
Comments (7)

rschultheis avatar rschultheis commented on August 22, 2024 3

👋 Hello from the GitHub Advisory Database team!

This project looks really neat, and also quite similar to what we are hoping to do with GitHub Advisory Database long term: make a comprehensive and timely database of all the vulnerabilities in all of open-source.

Our current advisory data is available through our API and anyone is welcome to use it, including for commercial purposes.

We do not currently support the C ecosystem unfortunately, and it appears the initial data in OSV is focused on C. When we do add support for C we will reach out about importing the data from OSV. If there is some way we could modify our data to better support the goals of OSV I would love to hear those ideas.

Generally I would love for GitHub and Google to collaborate on some standards for what metadata is important. In particular I would like to know what metadata is important for supporting container scanning. The GitHub database is not really set up currently to support container scanning (though the trivy scanner does use our data to scan containers). Our data was initially tailored for our own Dependabot scanner, but we ultimately want to support all kinds of scanners.

You can find us at [email protected] if you would ever like to discuss any details.

from osv.dev.

Shnatsel avatar Shnatsel commented on August 22, 2024 3

Hello from the Secure Code working group of the Rust programming language! We maintain a machine-readable database of vulnerabilities in Rust libraries ('crates' in Rust parlance) published on crates.io, Rust's central package repository. The data is in the public domain, stored in a Github repo in TOML format.

We already track the precise ranges of affected versions and provide automated tooling to scan projects for vulnerabilities. Our tooling assumes the Cargo build system. We'd be very happy to make our data available more broadly, e.g. to Linux distros or to companies that don't use Cargo.

You can check out the schema and browse the actual data here. Our contacts can be found here. Googlers can contact me internally at sdavydov@.

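As an added example, not the Rust Secure Code working group's own tooling or schema, here is a minimal scanner over a simplified advisory record modelled on the comment above: it assumes an advisory names the package and the version requirements that count as patched, and treats a dependency as affected when its version matches none of them. The advisory id, crate names and versions are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    patched: tuple  # version requirements; a version matching none of them is affected

def parse_version(version: str) -> tuple:
    """Turn '1.2.3' (or '1.2.3-beta.1') into a comparable tuple (1, 2, 3)."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))

_OPS = {">=": lambda v, b: v >= b, "<=": lambda v, b: v <= b,
        ">": lambda v, b: v > b, "<": lambda v, b: v < b, "=": lambda v, b: v == b}
_REQ = re.compile(r"^\s*(>=|<=|>|<|=)\s*([0-9][0-9.]*)\s*$")

def satisfies(version: str, requirement: str) -> bool:
    """True if `version` meets every comma-separated clause, e.g. '>=0.3.1, <0.4.0'."""
    v = parse_version(version)
    for clause in requirement.split(","):
        m = _REQ.match(clause)
        if not m:
            raise ValueError(f"unsupported requirement clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

def is_affected(advisory: Advisory, package: str, version: str) -> bool:
    """Affected = same package and no patched requirement matches the version."""
    if package != advisory.package:
        return False
    return not any(satisfies(version, req) for req in advisory.patched)

def scan(lockfile: list, advisories: list) -> list:
    """Return (package, version, advisory_id) for every affected dependency."""
    return [(pkg, ver, adv.advisory_id)
            for pkg, ver in lockfile
            for adv in advisories
            if is_affected(adv, pkg, ver)]

# Constructed sample data: placeholder advisory id, made-up crate names.
ADVISORIES = [Advisory("RUSTSEC-0000-0000", "example-crate", (">=0.3.1",))]
LOCKFILE = [("example-crate", "0.2.9"), ("example-crate", "0.3.2"), ("other-crate", "1.0.0")]

if __name__ == "__main__":
    print(scan(LOCKFILE, ADVISORIES))  # [('example-crate', '0.2.9', 'RUSTSEC-0000-0000')]
```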

oliverchang avatar oliverchang commented on August 22, 2024 1

Closing, as we document all our data sources in https://github.com/google/osv.dev/blob/master/README.md.


westurner avatar westurner commented on August 22, 2024

It's worth pushing for CodeMeta Schema.org JSON-LD for general [software, research] object metadata. https://github.com/codemeta/codemeta/blob/master/codemeta.jsonld

https://codemeta.github.io/

All of these catalogs could be linked data with a common schema at the sources someday.

Practically, how do I link from the CodeMeta metadata for a https://schema.org/SoftwareApplication with an @id and https://schema.org/url s (mapped from the native package metadata to the CodeMeta JSON-LD @context with CodeMeta crosswalks) to the https://schema.org/identifier s in each of the respective vuln databases?


oliverchang avatar oliverchang commented on August 22, 2024

Hi @rschultheis, thank you for reaching out! It's awesome to see the work that you've already done in this space and the similar goals :)

We are very very interested to collaborate in this space (in particular defining a standard format for interchange and scanning). I'll reach out to the email you provided soon to discuss in more detail!


cniweb avatar cniweb commented on August 22, 2024

Hello,

Can you support Sonatype OSS Index:
https://ossindex.sonatype.org
REST-API:
https://ossindex.sonatype.org/doc/rest

Thanks
Christian


westurner avatar westurner commented on August 22, 2024
  • https://codemeta.github.io/ for reading SoftwareApplication metadata from an expanding set of software package formats
    • https://github.com/codemeta/codemeta :

      Minimal metadata schemas for science software and code, in JSON-LD

      CodeMeta contributors are creating a minimal metadata schema for science software and code, in JSON and XML. The goal of CodeMeta is to create a concept vocabulary that can be used to standardize the exchange of software metadata across repositories and organizations. CodeMeta started by comparing the software metadata used across multiple repositories, which resulted in the CodeMeta Metadata Crosswalk. That crosswalk was then used to generate a set of software metadata concepts, which were arranged into a JSON-LD context for serialization.

