Comments (10)
I think that's a perfectly reasonable place
The CVE/NVD import tooling is here
https://github.com/cloudsecurityalliance/gsd-tools/tree/main/securitylist
Maybe start on a feature branch or fork that we can merge once it's all working
from gsd-tools.
I'm of the opinion not to overload fields to accomplish this. For example I'm not a fan of the affected field in OSV, I think it's overly complex.
The last time I discussed this with anyone I was leaning towards one ID per package/ecosystem, but that was before we had a concept of a namespace.
I think I currently would lean in the direction of using a lot of namespaces. For example if we had a PURL based namespace we would get a lot of functionality for free.
from gsd-tools.
thinking out loud namespaces give us the best of both worlds, e.g. you can have vendor/project/organization specific namespaces, e.g. "debian.org" with whatever their data/formats are, and standards-based namespaces, e.g. "packageurl" or "purl" or "CPE" or "OVAL" or whatever format. And now people have a hint at least on what that data is and how to go about processing it. Also ideally we have tools to parse our files.
from gsd-tools.
Yeah, I think I've come to a similar conclusion. I was thinking something like similar to what we have with cve.org and NVD namespaces we also have a namespace per other organization with more of a raw format of what they provide (I was thinking of starting with the GitHub security advisories and GitLab community advisories). Having that data is helpful (especially when they don't agree with each other) as it allows people to assign a degree of confidence based on sources they trust. And when there are disagreements between sources we can flag that for manual review and reach out to get them corrected in the sources when possible. GitLab at least is very happy to get that feedback. GitHub can be a bit more difficult since the advisories are often at a per-project level.
from gsd-tools.
But I also think there is value in having some sort of standard easily consumable format for most of those. One thing I was thinking of is letting the OSV project take care of some of that. I was already thinking of getting the various Linux distro alerts setup to feed into their existing pipeline. One really nice thing that OSV tries to do is have an array of explicit affected versions so that stuff consuming it doesn't have to understand the weirdness of various ecosystems version range logic.
from gsd-tools.
Anyways, I'll try to work on some example JSON of what I was thinking, hopefully sometime today
from gsd-tools.
Sorry, guess I didn't get to it yet. I'm thinking about too many things at once. Are there any objections to feeding in the data from GitHub Advisories into a namespace github.com
and GitLab Community Advisories into a namespace gitlab.com
similar to what we're doing with the cve and nvd data?
from gsd-tools.
And if we think that is okay, would gsd-tools be a good place to integrate those? I can create issues to track that work there if so (and work on it as well (I kinda already started anyways))
from gsd-tools.
Cool, I'll start working on that then and then come back to figuring out more of the details on this one. I do like the idea of having a bunch of the affected package urls somewhere and preferably not having to parse ecosystem-specific version ranges
from gsd-tools.
Related discussion in the OSV repo: ossf/osv-schema#123
from gsd-tools.
Related Issues (20)
- Update Edit Button to disable submission while already processing API requests
- Replicate the requests form for the Create GSD Form in GSD Web HOT 1
- Reach out to the OpenSSF community on participating with GSD
- Reach out to Ruby Advisory Database community about participation with GSD
- API Endpoint to request/reserve a GSD ID HOT 1
- Update gsd-web to use jsonschema validator HOT 2
- Update gsd-schema with kurtseifried/gsd-schema changes
- Link in https://github.com/cloudsecurityalliance/gsd-tools/blob/main/securitylist/README.md goes to 404 HOT 1
- schema.gsd.id Cloudflare Worker for schema $refs HOT 7
- Fix GSD Bot creating multiple affected packages instead of using multiple ranges
- Update GSD Bot to use INTRODUCED/FIX for reference types HOT 2
- Add tooltips for data.gsd.id add reference type
- Add text box for commit message when editing on data.gsd.id
- Update GSD Web to update modified at when changing a GSD
- Update Edit Button to support all OSV fields HOT 3
- GSD data normalization and format cross-compatibility/conversion
- Vulnerability Data Source Landscape HOT 1
- Update data.gsd.id show page to include all OSV values
- Create an OpenAPI v3.1 Spec for GSD API
- Create Python Interface for GSD HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gsd-tools.