Add support for OSV #70

Open
nscuro opened this issue Aug 17, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@nscuro
Contributor

nscuro commented Aug 17, 2023

Thanks for this amazing project, we make heavy use of the clients library in Hyades!

Beside the NVD and GitHub Advisories, we also mirror the OSV database. We currently do this by recurringly downloading ZIPs from OSV's GCS bucket, e.g. https://osv-vulnerabilities.storage.googleapis.com/Maven/all.zip. The official REST API does not offer any mirroring capabilities yet.

We'd love to offload the downloading and deserialization logic for OSV to the OVP client as well. Is OSV support something you'd consider implementing?

@nscuro changed the title from "Add support OSV" to "Add support for OSV" on Aug 17, 2023
@jeremylong
Owner

Yes - OSV can be added to the library. However, I have some work to complete on dependency-check before I can do much more with this project.

@sschuberth

BTW, we already have a JVM client (written in Kotlin) for OSV (and several others) as part of ORT.

@jeremylong, do you think it generally could make sense to join forces here?

@nscuro
Contributor Author

nscuro commented Dec 1, 2024

@sschuberth @jeremylong On the topic of joining forces, and please excuse me if this is not 100% related to this issue:

In the Dependency-Track project we're aiming to compile our own database(s), based on the various public sources: DependencyTrack/dependency-track#4122 (Google doc with a few more details here).

I wonder if this is something both of your projects would be interested in, too?

@sschuberth

sschuberth commented Dec 1, 2024

> we're aiming to compile our own database(s), based on the various public sources:

Sounds quite a bit like what https://github.com/aboutcode-org/vulnerablecode/ does, or? (Also see the supported sources for aggregation.)
