Add upstream field.
Fixes #249.

Signed-off-by: Oliver Chang <ochang@google.com>
oliverchang committed Nov 15, 2024
1 parent 00aefbd commit 7be52ec
Showing 2 changed files with 23 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -37,3 +37,4 @@
prefixes.
- 2024-09-12 Released version 1.6.6. Add RHBA, RHEA, SUSE-OU prefixes.
- 2024-09-16 Released version 1.6.7. JSON schema and minor text formatting changes.
- 2024-TBD Released version 1.6.8. Add `upstream` field.
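Review bot: the new CHANGELOG entry uses the placeholder date `2024-TBD`, while the neighbouring entries carry concrete release dates; replace it with the real date when 1.6.8 is cut so the dated-entry format stays uniform. Since this release also moves the guidance for bundled upstream vulnerabilities from `related` to `upstream` (see the docs/schema.md hunk), consider mentioning that in the entry, as it changes how existing records that used `related` for this purpose should be read.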
26 changes: 22 additions & 4 deletions docs/schema.md
Expand Up @@ -51,6 +51,7 @@ A JSON Schema for validation is also available
"published": string,
"withdrawn": string,
"aliases": [ string ],
"upstream": [ string ],
"related": [ string ],
"summary": string,
"details": string,
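Review bot: the `upstream` property is added to the illustrative record layout here, but this commit touches only CHANGELOG.md and docs/schema.md (per the file summary above), so the JSON Schema for validation referenced just before this hunk is not updated. If that schema enumerates the allowed top-level properties, records carrying `upstream` will fail validation until it gains the new property; either include the schema change here or note the follow-up.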
Expand Down Expand Up @@ -518,7 +519,26 @@ package(s). For example, if a CVE describes a vulnerability in a language
library, and a Linux distribution package contains that library and therefore
publishes an advisory, the distribution's OSV record must not list the CVE ID as
an alias. Similarly, distributions often bundle multiple upstream
vulnerabilities into a single record. `related` should be used in these cases.
vulnerabilities into a single record. `upstream` should be used in these cases.

## upstream field

```
{
"upstream": [ string ]
}
```

The `upstream` field gives a list of IDs of upstream vulnerabilities that are
bundled by the vulnerability entry.

For example, a downstream package ecosystem (such as a Linux distribution) may
issue its own advisories that include (possibly multiple) upstream
vulnerabilities.

`upstream` should be considered transitive but not symmetric. For example, if B is
an upstream vulnerability for A, and C is an upstream vulnerability for B, then
C is also an upstream vulnerability for A.

## related field

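Review bot: the new `upstream` section defines transitivity and the lack of symmetry but does not say how `upstream` interacts with `aliases` and `related`: whether an ID may appear in more than one of these lists on the same record, and whether IDs in `upstream` follow the same identifier conventions as `aliases`. A sentence such as "An ID listed in `upstream` must not also appear in `aliases` or `related`" (or the reverse, if overlap is intended) would remove the ambiguity for consumers that aggregate these fields. Also, the replacement sentence "`upstream` should be used in these cases" now covers two cases from the preceding paragraph (a distribution advisory for a CVE in a bundled library, and one record bundling several upstream vulnerabilities); confirm both are meant to use `upstream`, since the section text only describes the bundling case.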
Expand All @@ -531,9 +551,7 @@ vulnerabilities into a single record. `related` should be used in these cases.
The `related` field gives a list of IDs of closely related vulnerabilities, such
as:
- A similar but completely different vulnerability.
- A similar OSV entry that bundles multiple distinct vulnerabilities in the same
entry.
- Cases that do not satisfy the strict definition of `aliases`.
- Cases that do not satisfy the strict definition of `aliases` or `upstream`.

Related vulnerabilities are symmetric but not transitive.
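Review bot: removing the bullet about an entry that bundles multiple distinct vulnerabilities leaves the reverse direction undocumented. `upstream` is stated to be non-symmetric, so the record being bundled cannot point back at the downstream entry with `upstream`, and with this bullet gone `related` no longer explicitly covers that case either. Suggest either keeping a bullet such as "- A downstream entry that lists this vulnerability in its `upstream` field." under `related`, or stating that no back-reference from the upstream record is expected.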

0 comments on commit 7be52ec