google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Tooling exists for OSV record creators to validate that they meet the minimum quality bar at record creation time #2187

Open andrewpollock opened 4 months ago

andrewpollock commented 4 months ago

Where possible, relying on JSON schema validation

andrewpollock commented 3 months ago

There are valid concerns about the UX of JSON Schema validation.

I am exploring options to address these concerns:

I am not feeling particularly confident they can be fundamentally addressed, though, at this point in time.

In the interests of not succumbing to the tyranny of the "or", one possibility is to do both JSON Schema validation and replicate the checks in the OSV record linter that will be inevitably necessary.

That also feels not very DRY, though, and introduces other maintenance and behaviour consistency headaches.

andrewpollock commented 3 months ago

Decision:

Take a belt-and-suspenders approach: add schema validation (and more human-targeted title) to the OSV Schema where practical, but replicate the checks in the linter.

oliverchang commented 3 months ago

> Decision:
>
> Take a belt-and-suspenders approach: add schema validation (and more human-targeted title) to the OSV Schema where practical, but replicate the checks in the linter.

+1 that makes sense.

Let's do the basic checks where we can in the JSON schema to enable a flexible option that can be re-used everywhere, and offer a more full featured standalone linter separately for users that can integrate that.
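The two-layer approach agreed above, as an added illustration that is not osv.dev or osv-schema code: a terse JSON-Schema-style pass and a linter that repeats the same rules with human-targeted messages, so a record is accepted only when both are clean. The field names (id, modified, severity[].type, severity[].score) are real OSV fields; the rule subset, regexes and sample records are constructed assumptions for this example.

```python
import re

# Constructed subset of OSV record rules, as plain code so it runs without the
# jsonschema package. The field names (id, modified, severity[].type/score) are
# real OSV fields; the rules and regexes here are assumptions for this example.
CVSS_V3_RE = re.compile(
    r"^CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]")
RFC3339_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def schema_check(record: dict) -> list[str]:
    """Layer 1: terse errors in the style a JSON Schema validator reports."""
    errors = [f"'{k}' is a required property" for k in ("id", "modified") if k not in record]
    if "modified" in record and not RFC3339_RE.match(str(record["modified"])):
        errors.append("'modified' does not match pattern")
    for i, sev in enumerate(record.get("severity", [])):
        if sev.get("type") == "CVSS_V3" and not CVSS_V3_RE.match(str(sev.get("score", ""))):
            errors.append(f"severity[{i}].score does not match pattern")
    return errors

def lint(record: dict) -> list[str]:
    """Layer 2: the same rules replicated in the linter, with messages aimed at people."""
    findings = []
    if "id" not in record:
        findings.append("Missing 'id': every OSV record needs a unique identifier.")
    if "modified" not in record:
        findings.append("Missing 'modified': set it to the last-edit time in RFC 3339 UTC.")
    elif not RFC3339_RE.match(str(record["modified"])):
        findings.append(f"'modified' is {record['modified']!r}; use RFC 3339 UTC, e.g. 2024-06-01T12:00:00Z.")
    for i, sev in enumerate(record.get("severity", [])):
        if sev.get("type") == "CVSS_V3" and not CVSS_V3_RE.match(str(sev.get("score", ""))):
            findings.append(f"severity[{i}]: a CVSS_V3 score is the full vector "
                            f"(CVSS:3.x/AV:.../A:...), not a number; got {sev.get('score')!r}.")
    return findings

def check_record(record: dict) -> dict:
    """Belt and suspenders: a record passes only when both layers are clean."""
    schema_errors, lint_findings = schema_check(record), lint(record)
    return {"ok": not (schema_errors or lint_findings),
            "schema": schema_errors, "lint": lint_findings}

# Constructed sample records (not real advisories).
GOOD = {"id": "EXAMPLE-2024-0001", "modified": "2024-06-01T12:00:00Z",
        "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}
BAD = {"id": "EXAMPLE-2024-0002", "modified": "June 1 2024",
       "severity": [{"type": "CVSS_V3", "score": "7.5"}]}
```

Running `check_record(BAD)` shows why the duplication is tolerated: the schema layer only says a pattern did not match, while the linter tells the author that a CVSS_V3 score is a vector string rather than a number.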

andrewpollock commented 2 months ago

https://github.com/ossf/osv-schema/pull/246 bolstered the schema validation to the extent I currently believe possible.

andrewpollock commented 1 month ago

> ossf/osv-schema#246 bolstered the schema validation to the extent I currently believe possible.

I spoke too soon: https://github.com/ossf/osv-schema/pull/251 adds CVSS score validation.

andrewpollock commented 1 month ago

https://github.com/ossf/osv-schema/issues/90 is relevant to this work also.