So here is an example of a Red Hat Security Advisory that has an update for a security update to the tcp_wrappers package:
https://access.redhat.com/errata/RHBA-2007:0565

Red Hat also publishes an OVAL for it:
https://www.redhat.com/security/data/oval/com.redhat.rhba-20070565.xml

And while the format is XML based, it is fairly similar to the OSV format. The format isn't quite as clean, however I think if you view this section:
```
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20070565004"/>
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhba:tst:20070565003"/>
<criterion comment="tcp_wrappers is earlier than 0:7.6-40.4.el5" test_ref="oval:com.redhat.rhba:tst:20070565001"/>
<criterion comment="tcp_wrappers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20070565002"/>
</criteria>
</criteria>
```
That can likely be translated to the OSV `affected.ranges` syntax. And I think the references and similar things have similar issues. There are some extra controls in the OVAL format to help better handle alternative package repositories, different OS releases (RHEL5, vs 6, vs 7 etc...). The Ubuntu/Debian formats are a little less uniform; but that might be doable still.
It just seems very challenging to get organizations who've never seemed to be big fans of OVAL to also publish in another security format.
CRH
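
The translation suggested in the post above, sketched as an added example (not part of the original post and not Red Hat's or OSV's own tooling): it flattens the quoted criteria tree into OR-of-AND branches and emits an OSV-style `affected` entry for each branch that carries an "is earlier than" bound. The comment-string patterns and the `Red Hat:<release>` ecosystem label are assumptions made for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET
from itertools import product

# Criteria block as quoted in the post (no XML namespaces, as shown there).
OVAL_CRITERIA = """
<criteria operator="OR">
 <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20070565004"/>
 <criteria operator="AND">
  <criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhba:tst:20070565003"/>
  <criterion comment="tcp_wrappers is earlier than 0:7.6-40.4.el5" test_ref="oval:com.redhat.rhba:tst:20070565001"/>
  <criterion comment="tcp_wrappers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20070565002"/>
 </criteria>
</criteria>
"""

# Assumed comment conventions, inferred from the quoted snippet only.
EARLIER = re.compile(r"^(?P<pkg>\S+) is earlier than (?P<evr>\S+)$")
RELEASE = re.compile(r"^Red Hat Enterprise Linux (?P<rel>\d+) is installed$")

def conjunctions(node):
    """Flatten a criteria tree into OR-of-ANDs: a list of comment lists."""
    if node.tag.rsplit("}", 1)[-1] == "criterion":  # tolerate namespaced tags
        return [[node.get("comment", "")]]
    parts = [conjunctions(child) for child in node]
    if node.get("operator", "AND") == "OR":
        return [conj for part in parts for conj in part]
    return [sum(combo, []) for combo in product(*parts)]  # AND: cross product

def to_osv_affected(xml_text, ecosystem="Red Hat"):
    """Build OSV-style `affected` entries; `ecosystem` label is an assumption."""
    affected = []
    for comments in conjunctions(ET.fromstring(xml_text.strip())):
        pkg = next((m for m in map(EARLIER.match, comments) if m), None)
        if pkg is None:
            continue  # branch has no version bound, nothing to express as a range
        rel = next((m for m in map(RELEASE.match, comments) if m), None)
        eco = f"{ecosystem}:{rel['rel']}" if rel else ecosystem
        affected.append({
            "package": {"ecosystem": eco, "name": pkg["pkg"]},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": pkg["evr"]}]}],
        })
    return affected

if __name__ == "__main__":
    print(json.dumps(to_osv_affected(OVAL_CRITERIA), indent=2))
```

The signing-key criterion has no counterpart in an OSV range, so this sketch drops it; that is one of the extra OVAL controls the post mentions.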