Open oliverchang opened 1 week ago
For version ordering, SUSE seems to use RPM (https://en.opensuse.org/openSUSE:Package_versioning_guidelines).
For https://ftp.suse.com/pub/projects/security/osv/, we may need an https://ftp.suse.com/pub/projects/security/osv/all.json
per https://google.github.io/osv.dev/rest-api-contribution/#1-a-url-pointing-to-a-rest-endpoint-containing-at-least-all-of-the-vulnerabilities-ids-and-date-modified. @msmeissn is this something that would be possible to add?
I added an all.json file now.
Thanks @msmeissn !
@hogo6002 can you see if we can start ingesting this into our test instance?
Hey @msmeissn, I have a question about the data prefixes and would like some clarification.
The ossf schema lists the valid prefixes for SUSE as only `SUSE-SU-`, but I noticed that `all.json` also contains entries other than `SUSE-SU-` (security updates), such as `SUSE-RU-` (recommended updates) and `SUSE-FU-` (feature updates).
I just want to confirm if we only want to ingest data with the `SU-` prefix into OSV or if we want to ingest all the data from `all.json` into OSV.
Also, I'm wondering if entries with other prefixes, such as `SUSE-RU-` and `SUSE-FU-`, are actually security-related data (they do have related CVEs on their records)?
ok, problem is that occasionally "recommended (bugfix)" or feature updates also include CVEs and I generate entries for those. Note that only bugfix or feature updates that have CVEs will be reported for OSV.
I sent a PR to osv-schema to allow them, so we can consume those.
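As an added example (written for this page, not code from OSV, the osv-schema repository or SUSE), here is a small Python filter that applies the two decisions settled in this exchange: which ID prefixes an ingester accepts, and which entries changed since its last run, which is what an `all.json`-style index listing IDs and modified dates is for. The index layout (a JSON array of objects carrying `id` and an RFC 3339 `modified` field) and every advisory ID in the sample are constructed assumptions; the real SUSE index may differ.

```python
"""Added example (not OSV's or SUSE's code): select entries from an
all.json-style index for ingestion.

Assumptions, labelled as such: the index is a JSON array of objects with
"id" and RFC 3339 "modified" fields, and advisory IDs look like
"SUSE-SU-2023:0001-1". The sample index below is constructed for the demo.
"""
import json
from datetime import datetime, timezone

# Prefixes discussed in the thread: SUSE-SU- was the only one in the schema
# at first; SUSE-RU- and SUSE-FU- entries carry CVEs too and were allowed later.
ALLOWED_PREFIXES = ("SUSE-SU-", "SUSE-RU-", "SUSE-FU-", "openSUSE-SU-")

# Constructed sample index (not real advisories).
SAMPLE_INDEX = json.dumps([
    {"id": "SUSE-SU-2023:0001-1", "modified": "2023-05-01T10:00:00Z"},
    {"id": "SUSE-RU-2023:0002-1", "modified": "2023-05-03T12:30:00Z"},
    {"id": "SUSE-FU-2023:0003-1", "modified": "2023-04-20T08:00:00Z"},
    {"id": "openSUSE-SU-2023:0004-1", "modified": "2023-05-04T09:15:00Z"},
    {"id": "SUSE-XX-2023:0005-1", "modified": "2023-05-05T00:00:00Z"},
    {"id": "SUSE-SU-2023:0006-1", "modified": "2023-05-06"},
])


def parse_modified(value):
    """Parse an RFC 3339 timestamp; return None if it is malformed or naive."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None  # an ambiguous timestamp cannot drive incremental sync
    return ts.astimezone(timezone.utc)


def select_for_ingest(index_json, since=None, prefixes=ALLOWED_PREFIXES):
    """Return (accepted_ids, rejected): accepted_ids is ordered by
    modification time, rejected maps id -> reason for skipping it."""
    accepted, rejected = [], {}
    for entry in json.loads(index_json):
        vid = entry.get("id", "")
        if not vid.startswith(prefixes):
            rejected[vid] = "prefix not allowed by schema"
            continue
        ts = parse_modified(entry.get("modified"))
        if ts is None:
            rejected[vid] = "unusable modified timestamp"
            continue
        if since is not None and ts <= since:
            rejected[vid] = "not modified since last sync"
            continue
        accepted.append((ts, vid))
    accepted.sort()
    return [vid for _, vid in accepted], rejected


if __name__ == "__main__":
    last_sync = datetime(2023, 5, 1, tzinfo=timezone.utc)
    ids, skipped = select_for_ingest(SAMPLE_INDEX, since=last_sync)
    print("ingest:", ids)
    for vid, why in skipped.items():
        print("skip:", vid, "-", why)
```

Entries with a malformed or timezone-less `modified` value are rejected rather than silently treated as new or old, so a broken feed shows up in the skip list instead of being re-imported on every run or never imported at all.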
Thanks! I will start to ingest data into our test instance.
SUSE/openSUSE data is available on test.osv.dev now!
website: https://test.osv.dev/list?q=&ecosystem=SUSE https://test.osv.dev/list?q=&ecosystem=openSUSE
API query:

```shell
curl -d \
  '{"version": "1.2.0~rc3", "package": {"name": "runc", "ecosystem": "openSUSE"}}' \
  "https://api.test.osv.dev/v1/query"
```
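The opening comment notes that SUSE orders versions the RPM way, and the query above asks about `1.2.0~rc3`, a tilde pre-release that must sort below `1.2.0`. As an added example (written for this page, not OSV's or rpm's own code), here is the rpmvercmp ordering in Python, an epoch:version-release comparison built on it, and a simplified walk over OSV-style `introduced`/`fixed` events to decide whether a queried version is affected. The events are constructed; the range walk handles only `introduced` and `fixed` (not `last_affected`), and release strings are not compared when either side omits one. Both are labelled assumptions in the code.

```python
"""Added example (not OSV's or rpm's code): RPM version ordering, as used
for SUSE packages, plus a range check in the style of OSV introduced/fixed
events. The sample events are constructed; see the assumptions below.
"""


def _isdigit(c):
    return "0" <= c <= "9"


def _isalpha(c):
    return c.isascii() and c.isalpha()


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp: return -1, 0 or 1 for a <, ==, > b.
    Digit runs compare numerically, letter runs as strings, '~' sorts
    before everything (pre-release), '^' sorts after the bare base version
    but before any longer version (post-release)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_isdigit(a[i]) or _isalpha(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_isdigit(b[j]) or _isalpha(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # tilde: the side that has it is older
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # caret: newer than end-of-string, older than more segments
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        si, sj = i, j
        isnum = _isdigit(ca)
        same = _isdigit if isnum else _isalpha
        while si < len(a) and same(a[si]):
            si += 1
        while sj < len(b) and same(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:  # segment types differ: numbers beat letters
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # longer digit string is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(s):
    """Split 'epoch:version-release'; epoch defaults to 0, release to None."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, None
    return int(epoch), version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or ra is None or rb is None:  # assumption: skip release if either side omits it
        return rc
    return rpmvercmp(ra, rb)


# Constructed OSV-style events for the demo (not from a real advisory).
SAMPLE_EVENTS = [{"introduced": "0"}, {"fixed": "1.2.0-1"}]


def is_affected(version, events=SAMPLE_EVENTS):
    """Apply introduced/fixed events in order (assumption: no last_affected)."""
    affected = False
    for ev in events:
        if "introduced" in ev and evr_cmp(version, ev["introduced"]) >= 0:
            affected = True
        elif "fixed" in ev and evr_cmp(version, ev["fixed"]) >= 0:
            affected = False
    return affected


if __name__ == "__main__":
    for v in ("1.2.0~rc3", "1.2.0", "1.2.0-0.1", "1.2.0-1", "1:1.0.0"):
        print(v, "affected" if is_affected(v) else "fixed")
```

The cases worth noticing are the ones a naive string or semver comparison gets wrong: `1.2.0~rc3` is affected although it sorts after `1.2.0` lexically, `1.2.0-0.1` is still affected because its release is below the fixed release `1`, and `1:1.0.0` is fixed because a higher epoch outranks every version without one.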
Per https://github.com/ossf/osv-schema/issues/259, the SUSE/openSUSE ecosystems have been added to the OSV schema, and there is a feed available at https://ftp.suse.com/pub/projects/security/osv/