Schema proposal: ecosystem severities


David Fernandez Gonzalez

Dec 17, 2024, 2:05:13 PM
to [email protected], Denis Pilipchuk
Hi everyone,

Currently, the schema allows CVSS severities under severity[].
Nevertheless, you can find references to other severities under other
areas: on the summary [1][2], per-package under ecosystem_specific
[3][4], or under database_specific [5][6].

It's common practice for security teams to provide a severity related to
the security issue within their ecosystem. The severities previously
mentioned are examples of them. Other publishers have them too but they
are not present on the OSV documents.

This presents a problem within the schema: publishers have the need to
provide this ecosystem severity, but there is no defined way to do so.
This results in having several references to "severity" within the
document and no standard way to retrieve this ecosystem severity, since
each publisher is taking a different approach.

Given that severity[] already exists, it would make sense to have an
"ECOSYSTEM" type severity. This is the same type used for providing
version ranges, so this wouldn't be unexpected. A "namespace" optional
field could be used to provide a reference to the meaning of the score
as per the ecosystem, similar to how it's done in CVE records [7].

An example using Red Hat namespace:

"severity": [
    {
        "type": "ECOSYSTEM",
        "score": "Low",
        "namespace": "https://access.redhat.com/security/updates/classification"
    }
]

This proposal was developed with feedback from Red Hat and Ubuntu, who
already support this request. We would like to get the opinion of
other publishers and the OSV team so we can find a path forward for this issue.

Many thanks,
David.

[1] https://osv.dev/vulnerability/ALSA-2024:10830
[2] https://osv.dev/vulnerability/RLSA-2024:9051
[3] https://osv.dev/vulnerability/ASB-A-317048495
[4] https://osv.dev/vulnerability/UBUNTU-CVE-2024-43498
[5] https://osv.dev/vulnerability/BIT-node-min-2020-10531
[6] https://osv.dev/vulnerability/GHSA-27vq-hv74-7cqp
[7] https://github.com/CVEProject/cvelistV5/blob/89f4ce2d47457507bd355b354628b30427e66eaa/cves/2023/6xxx/CVE-2023-6110.json#L16C13-L25C19

--
David Fernandez Gonzalez
# Oracle Linux Product Security
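The lookup the proposal would standardise, as an added example (not code from the thread or from the OSV project): it prefers a severity[] entry of type ECOSYSTEM and otherwise falls back to the publisher-specific places named above. The sample record is constructed, and the "severity" key under ecosystem_specific / database_specific is an assumption, since each publisher currently chooses its own layout.

```python
import json
from urllib.parse import urlparse

# Constructed sample OSV record (not a real osv.dev entry). It carries the
# proposed ECOSYSTEM entry in severity[] beside a CVSS entry, plus the legacy
# database_specific placement that the proposal would make redundant.
SAMPLE_RECORD = json.loads("""
{
  "id": "EXAMPLE-2024-0001",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"type": "ECOSYSTEM", "score": "Low",
     "namespace": "https://access.redhat.com/security/updates/classification"}
  ],
  "affected": [{"package": {"ecosystem": "Red Hat", "name": "example-pkg"},
                "ecosystem_specific": {"severity": "Low"}}],
  "database_specific": {"severity": "Low"}
}
""")


def is_valid_ecosystem_severity(entry):
    # Assumed rules for the proposed entry: type is ECOSYSTEM, score is a
    # non-empty string, and namespace (optional) is an http(s) URL.
    if entry.get("type") != "ECOSYSTEM":
        return False
    score = entry.get("score")
    if not isinstance(score, str) or not score.strip():
        return False
    ns = entry.get("namespace")
    if ns is None:
        return True
    parsed = urlparse(ns)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def ecosystem_severity(record):
    # Return (score, namespace), preferring the proposed severity[] entry; the
    # fallbacks mirror today's publisher-specific spots (the "severity" key
    # there is an assumption, since each publisher chooses its own layout).
    for entry in record.get("severity", []):
        if is_valid_ecosystem_severity(entry):
            return entry["score"], entry.get("namespace")
    for affected in record.get("affected", []):
        legacy = affected.get("ecosystem_specific", {}).get("severity")
        if legacy:
            return legacy, None
    legacy = record.get("database_specific", {}).get("severity")
    return (legacy, None) if legacy else (None, None)
```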

Oliver Chang

Dec 18, 2024, 12:19:22 AM
to David Fernandez Gonzalez, [email protected], Denis Pilipchuk
Hi David,

Thank you very much for the proposal. Could I please ask you to file an issue on https://github.com/ossf/osv-schema/issues? We typically track all schema discussions and proposals there.

Note that given the time in the year and the closeness to holidays, we may not see much movement on this until early next year.

Cheers,
--
Oliver


--
You received this message because you are subscribed to the Google Groups "osv-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/d/msgid/osv-discuss/6b139a52-0ce3-4cfc-ade5-ffc57b507b1c%40oracle.com.

David Fernandez Gonzalez

Dec 18, 2024, 1:58:24 PM
to Oliver Chang, [email protected], Denis Pilipchuk
Hi Oliver,

Sure thing! I sent the message to this mailing list so I could get
feedback from other publishers too before creating the issue with the
proposal, but I'll go ahead and create that already.

There is no rush from our end, it can wait until after the holidays.

Thanks!
David


Andrew Pollock

Feb 17, 2025, 2:21:10 AM
to osv-discuss
For anyone else following along at home, this is being tracked in https://github.com/ossf/osv-schema/issues/323