https://packages.broadcom.com/photon/photon_cve_metadata schema was changed

[DmitriyLewen]

Describe the bug

Hello!

We use advisories from https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon<ver>.json (where ver we take from the photon_versions.json file).
Yesterday changes occurred in the repository:

• The photon_versions.json file was deleted.
• Instead of a file with advisories for a specific release (for example, cve_data_photon5.0.json), there's a cve folder. The information in these advisories doesn't include:
  • release number
  • cve_score

Are these expected changes?
If yes, are you planning to somehow enrich these advisories with the data that was "lost"?
Or perhaps you have another source to get CVE lists in machine-readable format.

Thanks in advance for your response!
Regards, Dmitriy

Reproduction steps

1. Check photon_versions.json and cve_data_photon<ver>.json files in https://packages.broadcom.com/photon/photon_cve_metadata.

Expected behavior

The existence of photon_versions.json and cve_data_photon<ver>.json files

Additional context

No response

[dcasota]

Hi,
as helper before the Photon OS team clarifies the future Broadcom VEX aligned structure, you could let create your own cve_data_photon5.0.json creator using a passive agent skill, e.g. photon-cve-aggregator.md. As example, set your NVD_API_KEY and run photon_cve_aggregator.py. See passiv sample output SAMPLE_cve_data_photon5.0.json. Hope this helps.

[DmitriyLewen]

And one question about OVAL:
I'm trying to parse OVAL definitions, but found a problem with Advisory IDs.
OVAL definition uses another PHSA-ID in the title.

Take a look at this example:
Take a look at this advisory - https://github.com/vmware/photon/wiki/Security-Update-5.0-719. This page contains Advisory Id : PHSA-2025-5.0-0719.
But OVAL contains other IDs:

• PHSA-2026:02322 from the title.
• PHSA:02322:5.0:719 from the reference.

    <definition class="patch" id="oval:com.vmware.phsa:def:2026502322" version="1">
      <metadata>
        <title>PHSA-2026:02322 linux Security Update. (Important)</title>
        <affected family="unix">
          <platform>Photon 5</platform>
        </affected>
        <reference ref_id="PHSA:02322:5.0:719" ref_url="https://github.com/vmware/photon/wiki/Security-Updates-5.0-719" source="PHSA"/>
        <reference ref_id="CVE:02322:CVE-2025-40362" ref_url="https://nvd.nist.gov/vuln/detail?vulnId=CVE-2025-40362" source="CVE"/>
        <description>This update upgrade linux to 6.1.159-5.ph5 #Fixes {'CVE-2025-40362'}</description>
        <advisory from="photon_security@vmware.com">
          <severity>Important</severity>
          <rights>Copyright 2026 VMware Inc.</rights>
          <issued date="2025-12-24"/>
          <updated date="2025-12-24"/>
          <cve>CVE-2025-40362</cve>
        </advisory>
      </metadata>

Is this a mistake?
If no, is there a rule to convert ID(s) from OVAL to ID from wiki (if this is correct)?

Thanks for your answers!
Regards, Dmitriy!

UPD:
I found mistakes in some references.
e.g. "https://github.com/vmware/photon/wiki/Security-Updates-5.0-719" should be "https://github.com/vmware/photon/wiki/Security-Update-5.0-719" (without s)

[dcasota]

Hi Dmitriy,
Good question. Having configured Factory Droid with Opus 4.6 as AI assistant to double check your question, it is not a mistake. The OVAL uses three distinct numbering systems that are intentionally different from the wiki advisory ID:

   Field         │ Example                               │ Meaning
   --------------+---------------------------------------+------------------------------------------------------
   Definition ID │ `oval:com.vmware.phsa:def:2026502322` │ `2026` + `5` (Photon ver) + `02322` (global sequence)
   Title         │ `PHSA-2026:02322`                     │ `PHSA-{generation_year}:{sequence}`
   PHSA ref_id   │ `PHSA:02322:5.0:719`                  │ `PHSA:{sequence}:{photon_ver}:{advisory_number}`
   Wiki ID       │ `PHSA-2025-5.0-0719`                  │ `PHSA-{issued_year}-{photon_ver}-{advisory_padded}`

The 02322 is a per-package sequential OVAL definition counter, not the advisory number. Advisory 719 spawns definitions 02322 through 02330 (one per affected package: linux, linux-docs, linux-devel, etc.).

The conversion rule from OVAL to wiki advisory ID:

1. Parse the PHSA ref_id: PHSA:{seq}:{photon_ver}:{advisory_num} -- take the last field (719)
2. Get the year from -- take the year (2025)
3. Wiki advisory ID: PHSA-{year}-{photon_ver}-{advisory_num zero-padded to 4} = PHSA-2025-5.0-0719
4. Wiki URL: https://github.com/vmware/photon/wiki/Security-Update-{photon_ver}-{advisory_num} = Security-Update-5.0-719

Note: the OVAL ref_url says Security-Updates-5.0-719 (plural) while the actual wiki page is Security-Update-5.0-719 (singular) -- that's a minor inconsistency in the OVAL data, but GitHub wiki likely handles both.
Same as before, here an example of a passive agent skill:

• photon-oval-aggregator.md
• photon_oval_aggregator.py
• sample oval_data_photon5.0.json

Please consider to wait for the Photon OS team clarification about future partner api collaboration. This may take a few days but the answer will help.

For the sake of completeness, here is the difference between OVAL and VEX.

Feature	OVAL (Open Vulnerability and Assessment Language)	VEX (Vulnerability Exploitability eXchange)
Purpose	Detects if a component is present and vulnerable.	Determines if that vulnerability is actually exploitable.
Output	Lists affected versions.	Provides "affected" or "not affected" status.
Use Case	Patching and vulnerability scanning.	Risk management and reducing false positives.

Hope this helps. Kind Regards, Daniel

[DmitriyLewen]

Get the year from -- take the year (2025)

I have a question about the year (to get the correct advisory ID).
I can't take the year from the title.
I thought we could take the year from "issued date"?
How "safe" is this? (for example, if the issue date is 12/31/2025, but the number was assigned in 2026)

[beltran-rubo]

@DmitriyLewen that was a temporary issue and the Photon json has been already restored. Currently there is no plans to deprecate it but having both approaches available for thirdparty tools.

[DmitriyLewen]

Hi @beltran-rubo ,
Thanks for the quick response.
As an alternative, we're still considering OVAL:

presence of PHSA-ID
severity for the entire CVE from PHSA (we sometimes get questions - why is one severity indicated on the advisory page, but you showed a different one)

If you have time to review my questions above (this isn't urgent, as we're not planning the transition in the near future):

• different PHSA-IDs from OVAL
• correct year for PHSA-IDs (from OVAL)
• wrong refs

Thanks in advance!

[dcasota]

I apologize for any confusion regarding the conversion rule 2 "Get the year from -- take the year (2025)". Extract the year from the advisory's issued date attribute (issued date="YYYY-MM-DD"), using the year (2025) specified therein. Please do not reference the year from the title (PHSA-2026:...) - it pertains to the OVAL document generation year. The issued date represents when VMware's security team published the advisory and released the corresponding fix.