Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove example collection URLs from the CVE schema file #361

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

darakian
Copy link

Kicking up a minimal PR to make the schema file itself a little easier to parse (for a human). The examples seem like they are not relevant for a machine, but please correct me if I'm wrong in that assumption. Open to changing where the documentation for the examples goes, fleshing out the new markdown file more, or whatever else seems like a good idea prior to merging this PR. Let me know what you all think and/or if this is a bad idea and we can close it out without merge too :)

Kicking up a minimal PR to make the schema file itself a little easier to parse (for a human). The examples seem like they are not relevant for a machine, but please correct me if I'm wrong in that assumption.
Open to changing where the documentation for the examples goes, fleshing out the new markdown file more, or whatever else seems like a good idea prior to merging this PR.
Let me know what you all think and/or if this is a bad idea and we can close it out without merge too :)
@mprpic
Copy link
Contributor

mprpic commented Nov 13, 2024

While the examples are not overly useful in the schema itself when used for validation, the browseable web UI version of the schema is quite readable for a human and probably benefits from having the examples listed: https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_cna_affected_items_collectionURL

I personally would prefer to keep the examples within the schema.

@darakian
Copy link
Author

Interesting. I guess that webui is generated from the schema file itself?

@mprpic
Copy link
Contributor

mprpic commented Nov 13, 2024

@darakian
Copy link
Author

I see. Sorry I wasn't aware. Do you think this PR might still be worth discussing as a reduction in the number of examples instead of outright removing the full set?

@mprpic
Copy link
Contributor

mprpic commented Nov 14, 2024

@darakian I think it's important to have the full set somewhere (doesn't have to be in schema examples, I suppose), but what I would actually prefer to have is a mapping of collectionUrls to purl types to get rid of the "yet another way to identify component types" nature of these URLs.

@darakian
Copy link
Author

I would actually prefer to have is a mapping of collectionUrls to purl types

Is that even possible? collectionUrls seem to just be arbitrary urls as far as I can tell.

@mprpic
Copy link
Contributor

mprpic commented Nov 15, 2024

@darakian I don't see it as something enforceable by a schema (unless we truly switch to purl-based component identification), more of a side mapping. And while it is a relatively random collection of URLs, you can note that most of them relate to specific package types and specific package indexes or vendors that publish them.

@darakian
Copy link
Author

I don't see it as something enforceable by a schema

Not sure I follow. Are you saying that the mapping of collection urls to purls can't be enforced or something else?

And while it is a relatively random collection of URLs, you can note that most of them relate to specific package types and specific package indexes or vendors that publish them.

Most is not all though. Having a long list of example arbitrary urls is a bit strange to me.

fwiw I understand the value of a collection url to be something for a human who when given the (url, id) tuple will be able to make sense of it. Please correct me if I'm wrong in that understanding.

Copy link

@MakotoGew MakotoGew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants