This schema makes use of advanced keywords that prevents us from rendering pretty documentation for it. Showing the full schema as a fallback for now!
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://schemas.intelligence.ai/ossf/osv/v1.6.3/schema.json",
"title": "Open Source Vulnerability",
"description": "A schema for describing a vulnerability in an open source package.",
"type": "object",
"required": [
"id",
"modified"
],
"properties": {
"id": {
"type": "string"
},
"affected": {
"type": [
"array",
"null"
],
"items": {
"type": "object",
"properties": {
"database_specific": {
"type": "object"
},
"ecosystem_specific": {
"type": "object"
},
"package": {
"type": "object",
"required": [
"ecosystem",
"name"
],
"properties": {
"ecosystem": {
"type": "string"
},
"name": {
"type": "string"
},
"purl": {
"type": "string"
}
}
},
"ranges": {
"type": "array",
"items": {
"type": "object",
"allOf": [
{
"if": {
"properties": {
"type": {
"const": "GIT"
}
}
},
"then": {
"required": [
"repo"
]
}
},
{
"if": {
"properties": {
"events": {
"contains": {
"required": [
"last_affected"
]
}
}
}
},
"then": {
"not": {
"properties": {
"events": {
"contains": {
"required": [
"fixed"
]
}
}
}
}
}
}
],
"required": [
"type",
"events"
],
"properties": {
"type": {
"type": "string",
"enum": [
"GIT",
"SEMVER",
"ECOSYSTEM"
]
},
"database_specific": {
"type": "object"
},
"events": {
"type": "array",
"minItems": 1,
"contains": {
"required": [
"introduced"
]
},
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"introduced"
],
"properties": {
"introduced": {
"type": "string"
}
}
},
{
"type": "object",
"required": [
"fixed"
],
"properties": {
"fixed": {
"type": "string"
}
}
},
{
"type": "object",
"required": [
"last_affected"
],
"properties": {
"last_affected": {
"type": "string"
}
}
},
{
"type": "object",
"required": [
"limit"
],
"properties": {
"limit": {
"type": "string"
}
}
}
]
}
},
"repo": {
"type": "string"
}
}
}
},
"severity": {
"$ref": "#/$defs/severity"
},
"versions": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
},
"aliases": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
}
},
"credits": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"type": {
"type": "string",
"enum": [
"FINDER",
"REPORTER",
"ANALYST",
"COORDINATOR",
"REMEDIATION_DEVELOPER",
"REMEDIATION_REVIEWER",
"REMEDIATION_VERIFIER",
"TOOL",
"SPONSOR",
"OTHER"
]
},
"contact": {
"type": "array",
"items": {
"type": "string"
}
},
"name": {
"type": "string"
}
}
}
},
"database_specific": {
"type": "object"
},
"details": {
"type": "string"
},
"modified": {
"$ref": "#/$defs/timestamp"
},
"published": {
"$ref": "#/$defs/timestamp"
},
"references": {
"type": [
"array",
"null"
],
"items": {
"type": "object",
"required": [
"type",
"url"
],
"properties": {
"type": {
"type": "string",
"enum": [
"ADVISORY",
"ARTICLE",
"DETECTION",
"DISCUSSION",
"REPORT",
"FIX",
"INTRODUCED",
"GIT",
"PACKAGE",
"EVIDENCE",
"WEB"
]
},
"url": {
"type": "string",
"format": "uri"
}
}
}
},
"related": {
"type": "array",
"items": {
"type": "string"
}
},
"schema_version": {
"type": "string"
},
"severity": {
"$ref": "#/$defs/severity"
},
"summary": {
"type": "string"
},
"withdrawn": {
"$ref": "#/$defs/timestamp"
}
},
"additionalProperties": false,
"$defs": {
"severity": {
"type": [
"array",
"null"
],
"items": {
"type": "object",
"required": [
"type",
"score"
],
"properties": {
"type": {
"type": "string",
"enum": [
"CVSS_V2",
"CVSS_V3",
"CVSS_V4"
]
},
"score": {
"type": "string"
}
}
}
},
"timestamp": {
"type": "string",
"pattern": "[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\\.[0-9]+)?Z",
"format": "date-time"
}
}
}