README
¶
combine-to-osv
What
Combine PackageInfo file fragments into a single OSV record.
Why
To address the generation of CVE records from multiple disparate sources (all requiring a common record prefix):
How
See run_combine_to_osv_convert.sh:
- Reads from
gs://cve-osv-conversion/parts - Merges with CVE data from NVD (obtained from GCS mirror maintained by
download-cves) - Writes an OSV record to
gs://cve-osv-conversion/osv-output- This is the import source for
cve-osv - What gets written can be overridden by OSV records in
gs://cve-osv-conversion/osv-output-overrides
- This is the import source for
Operational matters
- Runs every hour (on the half hour) as a Kubernetes CronJob
Overriding an OSV record
Situation
There's a generated OSV record that contains incorrect information and needs to be overriden (e.g. it is causing false positives)
Possible edits to consider making:
- remove or correct an incorrect
affectedentry - add a
withdrawnfield
Considerations
This statically overrides the record generated, meaning any and all of the inputs for this record will be diregarded. The record will no longer change.
Procedure
gsutil cp gs://cve-osv-conversion/osv-output/CVE-YYYY-NNNN.json- manually edit the file
gsutil cp gs://cve-osv-conversion/osv-output-overrides/CVE-YYYY-NNNN.json
Documentation
¶
There is no documentation for this package.
Source Files
Click to show internal directories.
Click to hide internal directories.