From 951b0d3c4fa0385b8e791c53f0bf48afabd9b5ca Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Wed, 5 Mar 2025 16:49:17 -0500 Subject: [PATCH 1/9] Create initial draft of OSV application Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../osv-schema_graduation_stage.md | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 process/project-lifecycle-documents/osv-schema_graduation_stage.md diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md new file mode 100644 index 00000000..93dcd734 --- /dev/null +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md 
@@ -0,0 +1,92 @@ +## Project graduation application + +### Project has met all Incubating requirements + * n/a + +### List of project maintainers +The project must have maintainers with a minimum of five different contributors from three different organizational affiliations. + * Oliver Chang, Google, @oliverchang + * Andrew Pollock, Google, @andrewpollock + +OSV Schema has had 62 contributors from 18 different organizations. + +Note: need to add a CONTRIBUTING.md doc to the project repo. + +### Mission of the project +The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be code needed to deliver OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. + * The mission of OSV is to develop a standard interchange format for describing vulnerabilities in open source packages. + * The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes. + +### Project adoption +The project must be able to show adoption by multiple parties, which could be production deployments or substantial use by established open source communities, and demonstrate the value of that adoption to either the end users or the open source community. 
+ +The OSV Schema is currently exported by: +- [AlmaLinux](https://github.com/AlmaLinux/osv-database) +- [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb) +- [Chainguard](https://packages.cgr.dev/chainguard/osv/all.json) +- [Curl](https://curl.se/docs/vuln.json) +- [GitHub Security Advisories](https://github.com/github/advisory-database) +- [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database) +- [Go Vulnerability Database](https://github.com/golang/vulndb) +- [Haskell Security Advisories](https://github.com/haskell/security-advisories) +- [LoopBack Advisory Database](https://github.com/loopbackio/security/tree/main/advisories) +- [Malicious Packages Repository](https://github.com/ossf/malicious-packages) +- [Mageia Advisories](https://advisories.mageia.org/) +- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns) +- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD) +- [PyPI Advisory Database](https://github.com/pypa/advisory-database) +- [Python Software Foundation Database](https://github.com/psf/advisory-database) +- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database) +- [Red Hat](https://security.access.redhat.com/data) +- [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv) +- [Rust Advisory Database](https://github.com/RustSec/advisory-db) +- [SUSE](https://www.suse.com/support/security/) +- [Ubuntu](https://github.com/canonical/ubuntu-security-notices/) +- [VMWare Photon OS](https://github.com/vmware/photon/wiki/Security-Advisories) (unofficial) + +### Release cadence +The project must be able to show a consistent release cadence. + * https://github.com/ossf/osv-schema/releases + +### Governance +Projects must have documented project governance and be able to demonstrate that governance in action. 
+ * https://github.com/ossf/osv-schema/blob/main/CHARTER.md + +Have a defined and documented roadmap and annual goals for the project + * "link to roadmap and goals" + +Project has met at least 4 times over a period of at least 2 months since becoming incubating + * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) + +Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. + * "link to policy for (or describe here) software development and release practices" + +Projects should harden their build systems in accordance with the SLSA Framework + * "link to policy for (or describe here) hardened build system" + +### Security audit +When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. 
+ * "link to results of security audit" + +### Security Baseline + +The project meets all applicable Security Baseline requirements: + * [ ] [Security Baseline - Once Sandbox](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-sandbox) + * [ ] [Security Baseline - To Become Incubating](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-incubating) + * [ ] [Security Baseline - Once incubating](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-incubating) + * [ ] [Security Baseline - To Become Graduated](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-graduated) + +### Project References +The project must provide a list of existing resources with links to the repository, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project. + + Reference | URL | +|-----------------------|-----| +| Repo | https://github.com/ossf/osv-schema | +| Website | https://ossf.github.io/osv-schema/ | +| Contributing guide | | +| Security.md | https://github.com/ossf/osv-schema?tab=security-ov-file#readme | +| Roadmap | | +| Demos | | +| Best Practices Badge | | +| Scorecard integration | | +| Other | [Tools (converters)](https://github.com/ossf/osv-schema/tree/main/tools) | From cab00d8765cb2c1ba86890e3b3804bc25dec9b77 Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Thu, 24 Apr 2025 11:11:02 -0400 Subject: [PATCH 2/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../osv-schema_graduation_stage.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index 93dcd734..aa17cd4e 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md @@ -6,7 +6,10 @@ ### List of project maintainers The project must have maintainers with a minimum of five different contributors from three different organizational affiliations. * Oliver Chang, Google, @oliverchang - * Andrew Pollock, Google, @andrewpollock + * Andrew Pollock, Independent, @andrewpollock + * Madison Oliver, GitHub, @taladrane + * Jason Shepherd, Red Hat, @jasinner + * Christopher 'CRob' Robinson, OpenSSF, @SecurityCRob OSV Schema has had 62 contributors from 18 different organizations. From 940511f16fae4e147be2150ad744d705b45df091 Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Thu, 24 Apr 2025 11:11:58 -0400 Subject: [PATCH 3/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../project-lifecycle-documents/osv-schema_graduation_stage.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index aa17cd4e..2d88d3b1 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md 
@@ -13,8 +13,6 @@ The project must have maintainers with a minimum of five different contributors OSV Schema has had 62 contributors from 18 different organizations. -Note: need to add a CONTRIBUTING.md doc to the project repo. - ### Mission of the project The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be code needed to deliver OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. * The mission of OSV is to develop a standard interchange format for describing vulnerabilities in open source packages. From 5d818c13ae892834097f00ffc3c117a937897bd5 Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Thu, 24 Apr 2025 11:12:22 -0400 Subject: [PATCH 4/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../project-lifecycle-documents/osv-schema_graduation_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index 2d88d3b1..e807c32b 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md 
@@ -34,7 +34,7 @@ The OSV Schema is currently exported by: - [Malicious Packages Repository](https://github.com/ossf/malicious-packages) - [Mageia Advisories](https://advisories.mageia.org/) - [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns) -- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD) +- [OSV.dev maintained converters](https://google.github.io/osv.dev/data/#converted-data) (Debian, Alpine, NVD) - [PyPI Advisory Database](https://github.com/pypa/advisory-database) - [Python Software Foundation Database](https://github.com/psf/advisory-database) - [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database) From 600c67c0e646850298e7c56642a0c61f9074e2b4 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 24 Apr 2025 18:00:21 -0400 Subject: [PATCH 5/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- .../project-lifecycle-documents/osv-schema_graduation_stage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index e807c32b..8912ea83 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md @@ -43,7 +43,6 @@ The OSV Schema is currently exported by: - [Rust Advisory Database](https://github.com/RustSec/advisory-db) - [SUSE](https://www.suse.com/support/security/) - [Ubuntu](https://github.com/canonical/ubuntu-security-notices/) -- [VMWare Photon OS](https://github.com/vmware/photon/wiki/Security-Advisories) (unofficial) ### Release cadence The project must be able to show a consistent release cadence. From 704a5baa5de3c3796380eaf84d6b839b73b61c96 Mon Sep 17 00:00:00 2001 
From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 24 Apr 2025 18:02:33 -0400 Subject: [PATCH 6/9] Update osv-schema_graduation_stage.md updating based on Oliver's feedback Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- .../osv-schema_graduation_stage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index 8912ea83..6fd01841 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md @@ -62,11 +62,11 @@ Implements, practices, and refines mature software development and release pract * "link to policy for (or describe here) software development and release practices" Projects should harden their build systems in accordance with the SLSA Framework - * "link to policy for (or describe here) hardened build system" + * N/A this is a specification, no build artifiacts are delivered. ### Security audit When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations. - * "link to results of security audit" + * N/A this is a specification, no security audit required. ### Security Baseline From e7f7d7b26dff4015ef2f372b669023e00562cd3a Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Thu, 24 Jul 2025 18:14:18 -0400 Subject: [PATCH 7/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../project-lifecycle-documents/osv-schema_graduation_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index 6fd01841..f5ab2089 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md @@ -53,7 +53,7 @@ Projects must have documented project governance and be able to demonstrate that * https://github.com/ossf/osv-schema/blob/main/CHARTER.md Have a defined and documented roadmap and annual goals for the project - * "link to roadmap and goals" + * https://github.com/ossf/osv-schema/projects?query=is%3Aopen Project has met at least 4 times over a period of at least 2 months since becoming incubating * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) From e5a1bf50d38f3363eea4dcc09bc6a75c1b70e033 Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Thu, 18 Dec 2025 15:27:02 -0500 Subject: [PATCH 8/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../project-lifecycle-documents/osv-schema_graduation_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index f5ab2089..19d67a53 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md 
@@ -83,7 +83,7 @@ The project must provide a list of existing resources with links to the reposito |-----------------------|-----| | Repo | https://github.com/ossf/osv-schema | | Website | https://ossf.github.io/osv-schema/ | -| Contributing guide | | +| Contributing guide | https://github.com/ossf/osv-schema/blob/main/CONTRIBUTING.md | | Security.md | https://github.com/ossf/osv-schema?tab=security-ov-file#readme | | Roadmap | | | Demos | | From 127cbd68d230931d190fbd10e7ad9090ff73f37f Mon Sep 17 00:00:00 2001 From: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> Date: Thu, 18 Dec 2025 15:27:53 -0500 Subject: [PATCH 9/9] Update process/project-lifecycle-documents/osv-schema_graduation_stage.md Co-authored-by: Andrew Pollock Signed-off-by: Jeff Diecks <55294502+GeauxJD@users.noreply.github.com> --- .../project-lifecycle-documents/osv-schema_graduation_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/project-lifecycle-documents/osv-schema_graduation_stage.md b/process/project-lifecycle-documents/osv-schema_graduation_stage.md index 19d67a53..dddd757c 100644 --- a/process/project-lifecycle-documents/osv-schema_graduation_stage.md +++ b/process/project-lifecycle-documents/osv-schema_graduation_stage.md 
@@ -59,7 +59,7 @@ Project has met at least 4 times over a period of at least 2 months since becomi * The project has a standing agenda item in the Vulnerability Disclosures Working Group meetings. [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit?tab=t.0) Implements, practices, and refines mature software development and release practices, such as adherence to semantic versioning, and having a declared policy for stable releases and backported fixes. - * "link to policy for (or describe here) software development and release practices" + * https://github.com/ossf/osv-schema/blob/main/RELEASING.md Projects should harden their build systems in accordance with the SLSA Framework * N/A this is a specification, no build artifiacts are delivered.
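Review bot: In PATCH 1/9, the "Project has met all Incubating requirements" section answers "n/a", but a graduation application should point at the evidence that the incubating stage was completed (the accepted incubation application or TAC decision) rather than marking it not applicable. The same hunk commits several unfilled quoted placeholders ("link to roadmap and goals", "link to policy for (or describe here) software development and release practices", "link to results of security audit") and leaves all four Security Baseline checkboxes unchecked; each should be filled in or explicitly marked N/A with a reason before this is merged.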
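Review bot: In PATCH 2/9, the maintainer list now has five people with five distinct affiliations (Google, Independent, GitHub, Red Hat, OpenSSF), which meets the stated minimum, but none of the entries links to where the roster is recorded in the repository; cite the CHARTER.md already referenced under Governance, or a maintainers file if one exists, so a reviewer can check the list against it. The unchanged "62 contributors from 18 different organizations" line gives no date or counting method; adding "as of <date>, per <source>" would make it verifiable.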
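Review bot: In PATCH 3/9, removing the "need to add a CONTRIBUTING.md doc" note deletes the only record of an open gap while the "Contributing guide" row in the Project References table is still empty at this point in the series; the note should go only together with the table row being filled (which does not happen until PATCH 8/9), otherwise the requirement silently loses its tracking.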
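Review bot: In PATCH 4/9, the OSV.dev converters link moves from the repository README anchor to the docs site, but the hard-coded parenthetical "(Debian, Alpine, NVD)" is kept; since the linked page is now the source of truth for which sources are converted, consider dropping the enumeration or prefixing it with "e.g." so the entry does not go stale when sources are added.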
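Review bot: In PATCH 6/9, the new line "N/A this is a specification, no build artifiacts are delivered." misspells "artifacts", and the claim sits oddly beside the Project References table from PATCH 1/9, which lists converter tools at https://github.com/ossf/osv-schema/tree/main/tools; if the repository ships tooling, the SLSA answer should say that the N/A applies to the specification text and state how (or whether) the tools are built and released. The security-audit N/A would also be more convincing with a sentence on what review the schema itself receives (for instance the working group agenda item already cited under Governance) rather than "no security audit required".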
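Review bot: In PATCH 7/9, the requirement asks for "a defined and documented roadmap and annual goals", but the replacement value https://github.com/ossf/osv-schema/projects?query=is%3Aopen is a filtered list of open project boards; it shows work in progress rather than stated annual goals, so a line naming the current year's goals (or a link to a document that does) would close the gap. A bare URL also replaces the quoted placeholder here while the "Meeting Notes" line just below uses a markdown link; pick one style for the section.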
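Review bot: In PATCH 8/9, the Contributing guide row is filled, but the Roadmap, Demos, Best Practices Badge and Scorecard integration rows in the trailing context remain empty; the Roadmap row can reuse the projects URL added under Governance in PATCH 7/9, and the other rows should get either a link or an explicit "none" so a reviewer can tell "not applicable" from "not yet filled in".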
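Review bot: In PATCH 9/9, the context line "* N/A this is a specification, no build artifiacts are delivered." still carries the "artifiacts" typo from PATCH 6/9; since this patch already touches the adjacent line, fix the spelling here. The new https://github.com/ossf/osv-schema/blob/main/RELEASING.md link answers the release-practices requirement, but the bullet should say whether that document covers the semantic versioning and backported-fixes points the requirement names, since the link alone does not.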