Some schema cleanup.

CHANGELOG.md

@@ -0,0 +1,30 @@
+# Change Log
+
+- 2021-03-29 added "withdrawn" field
+- 2021-04-07 changed "details" to Markdown, change "references" to a list of
+  objects with a new "type" field in addition to the URL.
+- 2021-04-23 handful of changes, see Status - 2021-04-23 below for details. Corrected examples.
+- 2021-04-26 changed `database-specific` and `ecosystem-specific` to
+  `database_specific` and `ecosystem_specific` for easier access from languages
+  that access JSON field keys using x.field notation.
+- 2021-06-08 Added "purl" to the "package" field and some minor clarifications.
+- 2021-06-30 Fixed an incorrect/typoed specification for "affects" from an array
+  of objects to an object.
+- 2021-08-17 Support multiple packages per entry by moving `packages`,
+  `ecosystem_specific` and `database_specific` into `affected`. The `affected`
+  field is intentionally named differently to the previous `affects` field to
+  make migration easier. Also use "events" containing single versions to
+  represent affected version ranges instead.
+- 2021-09-08 Promoted schema to 1.0.
+- 2022-01-19 Released version 1.2.0. Includes various changes suggested by
+  GitHub (`schema_version`, top-level `database_specific`, `credits`,
+  `severity`, relaxation of version enumeration requirement).
+- 2022-03-24 Released version 1.3.0. Added `last_affected` event type and
+  `database_specific` to `affected[].ranges[]`.
+  Context: https://github.com/ossf/osv-schema/issues/35.
+- 2023-02-21 Released version 1.4.0. Added per package `severity` and
+  credit types.
+- 2023-04-26 Released version 1.5.0. Added new reference types.
+- 2023-08-11 Released version 1.6.0. Several new databases and clarified
+  definitions of `aliases` and `related`.
+- 2023-11-29 Released version 1.6.1. Some cleanup of the schema layout.

README.md

@@ -1,22 +1,22 @@
 # Open Source Vulnerability Schema
 
-This is the repository for the Open Source Vulnerability schema (OSV-schema), which is currently exported by:
+This is the repository for the Open Source Vulnerability schema (OSV Schema), which is currently exported by:
+- [AlmaLinux](https://github.com/AlmaLinux/osv-database)
+- [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
+- [Curl](https://curl.se/docs/vuln.json)
 - [GitHub Security Advisories](https://github.com/github/advisory-database)
-- [PyPI Advisory Database](https://github.com/pypa/advisory-database)
-- [Go Vulnerability Database](https://github.com/golang/vulndb)
-- [Rust Advisory Database](https://github.com/RustSec/advisory-db)
 - [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database)
-- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
+- [Go Vulnerability Database](https://github.com/golang/vulndb)
+- [Haskell Security Advisories](https://github.com/haskell/security-advisories)
 - [LoopBack Advisory Database](https://github.com/loopbackio/security/tree/main/advisories)
+- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
+- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD)
+- [PyPI Advisory Database](https://github.com/pypa/advisory-database)
+- [Python Software Foundation Database](https://github.com/psf/advisory-database)
+- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
 - [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv)
-- [AlmaLinux](https://github.com/AlmaLinux/osv-database)
-- [Haskell Security Advisories](https://github.com/haskell/security-advisories)
-- [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
-- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources)
+- [Rust Advisory Database](https://github.com/RustSec/advisory-db)
 - [VMWare Photon OS](https://github.com/vmware/photon/wiki/Security-Advisories) (unofficial)
-- [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
-- [Python Software Foundation Database](https://github.com/psf/advisory-database)
-- [Curl](https://curl.se/docs/vuln.json)
 
 Together, these include vulnerabilities from:
 -   AlmaLinux