Getting a vuln's source URL

[nchelluri]

Hi, I am querying the osv.dev API and had a question about the affected[].database_specific field: https://ossf.github.io/osv-schema/#affecteddatabase_specific-field . What I really want is a single source field, for the vuln like I see in the affected[0].database_specific.source field here: https://api.osv.dev/v1/vulns/CVE-2024-38372 . The small handful of other vulns I have queried - from different databases and ecosystems - seem to all have this field present; as far as I can tell, it is a URL for the source of the vuln (and I think/hope it is the same value for all elements in affected).

I wanted to know if I could depend on this behavior.

An alternative I thought of was that described here https://ossf.github.io/osv-schema/#id-modified-fields is a way to assemble the source URL. This is likely workable and I can do that. However, it would require me to maintain a list of the prefixes and databases and URL formats. I am using osv-scanner to query the API. I thought: maybe osv-scanner would have a tool to do that in-built, so that the maintainers could keep such a prefix, DB, and URL list up-to-date. But I don't see that facility in the code, unless I am missing it.

Can anyone advise me on how to proceed? I think if I might just copy whatever way the OSV website calculates the "Import Source" field (I think this is found in source.yaml) then I would likely be okay. But, the schema does say about affected[].database_specific:

The meaning of the values within the object is entirely defined by the database and beyond the scope of this document.

So I don't want to do the wrong thing and have my code break later.

Does anyone have any suggestions? Thank you!

[nchelluri]

Created issue #3046 from this as well.

[andrewpollock]

Hi @nchelluri

You've already gotten an answer on #3046, but I'll add something here as well...

Firstly, you've talked about what you're trying to achieve, but not the why (see also my favourite https://xyproblem.info/). Could you elaborate on why you need the source record? This FAQ entry discusses what OSV.dev does to records it imports, they're usually superior to the record imported from the home database it originated from.

What I really want is a single source field, for the vuln like I see in the affected[0].database_specific.source field here: https://api.osv.dev/v1/vulns/CVE-2024-38372 . The small handful of other vulns I have queried - from different databases and ecosystems - seem to all have this field present; as far as I can tell, it is a URL for the source of the vuln (and I think/hope it is the same value for all elements in affected).

I think that

osv.dev/osv/models.py

Lines 671 to 672 in aa47853

	if source_link:
	current.database_specific.update({'source': source_link})

is currently doing what it's doing at the wrong level in the record, there's not really any value in repeating this on every entry in .affected[], but at the same time, changing it for the sake of changing it probably isn't ideal either, and it'll be an exercise to reflect the change to all the records in the OSV.dev database.

I wanted to know if I could depend on this behavior.

I think you can safely enough rely on this behaviour, and I'd encourage you to keep an eye on the above code to stay aware of any potential future breakage.

An alternative I thought of was that described here https://ossf.github.io/osv-schema/#id-modified-fields is a way to assemble the source URL.

I don't think this will work reliably. There's also no clear way to link an individual record to the relevant entry in https://github.com/google/osv.dev/blob/master/source.yaml

[pxp928]

Hello @andrewpollock, the reason "why" is being able to site the source of the vulnerability is important for any user if they wanted to validate where this information is coming from and if they can rely on it. That was the original intent, to display the source information in case the user wants to do some manual inspection. Thank You.