Closed brettforbes closed 1 year ago
I am reading from the website:
All advisories in this database use the [OpenSSF OSV format](https://ossf.github.io/osv-schema/), which was developed in collaboration with open source communities.
The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.
Then following that link I can see that the current OSV schema:
Version 1.3.1 (September 28, 2022)
But was announced in 2021
And that blog mentions:
Our effort also aligns with the recent [US Executive Order on Improving the Nation’s Cybersecurity](https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity), which emphasized the need to remove barriers to sharing threat information in order to strengthen national infrastructure. This expanded shared vulnerability database marks an important step toward creating a more secure open-source environment for all users.
Looking back in chronological order CSAF
https://www.oasis-open.org/2022/11/28/common-security-advisory-framework-version-2-0-oasis-standard-is-now-published/
Common Security Advisory Framework Version 2.0 OASIS Standard 18 November 2022
So my guess is that Google has been working on their OSV schema in 2021, then CSAF was introduced? This is understandable, but given the resources available to Google, why not move to CSAF now?
Hi,
The OSV schema was created as a first class format for describing vulnerabilities in open source. Please see https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html for the full rationale on why we created it. The summary is there is no other simple format available that actually enforces machine readability and ties it to actual open source versioning practices (such as git commits).
OSV-Scanner provides SBOM support (with plans for automated VEX generation) to bridge the gaps with other standards.
We found the CSAF format lacking as a first class format for open source, but interoperability is still possible -- it's completely possible to generate CSAF documents (VEX or advisories) from OSV schema entries, and something we could potentially build as part of the OSV-Scanner.
Closing this issue, but happy to discuss more.
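The maintainer's point above is that an OSV entry is machine-evaluable against actual package versions. As an added illustration (not code from the OSV project or from anyone in this thread), the following evaluates a constructed OSV entry's `affected[].ranges[]` events against a candidate version. The advisory id, package name and version numbers are made up; only the field names (`affected`, `package`, `ranges`, `events`, `introduced`, `fixed`, `last_affected`, `versions`) follow the OSV schema. Only `SEMVER` ranges are handled, and pre-release tags are ignored for simplicity; `ECOSYSTEM` and `GIT` ranges need ecosystem- or repository-specific comparison and are skipped here.

```python
import json

# Constructed sample OSV entry. Not a real advisory; the id, package and
# version numbers are invented. Field names follow the OSV schema.
SAMPLE_OSV = json.loads("""
{
  "schema_version": "1.3.1",
  "id": "EXAMPLE-0000-0001",
  "summary": "Constructed example advisory for examplelib",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplelib"},
      "ranges": [
        {"type": "SEMVER",
         "events": [
           {"introduced": "0"},     {"fixed": "1.2.3"},
           {"introduced": "2.0.0"}, {"fixed": "2.1.0"}
         ]}
      ]
    }
  ]
}
""")


def parse_semver(version):
    """Numeric MAJOR.MINOR.PATCH tuple; pre-release and build metadata are dropped."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def range_to_intervals(rng):
    """Turn a SEMVER event list into (lo, hi, hi_inclusive) intervals.

    OSV events are read in order: an 'introduced' opens an interval and a
    following 'fixed' (exclusive) or 'last_affected' (inclusive) closes it.
    An 'introduced' with no closing event means every later version is affected
    (hi is None). The special value "0" means "from the first version".
    """
    intervals = []
    lo = None
    for event in rng["events"]:
        if "introduced" in event:
            if lo is not None:                      # previous interval never closed
                intervals.append((lo, None, False))
            raw = event["introduced"]
            lo = (0, 0, 0) if raw == "0" else parse_semver(raw)
        elif "fixed" in event and lo is not None:
            intervals.append((lo, parse_semver(event["fixed"]), False))
            lo = None
        elif "last_affected" in event and lo is not None:
            intervals.append((lo, parse_semver(event["last_affected"]), True))
            lo = None
    if lo is not None:
        intervals.append((lo, None, False))
    return intervals


def is_affected(entry, ecosystem, name, version):
    """True if `version` of ecosystem/name falls inside any affected range of `entry`."""
    candidate = parse_semver(version)
    for affected in entry.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        # Explicit enumerated versions, if the entry lists them.
        if version in affected.get("versions", []):
            return True
        for rng in affected.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue  # ECOSYSTEM / GIT ranges are out of scope for this example
            for lo, hi, hi_inclusive in range_to_intervals(rng):
                if candidate < lo:
                    continue
                if hi is None or candidate < hi or (hi_inclusive and candidate == hi):
                    return True
    return False


if __name__ == "__main__":
    for v in ["1.0.0", "1.2.3", "1.9.0", "2.0.5", "2.1.0"]:
        print(v, "affected" if is_affected(SAMPLE_OSV, "PyPI", "examplelib", v) else "not affected")
```

Reading the events as ordered open/close pairs (rather than as independent min/max fields) is what lets one entry express "fixed in 1.2.3, reintroduced in 2.0.0, fixed again in 2.1.0" without ambiguity; a consumer that compares only against the first `fixed` value would wrongly clear 2.0.5.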
Why do you want to push your own standard in front of what is mandated for the USA????????????
Why??? Anyone who touches your standard is doomed. They certainly could not sell to the government.
What rationale do you have to go against the Executive Orders???? Why even bother.
https://www.cisa.gov/blog/2022/11/10/transforming-vulnerability-management-landscape
Can you comprehend how much it sucks to be on the users' side, and be faced with yet another island of poorly thought-through details??? Why can't the big vendors support the freaking standards?
Frankly this repo is just depressing