Add BellSoft Alpaquita and Hardened Containers ecosystems by i-bs · Pull Request #347 · ossf/osv-schema

i-bs · 2025-04-10T16:00:20Z

No description provided.

oliverchang

Thanks! Just a clarifying question

oliverchang · 2025-04-15T23:35:41Z

docs/schema.md

 | `AlmaLinux` | AlmaLinux package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular AlmaLinux release. `<RELEASE>` is a numeric version. |
 | `Alpine` | The Alpine package ecosystem; the `name` is the name of the source package. The ecosystem string must have a `:v<RELEASE-NUMBER>` suffix to scope the package to a particular Alpine release branch (the `v` prefix is required). E.g. `v3.16`. |
 | `Android` | The Android ecosystem. Android organizes code using [`repo` tool](https://gerrit.googlesource.com/git-repo/+/HEAD/README.md), which manages multiple git projects under one or more remote git servers, where each project is identified by its name in [repo configuration](https://gerrit.googlesource.com/git-repo/+/HEAD/docs/manifest-format.md#Element-project) (e.g. `platform/frameworks/base`). The `name` field should contain the name of that affected git project/submodule. One exception is when the project contains the Linux kernel source code, in which case `name` field will be `:linux_kernel:`, followed by an optional SoC vendor name e.g. `:linux_kernel:Qualcomm`. The list of recognized SoC vendors is listed in the [Appendix](#android-soc-vendors) |
+| `BellSoft` | BellSoft Alpaquita Linux package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Alpaquita Linux release. `<RELEASE>` is a numeric version. |


Is there some documentation we can point to regarding <RELEASE> ? I couldn't find any references to release numbers on https://bell-sw.com/pages/downloads/alpaquita/ or https://bell-sw.com/alpaquita-containers/#docker-hub-images

@oliverchang , thank you for this spot I overlooked. I fixed the description.

Alpaquita Linux has (rolling) Stream and LTS (currently 23-lts) releases.

And you can find the list of Alpaquita releases:

given https://docs.bell-sw.com/security/search/ has the drop-down list;

https://bell-sw.com/pages/downloads/alpaquita/ has download links
and a FAQ answer about the two.

Hope it helps. Thanks.

@oliverchang , anything else I need to do to improve this PR?

thanks.

Thanks for the explanation, can you add an example release name to the doc as well, otherwise it looks good to me!

+1 please include an example release name and/or a link to an authoritative list of the pretty names.

For example, is it "BellSoft:23 LTS", or "BellSoft:LTS" or "BellSoft:23-lts" or some other variation? Similarly, "BellSoft:stream" or "BellSoft:Stream" ?

another-rex · 2025-04-28T01:12:18Z

Sorry for the delay! There's some issues pointed out by the workflows, specifically:

You need to run: python3 ./scripts/update-ecosystems-lists.py
Sign your commits, see the DCO failing check for instructions.

the osv-linter unit test seems to be an issue on our end, I'll ask someone to have a look.

oliverchang · 2025-04-29T03:18:33Z

Also apologies for the delay on this -- our team has been busy with travel in the past few weeks.

andrewpollock · 2025-05-12T06:42:35Z

@i-bs if you're able to address the things pointed out by @another-rex this should be good to merge

i-bs · 2025-05-12T07:03:12Z

Greetings, Andrew, Oliverr! sorry for the delay. We are preparing things for tracking more of our products. I'll push the updated commits soon. Thanks for heads up!

i-bs · 2025-06-03T09:31:52Z

Greetings!
I'm back with the new/updated contents. Please, have a look.
In addition to the links I gave before, there are some more:

Thank you

oliverchang · 2025-06-03T11:12:31Z

ecosystems.json

  "GitHub Actions": "The GitHub Actions ecosystem; the `name` field is the action's repository name with owner e.g. `{owner}/{repo}`.",
  "Go": "The Go ecosystem; the `name` field is a Go module path.",
  "Hackage": "The Haskell package ecosystem. The `name` field is a Haskell package name as published on Hackage.",
+  "Hardened Containers": "BellSoft Hardened Containers package ecosystem; the `name` is the name of the source package. The ecosystem string has a `:<RELEASE>` suffix to scope the package to a particular Hardened Containers release. `<RELEASE>` is the id of the particular Hardened Containers release. Examples: `Hardened Containers:23`, `Hardened Containers:stream`.",


"Hardened Containers" seems rather general.

Could we qualify this with "Bellsoft"? i.e. "BellSoft Hardened Containers" ?

Could we qualify this with "Bellsoft"? i.e. "BellSoft Hardened Containers" ?

Yes, changes applied.

Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>

i-bs · 2025-06-16T17:05:26Z

Greetings!
Is there anything to be done for this PR? Thanks

Includes: * 1.6.6: ossf/osv-schema#276 * 1.6.7: nothing * 1.7.0: ossf/osv-schema#312 ossf/osv-schema#319 ossf/osv-schema#337 * 1.7.1: nothing * 1.7.2: ossf/osv-schema#351 ossf/osv-schema#347 ossf/osv-schema#358 * 1.7.3: ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 ossf/osv-schema#357

Includes: * 1.7.0: ossf/osv-schema#312 (`upstream` field) ossf/osv-schema#319 ossf/osv-schema#337 (`Ubuntu` as `severity` score) * 1.7.1: nothing * 1.7.2: ossf/osv-schema#351 ossf/osv-schema#347 ossf/osv-schema#358 * 1.7.3: ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 ossf/osv-schema#357

Includes: * 1.7.0: * ossf/osv-schema#312 (`upstream` field) * ossf/osv-schema#319 * ossf/osv-schema#337 (`Ubuntu` as `severity` score) * 1.7.1: nothing * 1.7.2: * ossf/osv-schema#351 * ossf/osv-schema#347 * ossf/osv-schema#358 * 1.7.3: * ossf/osv-schema#394 * 1.7.4: ossf/osv-schema#434 * ossf/osv-schema#357

i-bs mentioned this pull request Apr 10, 2025

new datasource: Alpaquita Linux google/osv.dev#3263

Closed

oliverchang reviewed Apr 15, 2025

View reviewed changes

i-bs force-pushed the main branch from 49ae082 to 30ca998 Compare April 16, 2025 13:45

i-bs force-pushed the main branch 2 times, most recently from f02e363 to 68226e8 Compare June 3, 2025 08:05

i-bs changed the title ~~Add BellSoft ecosystem~~ Add BellSoft Alpaquita and Hardened Containers ecosystems Jun 3, 2025

oliverchang reviewed Jun 3, 2025

View reviewed changes

Add BellSoft ecosystems: Alpaquita and Hardened Containers

c43bbb7

Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>

i-bs force-pushed the main branch from 68226e8 to c43bbb7 Compare June 3, 2025 12:05

another-rex approved these changes Jun 20, 2025

View reviewed changes

another-rex requested a review from oliverchang June 20, 2025 00:14

oliverchang approved these changes Jun 23, 2025

View reviewed changes

oliverchang merged commit 5c056e9 into ossf:main Jun 23, 2025
4 checks passed

progval mentioned this pull request Dec 19, 2025

Update from 1.6.7 to 1.7.4 gcmurphy/osv#67

Open

Conversation

i-bs commented Apr 10, 2025

Uh oh!

oliverchang left a comment

Choose a reason for hiding this comment

Uh oh!

oliverchang Apr 15, 2025

Choose a reason for hiding this comment

Uh oh!

i-bs Apr 16, 2025

Choose a reason for hiding this comment

Uh oh!

i-bs Apr 22, 2025

Choose a reason for hiding this comment

Uh oh!

another-rex Apr 28, 2025

Choose a reason for hiding this comment

Uh oh!

oliverchang Apr 29, 2025

Choose a reason for hiding this comment

Uh oh!

another-rex commented Apr 28, 2025

Uh oh!

oliverchang commented Apr 29, 2025

Uh oh!

andrewpollock commented May 12, 2025

Uh oh!

i-bs commented May 12, 2025 via email

Uh oh!

i-bs commented Jun 3, 2025

Uh oh!

oliverchang Jun 3, 2025

Choose a reason for hiding this comment

Uh oh!

i-bs Jun 3, 2025

Choose a reason for hiding this comment

Uh oh!

i-bs commented Jun 16, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants