Open Source Software Advisory (OSSA) Schema

A structured format for defining and assessing open-source package advisories.

Schema Overview

The OSSA schema defines the structure for advisory documents, ensuring consistency and compliance.

Field	Type	Description
id	string	Unique identifier (format: OSSA-YYYYMMDD-NNNN)
version	string	Version of the affected package
severity	string (enum)	Severity level: Low, Medium, High, Informational
title	string	Summary of the advisory
package_name	string	Name of the affected package
purls	array	List of Package URLs (PURLs)
references	string \| array	External references (URLs)
licenses	string \| array	SPDX license identifier(s)
approvals	array	Approval status (consumption, externalization, etc.)
artifacts	array	Files related to the advisory with hashes

High: Immediate threat to functionality or business continuity.

Medium: Signs of deprecation or support issues.

Low: Old but stable, migration suggested but not urgent.

Informational: Flagged for awareness, no immediate action required.

To validate an advisory against the schema, use:

python3 tool/validator.py specs/schema-1.5.json examples/OSSA-20241205-0001-ffmpeg.json

This specification is licensed under MIT.