Upcoming change to OSV API format


Oliver Chang

Feb 25, 2021, 11:06:05 PM
to osv-discuss, osv-...@google.com
Dear OSV users,

If you do not rely on the OSV API result format, you can stop reading here.

This is an announcement that we will be making some minor breaking changes to the format of the vulnerabilities returned by https://api.osv.dev/v1 on March 9 2021 12PM PT.

The new format of Vulnerabilities returned is described here: https://osv.dev/docs/#tag/vulnerability_schema

A summary of the changes:
- The "affects.ranges" field is flattened for a less repetitive definition and to allow for SEMVER ranges.
- The "cves" field is generalized to "aliases".
- The "packageEcosystemMetadata" field (which was always empty before) is split out into "ecosystemSpecific" and "databaseSpecific".
- A "lastModified" field is added (output-only).

These changes are live today at https://api.osv.dev/v1new for migration and testing. After March 9, "v1" will begin to serve the new format. On March 16, "v1new" will be shut down.

The rationale for this change is that we want the Vulnerability schema we've defined to be more widely adopted as a vulnerability interchange format, and these changes were necessary to make this more generalizable. 

We apologize for any inconvenience this may cause. Since OSV has only been released for a month, we decided to incorporate the changes into our "v1" endpoint while our number of clients is fairly small and to avoid fragmentation.

Please let me know if you have questions or feedback about this migration. Getting everyone to agree on a format is difficult, but we hope to minimize any further backwards incompatible changes in the future.

Sorry for the inconvenience and thanks for your interest in OSV!
--
Oliver Chang, OSV developer.