OSV v3 doc updates#146
Still in progress - osv v3 docs

Signed-off-by: tazinprogga <tazin.progga@chainguard.dev>
| | Alias field | `related` | `upstream` | | ||
| | Component detail | Not present | Per-advisory data in `ecosystem_specific.components` | | ||
| | Fixed version | Highest version across all advisories for a package | From the advisory's fixed event (no rollup) | | ||
| | Fixed version | Highest version across all advisories for a package | Aggregate fixed version across advisory events for (package, architecture, ecosystem) | |
This is not accurate. We do roll up in the v2 feed, see CGA-5h9m-92rc-6gph where we have many affected entries corresponding to multiple advisories. It looks like we don't aggregate these intelligently though; it seems we just pick the first fix version we encounter (see https://github.com/chainguard-dev/mono/blob/26274fb41ff997a74507c8fa48d1d4e5e51900b4/lifecycle/secfeed/internal/feeds/osv/version/v2/v2.go#L230), so keeping it vague on "aggregates". This is one area v3 is different - there is actually no aggregation since it's one entry per advisory / ecosystem.
tazinprogga left a comment
Looks good, pending the edits I've suggested. Would also highly recommend getting a second set of Eng eyes to review.
Signed-off-by: Zackary Crosley <zackary.crosley@chainguard.dev>
b15316f to b6c68b4
What
Add v3 OSV docs and update v2 docs
Why
Explain differences to partners and customers