Introduction

Google recently published it's OSV unified vulnerability schema for open source: https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html

OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

For open source maintainers, OSV's automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges.

For open source consumers, OSV provides an API that lets users of these projects query whether or not their versions are impacted.

Discussion

It like the idea of having a unified schema for open source vulnerabilities, so I think it would be nice if this repository could adopt the new OSV schema.

I see the following benefits:

• No more discussion about the format (since it now follows a standard)
  Relates to Work with Github to fix their Advisory Database importer? #537, Add level of severity for PHP Security Advisories  #496, Consider adding a vulnerability id for non CVEs #465
• The unified schema will make it easy for other libraries to use this repository as a data-feed, since it follows a schema also used for other languages
  Example: https://github.com/pypa/advisory-db/blob/main/vulns/aiohttp/PYSEC-2021-76.yaml
• This vulnerability feed can be made accessible via https://osv.dev/ API

I'm looking forward for your input.

The format-change should be pretty straight forward. I'll open a PR if this proposal receives positive feedback.