
Check if OLD nodejs advisories are still relevant was:[Find a way to ingest advisories without aliases] #981

Open
TG1999 opened this issue Oct 26, 2022 · 4 comments

Comments

@TG1999
Member

TG1999 commented Oct 26, 2022

In this advisory no alias is attached https://github.com/nodejs/security-wg/blob/main/vuln/npm/104.json, we should store a made-up alias for these advisories.

@pombredanne
Member

  1. we should be able to create things without alias.
     Or use some made-up alias if need be? Only if we could use this consistently, which, based on the data below, is unlikely.

Separate advisories could be merged in the future using other things than just an alias. This would be a great improver project.

  2. This is a bit more involved on the data side as this looks also to be the same as:

These are more reasons to merge with other keys than an alias, considering descriptions, references and more beyond aliases.

@TG1999
Member Author

TG1999 commented Nov 2, 2022

@pombredanne in the current situation, when we don't have any aliases, every time the improver runs it creates different VCIDs for the same vulnerability (we use aliases for merging as of now, and in the absence of an alias there is no way with the current code for us to know if 2 vulnerabilities are the same or not). I think we should check for similarity in references for the case when there is no alias in the advisory.

IMO we should never create a VCID if we have the exact same references for another VCID.
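
The merge rule proposed in the comment above (aliases first, and, when an advisory carries none, an exact match on its reference set before minting a new VCID) as an added, runnable example. This is not VulnerableCode's own code or data model: the `Advisory`/`Vulnerability` classes, the `VulnerabilityStore` index, the reference-URL normalization and the `VCID-0001` placeholder id format are all assumptions made for this example, and the sample advisories, URLs and CVE id are constructed.

```python
# Added example, not VulnerableCode's own code: merge advisories into
# vulnerability records, falling back to the exact reference set when an
# advisory has no alias. Data model, URL normalization and VCID format are
# this example's own simplifications.
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Advisory:
    summary: str
    references: tuple
    aliases: tuple = ()  # empty for the old nodejs security-wg entries


@dataclass
class Vulnerability:
    vcid: str  # placeholder for a VCID
    aliases: set = field(default_factory=set)
    references: set = field(default_factory=set)
    summaries: list = field(default_factory=list)


def normalize_reference(url):
    """Lower-case scheme and host, drop trailing slash and fragment, so that
    trivially different spellings of one URL compare equal (this example's
    own choice, not how VulnerableCode compares references)."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def reference_key(references):
    """Hashable key for an advisory's whole reference set."""
    return frozenset(normalize_reference(r) for r in references)


class VulnerabilityStore:
    """In-memory index of vulnerabilities by alias and by reference set."""

    def __init__(self):
        self.vulnerabilities = {}  # vcid -> Vulnerability
        self._by_alias = {}        # alias -> Vulnerability
        self._by_references = {}   # frozenset of normalized URLs -> Vulnerability

    def _new_vcid(self):
        return "VCID-%04d" % (len(self.vulnerabilities) + 1)  # placeholder format

    def ingest(self, advisory):
        """Attach `advisory` to an existing vulnerability or create one; return the VCID."""
        refs = reference_key(advisory.references)
        vuln = None
        # Aliases remain the primary merge key.
        for alias in advisory.aliases:
            if alias in self._by_alias:
                vuln = self._by_alias[alias]
                break
        # Fallback: the exact same reference set was already seen on another
        # advisory, so no new VCID is created for this one.
        if vuln is None and refs:
            vuln = self._by_references.get(refs)
        # No alias and no references: nothing to match on, so this advisory
        # gets a fresh VCID on every run (the failure mode discussed above).
        if vuln is None:
            vuln = Vulnerability(vcid=self._new_vcid())
            self.vulnerabilities[vuln.vcid] = vuln
        vuln.aliases.update(advisory.aliases)
        vuln.references.update(refs)
        if advisory.summary not in vuln.summaries:
            vuln.summaries.append(advisory.summary)
        for alias in advisory.aliases:
            self._by_alias[alias] = vuln
        if refs:
            self._by_references[refs] = vuln
        return vuln.vcid


def import_all(advisories, store=None):
    """One importer run; pass the returned store back in to simulate the next run."""
    if store is None:
        store = VulnerabilityStore()
    for advisory in advisories:
        store.ingest(advisory)
    return store


# Constructed sample input: placeholder URLs and CVE id, not real advisory data.
REF_A = "https://advisories.example.com/npm/104"
REF_B = "https://github.com/example-org/example-pkg/issues/1"
SAMPLE_ADVISORIES = [
    Advisory("Command injection via crafted package name (no alias)", (REF_A, REF_B)),
    Advisory("Same finding, references spelled differently",
             ("https://Advisories.EXAMPLE.com/npm/104/", REF_B + "#issuecomment-1")),
    Advisory("Same issue, later published with a CVE id", (REF_A, REF_B), ("CVE-0000-00001",)),
    Advisory("Advisory with neither alias nor references", ()),
]
```

Running `import_all(SAMPLE_ADVISORIES)` once yields two vulnerabilities: the first three advisories collapse onto one record, which picks up the CVE alias from the third, and the alias-less, reference-less advisory gets its own. Running it again over the same store only duplicates that last advisory, which is exactly the case neither key can fix. Two caveats a practitioner should keep in mind: requiring the whole reference set to match keeps a single generic URL (a project homepage shared by unrelated advisories) from merging distinct vulnerabilities, but it also means two advisories that differ by one extra reference are not merged, which is where comparing descriptions or other keys, as suggested earlier in this thread, would come in.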

@TG1999 TG1999 linked a pull request Nov 7, 2022 that will close this issue
@TG1999 TG1999 changed the title No alias found for npm advisory Find a way to ingest advisories without aliases Nov 18, 2022
@TG1999 TG1999 added this to the v32.0.0 milestone Nov 18, 2022
@pombredanne pombredanne modified the milestones: v32.0.0, v33.0.0 Dec 8, 2022
@TG1999 TG1999 removed this from the v33.0.0 milestone Aug 15, 2023
@pombredanne pombredanne changed the title Find a way to ingest advisories without aliases Check if OLD nodejs are is till relevant was:[Find a way to ingest advisories without aliases] Jan 11, 2024
@pombredanne
Member

In the specific case listed in the description, this is no longer an issue ... https://public.vulnerablecode.io/packages/pkg:npm/electron-packager@5.2.1?search=packager is now provided by other sources, and the old nodejs advisories are likely obsolete.
If they are, we should simply drop the importer.

@DennisClark DennisClark changed the title Check if OLD nodejs are is till relevant was:[Find a way to ingest advisories without aliases] Check if OLD nodejs advisories are still relevant was:[Find a way to ingest advisories without aliases] Jul 1, 2024
@DennisClark
Member

needs more discussion

Projects
Status: Needs Review

3 participants