Requesting for New datasource: CleanStart Security Advisory

[cleanstart-community-admin]

Hello there,
OSV.

CleanStart is (https://www.cleanstart.com/) comprehensive software supply chain security solution designed to address the most critical challenges facing modern container deployments. At its core, CleanStart provides hardened, vulnerability-free container images built on our proprietary glibc-compatible base.

‍CleanStart provides comprehensive security advisories for zero-day vulnerabilities, delivering clear, actionable information that enables informed response decisions. These advisories include multiple information elements including vulnerability description, affected components, exploitation status, actual risk assessment, available mitigations, and remediation guidance with complete details rather than vague summaries.

We are looking forward to contribute to global vulnerability data. On behalf of the company, I am requesting to have CleanStart as recognized ecosystem in OSV database, and guide us to contribute as per the OSV standard.

Ecosystem: CLEANSTART
ID Format: CLEANSTART-YYYY-AZNNNNN
CleanStart Security Advisory Repository: https://github.com/cleanstart-dev/cleanstart-security-advisories
CleanStart Community Images: https://hub.docker.com/u/cleanstart

Thank you,
CleanStart Security.
https://www.cleanstart.com/

Status check of actionable items:

• [Done] Prepare your data - refer to the OSV Schema documentation for information on how to properly format the data so it can be accepted.

• [PR Sent] Create a PR to reserve an ID prefix and define a new ecosystem (example). We review the records you start publishing for OSV Schema correctness and quality as part of reviewing and merging this PR.

• [Done] Prepare and publish your records via a Git repository (example). If this method isn’t ideal, we also support publishing records from REST API endpoints or through a GCS bucket(example).

• To support API querying, please create a PR to extend purl_helpers.py and create a new ecosystem in _ecosystems.py. You can refer to existing examples showing how to implement support for Semver and non-Semver ecosystems.

• Create a PR to start importing the records you are publishing into our test instance of OSV.dev and validate everything is working as intended there.

• Create a PR to start importing the records you are publishing into our production environment

[cleanstart-community-admin]

May I get any update on the request generated above?

[another-rex]

Please link the PRs sent to this issue (or from this issue).

[PR Sent] Create a PR to reserve an ID prefix and define a new ecosystem (ossf/osv-schema#219). We review the records you start publishing for OSV Schema correctness and quality as part of reviewing and merging this PR.

I'm not seeing this PR?

CleanStart Security Advisory Repository: https://github.com/cleanstart-dev/cleanstart-security-advisories

Thanks! Looks pretty good, just one change, instead of putting the CVE and PSF records in aliases, they should go in the upstream field. You can also safely exclude the Bitnami records from the alias field (or keep them, both should compute to the same result).

[cleanstart-community-admin]

Hello @another-rex ,
From CleanStart we appreciate your efforts for the review and reply.

Please find PR as requested: ossf/osv-schema#447

Also we have updated the CleanStart Security Advisory Repository as per your suggestions. Please find it at https://github.com/cleanstart-dev/cleanstart-security-advisories

Please review our request again, and revert.

Thank you,
CleanStart Security.

[cleanstart-community-admin]

May I get any update on the changes made as requested?

[cuixq]

Hi @cleanstart-community-admin ! @another-rex is currently OOO and expect to be back next week - your changes will be reviewed once he is back.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

[cleanstart-community-admin]

We are currently working on the required changes to support API querying as discussed. A PR has already been created to extend purl_helpers.py and add the new ecosystem in _ecosystems.py.

ossf/osv-schema#474

We are currently waiting for your approval on this PR. Once it is approved, we will proceed with creating the JSON files according to your guidelines and expectations.

Kindly review and approve the PR so we can move forward.

[cleanstart-community-admin]

@another-rex ossf/osv-schema#474 is merged now. thank you for reviewing it.

Meanwhile, please review the OSV files generated on our packaging system at https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2025 . Do you need to review them? We are in the process to generate 100+ advisories for OSV.

Now, reviewing "Status check of actionable items", I found 4th, 5th and 6th are pending. Please help me out on how do we take the steps?

[another-rex]

Had a quick look at the advisories, there's a few issues:

• Instead of aliases, it should be using the upstream field to specify that these are upstream vulnerabilities.
  • Should be as simple as replacing "aliases" with "upstream"
• OSV IDs are case sensitive, so GHSA-f6x5-jh6r-wrfv needs to be GHSA-f6x5-jh6r-wrfv to be valid.
• These links 404, I don't think nvd contains any GHSAs: https://nvd.nist.gov/vuln/detail/GHSA-F6X5-JH6R-WRFV
• These links also have case sensitivity issues on the GHSA as well: https://osv.dev/vulnerability/GHSA-J5W8-Q4QC-RX2X
• The purls technically are not valid, as Cleanstart is not a valid type.
  • I suggest just removing the purl from the record, as we don't actually need it to match anything.
  • Unless it's something people are commonly using to query?

Now, reviewing "Status check of actionable items", I found 4th, 5th and 6th are pending. Please help me out on how do we take the steps?

4. If the purl is removed, you can skip the purl helper step. You would still need to add an entry to _ecosystems.py to define how versions are compared. Is it similar/identical to alpine versions? If so you can just use the APK class (like Alpaquita for example)
5. Should be pretty quick, just copy an entry (suggest the GHSA entry, as they also use git) in https://github.com/google/osv.dev/blob/master/source_test.yaml and fill out the fields with the relevant links. (type: 0 is git repos).
6. Copy and paste it into the source.yaml file.

Let me know if you have any additional questions!

[cleanstart-community-admin]

Dear @another-rex ,
Thank you for your review.
We have fixed the parts on our advisory repositories. Feel free to review at https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2025

FYI, Regarding 4,5,6 points, we have generated PR, but it has failed due to google-CLA mismatch.
Refer: #4627 .
We have singed CLA from another email id, than we are using in GitHub. We are working on it. Hopefully we can fix it in a day or so.