Comments (7)
Hi @pombredanne , just following up on this issue.
Our data is now available at https://github.com/google/oss-fuzz-vulns under the CC-BY-4.0 License.
Users can also submit changes to these files and have them reflect in OSV (i.e. they are the source of truth).
from osv.dev.
As part of #44 the source of truth for our data will live in various repos.
If that repo happens to be part of OSV / OSS-Fuzz / Something else controlled by us, it'll be whatever license that repo is licensed under, which is most likely Apache 2.0.
Would that work for you?
from osv.dev.
As part of #44 the source of truth for our data will live in various repos.
If that repo happens to be part of OSV / OSS-Fuzz / Something else controlled by us, it'll be whatever license that repo is licensed under, which is most likely Apache 2.0.
Would that work for you?
Thanks. Any license is better than no license, Apache is fine, although not a license designed for data and therefore likely not the best pick. As for the API-accessible data today, what would the license be?
BTW, your API requires an API key but your web site does not. So why an extra layer of auth? Implicitly you are encouraging users (me) to build a web scraper rather than to use your API to avoid the hassle of API key management.
from osv.dev.
Thanks. Any license is better than no license, Apache is fine, although not a license designed for data and therefore likely not the best pick. As for the API-accessible data today, what would the license be?
I don't know the answer for the API-accessible data. I can find out and get back to you. I don't expect this to be an issue.
BTW, your API requires an API key but your web site does not. So why an extra layer of auth? Implicitly you are encouraging users (me) to build a web scraper rather than to use your API to avoid the hassle of API key management.
Thanks for the feedback.
The API key requirement is an unfortunate requirement but it's necessary for the higher QPS allowed by the API and to prevent abuse. The web UI has a lower QPS and serves a different purpose. The web UI primary serves the pagination/search and viewing individual Vulnerability data by a human while the API is mostly for querying by commit or version for automation.
from osv.dev.
Thanks. Any license is better than no license, Apache is fine, although not a license designed for data and therefore likely not the best pick. As for the API-accessible data today, what would the license be?
I don't know the answer for the API-accessible data. I can find out and get back to you. I don't expect this to be an issue.
Following up on this, may I recommend just waiting for our officially supported data dump (#44) to starting dumping OSS-Fuzz vulnerabilities? The license will also likely be something that's friendly for datasets. This will be available very soon.
from osv.dev.
Following up on this, may I recommend just waiting for our officially supported data dump (#44) to starting dumping OSS-Fuzz vulnerabilities? The license will also likely be something that's friendly for datasets. This will be available very soon.
@oliverchang sure thing and thank you for the reply. We have had a pending ticket to include and scrape OSS-Fuzz data for about 1.5 years at nexB/vulnerablecode#117 so we can wait alright and there is no rush!
We will not write a scraper for now.
from osv.dev.
@oliverchang Thank you ++ for following through! I am closing this then. We will report any issues we face and find.
from osv.dev.
Related Issues (20)
- CVE-2022-30187 is not reported for java and Python SDKs HOT 3
- Does OSV report vulns in PHP? HOT 2
- CVE-2023-48023 is missing for ray (Python) HOT 4
- "Unable to get vulns for dependencies in 30076ms: timeout" HOT 10
- Data quality issue with CVE-2023-50298 HOT 2
- Add a link to OSV.dev docs on the top bar of osv.dev.
- Separate out OSS-Fuzz bisection infrastructure.
- Regular releases of the osv PyPI package
- Missing aliases in some OSV records HOT 5
- API timed out again HOT 2
- Parity mismatch between API and zip HOT 5
- Improve exporter performance
- Data quality issue with CVE-2020-27388 HOT 1
- Incorrect separator in package name in Packagist ecosystem HOT 2
- Details Page Does Not Display Vulnerability Summary HOT 2
- OSS-Fuzz bisection: comment on issue with results
- Surface all OSV schema fields on vulnerability details. HOT 3
- Add `osv-scanner fix` and GitHub actions to osv.dev home page. HOT 4
- Support Maven registries in OSV entries
- Mageia vulnerabilities available in OSV HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from osv.dev.