Closed andrewpollock closed 2 months ago
I don't think we have any plans from any sources to publish LINUX- entries today. That one in the OSV.dev repo is a completely made-up one.
> I don't think we have any plans from any sources to publish LINUX- entries today. That one in the OSV.dev repo is a completely made-up one.

In the interests of consistency and correctness, should we:
- adjust this PR to remove the Linux kernel from the schema entirely?
- and then remove the OSV.dev test case?
- merge this PR?
> > I don't think we have any plans from any sources to publish LINUX- entries today. That one in the OSV.dev repo is a completely made-up one.
>
> In the interests of consistency and correctness, should we:
> - adjust this PR to remove the Linux kernel from the schema entirely?

Do you mean the "Linux" ecosystem? That's always been valid, and historically advisories for it have been published under a different prefix (GSD-).

> - and then remove the OSV.dev test case?

We can just rename the OSV.dev testcase to an existing prefix? e.g. GSD or CVE?

> - merge this PR?
> Do you mean the "Linux" ecosystem? That's always been valid, and historically advisories for it have been published under a different prefix (GSD-).

Sorry, yes.
It turns out the ecosystem gets a mention under the ecosystems at https://ossf.github.io/osv-schema/#affectedpackage-field but not the ID prefixes at https://ossf.github.io/osv-schema/#id-modified-fields, which is why it was omitted when I generated the regex (I worked off the ID prefix list only).

> We can just rename the OSV.dev testcase to an existing prefix? e.g. GSD or CVE?

Sure, I'll close this PR. It turns out that Wolfi is completely missing from https://ossf.github.io/osv-schema/#affectedpackage-field so I'm going to need to send another PR to correct that situation.
Not currently in production use, but OSV.dev has a test case using it.
Missed when generating the regex because it's absent from https://ossf.github.io/osv-schema/#id-modified-fields (should it be?)
(This made me go and research how the Linux Kernel CVEs are generated)