8 changes: 3 additions & 5 deletions docs/foundational_concepts.md
Expand Up @@ -38,9 +38,7 @@ Chainguard continuously publishes data about software vulnerabilities for Wolfi

Chainguard staff members carefully review potential vulnerabilities in our public and private packages. This analysis is captured as **advisory data**, which serves as the _source of truth_ for all vulnerability investigations and conclusions.

In its raw form, advisory data is stored as YAML and version-controlled using git. We operate on the data using [wolfictl](https://github.com/wolfi-dev/wolfictl). The [Wolfi advisory data repository](https://github.com/wolfi-dev/advisories) is public, while the repository for Chainguard's enterprise packages is not public.

We can use advisory data to produce different kinds of downstream data. The primary downstream use of this data is our security feeds, intended for consumption by vulnerability scanners.
The primary downstream use of this data is our security feeds, intended for consumption by vulnerability scanners.

### Security feeds

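Review bot: the two lines "We can use advisory data to produce different kinds of downstream data. The primary downstream use of this data is our security feeds ..." and "The primary downstream use of this data is our security feeds ..." in this hunk differ only by the leading sentence, so the change appears to drop the statement that advisory data produces several kinds of downstream data. With that sentence gone, "primary downstream use" has nothing to contrast against; either keep the first sentence or reword the surviving line along the lines of "Advisory data is consumed mainly through our security feeds, intended for consumption by vulnerability scanners."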
Expand All @@ -56,7 +54,7 @@ An index of Chainguard's OSV data is located at `https://packages.cgr.dev/chaing

Each individual Chainguard advisory is represented as its own file, where the advisory ID (prefixed with `CGA-`) replaces the "all" in the URL above. For example, the advisory CGA-2226-2498-2frm is located at `https://packages.cgr.dev/chainguard/osv/CGA-2226-2498-2frm.json`.

This OSV feed is licensed under [Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)](https://creativecommons.org/licenses/by-nc-nd/4.0/?ref=chooser-v1), provided, however, the Chainguard License for Commercial Scanners shall apply to Commercial Scanners available at https://www.chainguard.dev/legal/chainguard-license-for-commercial-scanners, as such terms are defined therein.
This OSV feed is licensed under [Apache License 2.0](https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/LICENSE).

#### The secdb (Deprecated)

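Review bot: the replacement license line links to the LICENSE file on the `main` branch of chainguard-dev/vulnerability-scanner-support rather than to the OSV feed itself, so the link can silently drift if that file changes; consider linking the canonical Apache 2.0 text or a pinned commit, and confirm the metadata published at `https://packages.cgr.dev/chainguard/osv/` states the same license. The removed line also carried the "Chainguard License for Commercial Scanners" carve-out; if that clause no longer applies to the OSV feed, say so explicitly so readers do not assume the restriction survives elsewhere in the docs.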
Expand All @@ -70,7 +68,7 @@ The "Wolfi secdb" is located at `https://packages.wolfi.dev/os/security.json`.

The "Chainguard secdb" is located at `https://packages.cgr.dev/chainguard/security.json`.

The Wolfi secdb and Chainguard secdb are each licensed under [Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)](https://creativecommons.org/licenses/by-nc-nd/4.0/?ref=chooser-v1), provided, however, the Chainguard License for Commercial Scanners shall apply to Commercial Scanners available at https://www.chainguard.dev/legal/chainguard-license-for-commercial-scanners, as such terms are defined therein.
The Wolfi secdb and Chainguard secdb are each licensed under [Apache License 2.0](https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/LICENSE).

##### Interpreting secdb data

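Review bot: this hunk repeats the same license change and the same `main`-branch LICENSE link as the OSV feed section above; a single licensing statement referenced from both sections would keep the two from drifting apart. Since the heading marks the secdb as Deprecated, it would also help to state whether the Wolfi secdb and Chainguard secdb at `https://packages.wolfi.dev/os/security.json` and `https://packages.cgr.dev/chainguard/security.json` remain published under Apache 2.0 for the rest of their deprecation period.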