You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Like many open source ecosystems, folks in the Julia world have been working to harden CI/CD and publication process of our default registry and related infrastructure. We've fixed some significant vulnerabilities and we'd like to report on them, but we have high confidence that they never affected any named packages/versions in our ecosystem. We want to issue an advisory so we (and others) can reference it, and it really feels like we should be able to use a JLSEC advisory as it's part-and-parcel to the Julia ecosystem, but we're blocked on how to actually define it.
How would osv.dev react to ingesting an advisory without an affected block? Is that a possible solution? Technically, that's an optional field, but the osv.dev docs say "Package-level precision is the minimum standard" and osv-lint demands it as its very first check. Or with ranges that don't name a package and instead point directly to a repo that's not a named package in our JLSEC ecosystem (cf ossf/osv-schema#94 (comment))?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Like many open source ecosystems, folks in the Julia world have been working to harden CI/CD and publication process of our default registry and related infrastructure. We've fixed some significant vulnerabilities and we'd like to report on them, but we have high confidence that they never affected any named packages/versions in our ecosystem. We want to issue an advisory so we (and others) can reference it, and it really feels like we should be able to use a JLSEC advisory as it's part-and-parcel to the Julia ecosystem, but we're blocked on how to actually define it.
How would osv.dev react to ingesting an advisory without an
affectedblock? Is that a possible solution? Technically, that's an optional field, but the osv.dev docs say "Package-level precision is the minimum standard" and osv-lint demands it as its very first check. Or with ranges that don'tnamea package and instead point directly to arepothat's not a named package in our JLSEC ecosystem (cf ossf/osv-schema#94 (comment))?Beta Was this translation helpful? Give feedback.
All reactions