diff --git a/templates/security/osv.html b/templates/security/osv.html new file mode 100644 index 0000000000..62ebbff02f --- /dev/null +++ b/templates/security/osv.html @@ -0,0 +1,236 @@ +{% extends 'security/base_security.html' %} + +{% from '_macros/vf_hero.jinja' import vf_hero %} +{% from "_macros/vf_rich-vertical-list.jinja" import vf_rich_vertical_list %} + +{% block title %}Track vulnerability data in OSV format | Open Source Vulnerabilities{% endblock %} + +{% block meta_description %} + Learn how Ubuntu vulnerability data in OSV format can help you enhance and simplify your vulnerability management. +{% endblock %} + +{% block meta_copydoc %} + https://docs.google.com/document/d/1pWZXod5oXtI5In9FHnM0gBs1OY8g7J_3ioeivBZ6KZA/edit?tab=t.0 +{% endblock %} + +{% block content %} +
+
+ +
+
+
+ + {% call(slot) vf_hero( + title_text='Ubuntu OSV data feed', + layout='50/50' + ) -%} + {%- if slot == 'description' -%} +

+ Consume vulnerability data in OSV format to get a structured, human, and machine-readable description of known vulnerabilities and available security patches for all supported Ubuntu releases. +

+ {%- endif -%} + + {% endcall -%} + +
+
+
+
+

OSV — an open format for vulnerability management

+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/dc01a986-osv.png", + alt="OSV", + width="1200", + height="800", + hi_def=True, + loading="auto") | safe + }} +
+
+

+ Open Source Vulnerabilities (OSV) is a JSON schema that provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions. This schema is developed and maintained by the Open Source Security Foundation (OSSF). OSV also consists of a reference infrastructure and tooling (OSV-Scanner). +

+
+
+
+ +
+
+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/783924cf-when-to-use-updated.png", + alt="", + width="1200", + height="1800", + hi_def=True, + loading="lazy") | safe + }} +
+
+
+
+
+

When to use OSV?

+
+

OSV helps with:

+
+
    + +
  • + Vulnerability management: Consolidating vulnerability data into a centralized database, which makes it easier to find and resolve issues in deployments. +
  • + +
  • + Automated alerts: Developers and organizations can receive automated alerts when vulnerabilities are found in the open source software they use. +
  • + +
  • + Integration with tools: OSV can integrate with other tools, such as dependency management tools, to identify affected packages automatically. +
  • +
+
+

+ In summary, OSV is an initiative focused on helping manage vulnerabilities in open source software to improve security. +

+
+
+
+ +
+
+
+
+

What types of Ubuntu OSV data are available?

+
+
+

Currently, Ubuntu’s Security Team produces OSV data for three different types of vulnerability data:

+
+
    +
  • + Ubuntu Security Notices: Announcements about fixed vulnerabilities in Ubuntu. +
  • + +
  • + Ubuntu CVEs: Vulnerabilities that affect packages in the Ubuntu archive. +
  • + +
  • + Livepatch Security Notices: announcements about fixed vulnerabilities available through Livepatch. +
  • +
+
+
+
+ +
+
+
+
+

Where can I get OSV data?

+
+
+

Ubuntu OSV data is available through:

+
+ +
+
+
+ +
+
+
+
+

+ Which tools and APIs +
+ are available for OSV data? +

+
+
+

+ Currently, the osv.dev database provides an API to query OSV data. +

+

+ For tools, there's the official osv-scanner, as well as some additional community maintained tools. +

+
+
+
+ +
+
+
+
+

+ Is severity classification +
+ available in OSV? +

+
+
+

+ Yes, Ubuntu includes both NVD’s CVSS scores as well as Ubuntu’s priority. +

+
+
+
+ +
+
+
+
+

More resources

+
+
+
+ +
+

Access an overview of common vulnerabilities and exposures.

+
+
+
+
+ +
+

Learn more about Ubuntu security maintenance and platform security features.

+
+
+
+
+
+{% endblock %}
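Review bot: `loading="auto"` on the first `image(...)` call (the OSV hero illustration) is not a value the HTML `loading` attribute defines; the spec only recognises `lazy` and `eager`, and browsers treat anything else as the default, so if that image is meant to load immediately it should say `loading="eager"` (assuming the `image` macro forwards the attribute to the `<img>` unchanged). In the second `image(...)` call, `alt=""` marks the "When to use OSV?" illustration as decorative even though it carries content; give it a descriptive alt text as the hero image has with `alt="OSV"`. Two small consistency points in the copy: the hero description writes "human, and machine-readable" while the paragraph below writes "human and machine readable", and the "Livepatch Security Notices: announcements about ..." item starts its description in lowercase while the sibling items ("Announcements about ...", "Vulnerabilities that affect ...") capitalise it.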