Check if OLD nodejs advisories are still relevant (was: Find a way to ingest advisories without aliases) #981

Comments
Separate advisories could be merged in the future using something other than just an alias. This would be a great improver project.

There are more reasons to merge with other keys than an alias, considering descriptions, references and more beyond aliases.

@pombredanne in the current situation when we don't have any aliases, every time the improver runs it creates different VCIDs for the same vulnerability (we use aliases for merging as of now, and in the absence of an alias there is no way with the current code for us to know if 2 vulnerabilities are the same or not). I think we should check for similarity in references for the case when there is no alias in the advisory. IMO we should never create a VCID if we have exactly the same references as another VCID.
In the specific case listed in the description, this is no longer an issue ... https://public.vulnerablecode.io/packages/pkg:npm/electron-packager@5.2.1?search=packager is now provided by other sources, and the old nodejs advisories are likely obsolete.

needs more discussion
In this advisory no alias is attached https://github.com/nodejs/security-wg/blob/main/vuln/npm/104.json; we should store a made-up alias for these advisories.
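The two proposals in this thread (merge alias-less advisories by exact reference match instead of minting a fresh VCID, and store a made-up alias for advisories that have none) can be combined into one deterministic rule. The sketch below is an added example written for this issue, not VulnerableCode's own code: the `Advisory` dataclass, the `VCREF-` synthetic-alias prefix, the sample advisories and the placeholder CVE/GHSA ids are all constructed here. The made-up alias is a hash of the normalised reference set, so the same references always yield the same alias across improver runs, and any advisory (with or without real aliases) that carries exactly the same references lands in the same group rather than getting a new id.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Advisory:
    """Minimal stand-in for an ingested advisory (constructed for this example)."""
    summary: str
    aliases: List[str] = field(default_factory=list)     # CVE/GHSA ids; empty for old nodejs JSON files
    references: List[str] = field(default_factory=list)  # reference URLs


def normalize_reference(url: str) -> str:
    """Canonicalise a reference URL so trivial variants (host case, trailing slash,
    fragment) do not defeat an exact-reference comparison."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def reference_fingerprint(references) -> str:
    """Deterministic synthetic alias derived from the normalised reference set.
    The 'VCREF-' prefix is an assumption of this example, not a VulnerableCode format."""
    canonical = sorted({normalize_reference(r) for r in references})
    digest = hashlib.sha256("\n".join(canonical).encode("utf-8")).hexdigest()[:16]
    return f"VCREF-{digest}"


def made_up_alias(advisory: Advisory) -> Optional[str]:
    """Alias to store for an advisory that has none: the reference fingerprint.
    Advisories with real aliases keep them; an advisory with neither aliases nor
    references cannot be linked to anything, so it gets no made-up alias."""
    if advisory.aliases or not advisory.references:
        return None
    return reference_fingerprint(advisory.references)


class _UnionFind:
    """Tiny disjoint-set structure over string keys (advisory nodes, aliases, fingerprints)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def group_advisories(advisories):
    """Partition advisories into groups that should share one vulnerability id.
    Two advisories are linked if they share an alias (case-insensitive) or if they
    have exactly the same normalised reference set, so an alias-less advisory never
    spawns a new id when another advisory already carries the same references."""
    uf = _UnionFind()
    for idx, adv in enumerate(advisories):
        node = f"advisory:{idx}"
        uf.find(node)  # register even isolated advisories
        for alias in adv.aliases:
            uf.union(node, "alias:" + alias.strip().upper())
        if adv.references:
            uf.union(node, "ref:" + reference_fingerprint(adv.references))
    groups = {}
    for idx in range(len(advisories)):
        groups.setdefault(uf.find(f"advisory:{idx}"), []).append(idx)
    return sorted(groups.values())


# Constructed sample input: placeholder ids and example.test URLs, not real advisories.
SAMPLE = [
    Advisory("bug in example-pkg (source A)", aliases=["CVE-0000-0001"],
             references=["https://Example.test/adv/1"]),
    Advisory("old nodejs advisory, no alias", references=["https://example.test/adv/1/"]),
    Advisory("other old advisory, no alias", references=["https://example.test/adv/2"]),
    Advisory("same bug from source B", aliases=["GHSA-xxxx-xxxx-xxxx", "cve-0000-0001"],
             references=["https://example.test/adv/3"]),
]

if __name__ == "__main__":
    print(group_advisories(SAMPLE))          # [[0, 1, 3], [2]]
    print(made_up_alias(SAMPLE[1]))          # VCREF-<hash of the normalised references>
```

Advisory 1 has no alias but the same reference as advisory 0 (differing only in host case and a trailing slash), so it joins advisory 0's group instead of getting its own id; advisory 3 joins through its shared CVE alias; advisory 2 stays separate. If the project later decides that reference equality should only link alias-less advisories, the `ref:` union can be made conditional on `not adv.aliases` without changing anything else.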