Define a protocol / conventions for discovery

[oliverchang]

Currently, the way to discover / determine OSV producers is to look at the README.md in this repo.

There should be a more well defined way to do this.

[joshbuker]

Relates to #51, which would allow this type of discovery/determination when looking at individual IDs / entries.

What the schema_format field wouldn't cover is some sort of organic list of the various DBs using OSV. I would love to see a comprehensive list of all the databases out there, and that might be something the GSD project helps put together as we start looking at ingesting said DBs into their respective namespaces in the GSD. With that list, it should be simple to add an additional field to track what format(s) they use/support.

[kurtseifried]

This speaks to having an identifier in the JSON format like CVE does. Then you could trivially:

• search github for
  "data_type": "OSV",
• check if a JSON file is in OSV format trivially
• also ideally we wand out GSD's so easily that people just use us and we don't have to go looking

Do we have any data on producers of OSV data that aren't already well known?

[kurtseifried]

bump: @oliverchang can we please add a

"data_type": "OSV",

like CVE has:

"data_type": "CVE"

and if not why not?