Open
Description
https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html
This new vulnerability schema aims to address some key problems with managing vulnerabilities in open source. We found that there was no existing standard format which:
- Enforces version specification that precisely matches naming and versioning schemes used in actual open source package ecosystems. For instance, matching a vulnerability such as a CVE to a package name and set of versions in a package manager is difficult to do in an automated way using existing mechanisms such as CPEs.
- Can be used to describe vulnerabilities in any open source ecosystem, while not requiring ecosystem-dependent logic to process them.
- Is easy to use by both automated systems and humans.
This is the gist of it:
{
    "id": string,
    "modified": string,
    "published": string,
    "withdrawn": string,
    "aliases": [ string ],
    "related": [ string ],
    "package": {
        "ecosystem": string,
        "name": string,
        "purl": string
    },
    "summary": string,
    "details": string,
    "affects": [ {
        "ranges": [ {
            "type": string,
            "repo": string,
            "introduced": string,
            "fixed": string
        } ],
        "versions": [ string ]
    } ],
    "references": [ {
        "type": string,
        "url": string
    } ],
    "ecosystem_specific": { see spec },
    "database_specific": { see spec }
}
Here is the spec doc: https://docs.google.com/document/d/1sylBGNooKtf220RHQn1I8pZRmqXZQADDQ_TOABrKTpA/edit
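The practical point of the schema is that `affects.ranges` (introduced/fixed pairs) and `affects.versions` let a scanner decide, without ecosystem-specific logic, whether the version it has installed is vulnerable. The following is an added example, not code from the blog post or from the OSV project: it walks a record shaped like the sketch above and answers that question for a semantic-versioned package. The advisory record is constructed for illustration (the id, package name, versions and URL are made up), and the range type value `"SEMVER"` is assumed from the linked spec.

```python
"""Match an installed package version against the 'affects' section of an
OSV-style vulnerability record. Added example; not from the blog post."""
from typing import Any, Dict, Tuple

# Constructed sample advisory in the shape sketched above. Every value here
# is made up for illustration; "SEMVER" is assumed to be the spec's range
# type for semantic-version ranges.
SAMPLE_ADVISORY: Dict[str, Any] = {
    "id": "EXAMPLE-2021-0001",
    "modified": "2021-06-24T00:00:00Z",
    "published": "2021-06-24T00:00:00Z",
    "aliases": ["CVE-XXXX-XXXXX"],  # placeholder alias
    "package": {
        "ecosystem": "PyPI",
        "name": "examplelib",
        "purl": "pkg:pypi/examplelib",
    },
    "summary": "Constructed example advisory",
    "details": "Two separate release lines were affected and fixed.",
    "affects": [
        {
            # Half-open intervals: [introduced, fixed)
            "ranges": [
                {"type": "SEMVER", "introduced": "1.2.0", "fixed": "1.4.1"},
                {"type": "SEMVER", "introduced": "2.0.0", "fixed": "2.0.3"},
            ],
            # Explicit enumeration of published versions inside those ranges
            "versions": ["1.2.0", "1.3.0", "1.4.0", "2.0.0", "2.0.1", "2.0.2"],
        }
    ],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
}


def semver_key(version: str) -> Tuple[int, int, int, int, str]:
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a sortable key.

    Build metadata is ignored. A pre-release sorts below the final release
    with the same core (the 4th element is 0 for pre-release, 1 for final);
    pre-release identifiers are compared as plain strings, which is enough
    for this example but simpler than the full semver precedence rules.
    """
    core, _, _build = version.partition("+")
    core, _, prerelease = core.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts[:3]
    return (major, minor, patch, 0 if prerelease else 1, prerelease)


def version_in_range(version: str, rng: Dict[str, str]) -> bool:
    """True if version lies in [introduced, fixed) of a SEMVER range.

    A missing 'introduced' is treated as 'from the first version'; a missing
    'fixed' means no fix is known yet, so every later version is affected.
    """
    if rng.get("type") != "SEMVER":
        raise ValueError("only SEMVER ranges are handled in this example")
    v = semver_key(version)
    introduced = rng.get("introduced")
    fixed = rng.get("fixed")
    if introduced is not None and v < semver_key(introduced):
        return False
    if fixed is not None and v >= semver_key(fixed):
        return False
    return True


def is_affected(advisory: Dict[str, Any], ecosystem: str, name: str, version: str) -> bool:
    """Decide whether (ecosystem, name, version) is covered by the advisory.

    The package must match on both ecosystem and name; then either an
    explicit entry in 'versions' or membership in any SEMVER range counts.
    """
    pkg = advisory["package"]
    if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
        return False
    for affect in advisory.get("affects", []):
        if version in affect.get("versions", []):
            return True
        for rng in affect.get("ranges", []):
            if rng.get("type") == "SEMVER" and version_in_range(version, rng):
                return True
    return False


if __name__ == "__main__":
    for candidate in ["1.1.9", "1.3.5", "1.4.1-rc1", "1.4.1", "2.0.2", "2.0.3"]:
        print(candidate, "affected" if is_affected(SAMPLE_ADVISORY, "PyPI", "examplelib", candidate) else "not affected")
```

Note that `1.3.5` is flagged even though it is not listed in `versions`: the range is what makes the record useful for versions that were never enumerated, while the explicit list is what a tool can use when it cannot, or does not want to, interpret the ecosystem's version ordering.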