Currently there are alot of "unreviewed" advisories sitting in this repository that represent very real and known vulnerabilities in potential ecosystems but who currently cannot be represented in the OSV specification as they don't map to a defined ecosystem.

This has already created a "chicken vs egg" situation because in order to remain valid to the specification these advisories don't have anyaffected details which means while tools likeosv-detector can load them, there's nothing for it to compare against - however it's a lot harder to propose a new ecosystem if we can't do any analysis or prototyping.

I want to propose that GitHubdeliberately violate the OSV specification for those advisories in favor of attempting to include as much affected information as possible in the unreviewed advisories so that folks can more easily try and find patterns in these advisories that could lead to new ecosystems being proposed for the specification.

I think there's a number of forms this could actually take and that ultimately its probably for GitHub to decide what works best for them and how far they want to take it - I personally would probably start by ensuring as much of the version-based information is present, ignoring/dropping theecosystem property for now (i.e. rather than picking experimental or arbitrary ecosystem names), and start with a sort of high-level based tagging.

This probably won't work nicely for every single unreviewed advisory, but that's also part of the point of this: currently the amount of advisories is huge, so we want to try and sort through them to identity the more complex advisories by reducing the number of completely unreviewed advisories.

The example I've been thinking about is WordPress plugins: I know there are unreviewed advisories for WordPress plugins, so they could be tagged with something that identified them as that and then people could exclude/include those depending on what they're wanting (e.g. my place of work is very interested in that because we have some WordPress sites, so if we could pick outjust WP plugin advisories and they had at least someaffected information we could explore that further; whereas other people who are trying to pick out some potential new ecosystems could exclude WP plugin advisories since they're already "tagged")