ssst0n3 / vulnerability-research-database


learning from "Open Source Vulnerability format" #2

Closed ssst0n3 closed 1 year ago

ssst0n3 commented 1 year ago

https://ossf.github.io/osv-schema/

What, Why, How

ssst0n3 commented 1 year ago

Why

There are many problems to solve industry-wide concerning vulnerability detection, tracking, and response. One low-level problem is that there are many databases and no standard interchange format.

What

This document defines a draft of a standard interchange format. We hope to define a format that all vulnerability databases can export, to make it easier for users, security researchers, and any other efforts to consume all available databases. Use of this format would also make it easier for the databases themselves to share or cross-check information.

This shared interchange format is not expected to be the internal format for any particular database. We hope only that every vulnerability database will make its entries available in this format to enable interoperability.

Overall, the approach of this schema is to define only the fields that absolutely must be shared between databases, leaving customizations to the “ecosystem_specific” and “database_specific” blocks (see below).
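To make the split between shared fields and customization blocks concrete, here is an added example (not code from the OSV project or from this issue): two constructed OSV-shaped entries, as if exported by two different databases, and helpers that strip the `ecosystem_specific` / `database_specific` blocks, check the two required top-level fields, and cross-check the entries by the identifiers they share. All IDs, package names and timestamps are placeholders; the timestamp check only accepts the `Z`-suffixed form the samples use, which is an assumption rather than a full RFC 3339 parser.

```python
"""Separate OSV entries into the shared interchange fields and the
customization blocks, then cross-check two entries by identifier.

Added illustration; not part of the OSV project or of this issue.
Both entries are constructed samples with placeholder identifiers.
"""
import copy
import json
from datetime import datetime

# Blocks the schema reserves for per-ecosystem / per-database customization.
EXTENSION_BLOCKS = ("ecosystem_specific", "database_specific")

# Constructed sample "exported by database A"; every ID here is a placeholder.
ENTRY_FROM_DB_A = {
    "schema_version": "1.4.0",
    "id": "EXAMPLE-A-0001",
    "modified": "2023-01-02T10:00:00Z",
    "published": "2023-01-01T09:00:00Z",
    "aliases": ["PLACEHOLDER-ALIAS-1"],
    "summary": "Constructed sample advisory",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplepkg"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}
            ],
            "ecosystem_specific": {"severity": "moderate"},
            "database_specific": {"internal_ticket": "A-42"},
        }
    ],
    "database_specific": {"source_url": "https://example.invalid/a/0001"},
}

# Constructed sample "exported by database B" for the same vulnerability.
ENTRY_FROM_DB_B = {
    "schema_version": "1.4.0",
    "id": "EXAMPLE-B-0009",
    "modified": "2023-01-03T12:00:00Z",
    "aliases": ["PLACEHOLDER-ALIAS-1", "EXAMPLE-A-0001"],
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplepkg"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}
            ],
            "database_specific": {"reviewer": "placeholder"},
        }
    ],
    "database_specific": {"source_url": "https://example.invalid/b/0009"},
}


def validate_minimum(entry):
    """Return a list of problems; OSV requires 'id' and an RFC 3339 'modified'.
    Only the 'Z' (UTC) timestamp form is accepted here (assumption)."""
    problems = []
    if not isinstance(entry.get("id"), str) or not entry["id"]:
        problems.append("missing id")
    try:
        datetime.strptime(entry.get("modified"), "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        problems.append("modified is not an RFC 3339 UTC timestamp")
    return problems


def shared_fields(entry):
    """Deep copy of the entry with the customization blocks removed at the
    top level and inside each 'affected' item; the input is left untouched."""
    core = copy.deepcopy(entry)
    for block in EXTENSION_BLOCKS:
        core.pop(block, None)
    for affected in core.get("affected", []):
        for block in EXTENSION_BLOCKS:
            affected.pop(block, None)
    return core


def identifiers(entry):
    """The entry's own id plus every alias it declares."""
    return {entry["id"], *entry.get("aliases", [])}


def cross_check(entry_a, entry_b):
    """Identifiers both databases agree refer to the same vulnerability."""
    return identifiers(entry_a) & identifiers(entry_b)


def fixed_versions(entry):
    """(ecosystem, name, fixed) triples read from the shared range events."""
    out = []
    for affected in entry.get("affected", []):
        pkg = affected.get("package", {})
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    out.append((pkg.get("ecosystem"), pkg.get("name"), event["fixed"]))
    return out


if __name__ == "__main__":
    print(json.dumps(shared_fields(ENTRY_FROM_DB_A), indent=2))
    print("shared identifiers:", sorted(cross_check(ENTRY_FROM_DB_A, ENTRY_FROM_DB_B)))
```

The point of `shared_fields` is that a consumer can compare two exports field by field without caring what each database put in its own blocks, while `cross_check` shows the alias-based linking that a common format makes possible.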

ssst0n3 commented 1 year ago

why

In vulnerability detection, tracking, and response, the industry as a whole has many problems to solve. One low-level cause is that there is no standard interchange format between databases.

what

This document defines a standard interchange format: by defining a format that every vulnerability database can export, it makes it easier for users, security researchers, and others to use the various databases. Using this format also makes it easier for the databases themselves to share or exchange information.

This schema defines only the fields that must be shared between databases, leaving customized information to the specific ecosystem and database.

As for how the format is concretely defined, the document gives a detailed explanation and examples.