Got feedback for our new open-source Advisory Database repository? #11
Replies: 23 comments 58 replies
-
It'd be great to use CODEOWNERS so that maintainers of packages got automatically notified on PRs that affected their packages; that way i wouldn't have to watch the entire repo. |
Beta Was this translation helpful? Give feedback.
-
Could PR titles mention the ecosystem, package name, and vuln category? The GSA id doesn’t seem particularly useful as at-a-glance info. |
Beta Was this translation helpful? Give feedback.
-
Coming from #24 it would be nice to get some visual indication on which fields are required to get set for submitting a change :) |
Beta Was this translation helpful? Give feedback.
-
Has there been any discussion about how to go about contributing an entirely new advisory (for instance some historical CVE that just hasn't been tagged with specific package information)? |
Beta Was this translation helpful? Give feedback.
-
Hi! Thank you for this feature! I have an auto-imported security advisory GHSA-mv2w-4jqc-6fg4. My user story (what's worked so far!) I've been able to add a suggestion by clicking "Suggest improvements for this vulnerability". It created a PR at #108 which was merged d184017. It's live now and looks very to see it connected with data from pip, versions, and a connected package also subject to the flaw. I have some curiosities!
|
Beta Was this translation helpful? Give feedback.
-
I am having trouble correcting a listing. How do I combine version constraints? |
Beta Was this translation helpful? Give feedback.
-
Hi. The "Suggest improvement" interface is nice 👍 After opening #323 I also noticed the info
which is directly below the headline and easy to overlook IMO :D I would suggest to relabel the "Submit improvements" to something like "Create Pull Request" or "Submit improvements as Pull Requests". Maybe one could also include a note somewhere about checking for already openend PRs to avoid duplicates :) |
Beta Was this translation helpful? Give feedback.
-
The "Improve security advisory" form looks like a full submission of the whole advisory. It doesn't have a free-form field where I can comment what's wrong with the advisory. It feels weird to submit new data without an explanation why it needs to be changed. |
Beta Was this translation helpful? Give feedback.
-
GitHub uses CVSS scores of a "worst possible scenario", and this means that severities of alerts are highly inflated. This policy combines exceptionally poorly with Rust advisories about unsoundness in APIs.
Here's an example where this combination of policy and theoretical issue leads to an absurdly inappropriate Critical score. The advisory is about library trusting results of a hidden auto-implemented method called I fault GitHub for seriously considering such absurdly unlikely possibility as a "Critical" issue. I've been alerted about this problem as if it was a real imminent security danger, but in practice this was a false alarm. This problem can't happen in practice and doesn't affect anyone. I already ignore all Labelling trivial issues as Critical puts me in danger, because it teaches me to ignore the severity entirely. I can't be responding to so many pointless non-issues with the urgency and seriousness that real Critical issues require. When an actual Critical issue is discovered, I'll leave it ignored underneath the pile of a hundred false positives labelled as Critical too.
|
Beta Was this translation helpful? Give feedback.
-
Advisories imported from NVD which are not from one of the "supported ecosystems" can't currently be edited and improved, because the ecosystem is a required field. An example is GHSA-269w-9hm6-g22q, which refers to a C library hosted on GitLab. Surely such advisories should still be editable? Should also consider having an |
Beta Was this translation helpful? Give feedback.
-
Some CVE's aren't really actionable because a fix hasn't been published yet. For example, see "patched version: none": In the "Dismiss alert" dropdown, I'm missing an option allowing to dismiss the alert until a patched version becomes available. I would like to upgrade this dependency eventually, but obviously can't just yet. |
Beta Was this translation helpful? Give feedback.
-
It would be terrific to have a 'Convert to Issue' button on these advisories (much like pull request comments have). At the moment, if the update needs manual changes, I don't see an easy way to link related git commits and pull requests to these advisories. |
Beta Was this translation helpful? Give feedback.
-
Can GitHub please commit to make sure to keep "security advisories" up to date and accurate? E.g. GHSA-v833-mfjc-7qr5 was updated upstream, the "advisory" here is still stale. Also the "advisory" here, does not provide any advice. |
Beta Was this translation helpful? Give feedback.
-
Hi there, As I checking the vuln data for composer, the name and format of the composer packages are not consistent. For example: |
Beta Was this translation helpful? Give feedback.
-
I frequently get advisory warnings for files that have long been deleted from the repo. I don’t think maintainers should be warned about files in long-ago repo history, but only the current version. My latest warning was for an old version of jQuery I already removed from the repo a month ago (Jun 16, today is Jul 11). |
Beta Was this translation helpful? Give feedback.
-
I was recently informed that this repo exists and the advisory DB is open for feedback/discussion! This is great! But it would be nice if this was a bit more obvious from the dependabot interface itself. Currently, the web form for improvements ( |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
Hi, while trying to update an existing advisory via a PR, I just noticed it is not possible to add |
Beta Was this translation helpful? Give feedback.
-
I've just noticed some functionality degradation. There are cases where vulnerability affects just specific middle range or versions (.e. g just version v8 and v7, but not v6 and not v9), and currently it seems not possible to configure such vulnerability range. When this database supported, we were able to fix that issues, as e.g. one here: #179 Currently I see another similar regression in database and I'm not sure how it an be fixed |
Beta Was this translation helpful? Give feedback.
-
GitHub team, Many packages use a breaking change as an opportunity to rename the package. If a vulnerability is found on the old name for a package, there's often no way to inform users that a new version exists in a different location. A classic example of this When this occurs our users often incorrectly believe there is no security fix available; they don't realize a new version is available with a new name. Would it be possible to add fields to the GitHub advisory database to handle this scenario? e.g. a |
Beta Was this translation helpful? Give feedback.
-
Hi, recently I reported the the However now it seems like my credit is not marked in the database since I didn't recieve any result when searching for |
Beta Was this translation helpful? Give feedback.
-
There should be a way to ignore the generated lock files of a static GitHub Pages site, because it's generated at pushtime and only runs on GitHub's servers without any opportunity for attack |
Beta Was this translation helpful? Give feedback.
-
Not sure to comment here or create an issue: |
Beta Was this translation helpful? Give feedback.
-
Welcome 🎉
Github just released our new Community Contributions feature, and we can’t wait to hear your feedback!
Along with Community Contributions, GitHub is publishing the entire contents of the Advisory Database to this new public repository. Together these changes make it easier for you to share your knowledge and for the community to benefit from the advisory intel.
How to use this database
There are two ways to provide a community contribution to a security advisory. The first way is to open a pull request against a vulnerability in this repository.
The second way is to navigate from https://github.com/advisories to the advisory to which you wish to contribute to, and submit your research through the “suggest improvements for this vulnerability” workflow. In the following form, you can suggest changes or provide more context on packages, affected versions, impacted ecosystems, and more.
To complete your submission, the form will walk you through opening a pull request that details your suggested changes. Once the pull request is open, security researchers from the GitHub Security Lab, as well as the maintainer of the project who filed the CVE (if known), will be able to review your request. Contributors will get public credit on their GitHub profile once their contribution is merged!
Let's talk!
Do you have questions? Comments? Concerns? Kudos? This is the place to voice them. Let’s chat!
Beta Was this translation helpful? Give feedback.
All reactions