Add BellSoft Alpaquita and Hardened Containers ecosystems

README.md

@@ -1,9 +1,10 @@
 # Open Source Vulnerability Schema
 
-The Open Source Vulnerability (OSV) schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes. 
+The Open Source Vulnerability (OSV) schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.
 
 This format is currently exported by:
 - [AlmaLinux](https://github.com/AlmaLinux/osv-database)
+- [BellSoft Security Advisory](https://github.com/bell-sw/osv-database)
 - [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
 - [Chainguard](https://packages.cgr.dev/chainguard/osv/all.json)
 - [Curl](https://curl.se/docs/vuln.json)
@@ -30,7 +31,9 @@ This format is currently exported by:
 Together, these include vulnerabilities from:
 -   AlmaLinux
 -   Alpine
+-   Alpaquita Linux
 -   Android
+-   BellSoft Hardened Containers
 -   Bitnami
 -   Chainguard
 -   crates.io

bindings/go/osvschema/constants.go

@@ -5,41 +5,43 @@ const SchemaVersion = "1.6.8"
 type Ecosystem string
 
 const (
-	EcosystemAlmaLinux     Ecosystem = "AlmaLinux"
-	EcosystemAlpine        Ecosystem = "Alpine"
-	EcosystemAndroid       Ecosystem = "Android"
-	EcosystemBioconductor  Ecosystem = "Bioconductor"
-	EcosystemBitnami       Ecosystem = "Bitnami"
-	EcosystemChainguard    Ecosystem = "Chainguard"
-	EcosystemConanCenter   Ecosystem = "ConanCenter"
-	EcosystemCRAN          Ecosystem = "CRAN"
-	EcosystemCratesIO      Ecosystem = "crates.io"
-	EcosystemDebian        Ecosystem = "Debian"
-	EcosystemGHC           Ecosystem = "GHC"
-	EcosystemGitHubActions Ecosystem = "GitHub Actions"
-	EcosystemGo            Ecosystem = "Go"
-	EcosystemHackage       Ecosystem = "Hackage"
-	EcosystemHex           Ecosystem = "Hex"
-	EcosystemKubernetes    Ecosystem = "Kubernetes"
-	EcosystemLinux         Ecosystem = "Linux"
-	EcosystemMageia        Ecosystem = "Mageia"
-	EcosystemMaven         Ecosystem = "Maven"
-	EcosystemMinimOS       Ecosystem = "MinimOS"
-	EcosystemNPM           Ecosystem = "npm"
-	EcosystemNuGet         Ecosystem = "NuGet"
-	EcosystemOpenSUSE      Ecosystem = "openSUSE"
-	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
-	EcosystemPackagist     Ecosystem = "Packagist"
-	EcosystemPhotonOS      Ecosystem = "Photon OS"
-	EcosystemPub           Ecosystem = "Pub"
-	EcosystemPyPI          Ecosystem = "PyPI"
-	EcosystemRedHat        Ecosystem = "Red Hat"
-	EcosystemRockyLinux    Ecosystem = "Rocky Linux"
-	EcosystemRubyGems      Ecosystem = "RubyGems"
-	EcosystemSUSE          Ecosystem = "SUSE"
-	EcosystemSwiftURL      Ecosystem = "SwiftURL"
-	EcosystemUbuntu        Ecosystem = "Ubuntu"
-	EcosystemWolfi         Ecosystem = "Wolfi"
+	EcosystemAlmaLinux                  Ecosystem = "AlmaLinux"
+	EcosystemAlpaquita                  Ecosystem = "Alpaquita"
+	EcosystemAlpine                     Ecosystem = "Alpine"
+	EcosystemAndroid                    Ecosystem = "Android"
+	EcosystemBellSoftHardenedContainers Ecosystem = "BellSoft Hardened Containers"
+	EcosystemBioconductor               Ecosystem = "Bioconductor"
+	EcosystemBitnami                    Ecosystem = "Bitnami"
+	EcosystemChainguard                 Ecosystem = "Chainguard"
+	EcosystemConanCenter                Ecosystem = "ConanCenter"
+	EcosystemCRAN                       Ecosystem = "CRAN"
+	EcosystemCratesIO                   Ecosystem = "crates.io"
+	EcosystemDebian                     Ecosystem = "Debian"
+	EcosystemGHC                        Ecosystem = "GHC"
+	EcosystemGitHubActions              Ecosystem = "GitHub Actions"
+	EcosystemGo                         Ecosystem = "Go"
+	EcosystemHackage                    Ecosystem = "Hackage"
+	EcosystemHex                        Ecosystem = "Hex"
+	EcosystemKubernetes                 Ecosystem = "Kubernetes"
+	EcosystemLinux                      Ecosystem = "Linux"
+	EcosystemMageia                     Ecosystem = "Mageia"
+	EcosystemMaven                      Ecosystem = "Maven"
+	EcosystemMinimOS                    Ecosystem = "MinimOS"
+	EcosystemNPM                        Ecosystem = "npm"
+	EcosystemNuGet                      Ecosystem = "NuGet"
+	EcosystemOpenSUSE                   Ecosystem = "openSUSE"
+	EcosystemOSSFuzz                    Ecosystem = "OSS-Fuzz"
+	EcosystemPackagist                  Ecosystem = "Packagist"
+	EcosystemPhotonOS                   Ecosystem = "Photon OS"
+	EcosystemPub                        Ecosystem = "Pub"
+	EcosystemPyPI                       Ecosystem = "PyPI"
+	EcosystemRedHat                     Ecosystem = "Red Hat"
+	EcosystemRockyLinux                 Ecosystem = "Rocky Linux"
+	EcosystemRubyGems                   Ecosystem = "RubyGems"
+	EcosystemSUSE                       Ecosystem = "SUSE"
+	EcosystemSwiftURL                   Ecosystem = "SwiftURL"
+	EcosystemUbuntu                     Ecosystem = "Ubuntu"
+	EcosystemWolfi                      Ecosystem = "Wolfi"
 )
 
 type SeverityType string

docs/schema.md

@@ -8,7 +8,7 @@ aside:
 show_edit_on_github: true
 ---
 
-**Version 1.7.1 (April 29, 2025)**
+**Version 1.7.2 (May 29, 2025)**
 
 Original authors:
 - Oliver Chang (ochang@google.com)
@@ -179,6 +179,17 @@ The defined database prefixes and their "home" databases are:
         </ul>
       </td>
     </tr>
+    <tr>
+      <td><code>BELL-SA</code></td>
+      <td><a href="https://docs.bell-sw.com/security/search/">BellSoft Security Advisory</a></td>
+      <td>
+        <ul>
+          <li>How to contribute: TBD</li>
+          <li>Source URL: <code>https://bell-sw.com/vulnerability-report/</code></li>
+          <li>OSV Formatted URL: <code>N/A</code></li>
+        </ul>
+      </td>
+    </tr>
     <tr>
       <td><code>BIT</code></td>
       <td><a href="https://github.com/bitnami/vulndb">Bitnami Vulnerability Database</a></td>
@@ -757,8 +768,10 @@ The defined ecosystems are:
 | Ecosystem | Description |
 |-----------|-------------|
 | `AlmaLinux` | AlmaLinux package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular AlmaLinux release. `<RELEASE>` is a numeric version. |
+| `Alpaquita` | BellSoft Alpaquita Linux package ecosystem; the `name` is the name of the source package. The ecosystem string has a `:<RELEASE>` suffix to scope the package to a particular Alpaquita Linux release. `<RELEASE>` is the id of the particular Alpaquita Linux release. Examples: `Alpaquita:23`, `Alpaquita:stream`. |
 | `Alpine` | The Alpine package ecosystem; the `name` is the name of the source package. The ecosystem string must have a `:v<RELEASE-NUMBER>` suffix to scope the package to a particular Alpine release branch (the `v` prefix is required). E.g. `v3.16`. |
 | `Android` | The Android ecosystem. Android organizes code using [`repo` tool](https://gerrit.googlesource.com/git-repo/+/HEAD/README.md), which manages multiple git projects under one or more remote git servers, where each project is identified by its name in [repo configuration](https://gerrit.googlesource.com/git-repo/+/HEAD/docs/manifest-format.md#Element-project) (e.g. `platform/frameworks/base`). The `name` field should contain the name of that affected git project/submodule. One exception is when the project contains the Linux kernel source code, in which case `name` field will be `:linux_kernel:`, followed by an optional SoC vendor name e.g. `:linux_kernel:Qualcomm`. The list of recognized SoC vendors is listed in the [Appendix](#android-soc-vendors) |
+| `BellSoft Hardened Containers` | BellSoft Hardened Containers package ecosystem; the `name` is the name of the source package. The ecosystem string has a `:<RELEASE>` suffix to scope the package to a particular Hardened Containers release. `<RELEASE>` is the id of the particular Hardened Containers release. Examples: `Hardened Containers:23`, `Hardened Containers:stream`. |
 | `Bioconductor` | The biological R package ecosystem. The `name` is an R package name. |
 | `Bitnami` | Bitnami package ecosystem; the `name` is the name of the affected component. |
 | `Chainguard` | The Chainguard package ecosystem; the `name` is the name of the package. |

ecosystems.json

@@ -1,7 +1,9 @@
 {
   "AlmaLinux": "AlmaLinux package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular AlmaLinux release. `<RELEASE>` is a numeric version.",
+  "Alpaquita": "BellSoft Alpaquita Linux package ecosystem; the `name` is the name of the source package. The ecosystem string has a `:<RELEASE>` suffix to scope the package to a particular Alpaquita Linux release. `<RELEASE>` is the id of the particular Alpaquita Linux release. Examples: `Alpaquita:23`, `Alpaquita:stream`.",
   "Alpine": "The Alpine package ecosystem; the `name` is the name of the source package. The ecosystem string must have a `:v<RELEASE-NUMBER>` suffix to scope the package to a particular Alpine release branch (the `v` prefix is required). E.g. `v3.16`.",
   "Android": "The Android ecosystem. Android organizes code using [`repo` tool](https://gerrit.googlesource.com/git-repo/+/HEAD/README.md), which manages multiple git projects under one or more remote git servers, where each project is identified by its name in [repo configuration](https://gerrit.googlesource.com/git-repo/+/HEAD/docs/manifest-format.md#Element-project) (e.g. `platform/frameworks/base`). The `name` field should contain the name of that affected git project/submodule. One exception is when the project contains the Linux kernel source code, in which case `name` field will be `:linux_kernel:`, followed by an optional SoC vendor name e.g. `:linux_kernel:Qualcomm`. The list of recognized SoC vendors is listed in the [Appendix](#android-soc-vendors)",
+  "BellSoft Hardened Containers": "BellSoft Hardened Containers package ecosystem; the `name` is the name of the source package. The ecosystem string has a `:<RELEASE>` suffix to scope the package to a particular Hardened Containers release. `<RELEASE>` is the id of the particular Hardened Containers release. Examples: `Hardened Containers:23`, `Hardened Containers:stream`.",
   "Bioconductor": "The biological R package ecosystem. The `name` is an R package name.",
   "Bitnami": "Bitnami package ecosystem; the `name` is the name of the affected component.",
   "Chainguard": "The Chainguard package ecosystem; the `name` is the name of the package.",

validation/schema.json

@@ -330,8 +330,10 @@
       "description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
       "enum": [
         "AlmaLinux",
+        "Alpaquita",
         "Alpine",
         "Android",
+        "BellSoft Hardened Containers",
         "Bioconductor",
         "Bitnami",
         "Chainguard",
@@ -374,7 +376,7 @@
       "type": "string",
       "title": "Currently supported ecosystems",
       "description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
-      "pattern": "^(AlmaLinux|Alpine|Android|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
+      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
     },
     "prefix": {
       "type": "string",