Support for Google OSV database #931
Comments
Good suggestion. It's unfortunate osv doesn't support Package URL. I'd recommend creating a ticket for them to support it. Relying on 'name' and 'ecosystem' is fragile and going to be unpredictable. Once osv supports Package URL, I'd be happy to add support for it.
@stevespringett OSV now supports PURL. Please find the below links for more details https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html
@VinodAnandan FWIW,
Thanks @pombredanne
@VinodAnandan sure thing! ... note that when VulnerableCode will be ready for usage, it will also have OSV content and everything is keyed by Package URL there... so this could become a natural additional data source for DT
The purl issue has been fixed. Thanks to @oliverchang "
OSV maintains a GCS bucket with all aggregated vulnerabilities which can be scheduled and mirrored in the dependency-track database https://github.com/google/osv/blob/master/README.md#data-dumps
Draft PR for discussion -> #1703
Implemented in #1703. Thanks @sahibamittal! 🥳
Current Behavior:
The tool doesn't have support for the Google open source vulnerability database.
https://osv.dev/list
Proposed Behavior:
The tool should be able to get data from Google osv database.