From d4b9abc29c7f37d49dc8cd10dcf992ab638cff40 Mon Sep 17 00:00:00 2001 From: Jason Shepherd Date: Wed, 28 Aug 2024 14:13:14 +1000 Subject: [PATCH] Add Red Hat ecosystem (#257) Add the `Red Hat` ecosystem, see https://github.com/google/osv.dev/issues/1404 --------- Signed-off-by: Jason Shepherd Signed-off-by: Andrew Pollock Co-authored-by: Andrew Pollock --- README.md | 2 ++ docs/schema.md | 12 ++++++++++++ validation/schema.json | 4 ++-- 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ff0c326a..55023fed 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ This is the repository for the Open Source Vulnerability schema (OSV Schema), wh
 - [PyPI Advisory Database](https://github.com/pypa/advisory-database)
 - [Python Software Foundation Database](https://github.com/psf/advisory-database)
 - [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
+- [Red Hat](https://security.access.redhat.com/data)
 - [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv)
 - [Rust Advisory Database](https://github.com/RustSec/advisory-db)
 - [Ubuntu](https://github.com/canonical/ubuntu-security-notices/)
@@ -46,6 +47,7 @@ Together, these include vulnerabilities from:
 - PyPI
 - Python
 - R (CRAN and Bioconductor)
+- Red Hat
 - Rocky Linux
 - RubyGems
 - Ubuntu
diff --git a/docs/schema.md b/docs/schema.md
index 2b283b60..4bdefd04 100644
--- a/docs/schema.md
+++ b/docs/schema.md
@@ -343,6 +343,17 @@ The defined database prefixes and their "home" databases are: + + Red Hat + Red Hat Security Data + + + + RLSA/RXSA Rocky Linux Security Advisory Database
@@ -667,6 +678,7 @@ The defined ecosystems are:
 | `Photon OS` | The Photon OS package ecosystem; the `name` is the name of the RPM package. The ecosystem string must have a `:` suffix to scope the package to a particular Photon OS release. Eg `Photon OS:3.0`. |
 | `Pub` | The package manager for the Dart ecosystem; the `name` field is a Dart package name. |
 | `PyPI` | the Python PyPI ecosystem; the `name` field is a [normalized](https://www.python.org/dev/peps/pep-0503/#normalized-names) PyPI package name. |
+| `Red Hat` | The Red Hat package ecosystem; the `name` field is the name of a binary or source RPM. The ecosystem string has a `:` suffix to scope the RPM to a specific Red Hat product stream. `` is a translation of a Red Hat [Common Platform Enumerations](https://cpe.mitre.org/) (CPE) with the `cpe/:[oa]:(redhat):` prefix removed (for example, `Red Hat:rhel_aus:8.4::appstream` translates to `cpe:/a:redhat:rhel_aus:8.4::appstream`). Red Hat ecosystem identifiers can be used to identify vulnerable RPMs installed on a Red Hat system as explained [here](https://www.redhat.com/en/blog/how-accurately-match-oval-security-data-installed-rpms). |
 | `Rocky Linux` | The Rocky Linux package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:` suffix to scope the package to a particular Rocky Linux release. `` is a numeric version. | `RubyGems` | The RubyGems ecosystem; the `name` field is a gem name. |
 | `SwiftURL` | The Swift Package Manager ecosystem. The `name` is a Git URL to the source of the package. Versions are Git tags that comform to [SemVer 2.0](https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html#version). |
diff --git a/validation/schema.json b/validation/schema.json
index 1b6fb76e..1b60bba7 100644
--- a/validation/schema.json
+++ b/validation/schema.json
@@ -300,13 +300,13 @@
 "type": "string",
 "title": "Currently supported ecosystems",
 "description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
- "pattern": "^(AlmaLinux|Alpine|Android|Bioconductor|Bitnami|ConanCenter|CRAN|crates.io|Debian|GHC|GitHub Actions|GIT|Go|Hackage|Hex|Linux|Maven|npm|NuGet|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Rocky Linux|RubyGems|SwiftURL|Ubuntu)(:[[:digit:]]+)?"
+ "pattern": "^(AlmaLinux|Alpine|Android|Bioconductor|Bitnami|ConanCenter|CRAN|crates.io|Debian|GHC|GitHub Actions|GIT|Go|Hackage|Hex|Linux|Maven|npm|NuGet|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SwiftURL|Ubuntu)(:[[:digit:]]+)?"
 },
 "prefix": {
 "type": "string",
 "title": "Currently supported home database identifier prefixes",
 "description": "These home databases are also documented at https://ossf.github.io/osv-schema/#id-modified-fields",
- "pattern": "^(ASB-A|PUB-A|ALSA|ALBA|ALEA|BIT|CURL|CVE|DSA|DLA|DTSA|GHSA|GO|GSD|HSEC|LBSEC|MAL|OSV|PHSA|PSF|PYSEC|RLSA|RXSA|RSEC|RUSTSEC|USN)-"
+ "pattern": "^(ASB-A|PUB-A|ALSA|ALBA|ALEA|BIT|CURL|CVE|DSA|DLA|DTSA|GHSA|GO|GSD|HSEC|LBSEC|MAL|OSV|PHSA|PSF|PYSEC|RHSA|RLSA|RXSA|RSEC|RUSTSEC|USN)-"
 },
 "severity": {
 "type": [
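Review bot: The `Red Hat` alternative added to the ecosystem `pattern` shares the numeric `(:[[:digit:]]+)?` suffix group, but the docs hunk in this same commit says Red Hat strings carry a non-numeric `:<variant>` suffix such as `Red Hat:rhel_aus:8.4::appstream`; that string validates only because the pattern has no `$` anchor, so the suffix group constrains nothing and `Red Hat` followed by arbitrary text (including `Red Hatter` or `Red Hat:anything`) passes. Assuming the suffix is mandatory as the docs state, I would give Red Hat its own anchored branch ahead of the shared one, e.g. `"^(Red Hat:[^ ]+$|(AlmaLinux|…|Ubuntu)(:[[:digit:]]+)?)"`, or at minimum extend the `description` to say the release/variant suffix is not validated by this pattern. Note also that `[[:digit:]]` is a POSIX class which most ECMA-262-dialect validators (the dialect JSON Schema specifies) parse as a literal character set rather than digits — pre-existing, not introduced here, but it means even the numeric suffix is not matched as intended. The `prefix` pattern admits only `RHSA-`; if the Red Hat feed also publishes other advisory classes (e.g. `RHBA-`/`RHEA-`), those ids would be rejected, which is worth confirming against the source data before relying on this for ingestion. Both patterns sit inside property definitions whose opening lines are before the hunk.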