RHSA ID for vulnerabilities names instead of CVE ID #495
Labels
area/usability
related to improving user experience
Comments
|
I don't recall a particular reason for that naming convention. You change sounds great. I'd love to review your patch and get it merged into the project. |
jzelinskie
added
area/usability
|
Hey,
I can’t recall the exact reason unfortunately but I’d be careful and verify
the consistency of the database after initial filling and other updates.
It could either go back to the time we didn’t associate vulnerabilities’
metadata (e.g link, description, ...) to a namespace (in which case, it
should be safe), or it could be due to the way erratas are published and
updated. For instance, ensure no erratas are published without associated
CVE, then modified to have one, etc.
At the end of the day, if RHEL decides to index their vulnerabilities by
RHSA ID and we decide to flip this database upside down to index by CVE ID,
extra care must be given that no corner cases exists. Especially the kind
of issues where some vulnerabilities would not be listed or updated
properly.
It could be very safe to do that change thought, just need to be sure it is
:)
…On December 13, 2017 at 22:29:41, Jimmy Zelinskie ***@***.***) wrote:
I don't recall a particular reason for that naming convention. You change
sounds great. I'd love to review your patch and get it merged into the
project.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#495 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABRUQf-Yydeokv2slFVrISXqiuyEfeatks5tAEHFgaJpZM4Q5Tiw>
.
|
|
Thanks for the explanations. I made a patch based on release-2.0. Before submitting it, I have to made a few changes to get it to work on the master branch (probably next week). |
yebinama
added a commit
to yebinama/clair
that referenced
this issue
Dec 18, 2017
Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities. Fixes quay#495
yebinama
added a commit
to yebinama/clair
that referenced
this issue
Sep 14, 2018
Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities. Fixes quay#495
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
Why did you choose to have RHSA ID (and ELSA for Oracle) as vulnerabilities names for Red Hat OSes instead of CVE-ID like Ubuntu or Alpine?
With RHSA ID as a name, vulnerabilities lack informations like NVD metadata and it's more difficult to know which images are affected by a specific CVE.
I think It would be nice to have the same behavior for all updaters.
If you are interested, I made a patch on my fork and can submit a merge request.
The text was updated successfully, but these errors were encountered: