diff --git a/README.md b/README.md
index 7322676d..c21642a8 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ There are many home databases publishing OSV-format advisories or maintain conve
- [Malicious Packages Repository](https://github.com/ossf/malicious-packages)
- [Mageia Advisories](https://advisories.mageia.org/)
- [MinimOS](https://packages.mini.dev/advisories/osv/all.json)
+- [OCaml](https://github.com/ocaml/security-advisories)
- [openEuler](https://repo.openeuler.org/security/data)
- [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
- [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD)
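Review bot: the added entry is labelled only `OCaml`, which names the language rather than the advisory source, while neighbouring entries (`Mageia Advisories`, `Malicious Packages Repository`) name the database itself. docs/schema.md in this same change calls it the "OCaml Security Advisory Database"; suggest using that as the link text here so the two documents agree.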
@@ -85,6 +86,7 @@ Together, these include vulnerabilities from:
- MinimOS
- npm
- NuGet
+- OCaml
- openEuler
- openSUSE
- OSS-Fuzz
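Review bot: this list gains `OCaml`, but the ecosystem string added in the constants, the schema enum and the docs table is `opam`, and the surrounding entries (`npm`, `NuGet`) are spelled the way the ecosystem appears in records. Suggest `opam` or `OCaml (opam)` so that someone searching the README for the value they see in a record's ecosystem field finds it.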
diff --git a/bindings/go/osvconstants/constants.go b/bindings/go/osvconstants/constants.go
index 8f3a462f..a5e86c11 100644
--- a/bindings/go/osvconstants/constants.go
+++ b/bindings/go/osvconstants/constants.go
@@ -35,6 +35,7 @@ const (
EcosystemMinimOS Ecosystem = "MinimOS"
EcosystemNPM Ecosystem = "npm"
EcosystemNuGet Ecosystem = "NuGet"
+ EcosystemOpam Ecosystem = "opam"
EcosystemOpenEuler Ecosystem = "openEuler"
EcosystemOpenSUSE Ecosystem = "openSUSE"
EcosystemOSSFuzz Ecosystem = "OSS-Fuzz"
diff --git a/docs/schema.md b/docs/schema.md
index 183d171c..23d627e5 100644
--- a/docs/schema.md
+++ b/docs/schema.md
@@ -465,6 +465,17 @@ The defined database prefixes and their "home" databases are:
+
+ OSEC |
+ OCaml Security Advisory Database |
+
+
+ |
+
OSV |
Advisories allocated by OSV.dev (currently only from OSS-Fuzz) |
@@ -894,6 +905,7 @@ The defined ecosystems are:
| `MinimOS` | The MinimOS package ecosystem; the `name` is the name of the package. |
| `npm` | The NPM ecosystem; the `name` field is an NPM package name. |
| `NuGet` | The NuGet package ecosystem. The `name` field is a NuGet package name. |
+| `opam` | The OCaml package manager ecosystem. The `name` field is an opam package name. |
| `openEuler` | The openEuler ecosystem; The `name` field is the name of the source RPM. The ecosystem string has a `` suffix, specifying a particular openEuler LTS Release.`` is numeric (YY.MM) version maintained in our [archive list](https://www.openeuler.org/en/download/?archive=true). Here, `LTS` stands for long term support and `SP` stands for service pack which offers extensions and enhancements of the major LTS version. Note innovation versions (those without `LTS`) are out of our security advisories' scope. The `ecosystem_specific` field contains all updated packages, including src rpm and binaries of different architectures. For more information, please refer to our [vulnerability disclosure policy](https://gitee.com/openeuler/security-committee/blob/master/docs/en/vulnerability-management-process/security-disclosure-en.md) and this [example](https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1612) of a source security advisory. |
| `openSUSE` | The openSUSE ecosystem; The ecosystem string has a `:` suffix presenting the marketing name of the openSUSE distribution. `` matches the value in the `/etc/os-release` `PRETTY_NAME` field. The `name` field is the name of the source RPM and accompanied by a purl. There is an `ecosystem_specific` specific array `binaries` of the associated RPM binary packages in this specific openSUSE distribution. The ECOSYSTEM version ordering is the RPM versioncompare ordering, and the database uses the `introduced` and `fixed` boundaries. |
| `OSS-Fuzz` | For reports from the OSS-Fuzz project that have no more appropriate ecosystem; the `name` field is the name assigned by the OSS-Fuzz project, as recorded in the submitted fuzzing configuration. |
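Review bot: the new `opam` row is missing a statement of how versions are ordered, which a consumer needs in order to evaluate `introduced` and `fixed` boundaries; the `openSUSE` row just below spells its ordering out. Suggest adding one sentence naming the version comparison that opam records rely on, and saying whether the ecosystem string is ever expected to carry a `:` suffix, since the validation pattern in this change accepts `opam` followed by `(:.+)?`.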
diff --git a/ecosystems.json b/ecosystems.json
index da2a6ba7..8fedddf9 100644
--- a/ecosystems.json
+++ b/ecosystems.json
@@ -28,6 +28,7 @@
"MinimOS": "The MinimOS package ecosystem; the `name` is the name of the package.",
"npm": "The NPM ecosystem; the `name` field is an NPM package name.",
"NuGet": "The NuGet package ecosystem. The `name` field is a NuGet package name.",
+ "opam": "The OCaml package manager ecosystem. The `name` field is an opam package name.",
"openEuler": "The openEuler ecosystem; The `name` field is the name of the source RPM. The ecosystem string has a `` suffix, specifying a particular openEuler LTS Release.`` is numeric (YY.MM) version maintained in our [archive list](https://www.openeuler.org/en/download/?archive=true). Here, `LTS` stands for long term support and `SP` stands for service pack which offers extensions and enhancements of the major LTS version. Note innovation versions (those without `LTS`) are out of our security advisories' scope. The `ecosystem_specific` field contains all updated packages, including src rpm and binaries of different architectures. For more information, please refer to our [vulnerability disclosure policy](https://gitee.com/openeuler/security-committee/blob/master/docs/en/vulnerability-management-process/security-disclosure-en.md) and this [example](https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1612) of a source security advisory.",
"openSUSE": "The openSUSE ecosystem; The ecosystem string has a `:` suffix presenting the marketing name of the openSUSE distribution. `` matches the value in the `/etc/os-release` `PRETTY_NAME` field. The `name` field is the name of the source RPM and accompanied by a purl. There is an `ecosystem_specific` specific array `binaries` of the associated RPM binary packages in this specific openSUSE distribution. The ECOSYSTEM version ordering is the RPM versioncompare ordering, and the database uses the `introduced` and `fixed` boundaries.",
"OSS-Fuzz": "For reports from the OSS-Fuzz project that have no more appropriate ecosystem; the `name` field is the name assigned by the OSS-Fuzz project, as recorded in the submitted fuzzing configuration.",
diff --git a/tools/osv-linter/internal/checks/schema_generated.json b/tools/osv-linter/internal/checks/schema_generated.json
index a8e81303..651ff081 100644
--- a/tools/osv-linter/internal/checks/schema_generated.json
+++ b/tools/osv-linter/internal/checks/schema_generated.json
@@ -358,6 +358,7 @@
"MinimOS",
"npm",
"NuGet",
+ "opam",
"openEuler",
"openSUSE",
"OSS-Fuzz",
@@ -383,13 +384,13 @@
"type": "string",
"title": "Currently supported ecosystems",
"description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
- "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|CleanStart|ConanCenter|CRAN|crates\\.io|Debian|Docker Hardened Images|Echo|FreeBSD|GHC|GitHub Actions|Go|Hackage|Hex|Julia|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|VSCode|Wolfi|GIT)(:.+)?$"
+ "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|CleanStart|ConanCenter|CRAN|crates\\.io|Debian|Docker Hardened Images|Echo|FreeBSD|GHC|GitHub Actions|Go|Hackage|Hex|Julia|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|opam|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|VSCode|Wolfi|GIT)(:.+)?$"
},
"prefix": {
"type": "string",
"title": "Currently supported home database identifier prefixes",
"description": "These home databases are also documented at https://ossf.github.io/osv-schema/#id-modified-fields",
- "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DHI|DRUPAL|DSA|DLA|ELA|DTSA|ECHO|EEF|FreeBSD|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
+ "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DHI|DRUPAL|DSA|DLA|ELA|DTSA|ECHO|EEF|FreeBSD|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSEC|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
},
"severity": {
"type": [
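Review bot: `schema_generated.json` is, by its name, a generated artifact, and its blob hashes here (`a8e81303..651ff081`) are identical to those of `validation/schema.json`, so the two files are byte-for-byte the same before and after. Please confirm this copy was produced by regenerating from `validation/schema.json` rather than by editing both by hand, and say so in the commit message, so a later regeneration does not yield an unexpected diff.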
diff --git a/validation/schema.json b/validation/schema.json
index a8e81303..651ff081 100644
--- a/validation/schema.json
+++ b/validation/schema.json
@@ -358,6 +358,7 @@
"MinimOS",
"npm",
"NuGet",
+ "opam",
"openEuler",
"openSUSE",
"OSS-Fuzz",
@@ -383,13 +384,13 @@
"type": "string",
"title": "Currently supported ecosystems",
"description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
- "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|CleanStart|ConanCenter|CRAN|crates\\.io|Debian|Docker Hardened Images|Echo|FreeBSD|GHC|GitHub Actions|Go|Hackage|Hex|Julia|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|VSCode|Wolfi|GIT)(:.+)?$"
+ "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|CleanStart|ConanCenter|CRAN|crates\\.io|Debian|Docker Hardened Images|Echo|FreeBSD|GHC|GitHub Actions|Go|Hackage|Hex|Julia|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|opam|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|VSCode|Wolfi|GIT)(:.+)?$"
},
"prefix": {
"type": "string",
"title": "Currently supported home database identifier prefixes",
"description": "These home databases are also documented at https://ossf.github.io/osv-schema/#id-modified-fields",
- "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DHI|DRUPAL|DSA|DLA|ELA|DTSA|ECHO|EEF|FreeBSD|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
+ "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DHI|DRUPAL|DSA|DLA|ELA|DTSA|ECHO|EEF|FreeBSD|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSEC|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
},
"severity": {
"type": [
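Review bot: nothing in this diff exercises the two new values, `opam` in the ecosystem enum and pattern and `OSEC` in the prefix pattern. Both patterns are case-sensitive, so a record using `OCaml` (the spelling added to the README) or `Opam` as its ecosystem would be rejected. Suggest adding a sample record with an `OSEC-` identifier and ecosystem `opam` to whatever validation fixtures the repository keeps, plus a negative case for the `OCaml` spelling, so the enum at line 358 and the regex at line 383 cannot drift apart unnoticed.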