schema for validation is also available
"published": string,
"withdrawn": string,
"aliases": [ string ],
"upstream": [ string ],
"related": [ string ],
"summary": string,
"details": string,
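Review bot: the hunk header's context line points at a separate JSON Schema used for validation, but this commit touches only `CHANGELOG.md` and `docs/schema.md`; the machine-readable schema needs a matching `upstream` property (array of strings, optional like the neighbouring `aliases` and `related`) in the same change, otherwise the prose and the validator disagree about whether `upstream` is a known field.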
@@ -518,7 +519,26 @@ package(s). For example, if a CVE describes a vulnerability in a language
library, and a Linux distribution package contains that library and therefore
publishes an advisory, the distribution's OSV record must not list the CVE ID as
an alias. Similarly, distributions often bundle multiple upstream
vulnerabilities into a single record. `related` should be used in these cases.
vulnerabilities into a single record. `upstream` should be used in these cases.
Contributor
nit: I think it's slightly unclear what "these cases" refers to here, since this paragraph touches on both upstream and downstream packages.

Contributor Author
Thanks for pointing this out. I've tweaked the wording here to make it clearer.


## upstream field

```
{
"upstream": [ string ]
}
```

The `upstream` field gives a list of IDs of upstream vulnerabilities that are
bundled by the vulnerability entry.

For example, a downstream package ecosystem (such as a Linux distribution) may
issue its own advisories that include (possibly multiple) upstream
vulnerabilities.

`upstream` should be considered transitive but not symmetric. For example, if B is
an upstream vulnerability for A, and C is an upstream vulnerability for B, then
C is also an upstream vulnerability for A.

## related field

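Review bot: the new `upstream` section states that the relation is transitive but not symmetric, yet it does not say whether a record should list only its direct upstream IDs (leaving consumers to compute the closure) or the full transitive closure (so that in the A/B/C example C would appear in A's `upstream` directly). Producers deciding what to emit and tools walking the graph both need that stated; suggest one sentence after the transitivity paragraph, e.g. "Records should list their direct upstream vulnerabilities; consumers may compute the transitive closure." The distributions paragraph in this hunk still ends with "`upstream` should be used in these cases", which the inline comment above flagged as ambiguous, so the reworded version presumably lands in a later commit.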
@@ -531,9 +551,7 @@ vulnerabilities into a single record. `related` should be used in these cases.
The `related` field gives a list of IDs of closely related vulnerabilities, such
as:
- A similar but completely different vulnerability.
- A similar OSV entry that bundles multiple distinct vulnerabilities in the same
entry.
- Cases that do not satisfy the strict definition of `aliases`.
- Cases that do not satisfy the strict definition of `aliases` or `upstream`.

Related vulnerabilities are symmetric but not transitive.

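Review bot: removing the "bundles multiple distinct vulnerabilities" bullet from `related` and extending the last bullet to "`aliases` or `upstream`" implies that a given ID belongs in exactly one of `aliases`, `upstream` or `related`, but nothing states that directly; since `related` is symmetric and `upstream` is not, an ID listed in both fields of one record would make the combined relationship graph ambiguous. Suggest adding a sentence that an ID must not appear in more than one of these fields within the same record.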