From: Ed Maste
Date: Wed, 6 Aug 2025 09:49:12 -0400
Subject: RFC: Adopting OSV for Vulnerability Database
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, freebsd-ports@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello everyone,

The Foundation has been evaluating the benefits of migrating FreeBSD vulnerability data from our bespoke VuXML format to an industry-recognized format. Such a migration would involve some new workflows, tools, processes, and documentation, so I'm sharing this proposal for comments.

Adopting an industry-recognized format offers significant benefits, as it simplifies how external parties can consume and utilize FreeBSD vulnerability data, and allows us to manage data with a broader range of existing upstream tools, reducing the need for custom development. Providing vulnerability data in a standard format increases the security of the FreeBSD ecosystem by facilitating seamless consumption by a wider array of security tools and services, which will accelerate the detection and mitigation of threats for all users of FreeBSD and its derivatives.
Proposed Standard: OSV (Open Source Vulnerability) [1]

After evaluating available vulnerability standards, we recommend adopting OSV for the following reasons:

- Broad Industry Support: OSV is supported by organizations of all sizes, including AlmaLinux, Android, Debian, GIT, Go, PyPI, and Red Hat.
- Existing OSV Databases: Several organizations already generate OSV-compatible vulnerability databases.
- Independent Adoption: Organizations don't need to be under the Open Source Vulnerability Database (OSV) umbrella, though there may be future benefits to joining.
- Seamless Data Conversion: Bidirectional conversion is possible between VuXML and OSV, without loss of metadata.

Implementation Considerations

Proof of Concept

A proof-of-concept implementation is underway, showcasing various ID-tag examples and potential database arrangements. Ideas for database structure are drawn from projects like the PyPI (Python Package Index) vulnerability database and the openSUSE OSV index.

Repository [2]: You can explore the implementation and different ideas in the README.md of this repository: https://github.com/illuusio/vuln-test. This is intended to spark discussion.

Alternative Standards Considered

We considered other standards but did not pursue them due to their limitations in meeting our expected needs:

- CSAF (Common Security Advisory Framework): While backed by OASIS and entities like CISA and Red Hat, CSAF is more complex to implement (e.g., file signing requirements) and has less mature tooling. While OSV and CSAF aren't mutually exclusive, implementing an OSV database first is significantly easier.
- OpenVEX (simplified Vulnerability Exploitability eXchange implementation): Different purpose - used to indicate that a vulnerability does not apply in a certain configuration (for example, a feature that is not enabled at compile time).

Next Steps

We've opened a pull request adding an OSV parser to FreeBSD pkg [3].
We would appreciate your feedback and questions on the following:

- The choice of OSV as the standard for FreeBSD vulnerability data.
- The current proof-of-concept implementation approach.
- Any concerns or suggestions for the proposed migration.

Your input will help us refine the implementation before submitting the necessary changes to the FreeBSD tree.

Thanks in advance for your time and consideration.

Ed Maste

[1] OSV Schema: https://ossf.github.io/osv-schema/
[2] OSV FreeBSD POC repo: https://github.com/illuusio/vuln-test
[3] pkg(8) Parser PR: There's an existing pkg(8) parser pull request: https://github.com/freebsd/pkg/pull/2453
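As an illustration of the VuXML-to-OSV conversion the proposal relies on, here is an added example (not code from the Foundation's proof-of-concept or from pkg) that maps one VuXML <vuln> entry to an OSV record. The ecosystem string and the "FBSD-" ID prefix are assumptions, and the sample entry, its vid and its CVE alias are constructed placeholders.

```python
"""Map a VuXML <vuln> entry to an OSV record (added example, not the POC's code)."""
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/2005/vuxml"
ECOSYSTEM = "FreeBSD:ports"  # assumption: the real ecosystem name is still to be decided
ID_PREFIX = "FBSD-"          # assumption: one possible ID-tag scheme, not the chosen one

# Constructed sample; the vid and CVE number are obvious placeholders, not real IDs.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/2005/vuxml">
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>example -- constructed test entry</topic>
  <affects>
    <package><name>example</name><name>example-devel</name>
      <range><ge>1.0</ge><lt>1.2</lt></range>
      <range><lt>0.9_3</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-0000-00000</cvename>
    <url>https://example.invalid/advisory</url>
  </references>
  <dates><entry>2025-08-01</entry><modified>2025-08-06</modified></dates>
</vuln>
</vuxml>"""


def _q(tag):
    return f"{{{VUXML_NS}}}{tag}"


def vuln_to_osv(vuln):
    """A VuXML range with no <ge> has no lower bound; OSV writes that as introduced "0".
    <lt> becomes an OSV "fixed" event and <le> becomes "last_affected"."""
    refs, dates = vuln.find(_q("references")), vuln.find(_q("dates"))
    affected = []
    for pkg in vuln.find(_q("affects")).findall(_q("package")):
        ranges = []
        for r in pkg.findall(_q("range")):
            events = [{"introduced": r.findtext(_q("ge"), "0")}]
            if r.find(_q("lt")) is not None:
                events.append({"fixed": r.findtext(_q("lt"))})
            elif r.find(_q("le")) is not None:
                events.append({"last_affected": r.findtext(_q("le"))})
            ranges.append({"type": "ECOSYSTEM", "events": events})
        # one VuXML <package> may carry several <name>s; OSV wants one entry per package
        for name in pkg.findall(_q("name")):
            affected.append({"package": {"ecosystem": ECOSYSTEM, "name": name.text},
                             "ranges": ranges})
    entry = dates.findtext(_q("entry"))
    return {"schema_version": "1.6.0", "id": ID_PREFIX + vuln.get("vid"),
            "published": entry + "T00:00:00Z",
            "modified": (dates.findtext(_q("modified")) or entry) + "T00:00:00Z",
            "aliases": [c.text for c in refs.findall(_q("cvename"))],
            "summary": vuln.findtext(_q("topic")), "affected": affected,
            "references": [{"type": "WEB", "url": u.text} for u in refs.findall(_q("url"))]}


def convert(vuxml_text):
    """Convert every <vuln> in a VuXML document to a list of OSV dicts."""
    return [vuln_to_osv(v) for v in ET.fromstring(vuxml_text).findall(_q("vuln"))]
```

Serialising each returned dict with json.dumps yields one OSV JSON file per entry, the layout the OSV-based databases mentioned above use.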