please help the jq project add GHSA-8mxc-vqrq-gcm8 to their Security Notices #5385


Closed
eslerm opened this issue Mar 21, 2025 · 4 comments

Comments

eslerm commented Mar 21, 2025

Hi Github Advisory Curation Team,

Could you please assist jq in adding GHSA-8mxc-vqrq-gcm8 to their Security tab? Upstream is interested: jqlang/jq#3296 (comment)

ref: https://github.com/github/advisory-database/blob/main/advisories/unreviewed/2025/02/GHSA-8mxc-vqrq-gcm8/GHSA-8mxc-vqrq-gcm8.json

shelbyc commented Mar 21, 2025

Hi @eslerm, there isn't a procedure for retroactively adding a global advisory to a repository. However, the maintainers of jq are welcome to make a new repository GitHub Security Advisory about CVE-2024-53427 to discuss the vulnerability. As I said in #5383 (comment), jq isn't in one of the GitHub Advisory Database's supported ecosystems, so we can't review the advisory for inclusion in the reviewed set of advisories. But if jq want to include their perspective as maintainers in the CVE record, they can publish a repo GHSA and send it to https://cveform.mitre.org when they request an update as a publicly available reference to support updates they want to make to the CVE record.

shelbyc closed this as completed Mar 21, 2025

eslerm commented Mar 21, 2025

Thank you @shelbyc 🙏 I hadn't seen @kbsteere's PR 👍

To publish a repo GHSA, does jq need to file a GitHub Private Vulnerability Report?

shelbyc commented Mar 21, 2025

> To publish a repo GHSA, does jq need to file a GitHub Private Vulnerability Report?

No, they just need someone with sufficient privileges to create an advisory. Private Vulnerability Reporting is a tool for researchers, rather than maintainers, to create a private repo GHSA to enable coordinated vulnerability disclosure.

eslerm commented Mar 21, 2025

Thanks @shelbyc

iiuc, either a jq owner or "Security Managers" for the org are allowed to do that. I'll relay to jq. Cheers!
