Add RSEC as a supported database prefix #175
Comments
+1. R is used by many, and in particular is often used for statistical analysis of vast amounts of data... so vulnerabilities in certain R packages could have a serious impact.
Absolutely! Would be awesome to get RSEC included here. Can you please open a PR similar to #157?
@oliverchang After #176 is approved and merged, what additional work is required to get RSEC vulnerabilities populating on https://osv.dev/? Happy to do whatever follow-up is necessary to start getting visibility on these.
@tylfin I've filed google/osv.dev#1476 to track the work required on osv.dev side. Just eyeballing the entries at https://github.com/RConsortium/r-advisory-database/blob/main/vulns/readxl/RSEC-2023-1.yaml, the timestamps look a bit problematic:
I'm not sure we support the "N" suffix here (and it doesn't seem to be part of RFC 3339). It would be worth converting these entries to JSON and then seeing if they validate against https://github.com/ossf/osv-schema/blob/main/validation/schema.json
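An added check for the timestamp concern raised in the comment above (example code, not from the OSV project or the r-advisory-database): it takes an OSV entry already parsed from YAML or JSON as a dict and reports any `modified`, `published` or `withdrawn` value that is not an RFC 3339 date-time. The sample entries and their timestamp values are constructed for illustration.

```python
import re
from datetime import datetime

# RFC 3339 date-time, which the OSV schema requires for `modified`, `published`
# and `withdrawn`: full date, 'T', full time, optional fraction, then a
# mandatory zone designator ('Z' or +HH:MM / -HH:MM). A bare "N" suffix fails.
RFC3339_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$"
)
TIMESTAMP_FIELDS = ("modified", "published", "withdrawn")


def is_rfc3339(value):
    """True if value is a well-formed RFC 3339 date-time with a real calendar date."""
    if not isinstance(value, str):
        return False
    match = RFC3339_RE.match(value)
    if not match:
        return False
    try:
        # Reject dates such as 2023-02-30 that the regex alone would accept
        # (leap seconds, i.e. second == 60, are not accepted here either).
        datetime(*(int(g) for g in match.groups()))
    except ValueError:
        return False
    return True


def check_osv_timestamps(entry):
    """Return a list of problems with the timestamp fields of one parsed OSV entry."""
    problems = []
    if "modified" not in entry:  # `modified` is a required field in the OSV schema
        problems.append("modified: required field is missing")
    for field in TIMESTAMP_FIELDS:
        if field in entry and not is_rfc3339(entry[field]):
            problems.append(f"{field}: {entry[field]!r} is not RFC 3339")
    return problems


# Constructed sample entries (not the real RSEC-2023-1 record): the first carries the
# non-standard "N" suffix discussed in the thread, the second uses the 'Z' UTC designator.
BAD_ENTRY = {"id": "RSEC-2023-1", "modified": "2023-06-13T15:42:00N", "published": "2023-06-13T15:42:00N"}
GOOD_ENTRY = {"id": "RSEC-2023-1", "modified": "2023-06-13T15:42:00Z", "published": "2023-06-13T15:42:00Z"}

if __name__ == "__main__":
    for name, entry in (("bad", BAD_ENTRY), ("good", GOOD_ENTRY)):
        print(name, check_osv_timestamps(entry) or "ok")
```

Running it in CI over every file under `vulns/` catches the timestamp problem before a full JSON Schema validation is attempted.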
Should be all set, I added a GHA CI check to ensure the repository adheres to the schema moving forward.
Closes #175. I didn't quite understand "Source URL" vs. "OSV Formatted URL" so I took a guess. cc @tylfin as upstream maintainer. I marked this as "unofficial" despite R Consortium backing, please CMIIW.

Signed-off-by: Michael Chirico <michaelchirico4@gmail.com>
Signed-off-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: Tyler Finethy <tylfin@gmail.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
@tylfin could I please also ask you to update https://github.com/ossf/osv-schema/blob/main/docs/schema.md#r-cran--bioconductor-vulnerability now that there are example entries in the DB?
Also fix OSV formatted URL for RSEC with `vulns` path.
Per comment: #175 (comment)
I want to get RSEC added to the list of supported database prefixes. This would cover the R language and packages hosted in cran.r-project.org or bioconductor.org package repositories. I've started a repository here: https://github.com/RConsortium/r-advisory-database that can be used as a community-owned destination for these vulnerabilities.
I have an example of a vulnerability here: RConsortium/r-advisory-database#1 that shows what these will look like moving forward, and this repository generally follows the format of the PyPA's advisory database.