Version enumeration for Rocky Linux


Andrew Pollock

Feb 15, 2024, 1:14:27 AM
to Mustafa Gezen, osv-discuss
Hi Mustafa, I hope this finds you well.

The fact that there's no version enumeration code for the Rocky Linux ecosystem bubbled back up towards the top of my attention recently, and I thought I'd reach out to discuss a way forward to resolve this.

For context as to the need: while having the records in OSV.dev is great for general searching, and visibility on the website, without having the affected[].versions field populated, the OSV.dev API (and any downstream tooling using it, like OSV-Scanner) cannot determine if a particular package in between the introduced and fixed versions is vulnerable, which limits the utility of the data somewhat.

Do you have any availability this year to contribute the necessary version enumeration code to address this deficiency?

For reference, see https://github.com/google/osv.dev/tree/master/osv/ecosystems, in particular https://github.com/google/osv.dev/blob/master/osv/ecosystems/_ecosystems.py, and if an interactive conversation would help, please let me know and we can set up a meeting.

regards

Andrew

--


Andrew Pollock

Software Engineer, Google Open Source Security Team | apol...@google.com

Google LLC



Mustafa Gezen

Feb 22, 2024, 1:29:12 AM
to Andrew Pollock, osv-discuss
Hi Andrew,

Sorry for the late reply. We currently don't have a plan to introduce this field, but we can certainly take a look and see if we can prioritize it. It should be possible for us to provide that info.

Mustafa

Andrew Pollock

Feb 22, 2024, 4:34:21 AM
to Mustafa Gezen, osv-discuss
Hi Mustafa,

To clarify, you don't need to add this field; OSV.dev needs additional code so it can enumerate the versions during record import.

Regards

Andrew

Mustafa Gezen

Feb 22, 2024, 5:28:47 PM
to Andrew Pollock, osv-discuss
Ah, that explains it, so the contribution would be into the osv.dev enumeration code. Thanks for the clarification.
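
Added example, not part of the thread and not OSV.dev code: deciding whether a package version lies between `introduced` and `fixed` needs the ecosystem's own ordering rules, which plain string comparison does not give. The sketch assumes Rocky Linux versions are RPM `epoch:version-release` strings and uses a simplified rpm-style comparison (no `^` handling); all function names and sample versions are constructed for illustration.

```python
import re
from itertools import zip_longest

def _segments(s):
    # Runs of digits, runs of letters, and '~' markers; anything else is a separator.
    return re.findall(r"[0-9]+|[A-Za-z]+|~", s)

def rpmvercmp(a, b):
    """Simplified rpm-style comparison of one version or release string: -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == "~" or y == "~":          # '~' sorts before anything, even end of string
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:        # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():    # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)         # numeric compare, so 80 < 513 and 01 == 1
        if x != y:
            return -1 if x < y else 1
    return 0

def parse_evr(s):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; introduced '0' means 'from the start'."""
    return (introduced == "0" or evr_cmp(version, introduced) >= 0) and evr_cmp(version, fixed) < 0

if __name__ == "__main__":
    fixed = "0:4.18.0-513.5.1.el8_9"      # constructed sample values, not from a real record
    for v in ("0:4.18.0-80.el8", fixed, "0:4.18.0-553.el8_10"):
        print(v, is_affected(v, "0", fixed), "plain string compare says older:", v < fixed)
```
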