Joerg Roedel, who is currently in Bilbao, has met you, and you asked him to
reach out to a person who could help with OSV.
This would be me, I am overseeing the security automation data
generation at SUSE.
We generate OVAL, CVRF, CSAF and CSAF VEX data at this time.
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg
I am generating these kinds of advisories now for SUSE and openSUSE,
and relation has the CVE lists.
Can be found here:
I would appreciate feedback if something is incorrect or missing.
What I see as a gap:
- I cannot add CVSS scores to the advisory style OSV (besides potentially using the vendor specific fields).
- I cannot communicate some form of rating for the advisory (also except vendor specific fields).
On Wed, Nov 08, 2023 at 10:28:40AM +1100, Andrew Pollock wrote:
> On Wed, 8 Nov 2023 at 03:08, Marcus Meissner <meis...@suse.de> wrote:
> > Hi,
> > I am generating these kinds of advisories now for SUSE and openSUSE,
> > and relation has the CVE lists.
> > Can be found here:
> > https://ftp.suse.com/pub/projects/security/osv/
> > I would appreciate feedback if something is incorrect or missing.
> Very cool! We'll take a look and collectively give you feedback, rather
> than giving it piecemeal so you can act on it all in one go.
> > What I see as a gap:
> > - I cannot add CVSS scores to the advisory style OSV (besides potentially
> > using the vendor specific fields).
> You can, see https://ossf.github.io/osv-schema/#severity-field
> > - I cannot communicate some form of rating for the advisory (also except
> > vendor specific fields).
> Can you elaborate on your needs with this "rating", beyond what
> https://ossf.github.io/osv-schema/#severity-field seeks to achieve?
The thing is that advisories contain 0-n CVEs, and usually the CVSS v3
score is associated with a CVE, not with an advisory.
While the severity field could list multiple CVSS_V3 scores, it has no
CVE association for them.
That's why I was also looking at a separate OSV tree, not indexed by
advisory but indexed by CVE. I have attached a sample JSON for this.
The next steps are to get a prefix added to the OSV-Schema; here are a few previous pull requests to look to for inspiration:

With the ecosystem field, what we've done with other distributions, and I'd recommend we do here as well, is to have colon delimiting releases or products.

name is the name of the source package. The ecosystem string might optionally have a
:<RELEASE> suffix to scope the package to a particular Debian release.
<RELEASE> is a numeric version specified in the Debian distro-info-data. For example, the ecosystem string "Debian:7" refers to the Debian 7 (wheezy) release.
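An added example (not code from this thread or from SUSE's generator) showing the two points discussed above: an advisory-style OSV record whose severity list cannot be tied back to its individual CVEs, the per-CVE split of the same data so each record carries exactly one attributable score, and parsing of the colon-delimited ecosystem suffix. The ecosystem name, package, versions, ids and CVSS vectors are constructed placeholders; the fields used (aliases, related, severity, affected, ranges) are standard OSV schema fields.

```python
import json

# Constructed sample advisory fixing two CVEs, each with its own CVSS v3.1 vector.
# Ecosystem, package, versions and ids are placeholders, not SUSE data; "cve_scores"
# is a constructed input mapping, not an OSV field.
ADVISORY = {
    "id": "EXAMPLE-SA-2023-0001",
    "modified": "2023-11-08T00:00:00Z",
    "summary": "Security update for examplepkg",
    "cve_scores": {
        "CVE-2023-00001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "CVE-2023-00002": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
    },
    "affected": [{
        "package": {"ecosystem": "ExampleDistro:15.5", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.2.3-1.1"}]}],
    }],
}

def split_ecosystem(ecosystem):
    """'Debian:7' -> ('Debian', '7'); a bare 'Debian' -> ('Debian', None)."""
    base, sep, release = ecosystem.partition(":")
    return base, (release if sep else None)

def advisory_record(adv):
    """Advisory-style OSV: all CVEs as aliases, all vectors in 'severity'.
    Nothing in the schema ties severity[i] back to aliases[j]."""
    return {
        "id": adv["id"], "modified": adv["modified"], "summary": adv["summary"],
        "aliases": sorted(adv["cve_scores"]),
        "severity": [{"type": "CVSS_V3", "score": v} for v in adv["cve_scores"].values()],
        "affected": adv["affected"],
    }

def severity_is_unambiguous(record):
    """True when a consumer can attribute every severity entry to one CVE."""
    return len(record.get("severity", [])) <= 1 or len(record.get("aliases", [])) <= 1

def per_cve_records(adv):
    """CVE-indexed tree: one record per CVE, so its single severity is attributable."""
    out = []
    for cve, vector in sorted(adv["cve_scores"].items()):
        out.append({
            "id": f"EXAMPLE-{cve}", "modified": adv["modified"],
            "aliases": [cve], "related": [adv["id"]],  # link back to the advisory
            "severity": [{"type": "CVSS_V3", "score": vector}],
            "affected": adv["affected"],
        })
    return out
```

Run `json.dumps(per_cve_records(ADVISORY), indent=2)` to see the two per-CVE records; `severity_is_unambiguous` is a simple check a consumer can apply before trusting a score from a multi-CVE record.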