What is the major difference between osv-schema and cve-schema #109
Comments
Indeed we did a bunch of work to align CVE 5.0 with OSV and enable interop. OSV is intended to be a more focused format that treats open source as a first class citizen. As a result, it's a much simpler and easier to read spec and a bit more convenient to use for open source. The interop means that converting between the two should be fairly simple as well, and we hope to collaborate with CVE on this.
Is there any available tool so far for converting between the two specs?
Not to our knowledge. See also #7
The GSD project will have a tool to convert between OSV 1.x and CVE 4 and 5 at some point. It'll be in our tools repo, https://github.com/cloudsecurityalliance/gsd-tools, and it'll probably be a few weeks/months before I get around to it. Also, when the CVE schema was designed (by me, sorry about that) it wasn't that Open Source wasn't a first-class citizen, it's that I built what I needed, and I took a more agnostic view of data, e.g., by 3.1 https://github.com/CVEProject/cve-schema/blob/master/schema/v3.1/CVE_JSON_example_full-3.1.json
So you could, for example, put a git commit as a version (indeed some open source projects don't use version numbers, just git commit as the version) and then less than/greater than. The problem is that of course nobody actually filled out their data like this. ¯_(ツ)_/¯
@kurtseifried please consider contributing this directly to this repo. I'm of the opinion that all schema-related tooling should live together in this repo.
It is my understanding that both osv-schema and cve-schema try to describe a vulnerability, and many fields in osv-schema and cve-schema share the same meaning, especially for cve-schema v5.0.
Therefore, I'm now confused about what the major difference between the two schemas is.
Thank you for your response.