The Bugs Framework data format, OSV, and JSON-LD

Skip to first unread message

Josh Bressers

Sep 11, 2021, 9:54:53 PM9/11/21
Hi all,

I'm CCing Irena Bojanova to this mail, she is leading a group at NIST on a project called Bugs Framework Project (BF).

I've been reading some of their work, I like it. I would encourage everyone subscribed to this list to take a look. The data format is incomplete, but being worked on.

This mail is to kill a few birds with one stone.

I put together a file that shows off what I envision adding BF data could look like here
I do not have a JSON-LD context definition yet.

I used Heartbleed as my example because the BF folks have a nice writeup about it here
I am too stupid and lazy to figure out a bug in a reasonable amount of time so I cheated.

Second, everything in that file should conform to the OSV schema (I can't find an actual schema definition to validate, so I can't prove it). I think we can use the current OSV format with a few minor changes to properly support JSON-LD.

Lastly, the BF data format is very descriptive, but I like JSON and wanted to see it described as such, so that's what this file is really meant to show off. I had a chat with Irena and promised such an example this weekend. OSV compatibility was a happy accident.

If we have BF data and a git commit, I believe we could auto generate the description and severity score for most any bug or vulnerability. I need to think about this more though.

Feedback is welcome, thanks in advance.


Oliver Chang

Sep 13, 2021, 2:38:41 AM9/13/21
to Josh Bressers,,
Thanks for sharing this Josh! This looks really interesting. 

Re OSV schema validator, we have a pull request with a JSON schema definition here: 

You received this message because you are subscribed to the Google Groups "UVI Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to

Bojanova, Irena V. (Fed)

Oct 3, 2021, 11:59:36 PM10/3/21
to Oliver Chang, Josh Bressers,
Josh and Oliver,

Please see here ( an updated BF Hearbleed description in XML format. (The schema only for the BF class definition is defined for now. I will have the vulnerability descriptions schema soon.)

I did this in XML, as I use XSLT and XPath to generate visualizations. It should be easily to translate this to JSON.

Please let me know what you think.


From: Oliver Chang <>
Sent: Monday, September 13, 2021 2:38 AM
To: Josh Bressers <>
Cc: Bojanova, Irena V. (Fed) <>; <>
Subject: Re: The Bugs Framework data format, OSV, and JSON-LD

Kurt Seifried

Oct 4, 2021, 12:00:51 AM10/4/21
to Bojanova, Irena V. (Fed), Oliver Chang, Josh Bressers,
Can you make this document public? Thanks.

Kurt Seifried (He/Him)
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance

Kurt Seifried

Oct 12, 2021, 1:50:29 PM10/12/21
to Bojanova, Irena V. (Fed),, Josh Bressers
Took a quick look at:

Question: the definitions of words e.g.:

    <Value>Under Bounds</Value>
<Value>Untrusted Pointer</Value>
<Value>Wrong Position</Value>
<Value>Casted Pointer</Value>

are from CWE, or?

Kurt Seifried (He/Him)
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance

On Sun, Oct 3, 2021 at 10:19 PM Bojanova, Irena V. (Fed) <> wrote:

I will share it with you. It's on the NIST Drive, so it cannot be made public.
I will put the files on GitHub once we double-check them.


From: Kurt Seifried <>
Sent: Monday, October 4, 2021 12:00 AM
To: Bojanova, Irena V. (Fed) <>
Cc: Oliver Chang <>; Josh Bressers <>; <>
This e-mail account is used only for work-related purposes; it is not guaranteed that any correspondence sent to this address will be read by the addressee only, as it may be necessary, under certain circumstances, for third parties appointed by the Cloud Security Alliance to access this e-mail account. Please do not send any messages of a personal nature to this address.
Reply all
Reply to author
0 new messages