CONTRIBUTING.md references OSV schema while the actual repo/PR builds reject valid JSON

[daniel-beck]

From docs:

Here are a few things you can do that will increase the likelihood of your pull request being accepted:

• Follow the OSSF OSV schema.

But then…

Specifying more than one introduced event type per affected package is not currently supported

Limitations beyond the schema such as the inability to specify nontrivial version ranges should be documented in a manner accessible before doing the work.

[KateCatlin]

Hi Daniel,

Thank you for your input! Unfortunately, our internal use case conflicts with OSV's in such a way that we cannot make this possible right now.

OSV's purpose is to provide a single-direction deterministic report, whereas we need to encode advisories in two directions: to OSV when we publish advisory reports and from OSV when we gather community input. Combining overlapping event types into a single affected package would disrupt our ability to parse community contributions into something suitable for our internal format in a lossless way. We've brainstormed various ways to address this issue, but there's no clear path forward at the moment.

That being said, I acknowledge the concern, and I will keep this issue open in case others want to share similar concerns.

[daniel-beck]

Unfortunately, our internal use case conflicts with OSV's in such a way that we cannot make this possible right now.

To clarify, I am asking for documentation, not to allow all OSV legal content. Or are you saying the way all of this works makes documenting additional limitations impossible?

[KateCatlin]

Ah, I'm clarifying why we can't fix the issue, but we can definitely update docs to note that not all OSV content is applicable. I'll circle back to this issue when we've updated this!