Skip to content

Add Root as official data source with ROOT-OS and ROOT-APP prefixes #459

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
chait-slim wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add Root as official data source with ROOT-OS and ROOT-APP prefixes #459

chait-slim wants to merge 2 commits into from

Conversation

@chait-slim
Copy link

@chait-slim chait-slim commented Nov 25, 2025
edited
Loading

Root provides security advisories for container images with patched vulnerabilities across multiple ecosystems including Alpine, Debian, Ubuntu, npm, PyPI, and Go modules.

This PR reserves two database-specific prefixes:

  • ROOT-OS-: For OS-level package vulnerabilities (Alpine, Debian, Ubuntu, etc.)
  • ROOT-APP-: For application-level package vulnerabilities (npm, PyPI, Go, etc.)

Root uses existing ecosystems and does not introduce a new ecosystem.

Changes:

  • Add Root to README.md data sources list
  • Add ROOT-OS and ROOT-APP prefix entries to docs/schema.md
  • Update validation/schema.json prefix pattern to include ROOT-OS and ROOT-APP

osv.dev issue
osv.dev PR

@chait-slim chait-slim mentioned this pull request Nov 25, 2025
Open
another-rex
another-rex reviewed Nov 25, 2025
View reviewed changes
Copy link
Collaborator

@another-rex another-rex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! Please update the ecosystems.json file and run ./scripts/update-ecosystem-lists.py to generate the required changes.

README.md
- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
- [Red Hat](https://security.access.redhat.com/data)
- [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv)
- [Root](https://api.root.io/external/osv/all.json)
Copy link
Collaborator

@another-rex another-rex Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be linking to a human readable documentation or webpage.

Copy link
Author

@chait-slim chait-slim Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate on this please? Looking at other entries here like: MinimOS, Chainguard and Echo, it looks like they have the same type of link, but I might be missing the intention here

Copy link
Collaborator

@another-rex another-rex Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not a strict requirement, but most links here links to a readme or intro of some kind that's more human friendly so that if folks are interested in a project, they can click on the link and see what they are and how they are publishing OSVs. If you folks do not have this kind of page, feel free to leave it as is.

@chait-slim
Copy link
Author

chait-slim commented Nov 26, 2025

Thanks for the PR! Please update the ecosystems.json file and run ./scripts/update-ecosystem-lists.py to generate the required changes.

Thanks! updated

another-rex
another-rex approved these changes Dec 8, 2025
View reviewed changes
Copy link
Collaborator

@another-rex another-rex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification, LGTM.

README.md
- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
- [Red Hat](https://security.access.redhat.com/data)
- [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv)
- [Root](https://api.root.io/external/osv/all.json)
Copy link
Collaborator

@another-rex another-rex Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not a strict requirement, but most links here links to a readme or intro of some kind that's more human friendly so that if folks are interested in a project, they can click on the link and see what they are and how they are publishing OSVs. If you folks do not have this kind of page, feel free to leave it as is.

@another-rex
Copy link
Collaborator

another-rex commented Dec 8, 2025

Can you have a look at the DCO check and resolve that, plus the merge conflicts? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@another-rex another-rex another-rex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chait-slim @another-rex