x/pkgsite: add Affected Symbols section to vulnerability pages #54812
Comments
Blocked by #54992
Change https://go.dev/cl/429678 mentions this issue:
It might make sense to list the information vertically, as opposed to in a table. It is also likely that in many reports, all exported symbols will be affected. /cc @jinhongy @fflewddur for UX input.

We should also only list exported symbols on this page, and maybe link to the corresponding pkg.go.dev/# page (this is #52660). We compute derived symbols when creating the reports, for this use case on pkgsite.
@julieqiu Where is the derived symbols field? I don't see derived symbols in the example data nor in the osv package types (https://pkg.go.dev/golang.org/x/vuln/osv#EcosystemSpecificImport).

EDIT: from the code I guess the Symbols field contains both derived and originally-reported symbols. But if we exclude all unexported symbols, there will be no exported symbol for
This is cl/429678 patchset 3.
List affected symbols (exported only) in the next
When multiple packages are affected:
When there are more than N (e.g. 5) symbols for a package, use
I would recommend using the table, considering the case that we might have multiple packages with multiple affected symbols. We can make it clear even with a huge number of affected symbols with the following adjustment:
Thanks @jinhongy! Would you mind sharing what the mobile design would look like? Here's the current mobile view:
Thanks @jinhongy. In cl/429678 patchset 4, I made it a three-column (Package, Versions, Symbols) table for wide screens, and made it similar to @jinhongy's mock for narrower screens. To make it look more polished, I need help from @jamalc or @jinhongy, who are more capable with JS/CSS.

Wide screen
Mobile view
Only exported symbols are reported. In case there are no exported symbols, we present as if all symbols in the package are completely vulnerable.

Updates golang/go#54812

Change-Id: I4555af8f27ae50fcb1a9e3b9e1c2ec29e750a9ad
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/429678
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Reviewed-by: Jamal Carvalho <jamal@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
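The rule the commit message states (list exported symbols only; if none are exported, present the whole package as affected) is small enough to show in full. The following is an added example written for this page, not pkgsite's code: the `Display` type, the function names and the package paths are this example's own, and the symbol list is constructed from the GO-2021-0113 names quoted in the issue plus an unexported helper. It also handles method-style names such as `Type.Method`, which this example assumes can appear in the symbols list; every dotted component must be exported for the symbol to count.

```go
package main

import (
	"fmt"
	"go/token"
	"sort"
	"strings"
)

// Display is what one row of an "Affected Symbols" section would carry.
// (Type and field names are this example's own, not pkgsite's.)
type Display struct {
	Path    string
	Symbols []string // exported symbols to list; empty when All is true
	All     bool     // no exported symbol found: present the whole package as affected
}

// isExportedSymbol accepts plain identifiers ("Parse") and method-style
// names ("Type.Method"). token.IsExported only inspects the first rune, so
// the name is split on "." and every component must be exported.
func isExportedSymbol(sym string) bool {
	for _, part := range strings.Split(sym, ".") {
		if !token.IsExported(part) {
			return false
		}
	}
	return true
}

// AffectedSymbols applies the commit-message rule: keep exported symbols
// only (sorted for stable rendering); if none remain, fall back to marking
// all symbols in the package as affected.
func AffectedSymbols(path string, symbols []string) Display {
	d := Display{Path: path}
	for _, s := range symbols {
		if isExportedSymbol(s) {
			d.Symbols = append(d.Symbols, s)
		}
	}
	if len(d.Symbols) == 0 {
		d.All = true
		return d
	}
	sort.Strings(d.Symbols)
	return d
}

func main() {
	// Constructed input: the four names from the issue plus an unexported
	// helper; the package path is a placeholder, not the real one.
	d := AffectedSymbols("example.com/lang", []string{
		"parseTag", "ParseAcceptLanguage", "Parse", "MustParse", "MatchStrings",
	})
	fmt.Printf("%s: %v (all=%v)\n", d.Path, d.Symbols, d.All)

	// Constructed input with no exported symbol: the fallback path.
	d = AffectedSymbols("example.com/internal/foo", []string{"helper", "Handler.serve"})
	fmt.Printf("%s: %v (all=%v)\n", d.Path, d.Symbols, d.All)
}
```

The second call shows the case raised in the thread: a report whose symbols are all unexported yields an empty list, so the page would say the whole package is affected rather than show an empty section.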
For example, https://pkg.go.dev/vuln/GO-2021-0113 should have an "Affected Symbols" section explicitly listing these symbols from the ecosystem_specific.imports.symbols section:
"MatchStrings",
"MustParse",
"Parse",
"ParseAcceptLanguage"