@chait-slim chait-slim commented Nov 25, 2025

Relevant tickets for reference:
#4396 (comment)
#3937

google-cla bot commented Nov 25, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Contributor

These source and source_test.yaml should be done in separate PRs, as they are imported immediately after being merged.

Contributor Author

Done. The other PR: #4548

@chait-slim chait-slim mentioned this pull request Dec 23, 2025
another-rex previously approved these changes Dec 28, 2025

@another-rex another-rex left a comment

Thanks!

@another-rex

/gcbrun

@another-rex

Please have a look at the linting errors. (You can run this locally with make lint)

@another-rex

Also, tests seem to be failing:

OK
+ poetry run python -m unittest osv.purl_helpers_test
.F
======================================================================
FAIL: tests_package_to_purl (osv.purl_helpers_test.PurlHelpersTest.tests_package_to_purl)
Test PURL generation.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/workspace/osv/purl_helpers_test.py", line 140, in tests_package_to_purl
    self.assertEqual('pkg:generic/root/%40root%2Flodash',
    ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                     purl_helpers.package_to_purl('Root', '@root/lodash'))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: 'pkg:generic/root/%40root%2Flodash' != 'pkg:generic/root/%40root/lodash'
- pkg:generic/root/%40root%2Flodash
?                         ^^^
+ pkg:generic/root/%40root/lodash
?                         ^

You can run it locally with poetry run python -m unittest osv.purl_helpers_test, or with make all-tests.

chait-slim commented Dec 29, 2025

@another-rex

  1. Fixed lint issues (ran make lint locally to verify)
  2. Fixed failing tests (ran make all-tests locally). This required a change in the purl_helpers.py file. The issue is that Root is the first ecosystem with a namespace + slash in the PURL.
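
The two strings in the failing assertion earlier in this thread differ only in whether the slash inside the package name is percent-encoded. The following is an added example, not code from osv.dev's purl_helpers.py: `to_purl`, `split_purl` and `round_trips` are hypothetical helpers, and the parser is a simplified one that ignores version, qualifiers and subpath. It shows that a consumer splitting on `/` recovers a different namespace and name for the two forms.

```python
from urllib.parse import quote, unquote

# Prefix copied from the failing assertion quoted in this thread.
ROOT_PREFIX = "pkg:generic/root/"


def to_purl(package_name, encode_slash):
    """Hypothetical helper: prefix + percent-encoded package name.

    quote() treats '/' as safe by default, so a slash inside the name
    survives unless safe='' is passed.
    """
    return ROOT_PREFIX + quote(package_name, safe="" if encode_slash else "/")


def split_purl(purl):
    """Simplified PURL split; version, qualifiers and subpath are not handled.

    The last '/'-separated segment is the name, the segments between the
    type and the name form the namespace. Each segment is decoded after
    splitting, so an encoded %2F stays inside its segment.
    """
    scheme, _, rest = purl.partition(":")
    segments = rest.split("/")
    if scheme != "pkg" or len(segments) < 2 or not all(segments):
        raise ValueError(f"not a well-formed purl: {purl!r}")
    purl_type = segments[0]
    namespace = "/".join(unquote(s) for s in segments[1:-1])
    name = unquote(segments[-1])
    return purl_type, namespace, name


def round_trips(package_name, encode_slash):
    """True if parsing the generated PURL yields the original package name."""
    _, _, name = split_purl(to_purl(package_name, encode_slash))
    return name == package_name


if __name__ == "__main__":
    pkg = "@root/lodash"  # package name from the test on this page
    for encode_slash in (True, False):
        purl = to_purl(pkg, encode_slash)
        print(purl, split_purl(purl), round_trips(pkg, encode_slash))
```

With the slash left unencoded, the parsed identity becomes name `lodash` under namespace `root/@root`, so advisory matching keyed on the parsed name would no longer line up with the package `@root/lodash`.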

@chait-slim

Opened:
#4558
#4559
For the source files as requested

@another-rex another-rex left a comment

LGTM

@another-rex

/gcbrun

@chait-slim

@another-rex I see tests failing but not sure how to see which are failing and why, since locally make all-tests passed

another-rex pushed a commit to ossf/osv-schema that referenced this pull request Dec 30, 2025
…459)

Root provides security advisories for container images with patched
vulnerabilities across multiple ecosystems including Alpine, Debian,
Ubuntu, npm, PyPI, and Go modules.

This PR reserves two database-specific prefixes:
- ROOT-OS-: For OS-level package vulnerabilities (Alpine, Debian,
Ubuntu, etc.)
- ROOT-APP-: For application-level package vulnerabilities (npm, PyPI,
Go, etc.)

Root uses existing ecosystems and does not introduce a new ecosystem.

Changes:
- Add Root to README.md data sources list
- Add ROOT-OS and ROOT-APP prefix entries to docs/schema.md
- Update validation/schema.json prefix pattern to include ROOT-OS and
  ROOT-APP

[osv.dev issue](google/osv.dev#4396 (comment))
[osv.dev PR](google/osv.dev#4397)

Co-authored-by: Chai Tadmor <chai.tadmor@root.io>

@another-rex

All good, it's just we haven't updated the schema yet. I've merged the osv-schema PR in and I'll update it on this repo, which should fix this.

@jess-lowe

/gcbrun

@jess-lowe

/gcbrun

@jess-lowe

/gcbrun

@jess-lowe jess-lowe merged commit be7af62 into google:master Jan 4, 2026
20 checks passed
jess-lowe added a commit that referenced this pull request Jan 4, 2026
Should be merged after: #4397

---------

Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
Co-authored-by: Chai Tadmor <chai.tadmor@root.io>
Co-authored-by: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
@michaelkedar michaelkedar mentioned this pull request Jan 6, 2026