Evaluate osv.dev #2
Comments
Here's the docs for the OSV API: https://osv.dev/docs/
Also the PyPI API will probably be additional fields on the Release API: https://warehouse.readthedocs.io/api-reference/json.html#release, but you tell me if that makes sense.
I've spent a bit of time today looking at OSV and playing around with the API. I think all of the information in the vulnerability schema is useful, but at a bare minimum we'll need:
Those should give an idea of what the vulnerability is as well as the range of affected versions so that the user can remediate the issue by upgrading or downgrading as needed. As for @di's suggestion that it can be added to the end of the
Thanks! We'll use this info to design an initial API adaptor.
One thing that I noticed recently is that the OSV vulnerability schema lists multiple version ranges. So there can be multiple version-introduced/version-fixed pairs for a single vulnerability in the case where the same bug gets re-introduced. We'd want the PyPI API to work the same way for those types of vulnerabilities.
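As an added example (not pip-audit's or osv.dev's own code), this is how a consumer would walk the multiple introduced/fixed pairs described in the comment above and decide whether an installed version falls inside any of them. The OSV-style `affected` entry is constructed for illustration, and `parse_version` assumes plain dotted numeric versions rather than full PEP 440.

```python
from typing import Dict, List, Optional, Tuple

# Constructed OSV-style "affected" entry (not a real advisory): the bug was
# fixed in 1.2, re-introduced in 1.5 and fixed again in 1.6.1.
SAMPLE_AFFECTED: Dict = {
    "package": {"ecosystem": "PyPI", "name": "example-pkg"},
    "ranges": [{
        "type": "ECOSYSTEM",
        "events": [{"introduced": "0"}, {"fixed": "1.2"},
                   {"introduced": "1.5"}, {"fixed": "1.6.1"}],
    }],
}


def parse_version(v: str) -> Tuple[int, ...]:
    # Assumption: plain dotted numeric versions, not full PEP 440.
    # OSV uses "0" to mean "affected from the first release".
    return tuple(int(p) for p in v.split("."))


def affected_intervals(affected: Dict) -> List[Tuple[str, Optional[str]]]:
    """Collapse each range's ordered events into (introduced, fixed) pairs.

    An 'introduced' opens an interval and the next 'fixed' closes it; an
    'introduced' with no later 'fixed' stays open (fixed=None).
    """
    intervals: List[Tuple[str, Optional[str]]] = []
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges compare commits, not versions
        start = None
        for event in rng.get("events", []):
            if "introduced" in event:
                start = event["introduced"]
            elif "fixed" in event and start is not None:
                intervals.append((start, event["fixed"]))
                start = None
        if start is not None:
            intervals.append((start, None))
    return intervals


def is_vulnerable(version: str, affected: Dict) -> bool:
    """True when version lies in any half-open [introduced, fixed) interval."""
    v = parse_version(version)
    for introduced, fixed in affected_intervals(affected):
        if v >= parse_version(introduced) and (fixed is None or v < parse_version(fixed)):
            return True
    return False
```

Note that a version between the first fix and the re-introduction (here 1.3) is correctly reported as unaffected, which a naive "min introduced / max fixed" check would get wrong.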
Per @di: The final deliverable version of pip-audit will not use osv.dev, but instead should use a (hitherto unimplemented) REST API provided by PyPI. Since we'll need to consume that API, we should evaluate osv.dev and determine what we'd like to be different.