From 53f7470895708e979046c32461198f95a7d1765f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eric=20Meadows-J=C3=B6nsson?=
Date: Tue, 19 May 2026 18:52:19 +0200
Subject: [PATCH 1/3] Add aliases, published_at, modified_at, references to SecurityAdvisory
---
 registry/package.proto | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/registry/package.proto b/registry/package.proto
index 8d4c9c5..10cfe8a 100644
--- a/registry/package.proto
+++ b/registry/package.proto
@@ -58,6 +58,19 @@ message SecurityAdvisory {
   optional float cvss_score = 5;
   // OSV API URL for the advisory
   required string api_url = 6;
+  // Other identifiers for the same vulnerability (e.g. a CVE id when the
+  // primary id is a GHSA, or vice versa). Used by clients to deduplicate
+  // advisories that describe the same vulnerability from different sources.
+  repeated string aliases = 7;
+  // First publication timestamp from the advisory source. Optional for
+  // backwards compatibility — clients treat absence as "no information".
+  optional Timestamp published_at = 8;
+  // Last modification timestamp from the advisory source. Optional for
+  // backwards compatibility.
+  optional Timestamp modified_at = 9;
+  // External references describing the advisory (links to vendor fix PRs,
+  // CVE write-ups, blog posts, etc.).
+  repeated AdvisoryReference references = 10;
 }
 
 enum AdvisorySeverity {
@@ -68,6 +81,13 @@ enum AdvisorySeverity {
   SEVERITY_CRITICAL = 4;
 }
 
+message AdvisoryReference {
+  // OSV reference type, e.g. "WEB", "ADVISORY", "FIX", "REPORT"
+  required string type = 1;
+  // Reference URL
+  required string url = 2;
+}
+
 message Dependency {
   // Package name of dependency
   required string package = 1;
From 844ba754c8dd27b3003ccf395fa1d2d0ddac1252 Mon Sep 17 00:00:00 2001
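Review bot: The new `aliases` comment says what the field holds but not where the ids come from or whether the registry checks them; a client that collapses advisories sharing an alias will hide one of them if a source's alias claim is wrong, so the comment should say whether they are passed through as reported by the source and give the expected id formats, e.g. `// Identifiers as reported by the advisory source (e.g. "CVE-YYYY-NNNN", "GHSA-xxxx-xxxx-xxxx"); the registry does not verify that they describe the same vulnerability.` (adjust if the registry does verify). `Timestamp` is written unqualified on the `published_at` and `modified_at` lines; if it is meant to be `google.protobuf.Timestamp` it needs the import and the qualified name, and if it is a message defined in this file the comments should state the precision and time zone it carries. The `SecurityAdvisory` definition starts outside the hunk.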
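Review bot: `url` in the new `AdvisoryReference` message is a source-supplied string that the comment `// Reference URL` leaves unconstrained; clients that render it as a link or follow it need to know whether the registry validates it, so state that, e.g. `// Reference URL as provided by the advisory source; consumers should accept only http(s) URLs before rendering or following it.` (adjust if the registry already validates). `type` as a free-form string suits the open OSV reference vocabulary, but the name generates awkward accessors in some target languages; `reference_type` would avoid that and is cheap to change before the message ships.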
From: =?UTF-8?q?Eric=20Meadows-J=C3=B6nsson?=
Date: Tue, 19 May 2026 21:33:12 +0200
Subject: [PATCH 2/3] Polish advisory proto field comments
---
 registry/package.proto | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/registry/package.proto b/registry/package.proto
index 10cfe8a..424cce8 100644
--- a/registry/package.proto
+++ b/registry/package.proto
@@ -59,14 +59,13 @@ message SecurityAdvisory {
   // OSV API URL for the advisory
   required string api_url = 6;
   // Other identifiers for the same vulnerability (e.g. a CVE id when the
-  // primary id is a GHSA, or vice versa). Used by clients to deduplicate
-  // advisories that describe the same vulnerability from different sources.
+  // primary id is a GHSA id, or vice versa).
   repeated string aliases = 7;
   // First publication timestamp from the advisory source. Optional for
   // backwards compatibility — clients treat absence as "no information".
   optional Timestamp published_at = 8;
   // Last modification timestamp from the advisory source. Optional for
-  // backwards compatibility.
+  // backwards compatibility — clients treat absence as "no information".
   optional Timestamp modified_at = 9;
   // External references describing the advisory (links to vendor fix PRs,
   // CVE write-ups, blog posts, etc.).
From fff2b67fefaf578bdea358551096739dd1544d0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eric=20Meadows-J=C3=B6nsson?=
Date: Tue, 19 May 2026 22:38:00 +0200
Subject: [PATCH 3/3] Drop unused timestamp and references fields from SecurityAdvisory
---
 registry/package.proto | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/registry/package.proto b/registry/package.proto
index 424cce8..3e4da51 100644
--- a/registry/package.proto
+++ b/registry/package.proto
@@ -61,15 +61,6 @@ message SecurityAdvisory {
   // Other identifiers for the same vulnerability (e.g. a CVE id when the
   // primary id is a GHSA id, or vice versa).
   repeated string aliases = 7;
-  // First publication timestamp from the advisory source. Optional for
-  // backwards compatibility — clients treat absence as "no information".
-  optional Timestamp published_at = 8;
-  // Last modification timestamp from the advisory source. Optional for
-  // backwards compatibility — clients treat absence as "no information".
-  optional Timestamp modified_at = 9;
-  // External references describing the advisory (links to vendor fix PRs,
-  // CVE write-ups, blog posts, etc.).
-  repeated AdvisoryReference references = 10;
 }
 
 enum AdvisorySeverity {
@@ -80,13 +71,6 @@ enum AdvisorySeverity {
   SEVERITY_CRITICAL = 4;
 }
 
-message AdvisoryReference {
-  // OSV reference type, e.g. "WEB", "ADVISORY", "FIX", "REPORT"
-  required string type = 1;
-  // Reference URL
-  required string url = 2;
-}
-
 message Dependency {
   // Package name of dependency
   required string package = 1;