potiuk opened a new issue, #311: URL: https://github.com/apache/airflow-steward/issues/311
Add `tools/osv/` as a read-only bridge to **OSV.dev** (Google's open-source vulnerability database). Complements the existing `tools/cve-org/` and `tools/vulnogram/` by providing OSV's per-ecosystem (PyPI, npm, Maven, Go, RubyGems, crates.io, Packagist, …) vulnerability records.

**Suggested capabilities:**

- `query --package <name> --ecosystem <pypi|npm|maven|...>` — list known vulns for a package
- `query --commit <sha> --repo <url>` — does a commit fix or introduce a known vuln?
- `vuln <OSV-ID>` — full record (references, affected ranges, fix commits, aliases including CVE/GHSA)
- `aliases <id>` — cross-walk CVE ↔ GHSA ↔ OSV (the alias graph is the most valuable single piece of OSV)

**Why:**

During `security-issue-triage`, before allocating a CVE, it's high-value to check whether OSV already has a record — to detect duplicates, to find the matching GHSA, and to find which downstream consumers are already warned. OSV is the **best machine-readable vulnerability cross-reference** available, and integrates cleanly with the existing CVE workflow.

Concrete consumers:

- `security-issue-triage` — early dedupe against the known-vuln set
- `security-issue-deduplicate` — alias resolution before merging trackers
- `security-cve-allocate` — sanity check that no existing OSV/GHSA already covers the report

**Reference:**

- OSV API: https://google.github.io/osv.dev/api/
- Existing CVE / vulnerability tooling: [`tools/cve-org/`](../tree/main/tools/cve-org/), [`tools/vulnogram/`](../tree/main/tools/vulnogram/)
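As an added illustration (not code from the issue or from airflow-steward), a small Python sketch of the read-only bridge proposed above: it builds the body for OSV's `POST /v1/query` (mapping the proposed lower-case ecosystem flags to OSV's case-sensitive names), calls the API, and walks a record's aliases and fixed events. The OSV-shaped record embedded at the end is constructed for the demonstration, not a real advisory.

```python
"""Constructed example: read-only helpers for the OSV.dev v1 API."""
import json
import urllib.request

OSV_API = "https://api.osv.dev/v1"
# OSV ecosystem names are case-sensitive; map the CLI spellings to the canonical ones.
ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm", "maven": "Maven", "go": "Go",
              "rubygems": "RubyGems", "crates.io": "crates.io", "packagist": "Packagist"}

def build_query(package=None, ecosystem=None, commit=None, version=None):
    """JSON body for POST /v1/query: either a package or a commit, never both."""
    if (package is None) == (commit is None):
        raise ValueError("give either package+ecosystem or commit")
    if commit is not None:
        return {"commit": commit}  # the API keys on the hash alone, no repo URL needed
    canonical = ECOSYSTEMS.get((ecosystem or "").lower())
    if canonical is None:
        raise ValueError(f"unsupported ecosystem: {ecosystem!r}")
    body = {"package": {"name": package, "ecosystem": canonical}}
    if version:
        body["version"] = version  # narrows the result to vulns affecting this version
    return body

def call(path, body=None):
    """GET (body None) or POST against the OSV API; network call, not exercised offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{OSV_API}/{path}", data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)  # e.g. call("query", build_query(...))["vulns"]

def alias_walk(record):
    """Group the record id and its aliases by family (CVE, GHSA, PYSEC, ...)."""
    groups = {}
    for ident in [record["id"], *record.get("aliases", [])]:
        groups.setdefault(ident.split("-", 1)[0], []).append(ident)
    return groups

def fix_events(record):
    """(range type, fixed value) pairs: versions for ECOSYSTEM ranges, SHAs for GIT ranges."""
    return [(r["type"], e["fixed"]) for a in record.get("affected", [])
            for r in a.get("ranges", []) for e in r.get("events", []) if "fixed" in e]

SAMPLE_RECORD = {  # constructed, OSV-shaped; not a real advisory
    "id": "PYSEC-0000-EXAMPLE", "aliases": ["CVE-0000-00000", "GHSA-xxxx-xxxx-xxxx"],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "example-pkg"}, "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]},
        {"type": "GIT", "repo": "https://example.invalid/repo",
         "events": [{"introduced": "0" * 40}, {"fixed": "f" * 40}]}]}]}
```

For the triage use case, `alias_walk(call(f"vulns/{osv_id}"))` answers whether a CVE or GHSA already covers a report before a new CVE is allocated.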
