Requesting for New datasource: CleanStart Security Advisory

[cleanstart-community-admin]

Hello there,
OSV.

CleanStart is (https://www.cleanstart.com/) comprehensive software supply chain security solution designed to address the most critical challenges facing modern container deployments. At its core, CleanStart provides hardened, vulnerability-free container images built on our proprietary glibc-compatible base.

‍CleanStart provides comprehensive security advisories for zero-day vulnerabilities, delivering clear, actionable information that enables informed response decisions. These advisories include multiple information elements including vulnerability description, affected components, exploitation status, actual risk assessment, available mitigations, and remediation guidance with complete details rather than vague summaries.

We are looking forward to contribute to global vulnerability data. On behalf of the company, I am requesting to have CleanStart as recognized ecosystem in OSV database, and guide us to contribute as per the OSV standard.

Ecosystem: CLEANSTART
ID Format: CLEANSTART-YYYY-AZNNNNN
CleanStart Security Advisory Repository: https://github.com/cleanstart-dev/cleanstart-security-advisories
CleanStart Community Images: https://hub.docker.com/u/cleanstart

Thank you,
CleanStart Security.
https://www.cleanstart.com/

Status check of actionable items:

• [Done] Prepare your data - refer to the OSV Schema documentation for information on how to properly format the data so it can be accepted.

• [PR Sent] Create a PR to reserve an ID prefix and define a new ecosystem (example). We review the records you start publishing for OSV Schema correctness and quality as part of reviewing and merging this PR.

• [Done] Prepare and publish your records via a Git repository (example). If this method isn’t ideal, we also support publishing records from REST API endpoints or through a GCS bucket(example).

• To support API querying, please create a PR to extend purl_helpers.py and create a new ecosystem in _ecosystems.py. You can refer to existing examples showing how to implement support for Semver and non-Semver ecosystems.

• Create a PR to start importing the records you are publishing into our test instance of OSV.dev and validate everything is working as intended there.

• Create a PR to start importing the records you are publishing into our production environment

[cleanstart-community-admin]

May I get any update on the request generated above?

[another-rex]

Please link the PRs sent to this issue (or from this issue).

[PR Sent] Create a PR to reserve an ID prefix and define a new ecosystem (ossf/osv-schema#219). We review the records you start publishing for OSV Schema correctness and quality as part of reviewing and merging this PR.

I'm not seeing this PR?

CleanStart Security Advisory Repository: https://github.com/cleanstart-dev/cleanstart-security-advisories

Thanks! Looks pretty good, just one change, instead of putting the CVE and PSF records in aliases, they should go in the upstream field. You can also safely exclude the Bitnami records from the alias field (or keep them, both should compute to the same result).

[cleanstart-community-admin]

Hello @another-rex ,
From CleanStart we appreciate your efforts for the review and reply.

Please find PR as requested: ossf/osv-schema#447

Also we have updated the CleanStart Security Advisory Repository as per your suggestions. Please find it at https://github.com/cleanstart-dev/cleanstart-security-advisories

Please review our request again, and revert.

Thank you,
CleanStart Security.

[cleanstart-community-admin]

May I get any update on the changes made as requested?

[cuixq]

Hi @cleanstart-community-admin ! @another-rex is currently OOO and expect to be back next week - your changes will be reviewed once he is back.