x/pkgsite: surface known vulnerabilities for a module version #56205
Labels: pkgsite, UX, vulncheck or vulndb
For packages with known vulnerabilities, pkgsite clearly presents a banner on the top.
However, for modules, the UX to access the list of related vulnerabilities is less clear.
Let's see golang.org/x/text. This is a package and also a module: https://pkg.go.dev/golang.org/x/text@v0.1.0
Some packages in the module have vulnerabilities, e.g. https://pkg.go.dev/golang.org/x/text@v0.1.0/encoding/unicode, but there is no vulnerability in the package golang.org/x/text itself, so pkgsite doesn't show any information. However, modules are what users use for their dependency management, so I hope vulnerability information can be made more easily accessible from the module page.
Currently, users can see the vulnerability info when they visit the module versions page: https://pkg.go.dev/golang.org/x/text@v0.1.0?tab=versions
I'd argue that this is not very obvious. Moreover, pulling all the versions to learn about vulnerabilities for a specific module version is sometimes overkill. For old modules, this list can grow very long.
https://pkg.go.dev/k8s.io/kubernetes@v1.19.17-rc.0/pkg/apis/core?tab=versions