Release 1.6.1

CHANGELOG.md

@@ -0,0 +1,30 @@
+# Change Log
+
+- 2021-03-29 added "withdrawn" field
+- 2021-04-07 changed "details" to Markdown, change "references" to a list of
+  objects with a new "type" field in addition to the URL.
+- 2021-04-23 handful of changes, see Status - 2021-04-23 below for details. Corrected examples.
+- 2021-04-26 changed `database-specific` and `ecosystem-specific` to
+  `database_specific` and `ecosystem_specific` for easier access from languages
+  that access JSON field keys using x.field notation.
+- 2021-06-08 Added "purl" to the "package" field and some minor clarifications.
+- 2021-06-30 Fixed an incorrect/typoed specification for "affects" from an array
+  of objects to an object.
+- 2021-08-17 Support multiple packages per entry by moving `packages`,
+  `ecosystem_specific` and `database_specific` into `affected`. The `affected`
+  field is intentionally named differently to the previous `affects` field to
+  make migration easier. Also use "events" containing single versions to
+  represent affected version ranges instead.
+- 2021-09-08 Promoted schema to 1.0.
+- 2022-01-19 Released version 1.2.0. Includes various changes suggested by
+  GitHub (`schema_version`, top-level `database_specific`, `credits`,
+  `severity`, relaxation of version enumeration requirement).
+- 2022-03-24 Released version 1.3.0. Added `last_affected` event type and
+  `database_specific` to `affected[].ranges[]`.
+  Context: https://github.com/ossf/osv-schema/issues/35.
+- 2023-02-21 Released version 1.4.0. Added per package `severity` and
+  credit types.
+- 2023-04-26 Released version 1.5.0. Added new reference types.
+- 2023-08-11 Released version 1.6.0. Several new databases and clarified
+  definitions of `aliases` and `related`.
+- 2023-11-29 Released version 1.6.1. Some cleanup of the schema layout.

README.md

@@ -1,39 +1,52 @@
-# Open Source Vulnerability Schema 
+# Open Source Vulnerability Schema
 
-This is the repository for the Open Source Vulnerability schema, which is currently exported by:
+This is the repository for the Open Source Vulnerability schema (OSV Schema), which is currently exported by:
+- [AlmaLinux](https://github.com/AlmaLinux/osv-database)
+- [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
+- [Curl](https://curl.se/docs/vuln.json)
 - [GitHub Security Advisories](https://github.com/github/advisory-database)
-- [PyPI Advisory Database](https://github.com/pypa/advisory-database)
-- [Go Vulnerability Database](https://github.com/golang/vulndb)
-- [Rust Advisory Database](https://github.com/RustSec/advisory-db)
 - [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database)
-- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
+- [Go Vulnerability Database](https://github.com/golang/vulndb)
+- [Haskell Security Advisories](https://github.com/haskell/security-advisories)
 - [LoopBack Advisory Database](https://github.com/loopbackio/security/tree/main/advisories)
+- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
+- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD)
+- [PyPI Advisory Database](https://github.com/pypa/advisory-database)
+- [Python Software Foundation Database](https://github.com/psf/advisory-database)
+- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
 - [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv)
-- [AlmaLinux](https://github.com/AlmaLinux/osv-database)
-- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources)
+- [Rust Advisory Database](https://github.com/RustSec/advisory-db)
+- [VMWare Photon OS](https://github.com/vmware/photon/wiki/Security-Advisories) (unofficial)
 
 Together, these include vulnerabilities from:
 -   AlmaLinux
 -   Alpine
 -   Android
+-   Bitnami
 -   crates.io
 -   Debian GNU/Linux
 -   GitHub Actions
 -   Go
+-   Haskell
 -   Hex
 -   Linux kernel
 -   Maven
 -   npm
 -   NuGet
 -   OSS-Fuzz
 -   Packagist
+-   Photon OS
 -   Pub
 -   PyPI
+-   Python
+-   R (CRAN and Bioconductor)
 -   Rocky Linux
 -   RubyGems
 
-These vulnerabilites are aggregated by https://osv.dev.
+These vulnerabilites are aggregated by <https://osv.dev>.
 
 Reference tooling (e.g. converters) can be found in the [tools/](tools) directory
 
-The current version of spec is rendered [here](https://ossf.github.io/osv-schema/).
+The current version of the specification is rendered [here](https://ossf.github.io/osv-schema/).
+
+The OSV-Schema specification and the tools here are maintained by the [Open Source Security Foundation (OpenSSF)](https://openssf.org/) [Vulnerability Disclosures Working Group (WG)](https://github.com/ossf/wg-vulnerability-disclosures).

docs/Gemfile

@@ -1,5 +1,8 @@
 source "https://rubygems.org"
 
-gem "jekyll-github-metadata"
-gem "jekyll-text-theme"
-gem "github-pages", group: :jekyll_plugins
+gem "github-pages", "~> 228", group: :jekyll_plugins
+group :jekyll_plugins do
+  gem "jekyll-feed", "~> 0.12"
+end
+
+gem "webrick", "~> 1.7"

docs/Gemfile.lock

@@ -1,63 +1,42 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.4.4)
+    activesupport (7.0.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.8.4)
+      public_suffix (>= 2.0.2, < 6.0)
     coffee-script (2.4.1)
       coffee-script-source
       execjs
     coffee-script-source (1.11.1)
     colorator (1.1.0)
-    commonmarker (0.17.13)
-      ruby-enum (~> 0.5)
-    concurrent-ruby (1.1.9)
-    dnsruby (1.61.9)
-      simpleidn (~> 0.1)
+    commonmarker (0.23.9)
+    concurrent-ruby (1.2.2)
+    dnsruby (1.70.0)
+      simpleidn (~> 0.2.1)
     em-websocket (0.5.3)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0)
-    ethon (0.15.0)
+    ethon (0.16.0)
       ffi (>= 1.15.0)
     eventmachine (1.2.7)
     execjs (2.8.1)
-    faraday (1.9.3)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.7.8)
+      faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.3)
-      multipart-post (>= 1.2, < 3)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.2)
     ffi (1.15.5)
     forwardable-extended (2.6.0)
     gemoji (3.0.1)
-    github-pages (223)
+    github-pages (228)
       github-pages-health-check (= 1.17.9)
-      jekyll (= 3.9.0)
+      jekyll (= 3.9.3)
       jekyll-avatar (= 0.7.0)
       jekyll-coffeescript (= 1.1.1)
-      jekyll-commonmark-ghpages (= 0.1.6)
+      jekyll-commonmark-ghpages (= 0.4.0)
       jekyll-default-layout (= 0.1.4)
       jekyll-feed (= 0.15.1)
       jekyll-gist (= 1.5.0)
@@ -71,7 +50,7 @@ GEM
       jekyll-relative-links (= 0.6.1)
       jekyll-remote-theme (= 0.4.3)
       jekyll-sass-converter (= 1.5.2)
-      jekyll-seo-tag (= 2.7.1)
+      jekyll-seo-tag (= 2.8.0)
       jekyll-sitemap (= 1.4.0)
       jekyll-swiss (= 1.0.0)
       jekyll-theme-architect (= 0.2.0)
@@ -89,12 +68,12 @@ GEM
       jekyll-theme-time-machine (= 0.2.0)
       jekyll-titles-from-headings (= 0.5.3)
       jemoji (= 0.12.0)
-      kramdown (= 2.3.1)
+      kramdown (= 2.3.2)
       kramdown-parser-gfm (= 1.1.0)
-      liquid (= 4.0.3)
+      liquid (= 4.0.4)
       mercenary (~> 0.3)
       minima (= 2.5.1)
-      nokogiri (>= 1.12.5, < 2.0)
+      nokogiri (>= 1.13.6, < 2.0)
       rouge (= 3.26.0)
       terminal-table (~> 1.4)
     github-pages-health-check (1.17.9)
@@ -103,17 +82,17 @@ GEM
       octokit (~> 4.0)
       public_suffix (>= 3.0, < 5.0)
       typhoeus (~> 1.3)
-    html-pipeline (2.14.0)
+    html-pipeline (2.14.3)
       activesupport (>= 2)
       nokogiri (>= 1.4)
     http_parser.rb (0.8.0)
-    i18n (0.9.5)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
-    jekyll (3.9.0)
+    jekyll (3.9.3)
       addressable (~> 2.4)
       colorator (~> 1.0)
       em-websocket (~> 0.5)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       jekyll-sass-converter (~> 1.0)
       jekyll-watch (~> 2.0)
       kramdown (>= 1.17, < 3)
@@ -127,13 +106,13 @@ GEM
     jekyll-coffeescript (1.1.1)
       coffee-script (~> 2.2)
       coffee-script-source (~> 1.11.1)
-    jekyll-commonmark (1.3.1)
-      commonmarker (~> 0.14)
-      jekyll (>= 3.7, < 5.0)
-    jekyll-commonmark-ghpages (0.1.6)
-      commonmarker (~> 0.17.6)
-      jekyll-commonmark (~> 1.2)
-      rouge (>= 2.0, < 4.0)
+    jekyll-commonmark (1.4.0)
+      commonmarker (~> 0.22)
+    jekyll-commonmark-ghpages (0.4.0)
+      commonmarker (~> 0.23.7)
+      jekyll (~> 3.9.0)
+      jekyll-commonmark (~> 1.4.0)
+      rouge (>= 2.0, < 5.0)
     jekyll-default-layout (0.1.4)
       jekyll (~> 3.0)
     jekyll-feed (0.15.1)
@@ -164,17 +143,11 @@ GEM
       rubyzip (>= 1.3.0, < 3.0)
     jekyll-sass-converter (1.5.2)
       sass (~> 3.4)
-    jekyll-seo-tag (2.7.1)
+    jekyll-seo-tag (2.8.0)
       jekyll (>= 3.8, < 5.0)
     jekyll-sitemap (1.4.0)
       jekyll (>= 3.7, < 5.0)
     jekyll-swiss (1.0.0)
-    jekyll-text-theme (2.2.6)
-      jekyll (>= 3.6, < 5.0)
-      jekyll-feed (~> 0.1)
-      jekyll-paginate (~> 1.1)
-      jekyll-sitemap (~> 1.0)
-      jemoji (~> 0.8)
     jekyll-theme-architect (0.2.0)
       jekyll (> 3.5, < 5.0)
       jekyll-seo-tag (~> 2.0)
@@ -223,39 +196,36 @@ GEM
       gemoji (~> 3.0)
       html-pipeline (~> 2.2)
       jekyll (>= 3.0, < 5.0)
-    kramdown (2.3.1)
+    kramdown (2.3.2)
       rexml
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.7.1)
+    liquid (4.0.4)
+    listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     mercenary (0.3.6)
-    mini_portile2 (2.7.1)
+    mini_portile2 (2.8.2)
     minima (2.5.1)
       jekyll (>= 3.5, < 5.0)
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
-    minitest (5.15.0)
-    multipart-post (2.1.1)
-    nokogiri (1.13.1)
-      mini_portile2 (~> 2.7.0)
+    minitest (5.18.1)
+    nokogiri (1.15.2)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    octokit (4.22.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
+    octokit (4.25.1)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
-    public_suffix (4.0.6)
-    racc (1.6.0)
-    rb-fsevent (0.11.0)
+    public_suffix (4.0.7)
+    racc (1.7.1)
+    rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rexml (3.2.5)
     rouge (3.26.0)
-    ruby-enum (0.9.0)
-      i18n
     ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
     safe_yaml (1.0.5)
@@ -264,31 +234,30 @@ GEM
     sass-listen (4.0.0)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
-    sawyer (0.8.2)
+    sawyer (0.9.2)
       addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
+      faraday (>= 0.17.3, < 3)
     simpleidn (0.2.1)
       unf (~> 0.1.4)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
-    thread_safe (0.3.6)
     typhoeus (1.4.0)
       ethon (>= 0.9.0)
-    tzinfo (1.2.9)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.8)
+    unf_ext (0.0.8.2)
     unicode-display_width (1.8.0)
-    zeitwerk (2.5.4)
+    webrick (1.8.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  github-pages
-  jekyll-github-metadata
-  jekyll-text-theme
+  github-pages (~> 228)
+  jekyll-feed (~> 0.12)
+  webrick (~> 1.7)
 
 BUNDLED WITH
    2.1.4