OSV-format vulnerability records for Homebrew packages. Each record describes a CVE that affected a homebrew-core formula and the Homebrew version+revision at which it was fixed by an applied patch.
This is an early demo. It currently covers only CVEs that a formula's patch block declares (or infers) as resolved, derived from `patches[].resolves` in `brew info --json=v2` (Homebrew 6.0.4+). CVEs fixed by a version bump rather than by an applied patch are not yet represented. See Homebrew/discussions#6869 for background and Homebrew/homebrew-brew-vulns#95 for the annotation backfill.
Records follow the OSV schema under a `Homebrew` ecosystem with `pkg:brew/<name>` purls and `BREW-<formula>-<CVE>` ids. The `upstream` field links to the source CVE; `summary`, `details`, `severity` and `references` are copied from the upstream OSV record where available. `affected[].ecosystem_specific` carries the URL and applied-file list of the resolving patch.
```json
{
  "schema_version": "1.7.3",
  "id": "BREW-lrzsz-CVE-2018-10195",
  "upstream": ["CVE-2018-10195"],
  "affected": [{
    "package": {"ecosystem": "Homebrew", "name": "lrzsz", "purl": "pkg:brew/lrzsz"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.12.20_1"}]}],
    "ecosystem_specific": {"fix": "patch", "patches": [{"url": "..."}]}
  }]
}
```

The `fixed` boundary is currently the version+revision shipped at generation time, not necessarily the revision that first carried the patch. A consumer matching installed versions against these ranges may therefore see earlier, already-patched revisions reported as affected. Tightening the boundary to the revision that introduced the patch requires git archaeology on homebrew-core and will come later.
Homebrew versions are the upstream version with an optional `_N` revision suffix (a rebuild of the same upstream release, for example after applying a patch); revisions order within an upstream version and an upstream bump outranks any revision: `1.81.6_5 < 1.81.6_6 < 1.82.0`.
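The following is an added example, not code from this repository or from Homebrew or osv.dev, showing how a consumer could order these versions and evaluate an `ECOSYSTEM` range such as the `lrzsz` record above. It assumes a simplified model: a dotted numeric upstream version plus an optional `_N` revision, with missing segments treated as 0. Homebrew's real `Version` class also understands pre-release tags and similar forms, which this comparator deliberately does not handle; `LRZSZ_EVENTS` is the event list copied from the record above.

```python
import re
from functools import cmp_to_key

# Events copied from the lrzsz record above (constructed sample input).
LRZSZ_EVENTS = [{"introduced": "0"}, {"fixed": "0.12.20_1"}]


def parse_version(v):
    """'1.81.6_5' -> ((1, 81, 6), 5).

    Assumption: a dotted numeric upstream version followed by an optional
    Homebrew '_N' revision; a missing revision counts as 0.
    """
    m = re.fullmatch(r"(.*?)(?:_(\d+))?", v)
    upstream, revision = m.group(1), m.group(2)
    segments = tuple(int(s) for s in re.findall(r"\d+", upstream))
    return segments, int(revision) if revision else 0


def compare(a, b):
    """cmp()-style comparison: negative if a < b, 0 if equal, positive if a > b.

    The upstream version is compared segment-wise first (shorter tuples are
    padded with 0), so 1.82.0 beats any 1.81.6_N; the revision only breaks
    ties between builds of the same upstream version.
    """
    (ua, ra), (ub, rb) = parse_version(a), parse_version(b)
    n = max(len(ua), len(ub))
    ua, ub = ua + (0,) * (n - len(ua)), ub + (0,) * (n - len(ub))
    return ((ua > ub) - (ua < ub)) or ((ra > rb) - (ra < rb))


def is_affected(version, events):
    """Evaluate OSV ECOSYSTEM range events for one version.

    Events are sorted by version, then walked upwards; the last event at or
    below `version` decides the state. 'introduced' switches the state on,
    'fixed' switches it off, and 'last_affected' keeps it on only at that
    exact version.
    """
    boundaries = [(kind, v) for ev in events for kind, v in ev.items()]
    boundaries.sort(key=cmp_to_key(lambda x, y: compare(x[1], y[1])))
    state = False
    for kind, v in boundaries:
        c = compare(version, v)
        if c < 0:
            break  # every remaining boundary lies above the version
        if kind == "introduced":
            state = True
        elif kind == "fixed":
            state = False
        elif kind == "last_affected":
            state = c == 0
    return state


if __name__ == "__main__":
    for v in ("0.12.20", "0.12.20_1", "0.12.21"):
        print(v, "affected" if is_affected(v, LRZSZ_EVENTS) else "not affected")
```

`is_affected` is written against the OSV range semantics (sorted events, last boundary wins) rather than against a single `introduced`/`fixed` pair, so it also evaluates records with several ranges or a `last_affected` event once a real Homebrew comparator replaces the simplified `compare`.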
Records are produced by `brew vulns --osv-export` and regenerated daily by the Regenerate workflow. Every push is validated against the OSV JSON schema.
Not yet registered with osv.dev. The plan is to transfer this repository into the Homebrew organisation and then open a new data source request.
Upstream registrations needed:

- `BREW-` id prefix and `Homebrew` ecosystem in ossf/osv-schema (the validate workflow patches these into the schema enum until then)
- `pkg:brew` purl type in package-url/purl-spec, proposed in package-url/purl-spec#796 and tracked in #254
- `pkg:brew` handling in osv.dev's `purl_helpers.py` and a Homebrew version comparator in `_ecosystems.py`
Advisory data is released under CC0 1.0.