x/pkgsite: surface known vulnerabilities for a module version #56205

Open
hyangah opened this issue Oct 13, 2022 · 0 comments
Labels: pkgsite; UX (Issues that involve UXD/UXR input); vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

hyangah commented Oct 13, 2022

For packages with known vulnerabilities, pkgsite clearly presents a banner at the top.
However, for modules, the UX to access the list of related vulnerabilities is less clear.

Let's see golang.org/x/text. This is a package and also a module.
https://pkg.go.dev/golang.org/x/text@v0.1.0

Some packages in the module have vulnerabilities, e.g. https://pkg.go.dev/golang.org/x/text@v0.1.0/encoding/unicode, but there is no vulnerability in the package golang.org/x/text, so pkgsite doesn't show any information. However, modules are what users use for their dependency management, so I hope vulnerability information should be more easily accessible from the module page.

Currently, users can see the vulnerability info when they visit the module versions page
https://pkg.go.dev/golang.org/x/text@v0.1.0?tab=versions

I'd argue that this is not very obvious. Moreover, pulling all the versions to know about vulnerabilities for a specific module version is sometimes overkill. For old modules, this list can grow very long.
https://pkg.go.dev/k8s.io/kubernetes@v1.19.17-rc.0/pkg/apis/core?tab=versions

hyangah added the "UX" and "vulncheck or vulndb" labels Oct 13, 2022
gopherbot added this to the Unreleased milestone Oct 13, 2022
jamalc modified the milestones: Unreleased, pkgsite/later Oct 13, 2022