Merged
Conversation
Fixes #249. Signed-off-by: Oliver Chang <ochang@google.com>
This was referenced Nov 15, 2024
Collaborator
|
LGTM |
luhring
reviewed
Nov 19, 2024
docs/schema.md
Outdated
| publishes an advisory, the distribution's OSV record must not list the CVE ID as | ||
| an alias. Similarly, distributions often bundle multiple upstream | ||
| vulnerabilities into a single record. `related` should be used in these cases. | ||
| vulnerabilities into a single record. `upstream` should be used in these cases. |
Contributor
There was a problem hiding this comment.
nit: I think it's slightly unclear what "these cases" refers to here, since this paragraph touches on both upstream and downstream packages.
Collaborator
Author
There was a problem hiding this comment.
Thanks for the pointing this out. I've tweaked the wording here to make it clearer.
Co-authored-by: Dan Luhring <luhring@users.noreply.github.com> Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: Dan Luhring <luhring@users.noreply.github.com> Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Collaborator
Author
|
Thanks for the suggestions @luhring ! |
Contributor
|
Without reading too deeply into this change it does seem like an interesting restriction to have available. Is anyone committing to producing OSV records which use this relation? |
Collaborator
Author
We have a lot of positive feedback on #249 from various distro feed owners. The change itself is also proposed by @luhring from Chainguard. While "committing" is a strong word, I think this would be a field that will be used from these feeds. |
darakian
approved these changes
Dec 10, 2024
Contributor
|
Gotcha. Well then seems like a reasonable reference type to me 👍 |
Contributor
|
Ditto what @oliverchang said — and we plan on using it for the Chainguard feed. |
andrewpollock
added a commit
to andrewpollock/osv-schema
that referenced
this pull request
Feb 3, 2025
This commit adds the `upstream` field to the schema definition. It was omitted from ossf#312 Signed-off-by: Andrew Pollock <apollock@google.com>
oliverchang
pushed a commit
that referenced
this pull request
Feb 3, 2025
This commit adds the `upstream` field to the schema definition. It was omitted from #312 Signed-off-by: Andrew Pollock <apollock@google.com>
jess-lowe
added a commit
to google/osv.dev
that referenced
this pull request
Feb 27, 2025
This PR aims to prepare the models.py file to support the 'upstream' field to be introduced by ossf/osv-schema#312. Part of addressing #3052 This will calculate all of the transitive upstream dependencies of a given CVE. Hierarchy will be calculated and determined by the frontend in a later PR.
hogo6002
pushed a commit
to hogo6002/osv.dev
that referenced
this pull request
Feb 27, 2025
This PR aims to prepare the models.py file to support the 'upstream' field to be introduced by ossf/osv-schema#312. Part of addressing google#3052 This will calculate all of the transitive upstream dependencies of a given CVE. Hierarchy will be calculated and determined by the frontend in a later PR.
andrewpollock
pushed a commit
that referenced
this pull request
Mar 18, 2025
…tests (#345) CVE upstream has moved from `related` to `upstream` to support #312 schema change. The `GO` vuln alias (for the CVE entry) has been left in related, so as not to affect the computation on the OSV.dev hierarchy display side. Tests updated to the latest schema version as well. Signed-off-by: Jess Lowe <jesslowe@google.com>
progval
added a commit
to progval/osv
that referenced
this pull request
Dec 19, 2025
Includes: * 1.6.6: ossf/osv-schema#276 * 1.6.7: nothing * 1.7.0: ossf/osv-schema#312 ossf/osv-schema#319 ossf/osv-schema#337 * 1.7.1: nothing * 1.7.2: ossf/osv-schema#351 ossf/osv-schema#347 ossf/osv-schema#358 * 1.7.3: ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 ossf/osv-schema#357
progval
added a commit
to progval/osv
that referenced
this pull request
Dec 19, 2025
Includes: * 1.6.6: ossf/osv-schema#276 * 1.6.7: nothing * 1.7.0: ossf/osv-schema#312 ossf/osv-schema#319 ossf/osv-schema#337 * 1.7.1: nothing * 1.7.2: ossf/osv-schema#351 ossf/osv-schema#347 ossf/osv-schema#358 * 1.7.3: ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 ossf/osv-schema#357
progval
added a commit
to progval/osv
that referenced
this pull request
Dec 19, 2025
Includes: * 1.7.0: ossf/osv-schema#312 (`upstream` field) ossf/osv-schema#319 ossf/osv-schema#337 (`Ubuntu` as `severity` score) * 1.7.1: nothing * 1.7.2: ossf/osv-schema#351 ossf/osv-schema#347 ossf/osv-schema#358 * 1.7.3: ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 ossf/osv-schema#357
progval
added a commit
to progval/osv
that referenced
this pull request
Dec 19, 2025
Includes: * 1.7.0: * ossf/osv-schema#312 (`upstream` field) * ossf/osv-schema#319 * ossf/osv-schema#337 (`Ubuntu` as `severity` score) * 1.7.1: nothing * 1.7.2: * ossf/osv-schema#351 * ossf/osv-schema#347 * ossf/osv-schema#358 * 1.7.3: * ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 * ossf/osv-schema#357
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #249.