Utkarsh Gupta pushed to branch add-json-api-doc at Debian Security Tracker / security-tracker
Commits:
13fe0c14 by Utkarsh Gupta at 2025-07-17T20:23:31+05:30

Add JSON API documentation to the tracker

Closes: #15

- - - - -

1 changed file:

- doc/security-team.d.o/security_tracker

Changes:

=====================================
doc/security-team.d.o/security_tracker
=====================================
@@ -811,3 +811,39 @@ You can also add an announce list of type DSAFile to `data/config.json`, and then symlink `bin/gen-DSA` to e.g. `bin/gen-MYSA` and use that to create new advisories under your namespace. For that you will need to add a `data/mysa-needed.txt` file and `doc/MYSA.template`. + +JSON API Documentation +---------------------- + +A machine-readable JSON export of data from the Debian Security Tracker is +available at https://security-tracker.debian.org/tracker/data/json. This export +includes many internal fields — such as `description`, `scope`, `releases`, +`status`, `repositories`, `fixed_version`, and `urgency` — primarily intended +to support tooling related to triage and maintenance workflows. + +The structure of this data is not considered a stable public API and may change +over time. For the most accurate understanding of the available fields and +their meaning, refer to the calculateJson() function in the security_db module +(cf: https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/lib/python/security_db.py), +which defines how this export is generated. + +The following section provides informal documentation for selected fields to +aid understanding. + +### fixed_version + +The `fixed_version` field indicates the source package version in which a specific CVE +(Common Vulnerabilities and Exposures) was fixed. Once the source package is updated +to this version or later, it is no longer affected by the CVE. + +#### Why is fixed_version sometimes "0"? + +When fixed_version is set to "0", it signifies that the CVE does not affect the +source package present in the archive. Since there is no impacted version, no fix is +required — hence, no fixed version is applicable. + +#### Why is another version specified for the releases under the `repositories`? + +The version under the `repositories` tells you the version of the package that +is available in the archive for that particular release. 
That should not be +confused with the fixed_version. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fe0c143bed4850f1db1a13d44d9df00c27a1aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fe0c143bed4850f1db1a13d44d9df00c27a1aa You're receiving this email because of your account on salsa.debian.org.
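Review bot: The new section mixes heading styles: "JSON API Documentation" uses the file's existing setext underline (`----------------------`), but the subsections switch to ATX `###` / `####` markers; pick one convention for the whole section, matching the rest of `doc/security-team.d.o/security_tracker`. On content, the `fixed_version` text explains the "0" case but never says what readers should infer when the field is absent or empty for a release, which is the other case tooling has to handle; a one-sentence note there would close the gap. Finally, the `(cf: .../blob/master/lib/python/security_db.py)` link points at `master`, so the function it cites can move; since the same paragraph already warns the format "is not considered a stable public API", consider linking to the function by name only or to a fixed revision.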
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
