Hi all,
I'm CCing Irena Bojanova on this mail; she is leading a group at NIST on a project called the Bugs Framework (BF).
I've been reading some of their work, and I like it. I would encourage everyone subscribed to this list to take a look. The data format is incomplete, but it is being worked on.
This mail is to kill a few birds with one stone.
I put together a file that shows off what I envision adding BF data could look like here.
I do not have a JSON-LD context definition yet.
I used Heartbleed as my example because the BF folks have a nice write-up about it here.
I am too stupid and lazy to figure out a bug in a reasonable amount of time, so I cheated.
Second, everything in that file should conform to the OSV schema (I can't find an actual schema definition to validate against, so I can't prove it). I think we can use the current OSV format with a few minor changes to properly support JSON-LD.
Lastly, the BF data format is very descriptive, but I like JSON and wanted to see it described as such, so that's what this file is really meant to show off. I had a chat with Irena and promised such an example this weekend. OSV compatibility was a happy accident.
If we have BF data and a git commit, I believe we could auto-generate the description and severity score for almost any bug or vulnerability. I need to think about this more, though.
Feedback is welcome, thanks in advance.
--
Josh