List Perl as an environment #3536

Open
briandfoy opened this issue Feb 14, 2024 · 8 comments
Comments

@briandfoy

briandfoy commented Feb 14, 2024

I'd like to improve several reports related to the Perl language and ecosystem, but I cannot submit the form because the improvement form has the ecosystem as a required field, and there is no entry for "Other" or some such.

I suggest some combination of these:

  • Do not require an environment value to improve a report. That allows someone to improve a report even without a listed ecosystem.
  • Use an "Unknown" or "Other" value for the ecosystem, which could either be a virtual ecosystem or simply use no value (the current state), still allowing the form field to be required while having a null value.
  • Add Perl as an ecosystem. There are plenty of people who would help categorize the backlog of over 200,000 uncategorized reports.
  • Even without a "Perl" ecosystem, I'd still like to improve the values in the ecosystem section of the improvement form to note the versions affected, package name, and so on. In general, any improvement, even if incomplete, is valuable.
@briandfoy
Author

briandfoy commented Feb 15, 2024

This looks like the same request for C/C++ in #2963 and #3266.

@delgreco

Fully support this

briandfoy added a commit to briandfoy/cpan-security-advisory that referenced this issue Feb 17, 2024
@rawleyfowler

I support this!

@KateCatlin
Collaborator

Hi all, thanks for opening this issue! And wow that is a lot of 👍 interest!

We have opened an issue internally to look into this and see what we would need to do to support it.

@briandfoy
Author

@KateCatlin - I didn't see another way to get in touch with you, but as one of the people who maintains some of the Perl tools that do security audits for Perl projects, I'd be happy to talk to you about how the Perl community could help the GitHub Advisory Database. I'm happy to help as a volunteer in any way that I can be useful. If you want to take it offline, my email is on https://briandfoy.github.io.

For example, I maintain the CPAN Security Advisory, which is a secondary source of information that collates a bunch of different sources for our tools. Currently I'm adding the GitHub Advisory ID to anything we are tracking. As part of that, I've collected a bunch of information on affected versions, fixed versions, and a few other things for Perl advisories. It's something I've been doing for a while. There are a lot of people who help, so we have a lot of information that can improve the GitHub reports.

@KateCatlin
Collaborator

Thanks for offering, Brian! We'd love to have this conversation!

I'm actually going to pass this over to @taladrane who is the leader of our Advisory Database Curation team, the team that would be most involved in taking on a new ecosystem to support. I'll let you two follow up and connect from here!

@stigtsp

stigtsp commented Mar 6, 2024

@KateCatlin @taladrane Hi! I'm one of the members of the CPAN Security Group (@CPAN-Security), and I'd like to support the initiative by @briandfoy to add Perl as an environment in your advisory database.

Some of our goals are to help triage vulnerabilities with the Perl and CPAN community, secure the CPAN supply chain, and help with the development of security-related tooling. You can find more information about our efforts on https://security.metacpan.org/ or contact us at cpan-security@perl.org.

@briandfoy
Author

We had a good meeting with @taladrane and part of her team today. I have some homework to pull together various things about how Perl modules work and so on so GitHub can see how that would fit into their workflow. This is progressing satisfactorily, and neither side is making any promises about anything. We're a long way from actual support, but I'm very happy that I even got the meeting and that they had lots of good questions. :)

5 participants