Records on osv.dev do not meet the published json-schema

Open dmeecs opened this issue 6 months ago • 2 comments

Describe the bug

I have noticed quite a number of records, particularly the openSUSE records, do not conform to the published json schema.

For the openSUSE ecosystem on osv.dev I have found around 3,600 records fail the published json schema because the 'URL' field is missing. There are only ~10,0000, so this is impacting a large fraction of records for openSUSE.

To Reproduce

For example, here is an openSUSE OSV record that has a 'reference' with 'ADVISORY' present but no URL is provided, as required per the schema, following the schema validation methods here https://github.com/ossf/osv-schema/tree/main/validation

$ curl https://raw.githubusercontent.com/ossf/osv-schema/refs/heads/main/validation/schema.json -o schema.json
$ curl https://api.osv.dev/v1/vulns/openSUSE-SU-2024:14510-1 -o record.json
$ check-jsonschema --schemafile schema.json record.json

Schema validation errors were encountered.
  record.json::$.references[0]: 'url' is a required property

Expected behaviour

I had hoped all the records published on osv.dev followed the published specification. Am I maybe missing something?

dmeecs, Jul 13 '25 17:07
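A batch version of the check reported above, as an added example that is not part of the original issue or of OSV.dev's tooling: it flags `references` entries with no `url` and counts failing records per ID prefix, so a consumer can quarantine them before ingestion. The sample records and the function names `reference_errors` and `triage` are constructed for illustration, and the empty-string check is an extra local rule, stricter than the "required property" error shown in the report.

```python
import json
from collections import Counter

# Constructed sample records (not real osv.dev data); the IDs are placeholders.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-SU-0001", "references": [{"type": "ADVISORY"}]},
    {"id": "EXAMPLE-SU-0002", "references": [
        {"type": "ADVISORY", "url": "https://example.org/advisory/2"},
        {"type": "WEB", "url": ""}]},
    {"id": "EXAMPLE-SU-0003", "references": [
        {"type": "ADVISORY", "url": "https://example.org/advisory/3"}]},
    {"id": "OTHER-0001"},  # no references at all: nothing to check
]

def reference_errors(record):
    """Return JSON-path style errors for references entries lacking a usable url."""
    refs = record.get("references", [])
    if not isinstance(refs, list):
        return ["$.references: expected an array"]
    errors = []
    for i, ref in enumerate(refs):
        path = f"$.references[{i}]"
        if not isinstance(ref, dict):
            errors.append(f"{path}: expected an object")
        elif "url" not in ref:
            errors.append(f"{path}: 'url' is a required property")
        # Extra local rule (assumption): treat an empty or non-string url as unusable.
        elif not isinstance(ref["url"], str) or not ref["url"].strip():
            errors.append(f"{path}.url: expected a non-empty string")
    return errors

def triage(records):
    """Return ({record id: errors}, {id prefix: (failing, total)})."""
    failures, totals, failing = {}, Counter(), Counter()
    for rec in records:
        rec_id = str(rec.get("id", "<no id>"))
        prefix = rec_id.split("-", 1)[0]  # e.g. "openSUSE" for openSUSE-SU-... ids
        totals[prefix] += 1
        errs = reference_errors(rec)
        if errs:
            failures[rec_id] = errs
            failing[prefix] += 1
    return failures, {p: (failing[p], totals[p]) for p in totals}

if __name__ == "__main__":
    failures, summary = triage(SAMPLE_RECORDS)
    print(json.dumps(failures, indent=2))
    for prefix, (bad, total) in sorted(summary.items()):
        print(f"{prefix}: {bad}/{total} records fail the references check")
```
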

:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:

Please review our FAQ entry on how to most efficiently have this addressed.

github-actions[bot], Jul 13 '25 23:07

Hi, thanks for reporting!

We have JSON schema validation, but haven't really used the results to notify upstream maintainers. We are currently developing OSV-linter to improve our data quality. For this issue, I will reach out to SUSE people. I will update here once fixes have been made.

hogo6002, Jul 15 '25 00:07