tools: import a conversion tool to and from VuXML #237
Conversation
khorben
force-pushed
the
khorben/vuxml
branch
from
60797b2 to
b7ea020
Compare
|
Hi @khorben, this is exciting progress. I can review this from the OSV side of things, is there a VuXML SME who can review that side of things? Also, if you look at tools/redhat for inspiration, having some test data to validate behaviour is also helpful. |
|
Hi Andrew, sorry for the late answer. I suppose by SME you meant "Subject Matter Expert", in which case I think FreeBSD's ports-secteam@ (https://wiki.freebsd.org/PortsSecteam) might be the best point of contact. |
khorben
force-pushed
the
khorben/vuxml
branch
3 times, most recently
from
4bd95a4 to
8614a9b
Compare
|
Would you mind addressing the DCO check failure? |
andrewpollock
left a comment
andrewpollock
left a comment
There was a problem hiding this comment.
I'm confused by the UBUNTU-CVE-2025-3454 test files?
I think it'll be a no-op change, but it'd be good to update the schema version in the test OSV records to the current version.
khorben
force-pushed
the
khorben/vuxml
branch
2 times, most recently
from
3e0b468 to
d3c580a
Compare
Thanks for the heads up, I think this should be addressed now. |
I have organised the test data as follows:
Should I change or clarify anything in the commits? |
khorben
force-pushed
the
khorben/vuxml
branch
2 times, most recently
from
18503b2 to
44d9763
Compare
Oh do you mean that you expected test files about FreeBSD? First, IIRC VuXML is distribution-agnostic, and not tied to a specific ecosystem. Likewise, it can be useful to convert VuXML data into OSV for the preparation work mentioned above. However, this still requires the corresponding ecosystem for FreeBSD, and choosing its exact name(s) might still be tricky: there is the base system, to distinguish from the third-party ports, and soon also from the packages for the base system.
I have now updated the schema version in the output to OSV as 1.7.0. |
|
When turning off DTD validation then it works ( |
|
I would also add purl for packages when ecosystem have package manager it's nice addition to information |
|
When Output directory is issued then (if I understand correctly) naming should something like: |
|
It seems that |
| @@ -0,0 +1,271 @@ | |||
| #!/usr/bin/env python | |||
| # | |||
There was a problem hiding this comment.
Just suggesting to have SPDX-header for license also
There was a problem hiding this comment.
Thank you for the suggestion, I have now added the SPDX headers.
There was a problem hiding this comment.
SPDX header seems to be correct
oliverchang
left a comment
oliverchang
left a comment
There was a problem hiding this comment.
thank you very much for working on this, and for adding the tests! (and apologies for the delay in reviewing)
| @@ -0,0 +1,42 @@ | |||
| { | |||
| "schema_version": "1.7.0", | |||
| "id": "409206f6-25e6-11f0-9360-b42e991fc52e", | |||
There was a problem hiding this comment.
this needs to have a FREEBSD- or some other prefix so it's clear it comes from the FreeBSD database.
Please also define the chosen prefix in https://ossf.github.io/osv-schema/#id-modified-fields
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "FreeBSD:ports", |
There was a problem hiding this comment.
In a separate PR, could you please add a ecosystem definition to https://ossf.github.io/osv-schema/#affectedpackage-field ?
There was a problem hiding this comment.
Sorry about the late answer from my side as well. The choice of ecosystem definition is a bit complicated on FreeBSD, notably because of the distinction between the base system and the software packages. No decision has been made yet AFAIK, but I will bring it up again internally.
|
@khorben I see some exciting progress with the latest release of the OSV Schema, and thought I'd check in on progress on this PR? |
This is relevant to FreeBSD's ports. Note that: * There is no official ecosystem for FreeBSD ports yet * A few elements of the VuXML DTD are not covered (e.g., \<uscertsa>, \<uscertta>) * Cancelled VuXML events are not represented, for lack of information (withdrawal date...) * Some versions do not match reality and need a correct increment (\<gt>) Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
This is relevant to FreeBSD's ports. Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
XXX this only happens when outputting to the standard output. This is relevant to FreeBSD's ports. Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
This is relevant to FreeBSD's ports. Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
khorben
force-pushed
the
khorben/vuxml
branch
from
62ccc24 to
8d9615b
Compare
khorben
force-pushed
the
khorben/vuxml
branch
3 times, most recently
from
7986c4b to
de0e650
Compare
|
I just rebased the changes on top of the latest |
Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
khorben
force-pushed
the
khorben/vuxml
branch
from
de0e650 to
9f4a519
Compare
4 participants
This is relevant to FreeBSD's ports, and possibly to any other project using the VuXML format in order to track vulnerabilities. (http://vuxml.freebsd.org)
The objective is to help FreeBSD offer security advisories in the OSV format, for ports first but possibly also for base components in the future. The corresponding ecosystem string (most likely
FreeBSD) will be requested in a dedicated pull request.Sponsored by: The FreeBSD Foundation