feat(test): add BellSoft Security Advisory feed to test environment (… #3608
Conversation
…oogle#3263) Ecosystems: - Alpaquita Linux - BellSoft Hardened Containers Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>
|
It looks like the records that are in that repository has IDs starting with CVE, but all the records has to being with the prefix defined in the schema: BELL-SA We would also prefer the filename to also start with BELL-SA, but that's technically optional, but the record ID itself definitely has to start with BELL-SA. |
|
thank you for your guidance.
I see. Then e.g. for CVE-2025-48060 we'll have our packages visible at URL https://osv.dev/vulnerability/BELL-SA-2025-48060 , not https://osv.dev/vulnerability/CVE-2025-48060 (with Alpine and Debian packages) ? If so what can be done for having our packages in https://osv.dev/vulnerability/CVE-2025-48060 ?
we can change it, yes. Also you didn't notice the wrong |
That is correct. We're looking to actually move the Alpine and Debian packages away from this main CVE ID, and move them to their own records, so the CVE-ID version will only involve data ingested directly from NVD/CVEList. The logic behind this on our end is that there are too many trackers and ecosystems referencing the same vulns to meanfully display them in one record, and not all users will need information from multiple distros. This will also allow better clarity around where we get our data from. Instead, please put the reference to the CVE-ID you are addressing in the 'upstream' field (this takes an array). On the frontend, all of the 'downstream' vulnerability references will be computed and shown like so on the 'upsteam' CVE ID entry: |
|
@jess-lowe , thank you so much for the detailed explanation. Then before I fix the things you're pointing at, I need this to be checked and merged: ossf/osv-schema#361 Thanks. |
|
Awesome, I will nudge the relevant reviewers for you :) |
…#3263)
Ecosystems:
ref: #3263