a Linux OS packages vulnerabilities from OSV database? #8769
i-bs started this conversation in Development
-
OS vendors typically provide OVAL or CSAF as the primary data source and convert it into the OSV format. Therefore, we prioritize using the primary data sources. However, if you add a script to vuln-list-update, OSV can also be consumed for OS packages.
-
Looking at https://trivy.dev/latest/docs/scanner/vulnerability/ I see that the Vulnerability Scanning → OS Packages → Data Sources are different sources, but not OSV (aka Open Source Vulnerabilities). OSV is used as the data source for Language-specific Packages only.
Meanwhile, OSV covers many OSes (Linux-based and beyond).
I wonder what it takes, or how, to use OSV as the data source for a newly added OS, as that OS's security data is (or soon will be) available in OSV only, with no OVAL or self-made formats.
Thanks