- Issue created by @cmlara
- 🇺🇸 United States Owen Barton
Adding this related issue, which is a suggestion to add Open Source Vulnerability (OSV) format vulnerability advisories - I think there is quite a bit in common with the CVE schema and perhaps there is a way to do both.
I guess if we are planning to get official CVEs submitted for all vulnerabilities, then OSV may not strictly be necessary (since they would be aggregated by the various libraries scanners use).
On the other hand, if there are some that may not get assigned CVEs, or if we are concerned about CVE capacity/delays (which I think has been an issue recently), having vulnerabilities in OSV format would still be worthwhile.
I also came across this post describing how CPython handles this, which includes a handy script to generate an OSV from a CVE.
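Added example, not part of the thread above and not the CPython script it links to: a minimal converter from a CVE JSON 5.x record to an OSV record, showing how much of the two schemas line up (ID, timestamps, description, affected version ranges, references, CVSS). The CVE record below is constructed for illustration; the CVE ID, product, versions, reference URL, and the "Packagist" ecosystem and package name passed in are placeholders, not a real advisory.

```python
"""Convert a CVE JSON 5.x record into an OSV 1.x record (added example, constructed data)."""
import json
from datetime import datetime, timezone

# Constructed CVE 5.x record. The ID, product, versions and URL are placeholders.
SAMPLE_CVE = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {
        "cveId": "CVE-0000-00001",
        "datePublished": "2024-01-02T10:00:00.000Z",
        "dateUpdated": "2024-01-03T12:30:00.000Z",
    },
    "containers": {
        "cna": {
            "title": "Access bypass in example-module",
            "descriptions": [{"lang": "en", "value": "An access check is missing on a route."}],
            "affected": [{
                "vendor": "example",
                "product": "example-module",
                "versions": [
                    {"version": "1.0.0", "status": "affected", "lessThan": "1.2.3", "versionType": "semver"},
                    {"version": "2.0.0", "status": "affected", "lessThan": "2.0.1", "versionType": "semver"},
                ],
            }],
            "references": [{"url": "https://example.org/advisory/1", "tags": ["vendor-advisory"]}],
            "metrics": [{"cvssV3_1": {
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5}}],
        }
    },
}


def _rfc3339(ts):
    """OSV wants RFC3339 UTC with a trailing Z; CVE timestamps may carry fractions or offsets."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def cve_to_osv(cve, ecosystem, package_name, osv_id=None):
    """Map the CVE container fields onto OSV. If the project issues its own IDs,
    pass osv_id and the CVE becomes an alias; otherwise the CVE ID is used directly."""
    meta = cve["cveMetadata"]
    cna = cve["containers"]["cna"]
    cve_id = meta["cveId"]

    affected = []
    for entry in cna.get("affected", []):
        events = []
        for v in entry.get("versions", []):
            if v.get("status") != "affected":
                continue  # "unaffected"/"unknown" entries carry no range
            # OSV ranges are event lists: each "introduced" is followed by the bound that closes it.
            events.append({"introduced": v["version"]})
            if "lessThan" in v:
                events.append({"fixed": v["lessThan"]})
            elif "lessThanOrEqual" in v:
                events.append({"last_affected": v["lessThanOrEqual"]})
        if events:
            affected.append({
                "package": {"ecosystem": ecosystem, "name": package_name},
                "ranges": [{"type": "ECOSYSTEM", "events": events}],
            })
    if not affected:
        # Scanners match on affected ranges; an OSV entry without any is useless to them.
        raise ValueError(f"{cve_id}: no affected version ranges to export")

    details = next((d["value"] for d in cna.get("descriptions", []) if d.get("lang", "en").startswith("en")), "")
    references = [
        {"type": "ADVISORY" if "vendor-advisory" in r.get("tags", []) else "WEB", "url": r["url"]}
        for r in cna.get("references", [])
    ]
    severity = [
        {"type": "CVSS_V3", "score": m["cvssV3_1"]["vectorString"]}
        for m in cna.get("metrics", []) if "cvssV3_1" in m
    ]

    osv = {
        "schema_version": "1.6.0",
        "id": osv_id or cve_id,
        "modified": _rfc3339(meta["dateUpdated"]),
        "published": _rfc3339(meta["datePublished"]),
        "summary": cna.get("title", ""),
        "details": details,
        "affected": affected,
        "references": references,
    }
    if osv_id:
        osv["aliases"] = [cve_id]  # never list the record's own id as an alias of itself
    if severity:
        osv["severity"] = severity
    return osv


if __name__ == "__main__":
    print(json.dumps(cve_to_osv(SAMPLE_CVE, "Packagist", "example/example-module"), indent=2))
```

Two things the script deliberately does, since they are where hand-written OSV entries usually go wrong: it refuses to emit a record with no affected ranges (scanners match on ranges, so such an entry is silent), and it puts the CVE in `aliases` only when the record has its own ID, so a CVE-keyed entry never aliases itself.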