Add upstream field.
#312
Add upstream field.
#312
Conversation
Fixes #249. Signed-off-by: Oliver Chang <ochang@google.com>
|
LGTM |
docs/schema.md
Outdated
| @@ -518,7 +519,26 @@ package(s). For example, if a CVE describes a vulnerability in a language | |||
| library, and a Linux distribution package contains that library and therefore | |||
| publishes an advisory, the distribution's OSV record must not list the CVE ID as | |||
| an alias. Similarly, distributions often bundle multiple upstream | |||
| vulnerabilities into a single record. `related` should be used in these cases. | |||
| vulnerabilities into a single record. `upstream` should be used in these cases. | |||
There was a problem hiding this comment.
nit: I think it's slightly unclear what "these cases" refers to here, since this paragraph touches on both upstream and downstream packages.
There was a problem hiding this comment.
Thanks for the pointing this out. I've tweaked the wording here to make it clearer.
Co-authored-by: Dan Luhring <luhring@users.noreply.github.com> Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: Dan Luhring <luhring@users.noreply.github.com> Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
|
Thanks for the suggestions @luhring ! |
|
Without reading too deeply into this change it does seem like an interesting restriction to have available. Is anyone committing to producing OSV records which use this relation? |
We have a lot of positive feedback on #249 from various distro feed owners. The change itself is also proposed by @luhring from Chainguard. While "committing" is a strong word, I think this would be a field that will be used from these feeds. |
|
Gotcha. Well then seems like a reasonable reference type to me 👍 |
|
Ditto what @oliverchang said — and we plan on using it for the Chainguard feed. |
Fixes #249.