linter cron job deletes invalid json findings

[hogo6002]

The linter cron job runs osv-linter on all records and writes the findings to a datastore. To remove old findings, the job deletes any existing entry from the datastore that does not have a corresponding finding in the current linter run.

But importer also does JSON validation and writes its findings to the same datastore. Since this JSON schema validation check isn't part of the osv-linter itself, the linter cron job incorrectly assumes these findings are obsolete and deletes them.

Two ways to fix this:

• Add JSON schema validation to the osv-linter. This is the ideal solution, as it would aggregate all checks into one place. One issue here is that the OSV schema is defined outside of this Go project, so we can't simply use go:embed. Also osv-linter doesn't have a formal release process, so we can't add an automated pre-build step to copy the schema. The most straightforward solution for now is probably just to copy the schema into this project?

OR

• Modify the linter cron job's logic. We could either add the schema validation check directly to the job or, more simply, prevent the job from deleting findings related to JSON validation.

[another-rex]

Add JSON schema validation to the osv-linter. This is the ideal solution, as it would aggregate all checks into one place. One issue here is that the OSV schema is defined outside of this Go project, so we can't simply use go:embed. Also osv-linter doesn't have a formal release process, so we can't add an automated pre-build step to copy the schema. The most straightforward solution for now is probably just to copy the schema into this project?

I think we already import the osv-schema repo as a submodule of this repo right, so I think we probably can just use go:embed or similar

[another-rex]

Oh it's in the same repo, just not in the same project. Let's just use a symlink to solve that issue.

[hogo6002]

Oh it's in the same repo, just not in the same project. Let's just use a symlink to solve that issue.

The downside of using a symlink is that we can't do go:embed, and will have to read file at the runtime. But considering the schema.json changes quite often, so I updated it to use a symlink and read at the runtime.