|
| 1 | +# Guiding principles |
| 2 | + |
| 3 | +Changes to the OSV (Open Source Vulnerability) schema are evaluated against |
| 4 | +several core principles: |
| 5 | + |
| 6 | +## 1. Focus on Core Use Cases |
| 7 | + |
| 8 | +The primary goal driving the OSV schema's design is to **enable software |
| 9 | +developers to accurately identify and remediate all known vulnerabilities |
| 10 | +within their applications' open source dependencies**. |
| 11 | + |
| 12 | +To achieve this, the schema specifically supports two core use cases: |
| 13 | +1. For Vulnerability **Databases**: Make it easy for any vulnerability database |
| 14 | + to adopt and export the format, so that we have comprehensive coverage. |
| 15 | +2. For Vulnerability **Scanners**: Create a format that vulnerability scanners |
| 16 | + can use to produce **accurate** and **actionable** vulnerability scanning |
| 17 | + results. |
| 18 | + |
| 19 | +This focus means that there may be some use cases of vulnerability data that |
| 20 | +are out of scope, such as: |
| 21 | +- Detailed historical analysis of vulnerability trends. |
| 22 | +- Tracking metadata about vulnerabilities that may be interesting but otherwise |
| 23 | + not useful for automatic vulnerability matching and remediation (e.g. |
| 24 | + individual timelines of vulnerabilities, or detailed relationship graphs |
| 25 | + between vulnerabilities). |
| 26 | + |
| 27 | +While these aren't the primary focus, the OSV schema might still be useful for |
| 28 | +these secondary purposes if the required data fields overlap with those needed |
| 29 | +for its core use cases. |
| 30 | + |
| 31 | +## 2. Simplicity |
| 32 | + |
| 33 | +A well-defined set of use cases allows the schema to remain concise and |
| 34 | +minimal. This simplicity makes the schema easier for consumers (like scanners) |
| 35 | +to understand and easier for producers (like databases) to adopt. |
| 36 | + |
| 37 | +Each field should serve a distinct purpose directly linked to the core use cases. |
| 38 | +There must also be a practical way for vulnerability data producers to supply |
| 39 | +the data for each field. Aspirational fields, which cannot be realistically |
| 40 | +populated by vulnerability databases or realistically used by consumers, must |
| 41 | +be avoided. |
| 42 | + |
| 43 | +Where possible, there should be a data-driven justification with clear evidence |
| 44 | +of demand (from both producers/consumers) when adding a new field. |
| 45 | + |
| 46 | +## 3. Correctness and Consistency |
| 47 | + |
| 48 | +OSV schema fields must promote data correctness and consistency. |
| 49 | + |
| 50 | +Fields require unambiguous rules for encoding values, including specifics like |
| 51 | +casing and formatting. |
| 52 | + |
| 53 | +Where the schema refers to specific software ecosystems (e.g., package |
| 54 | +managers), its rules must align precisely with that ecosystem's specifications. |
| 55 | +For instance, package names and version ordering for the "PyPI" ecosystem must |
| 56 | +adhere strictly to PyPI's official rules. |
| 57 | + |
| 58 | +Where possible these rules should should be enforceable via the OSV JSON Schema |
| 59 | +and linter. |
| 60 | + |
| 61 | +## 4. Prioritizing Open Source |
| 62 | + |
| 63 | +While the OSV schema can represent vulnerabilities in closed-source software, |
| 64 | +its primary focus and design considerations prioritize open source software |
| 65 | +ecosystems. |
| 66 | + |
| 67 | +## 5. Federated Database Model |
| 68 | + |
| 69 | +The OSV schema promotes a distributed model of "home" vulnerability databases, |
| 70 | +maintained by the relevant communities or organizations. |
| 71 | + |
| 72 | +For example, the Go community maintains a database using the `GO-` prefix, |
| 73 | +while the Rust community maintains one using `RUSTSEC-`. |
| 74 | + |
| 75 | +This means vulnerability records are ideally owned and published by the most |
| 76 | +relevant upstream source for that ecosystem. |
| 77 | + |
| 78 | +Consequently, metadata originating by definition from separate, centralized |
| 79 | +authorities (like EPSS scores or CISA KEV status), doesn't belong directly |
| 80 | +within the core OSV record itself, as it's not authored by the record's "home" |
| 81 | +database. |
| 82 | + |
| 83 | +## 6. Backwards Compatibility |
| 84 | + |
| 85 | +The OSV schema is considered stable with no breaking changes expected. OSV |
| 86 | +records target a specific |
| 87 | +[`schema_version`](https://ossf.github.io/osv-schema/#schema_version-field), |
| 88 | +with the expectation that future versions of the schema will maintain backwards |
| 89 | +compatibility: |
| 90 | + |
| 91 | +- Existing clients supporting an older version of the schema don’t have to update |
| 92 | + their behaviour to consume records targeting newer versions. |
| 93 | +- Clients that support a newer version of the schema don’t need special |
| 94 | + behaviour to account for older versions of the schema. They can treat each |
| 95 | + record as if it was targeting the latest version of the schema. |
| 96 | + |
| 97 | +In practice, this means: |
| 98 | + |
| 99 | +- Fields are never removed. |
| 100 | +- The meaning or interpretation of existing fields can be broadened, but never |
| 101 | + changed in a way that breaks older clients. |
| 102 | +- Clients must be able to safely ignore fields or values introduced in newer |
| 103 | + schema versions that they don't understand. |
| 104 | + |
| 105 | +This commitment of backwards compatibility means that there is a large cost |
| 106 | +associated with adding a new field to the schema. While it may seem simple to |
| 107 | +add a new field, its permanence increases the schema's complexity over time. |
0 commit comments