data duplication in Downstream database records #4243

@i-bs

Describe the bug
When Upstream/Downstream relations in records were introduced, a potential inconsistency appeared: Downstream records should or should not have their own Summary and Description fields.

The OSV-Schema doesn't give explicit guidelines.

If a Downstream record has these fields:

  • Pros:
    • Everything works as expected
  • Cons:
    • Data is duplicated. If the data is different it's undetermined how a user should interpret the difference

If a Downstream record has NONE of these fields:

  • Pros:
    • Database is consistent. Data may be found from the Upstream fields
  • Cons:
    • The record has no Summary and Description, so the database entry is not informative. Also, OSV-Scanner doesn't extract this information.

To Reproduce

  1. https://osv.dev/vulnerability/BELL-CVE-2025-40000 is an example of a record with empty fields.
  2. https://osv.dev/vulnerability/UBUNTU-CVE-2025-40000 is an example where the fields are copied but with messed-up formatting.

Expected behaviour
Consistent database and all the fields available in Downstream records.

Additional context
The best solution I see is:

  1. Propagate the missing info from the Upstream record.
  2. Make apps like OSV-Scanner do the same.
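One way to implement the propagation proposed above, as an added example that is not part of this issue or of the OSV project's code. It assumes OSV's `summary` and `details` JSON fields (the web UI labels them Summary and Description), the schema's `upstream` list of record IDs, and constructed sample records with placeholder IDs; formatting-only differences (the UBUNTU case above) are normalised away, while genuinely different text is reported as a conflict rather than silently overwritten:

```python
import copy

# Constructed sample records, not real OSV data; IDs are placeholders.
UPSTREAM = {
    "id": "CVE-0000-00000",
    "summary": "Out-of-bounds read in example-lib",
    "details": "A crafted input causes example-lib to read past a buffer.",
}
DOWNSTREAM_EMPTY = {"id": "DISTRO-CVE-0000-00000", "upstream": ["CVE-0000-00000"]}
DOWNSTREAM_REFORMATTED = {
    "id": "DISTRO2-CVE-0000-00000",
    "upstream": ["CVE-0000-00000"],
    "summary": "Out-of-bounds  read in\nexample-lib",  # same text, broken whitespace
    "details": "Distro-specific text that diverges from upstream.",
}
DB = {UPSTREAM["id"]: UPSTREAM}  # id -> record lookup, constructed

INHERITED_FIELDS = ("summary", "details")


def _norm(text):
    """Collapse all whitespace so formatting-only copies compare equal."""
    return " ".join(text.split())


def propagate(record, db):
    """Return (filled_record, inherited, conflicts).

    inherited maps each field copied from an upstream record to that record's id.
    conflicts lists (field, upstream_id) pairs where both records carry the field
    but the text differs beyond whitespace; the downstream value is kept as-is.
    The input record is not mutated."""
    filled = copy.deepcopy(record)
    inherited, conflicts = {}, []
    for up_id in record.get("upstream", []):
        up = db.get(up_id)
        if up is None:
            continue  # dangling upstream reference: nothing to inherit
        for field in INHERITED_FIELDS:
            up_val = up.get(field)
            if not up_val:
                continue
            own = filled.get(field)
            if not own:
                filled[field] = up_val
                inherited[field] = up_id
            elif _norm(own) != _norm(up_val):
                conflicts.append((field, up_id))
    return filled, inherited, conflicts
```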
