Proposal: add new severity[].source field #248

Open
marco-silva0000 opened this issue Jun 21, 2024 · 1 comment
Comments

@marco-silva0000

Proposal to add a new optional string field on a severity entry that represents "who" scored or where that scoring came from.

Different entities score vulnerabilities differently, and sometimes different sources don't agree on the scoring for the same vulnerability; this would allow the schema to support both instead of having to make a decision on which one is best.

@oliverchang
Contributor

Hi,

So sorry for missing this issue earlier!

As OSV is a distributed database, where database owners publish their own vulnerability records, the implication is that all values in that record (including severity values) come from the database itself.

For example, if a GHSA advisory has a severity field, then the implication is that this severity comes from GitHub (or at least, GitHub endorses the severity if it came from somewhere else).
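The situation the proposal and the reply describe, as an added example that is not code from this thread or from the OSV project: a record carrying two `CVSS_V3` entries from different scorers, a check for whether the scorers disagree, selection by a consumer's own source preference, and the attribution rule from the reply (no `source` means the publishing database scored it). The `source` field is the proposal's hypothetical field, not part of the published schema; the record, the placeholder ids and the `PREFIX_TO_DATABASE` mapping are constructed for this example.

```python
"""Resolve OSV severity[] entries when more than one party has scored a record."""
from typing import Dict, Optional

# Constructed OSV-style record. `source` is the proposed, hypothetical field.
RECORD = {
    "id": "GHSA-xxxx-xxxx-xxxx",  # placeholder id, not a real advisory
    "severity": [
        {"type": "CVSS_V3",
         "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
         "source": "github.com"},
        {"type": "CVSS_V3",
         "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
         "source": "nvd.nist.gov"},
    ],
}

# Constructed record with no `source`: today's schema shape.
UNTAGGED = {
    "id": "GHSA-yyyy-yyyy-yyyy",  # placeholder id
    "severity": [
        {"type": "CVSS_V3",
         "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
    ],
}

# Assumption for this example: the id prefix identifies the publishing database.
PREFIX_TO_DATABASE = {"GHSA": "github.com"}


def implied_source(record: dict, entry: dict) -> str:
    """Return who scored one severity entry.

    With an explicit `source` that party is the scorer; without one, the value
    is attributed to the database that published the record (the reply's rule).
    """
    if "source" in entry:
        return entry["source"]
    prefix = record["id"].split("-", 1)[0]
    return PREFIX_TO_DATABASE.get(prefix, "unknown")


def scores_by_type(record: dict, sev_type: str) -> Dict[str, str]:
    """Map scorer -> score string for every entry of the given severity type."""
    return {implied_source(record, e): e["score"]
            for e in record.get("severity", []) if e["type"] == sev_type}


def sources_disagree(record: dict, sev_type: str = "CVSS_V3") -> bool:
    """True when at least two scorers gave different scores of the same type."""
    return len(set(scores_by_type(record, sev_type).values())) > 1


def select_severity(record: dict, sev_type: str = "CVSS_V3",
                    preference=("nvd.nist.gov", "github.com")) -> Optional[str]:
    """Pick the score from the most preferred scorer present.

    Falls back to the first entry of that type when no preferred scorer is
    present, and returns None when the record has no entry of that type.
    """
    scores = scores_by_type(record, sev_type)
    for src in preference:
        if src in scores:
            return scores[src]
    return next(iter(scores.values()), None)


if __name__ == "__main__":
    print("disagree:", sources_disagree(RECORD))
    print("chosen:", select_severity(RECORD))
    print("untagged scored by:", implied_source(UNTAGGED, UNTAGGED["severity"][0]))
```

The consumer, not the schema, decides whose score wins; the `source` field only makes that choice possible instead of forcing the database to pick one score at publication time.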
