Update schema to match documentation and require schema_version #132
Conversation
Signed-off-by: Josh Buker <crypto@joshbuker.com>
|
Hey, thanks for this change! However, we can't do this, because the intention of the schema validator is to provide a single schema that can validate all OSV schema versions up to the given version (Because of our backwards compatibiltiy guarantees -- see #116 (comment)). That's not to say we shouldn't validate this, and I think we should address this as part of a tool instead, which can be a bit smarter about knowing when |
|
Can this be distinguished with a "rolling" schema, and a versioned schema? In v1.4.0 and above, schema_version is required. That should be reflected in the schema... If it's not, then it's not truly required. |
|
the schema_version has always been required > 1.0.0, we just haven't had the chance to implement the proposed tool to check this. We just made the text a bit clearer in the 1.4.0 version. Having two schemas to maintain sounds like a fair bit of maintenance burden, when I think the correct approach to go with is having a smart tool that can handle all of this and more. |
|
Also, it shouldn't cause any issues for those producing osv < 1.4.0, as those versions of the schema don't require it. Only those complying to future versions would need to include it. |
Using proper semver and the built-in required properties field is low maintenance and solves the issue with existing tooling like python-jsonschema/jsonschema. Those producing osv versions before this would be unaffected, as they would point to a version of the schema without said requirement...Unless they're pointing at main, which implies they're using the latest anyway. Those who don't specify schema_version being implied to be v1.0.0 would mean they point at https://raw.githubusercontent.com/ossf/osv-schema/v1.0.0/validation/schema.json, which...404's. There should be a tag added for v1.0.0 so that resolves properly. Created #139 to track this. But those pointing at https://raw.githubusercontent.com/ossf/osv-schema/v1.0.0/validation/schema.json would not require schema_version as it wasn't introduced as being required yet. This is a non-blocker for maintaining backwards compatibility for anyone using the appropriate schema and semver. |
|
We've tried to avoid requiring tooling to have to understand multiple copies of the OSV schema, because that inevitably lead to a fair bit of complexity. A client consuming OSV shouldn't have to maintain several copies of the schema to validate/understand. They should just be able to rely on the latest and expect that to validate older versions as well. Our backwards compatibility guarantees are (from the schema documentation for
Thanks for catching #139 ! |
|
Would this not work by parsing >=1.0.0 && < 2.0.0? The client parsing would be able to either pull dynamically via the canonical URL combined with the SEMVER provided in schema_version (or 1.0.0 if null), or simply use the latest schema they have compatibility with. This is what we're doing with GSD for example, as @kurtseifried can elaborate. |
Per ossf#132 (comment), OSV uses a rolling release that is fully backwards compatible, preventing the use of SEMVER for versioning. Updating $id to reflect this, as there will not be a v2 pushed to main, and all future versions are defined as backwards compatible with older versions. Signed-off-by: Josh Buker <crypto@joshbuker.com>
Fixes #52 Per #132 (comment), the OSV schema must be fully backwards interoperable, meaning using main instead of a specific version tag is the sanest option. --------- Signed-off-by: Josh Buker <crypto@joshbuker.com>
Per https://github.com/ossf/osv-schema/blob/main/docs/schema.md?plain=1#L185 and #122
schema_version is required, which should be reflected in the schema for versions 1.4.0 and above.