Hello,
Over the past year, OSV has had a big focus on Linux distribution support. As the OSV schema has been adopted by more Linux distributions, we've encountered redundancy in our vulnerability export process to the https://osv-vulnerabilities.storage.googleapis.com bucket. This is because we currently export data for both parent ecosystems (e.g. Debian) and their sub-ecosystems (e.g. Debian:11, Debian:12) as separate directories. For example, /Debian/all.zip contains all vulnerabilities for the Debian ecosystem across all releases, while /Debian:11/all.zip and /Debian:12/all.zip only contain vulnerabilities where that particular release is impacted. This is rather inefficient and leads to significant duplication, particularly as some newer ecosystems, such as SUSE, can have over 300 sub-ecosystems.
To address this, we have made the following decisions:
1. Deprecation of Sub-ecosystem Exports: We have stopped updating all.zip files for sub-ecosystems like Debian:11 (/Debian:11/all.zip) and Debian:12 (/Debian:12/all.zip). This change is already in effect for new vulnerabilities. The parent ecosystem all.zip (e.g. /Debian/all.zip) remains unchanged and will continue to contain all vulnerabilities for that ecosystem.
2. Update to ecosystem.txt: To minimize disruption, the names of these sub-ecosystems will remain in the full ecosystem.txt list for the next two weeks (until October 25, 2024), after which we will remove them.
3. Removal of Sub-ecosystem Directories: These directories (e.g. osv-vulnerabilities/Debian:11) will be completely removed after the changes to ecosystem.txt.
Please ensure that you are not relying on data from the sub-directories mentioned above, as they will be removed shortly. If you have any questions or concerns, please don't hesitate to contact us before the removal of the sub-directories.
We will also soon release a unified all.zip file containing all vulnerabilities from all ecosystems, including those withdrawn from upstream. This unified file will provide a streamlined and comprehensive way to access OSV data.
Best,
Holly on behalf of the OSV team
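
For consumers moving off the per-release archives, the following added example (not code from the OSV team) rebuilds a per-release view such as Debian:11 from the parent ecosystem archive. It assumes the archive holds one OSV JSON record per file and that each `affected[].package.ecosystem` carries the release-qualified name; the function names, record IDs and package names are hypothetical, and the sample archive is constructed in memory.

```python
import io
import json
import zipfile


def filter_by_sub_ecosystem(zip_bytes, sub_ecosystem):
    """Return {id: record} for records in a parent all.zip that affect
    sub_ecosystem, with affected[] trimmed to that release only."""
    selected = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if not name.endswith(".json"):
                continue
            record = json.loads(archive.read(name))
            # Exact match on the release-qualified ecosystem, so "Debian:1"
            # never matches "Debian:11" by prefix.
            matching = [
                entry for entry in record.get("affected", [])
                if entry.get("package", {}).get("ecosystem") == sub_ecosystem
            ]
            if matching:
                selected[record["id"]] = {**record, "affected": matching}
    return selected


def build_sample_zip():
    """Constructed stand-in for /Debian/all.zip (IDs and packages are made up)."""
    def affected(pkg, release):
        return {"package": {"ecosystem": release, "name": pkg}}

    records = [
        {"id": "EXAMPLE-0001", "affected": [affected("examplepkg", "Debian:11"),
                                            affected("examplepkg", "Debian:12")]},
        {"id": "EXAMPLE-0002", "affected": [affected("otherpkg", "Debian:12")]},
        {"id": "EXAMPLE-0003", "affected": [affected("thirdpkg", "Debian:11")]},
    ]
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for record in records:
            archive.writestr(record["id"] + ".json", json.dumps(record))
    return buffer.getvalue()


if __name__ == "__main__":
    # In real use, zip_bytes would be the downloaded parent archive.
    for vuln_id in sorted(filter_by_sub_ecosystem(build_sample_zip(), "Debian:11")):
        print(vuln_id)
```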