Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Systemic issue with OSV JSON Schema compliance #2135

Open
andrewpollock opened this issue Nov 15, 2024 · 5 comments
Open

Systemic issue with OSV JSON Schema compliance #2135

andrewpollock opened this issue Nov 15, 2024 · 5 comments

Comments

@andrewpollock
Copy link

Hi,

By the looks of it, there's a systemic issue with how OSV records are being generated (invalid schema_version field).

OSV.dev would like to start validating OSV records imported both against the JSON Schema and (separately) the Properties of a High Quality OSV Record so it would be good to address this issue in the short term.

We'll be in touch separately about any other problems we identify with your records.

/cc @hogo6002
@Shnatsel
Copy link
Member

Ah, this appears to be a regression. I've opened a PR to fix this: rustsec/rustsec#1287

@Shnatsel Shnatsel mentioned this issue Nov 15, 2024
Merged
@andrewpollock
Copy link
Author

Could you also include OSV JSON Schema validation into your existing record linting workflow?

@andrewpollock
Copy link
Author

When do you anticipate republishing the records using code that incorporates #1287 ?
Ideally, the modified field should be updated to reflect the records have changed to assist with successful automatic updating by OSV.dev.

@Shnatsel
Copy link
Member

I'll try to deploy the update in the next few days. That should apply the change to all new files being published.

Updating the modified field is trickier. We need to either bump the modification time on all the original advisories in the database (not in the OSV export branch) with some sort of no-op commit, like adding and removing a newline at the end of file, or hardcode in the exporter that modification times before today-ish get automatically bumped to today, and I don't love either option.

Any thoughts from the other maintainers?

@tarcieri
Copy link
Member

tarcieri commented Dec 1, 2024

No-op commit(s) sound fine to me

andrewpollock added a commit to andrewpollock/osv.dev that referenced this issue Dec 1, 2024
@andrewpollock
feat: pilot enabling strict mode on all JSON Schema compliant sources
c355aa3 
This enables strict mode in the OSV.dev staging environment for all
sources in staging that have been deemed already be publishing 100% OSV
JSON Schema compliant records already, with the notable exception of the
RustSec Advisory Database due to rustsec/advisory-db#2135

Part of google#2188
@andrewpollock andrewpollock mentioned this issue Dec 1, 2024
Merged
andrewpollock added a commit to google/osv.dev that referenced this issue Dec 2, 2024
@andrewpollock
feat: pilot enabling strict mode on all JSON Schema compliant sources (
da895ff 
…#2943)

This enables strict mode in the OSV.dev staging environment for all
sources in staging that have been deemed already be publishing 100% OSV
JSON Schema compliant records, with the notable exception of the RustSec
Advisory Database due to
rustsec/advisory-db#2135 and the inclusion of
PyPA despite pypa/advisory-database#217
(because of pypa/advisory-database#208)

Part of #2188
@andrewpollock andrewpollock mentioned this issue Dec 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tarcieri @Shnatsel @andrewpollock