Replies: 1 comment
- Created issue #3046 from this as well.
Hi, I am querying the osv.dev API and had a question about the affected[].database_specific field: https://ossf.github.io/osv-schema/#affecteddatabase_specific-field . What I really want is a single source field for the vuln, like I see in the affected[0].database_specific.source field here: https://api.osv.dev/v1/vulns/CVE-2024-38372 . The small handful of other vulns I have queried - from different databases and ecosystems - seem to all have this field present; as far as I can tell, it is a URL for the source of the vuln (and I think/hope it is the same value for all elements in affected). I wanted to know if I could depend on this behavior.
An alternative I thought of was the one described here: https://ossf.github.io/osv-schema/#id-modified-fields , which is a way to assemble the source URL. This is likely workable and I can do that. However, it would require me to maintain a list of the prefixes and databases and URL formats. I am using osv-scanner to query the API. I thought: maybe osv-scanner would have a tool to do that built in, so that the maintainers could keep such a prefix, DB, and URL list up to date. But I don't see that facility in the code, unless I am missing it.
Can anyone advise me on how to proceed? I think if I just copy whatever way the OSV website calculates the "Import Source" field (I think this is found in source.yaml) then I would likely be okay. But the schema does say about affected[].database_specific:
So I don't want to do the wrong thing and have my code break later.
Does anyone have any suggestions? Thank you!
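The two options the question weighs can be combined so that neither one becomes a hard dependency. The example below is an added illustration, not code from the poster, from osv-scanner or from the osv.dev project. It reads affected[].database_specific.source only when every affected entry carries the same http(s) URL, treats anything else as "unknown" (the schema leaves the contents of database_specific to each database, so the value is free-form and should be validated before it is used as a URL), and falls back to a caller-maintained ID-prefix template table. The OSV record, the EXAMPLE prefix and the PREFIX_FALLBACK entries are constructed placeholders; the only real structure assumed is the OSV schema's affected[].database_specific shape and the "PREFIX-..." form of OSV IDs.

```python
"""Defensive extraction of a vulnerability's source URL from an OSV record.

Added example; not the poster's, osv-scanner's or osv.dev's own code.
affected[].database_specific is an opaque, database-defined object in the
OSV schema, so the "source" key is treated as optional and untrusted: it is
used only if every affected entry agrees on a single http(s) URL, otherwise
the caller falls back to a prefix table it maintains itself.
"""
import json
from urllib.parse import urlparse

# Constructed sample record (not fetched from api.osv.dev). The field layout
# follows the OSV schema; the ID, package names and URLs are made up.
SAMPLE_RECORD = json.loads("""
{
  "id": "EXAMPLE-2024-0001",
  "affected": [
    {"package": {"ecosystem": "PyPI", "name": "example-pkg"},
     "database_specific": {"source": "https://example.invalid/db/EXAMPLE-2024-0001.json"}},
    {"package": {"ecosystem": "PyPI", "name": "example-pkg-extras"},
     "database_specific": {"source": "https://example.invalid/db/EXAMPLE-2024-0001.json"}}
  ]
}
""")


def _is_http_url(value):
    """Accept only absolute http(s) URLs; database_specific is free-form text."""
    if not isinstance(value, str):
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def source_from_database_specific(record):
    """Return the one source URL shared by all affected entries, or None.

    None means "do not rely on it": the key is absent in some entry, is not
    an http(s) URL, or the entries disagree. The caller should fall back.
    """
    sources = set()
    for entry in record.get("affected") or []:
        db_specific = entry.get("database_specific")
        if not isinstance(db_specific, dict):
            return None
        src = db_specific.get("source")
        if not _is_http_url(src):
            return None
        sources.add(src)
    if len(sources) != 1:
        return None
    return next(iter(sources))


# Hypothetical prefix -> URL-template table that the caller maintains, as the
# schema's id/modified text suggests. These are placeholder values, not the
# real source URLs of any OSV database.
PREFIX_FALLBACK = {
    "EXAMPLE": "https://example.invalid/db/{id}.json",
}


def source_url(record, prefix_table=PREFIX_FALLBACK):
    """Prefer a consistent database_specific.source; else use the prefix table."""
    src = source_from_database_specific(record)
    if src is not None:
        return src
    vuln_id = record.get("id", "")
    prefix = vuln_id.split("-", 1)[0]      # OSV IDs are "PREFIX-..."
    template = prefix_table.get(prefix)
    if template is None:
        return None
    return template.format(id=vuln_id)


if __name__ == "__main__":
    print(source_url(SAMPLE_RECORD))
```

Returning None rather than a best guess keeps the two failure modes visible: a record whose entries point at different sources, or whose source is not a URL at all, should surface as "unknown" in the caller's output instead of being fetched or rendered as if it were authoritative.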