Utkarsh Gupta pushed to branch add-json-api-doc at Debian Security Tracker / security-tracker
Commits:
633b79c0 by Utkarsh Gupta at 2025-07-17T20:30:23+05:30

Add JSON API documentation to the tracker

Closes: #15

- - - - -

1 changed file:

- doc/security-team.d.o/security_tracker

Changes:

=====================================
doc/security-team.d.o/security_tracker
=====================================
@@ -811,3 +811,40 @@ You can also add an announce list of type DSAFile to `data/config.json`, and then symlink `bin/gen-DSA` to e.g. `bin/gen-MYSA` and use that to create new advisories under your namespace. For that you will need to add a `data/mysa-needed.txt` file and `doc/MYSA.template`. + +JSON API Documentation +---------------------- + +A machine-readable JSON export of data from the Debian Security Tracker is +available at https://security-tracker.debian.org/tracker/data/json. This export +includes many internal fields — such as `description`, `scope`, `releases`, +`status`, `repositories`, `fixed_version`, and `urgency` — primarily intended +to support tooling related to triage and maintenance workflows. + +The structure of this data is not considered a stable public API and may change +over time. For the most accurate understanding of the available fields and +their meaning, refer to the calculateJson() function in the security_db module +(cf: https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/lib/python/security_db.py), +which defines how this export is generated. + +The following section provides informal documentation for selected fields to +aid understanding. + +### fixed_version + +The `fixed_version` field indicates the source package version in which a +specific CVE (Common Vulnerabilities and Exposures) was fixed. Once the source +package is updated to this version or later, it is no longer affected by the +CVE. + +#### Why is fixed_version sometimes "0"? + +When fixed_version is set to "0", it signifies that the CVE does not affect the +source package present in the archive. Since there is no impacted version, no +fix is required — hence, no fixed version is applicable. + +#### Why is another version specified for the releases under the `repositories`? + +The version under the `repositories` tells you the version of the package that +is available in the archive for that particular release. 
That should not be +confused with the fixed_version.

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/633b79c095dfea452e983e8f84ac43332e10795b
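Review bot: the `fixed_version` subsection explains what the value "0" means but not how a consumer should handle it; since the text invites readers to compare `fixed_version` with the version under `repositories`, add a sentence saying that "0" is a sentinel meaning "not affected" and must be special-cased before any version comparison, and point readers to the field they should actually rely on for affected/not-affected (e.g. the per-release `status` field, which is listed among the exported fields but never described). Minor: `fixed_version` is backticked in the heading and the first paragraph but bare in "When fixed_version is set to "0"", and the new section mixes a setext underline (`----`) for "JSON API Documentation" with ATX `###`/`####` subsections; pick the style the rest of the file uses.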
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits