From 9835c5b8367705d8c8ef1f1258826482e04fd173 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 4 Dec 2024 15:04:09 +0400 Subject: [PATCH] Add Kubernetes ecosystem Signed-off-by: knqyf263 --- docs/schema.md | 14 +++++++++++++- tools/osv-linter/internal/pkgchecker/ecosystems.go | 2 ++ validation/schema.json | 3 ++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/schema.md b/docs/schema.md index 705a59e..a6777ac 100644 --- a/docs/schema.md +++ b/docs/schema.md @@ -8,7 +8,7 @@ aside: show_edit_on_github: true --- -**Version 1.6.7 (Sep 16, 2024)** +**Version 1.6.8 (Dec 4, 2024)** Original authors: - Oliver Chang (ochang@google.com) @@ -288,6 +288,17 @@ The defined database prefixes and their "home" databases are: + + KUBE + Kubernetes Official CVE Feed + + + + LBSEC LoopBack Advisory Database @@ -706,6 +717,7 @@ The defined ecosystems are: | `Go` | The Go ecosystem; the `name` field is a Go module path. | | `Hackage` | The Haskell package ecosystem. The `name` field is a Haskell package name as published on Hackage. | | `Hex` | The package manager for the Erlang ecosystem; the `name` is a Hex package name. | +| `Kubernetes` | The Kubernetes ecosystem; the `name` field is a Kubernetes component name. | | `Linux` | The Linux kernel. The only supported `name` is `Kernel`. | | `Mageia` | The Mageia Linux package ecosystem; the `name` is the name of the source package. The ecosystem string must have a `:` suffix to scope the package to a particular Mageia release. Eg `Mageia:9`. | | `Maven` | The Maven Java package ecosystem. The `name` field is a Maven package name in the format `groupId:artifactId`. The ecosystem string might optionally have a `:` suffix to denote the remote repository URL that best represents the source of truth for this package, without a trailing slash (e.g. `Maven:https://maven.google.com`). If this is omitted, this is assumed to be the Maven Central repository (`https://repo.maven.apache.org/maven2`). | 
diff --git a/tools/osv-linter/internal/pkgchecker/ecosystems.go b/tools/osv-linter/internal/pkgchecker/ecosystems.go
index ed6beea..349fb88 100644
--- a/tools/osv-linter/internal/pkgchecker/ecosystems.go
+++ b/tools/osv-linter/internal/pkgchecker/ecosystems.go
@@ -55,6 +55,8 @@ func ExistsInEcosystem(pkg string, ecosystem string) bool {
 return true
 case "Hex":
 return true
+ case "Kubernetes":
+ return true
 case "Linux":
 return true
 case "Maven":
diff --git a/validation/schema.json b/validation/schema.json
index ab82fc7..29a459e 100644
--- a/validation/schema.json
+++ b/validation/schema.json
@@ -316,6 +316,7 @@
 "Go",
 "Hackage",
 "Hex",
+ "Kubernetes",
 "Linux",
 "Mageia",
 "Maven",
@@ -350,7 +351,7 @@
 "type": "string",
 "title": "Currently supported home database identifier prefixes",
 "description": "These home databases are also documented at https://ossf.github.io/osv-schema/#id-modified-fields",
- "pattern": "^(ASB-A|PUB-A|ALSA|ALBA|ALEA|BIT|CGA|CURL|CVE|DSA|DLA|ELA|DTSA|GHSA|GO|GSD|HSEC|LBSEC|MAL|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN)-"
+ "pattern": "^(ASB-A|PUB-A|ALSA|ALBA|ALEA|BIT|CGA|CURL|CVE|DSA|DLA|ELA|DTSA|GHSA|GO|GSD|HSEC|KUBE|LBSEC|MAL|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN)-"
 },
 "severity": {
 "type": [
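Review bot: The new `case "Kubernetes":` arm of ExistsInEcosystem in tools/osv-linter/internal/pkgchecker/ecosystems.go returns true for every `pkg`, so the linter accepts any string as a Kubernetes component name. The neighbouring arms visible in the hunk (`Hex`, `Linux`) do the same, so this may be the accepted placeholder for ecosystems without a lookup, but a misspelled component name in an advisory would pass linting and then presumably never match in tools that consume the record. I would at least mark the gap above the `return true` with a comment such as `// TODO: Kubernetes component names are not validated yet; every name is accepted.`. The function body starts and ends outside this hunk.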