Commit

add initial reference for CGA (chainguard)
Signed-off-by: cpanato <[email protected]>
cpanato committed Jun 6, 2024
1 parent d4b266d commit fc5bb76
Showing 2 changed files with 14 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -3,6 +3,7 @@
This is the repository for the Open Source Vulnerability schema (OSV Schema), which is currently exported by:
- [AlmaLinux](https://github.com/AlmaLinux/osv-database)
- [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
- [Chainguard](https://packages.cgr.dev/chainguard/osv/all.json)
- [Curl](https://curl.se/docs/vuln.json)
- [GitHub Security Advisories](https://github.com/github/advisory-database)
- [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database)
Expand All @@ -26,6 +27,7 @@ Together, these include vulnerabilities from:
- Alpine
- Android
- Bitnami
- Chainguard
- crates.io
- Debian GNU/Linux
- GitHub Actions
12 changes: 12 additions & 0 deletions docs/schema.md
Expand Up @@ -387,6 +387,17 @@ The defined database prefixes and their "home" databases are:
</ul>
</td>
</tr>
<tr>
<td><code>CGA</code></td>
<td><a href="https://packages.cgr.dev/chainguard/osv/all.json">Chainguard Security Notices</a></td>
<td>
<ul>
<li>How to contribute: TBD</li>
<li>Source URL: TBD</li>
<li>OSV Formatted URL: <code>https://packages.cgr.dev/chainguard/osv/&lt;ID&gt;.json</code></li>
</ul>
</td>
</tr>
<tr>
<td>Your database here</td>
<td colspan="2"><a href="https://github.com/ossf/osv-schema/compare">Send us a PR</a></td>
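Review bot: The two `TBD` items in the new `CGA` row ("How to contribute" and "Source URL") leave a consumer with no documented way to report a wrong record or trace one back to its source; fill them in, or link a tracking issue in the row, before this is treated as complete. The "home" database link in the second cell also points at the bulk `all.json` file, the same URL used in README.md, so the row offers no human-readable landing page. The `<ID>` placeholder in the OSV Formatted URL is the only hint about identifier format here; state whether `<ID>` includes the `CGA-` prefix so the per-record URL can be built without guessing.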
Expand Down Expand Up @@ -635,6 +646,7 @@ The defined ecosystems are:
| `Android` | The Android ecosystem. Android organizes code using [`repo` tool](https://gerrit.googlesource.com/git-repo/+/HEAD/README.md), which manages multiple git projects under one or more remote git servers, where each project is identified by its name in [repo configuration](https://gerrit.googlesource.com/git-repo/+/HEAD/docs/manifest-format.md#Element-project) (e.g. `platform/frameworks/base`). The `name` field should contain the name of that affected git project/submodule. One exception is when the project contains the Linux kernel source code, in which case `name` field will be `:linux_kernel:`, followed by an optional SoC vendor name e.g. `:linux_kernel:Qualcomm`. The list of recognized SoC vendors is listed in the [Appendix](#android-soc-vendors) |
| `Bioconductor` | The biological R package ecosystem. The `name` is an R package name. |
| `Bitnami` | Bitnami package ecosystem; the `name` is the name of the affected component. |
| `Chainguard` | The Chainguard package ecosystem; the `name` is the name of the package. |
| `ConanCenter` | The ConanCenter ecosystem for C and C++; the `name` field is a Conan package name. |
| `CRAN` | The R package ecosystem. The `name` is an R package name. |
| `crates.io` | The crates.io ecosystem for Rust; the `name` field is a crate name. |
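Review bot: The new `Chainguard` row says only that `name` is "the name of the package", which does not tell a consumer which package format or index that name resolves against; neighbouring rows are specific ("a Conan package name", "a crate name"). Name the package type so that matching a record to an installed package is unambiguous. This commit touches only README.md and docs/schema.md, so if the ecosystem and ID-prefix lists are also kept in a machine-readable form used for validation, `Chainguard` and `CGA` need adding there as well.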

0 comments on commit fc5bb76
