Support openEuler datasource

[kirigiricloud]

Hi all,

I'm from openEuler security team. We're an open source community aiming to build a secure and trusted linux distro. We're currently building our security database and exporting security advisories in OSV Schema.

[Edit] Full advisories are now in the openEuler repo: https://repo.openeuler.org/security/data/osv/

We would like OSV to validate and ingest our data, and we're ready to discuss the remaining onboarding steps.

Thanks for your consideration! Any suggestions would be greatly appreciated.

Tony

• Prepare your data - refer to the OSV Schema documentation for information on how to properly format the data so it can be accepted.

• Create a PR to reserve an ID prefix and define a new ecosystem (example). We review the records you start publishing for OSV Schema correctness and quality as part of reviewing and merging this PR. [add openEuler ecosystem ossf/osv-schema#358]

• Prepare and publish your records via a Git repository (example). If this method isn’t ideal, we also support publishing records from REST API endpoints or through a GCS bucket(example). (https://repo.openeuler.org/security/data/osv/)

• To support API querying, please create a PR to extend purl_helpers.py and create a new ecosystem in _ecosystems.py. You can refer to existing examples showing how to implement support for Semver and non-Semver ecosystems. [feat: support openeuler ecosystem #3777 ]

• Create a PR to start importing the records you are publishing into our test instance of OSV.dev and validate everything is working as intended there. [feat: add openEuler to test environment #3779 ]

• Create a PR to start importing the records you are publishing into our production environment [feat: add openEuler to production environment #3778 ]

[hogo6002]

Thanks for contributing! We'll take some time to review the schema change PR. Please let us know if you encounter any issues with the data source adding process.

[kirigiricloud]

Thanks for contributing! We'll take some time to review the schema change PR. Please let us know if you encounter any issues with the data source adding process.

Hi! @hogo6002 @oliverchang

Thanks for reviewing and merging the schema PR, and sorry for the late update. We've just finished testing and our OSV data is now live at https://repo.openeuler.org/security/data/osv/

I've also submitted the remaining PRs. Could you take a look when you get a chance? Thanks!

[another-rex]

Hello, looking at the records in the test instance, we found a few validation errors:

One is that there are a bunch of range entries that are empty, see : https://repo.openeuler.org/security/data/osv/OESA-2025-1068.json

[another-rex]

We are also noticing that there are a bunch of records returned in the all.json endpoint, that does not exist when we try and query them. E.g.

OESA-2025-1991 shows up in all.json, but 404s when we try this link:

https://repo.openeuler.org/security/data/osv/OESA-2025-1991.json

[kirigiricloud]

Hello, looking at the records in the test instance, we found a few validation errors:

One is that there are a bunch of range entries that are empty, see : https://repo.openeuler.org/security/data/osv/OESA-2025-1068.json

Hi there,

Thanks for the feedback and for merging the PRs! There were some issues with the OSV advisories generation tool and publish system - sorry for the chaos this caused.

I've updated the files mentioned and the issues have been resolved. If anything else comes up, feel free to reach out to me again.

[another-rex]

FYI you can see the records populated here in our test instance now: https://test.osv.dev/list?ecosystem=openEuler , please take a look to see if everything looks good to you!

[kirigiricloud]

Hello,

Thanks for the update! The openEuler records in the test instance look good to me. We published some new records last Friday and they're showing up correctly.

We noticed the display issues mentioned in #3812. It seems fixed in #3813 for openEuler now, but the GIT ecosystem records still persist just FYI. For example, CVE-2025-8800.