-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document version of OSV schema #113
Comments
In the absence of an explicit value, the value is assumed to be "1.0.0" per https://ossf.github.io/osv-schema/#schema_version-field, which predates the addition of this field. The OSV schema is intended to be backwards compatible, in that newer versions do not change the meaning of existing fields. |
That said, we can very easily update the schema_versions here, we just haven't had the need to adopt the newer fields added since 1.0.0 yet. |
Can I suggest that PyPa document this in the README.md? E.g. "We use OSV 1.0.0 in YAML format for the files" and if you ever change you can update the docs. Thanks |
I'd merge a PR with this change. I've updated the issue title accordingly. Thanks! |
The confusion here is why ossf/osv-schema#131 and ossf/osv-schema#132 would be useful to include. |
So other OSV based YAML vuln databases include the schema_version tag (e.g. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/antlr4-java/OSV-2022-667.yaml), which version of the OSV schema is PyPa currently using?
The only reference I found was in #73 which points to the current OSV schema file (which doesn't require the schema_version tag, but it's something I've suggested in ossf/osv-schema#116)
The text was updated successfully, but these errors were encountered: