Skip to content

x/vulndb: link credits to appropriate user #50454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
julieqiu opened this issue Jan 5, 2022 · 1 comment
Open

x/vulndb: link credits to appropriate user #50454

julieqiu opened this issue Jan 5, 2022 · 1 comment
Labels
NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@julieqiu
Copy link
Member

julieqiu commented Jan 5, 2022

When the credit in a report is attributed to a username, we should change make the @username a link to the correct page. For example, https://github.com/golang/vulndb/blob/1179110444905751f6788f14cb5a2b4c60231232/reports/GO-2020-0032.yaml#L20 should be changed to https://github.com/christi3k when running vulnreport create.

/cc @golang/vulndb
@julieqiu julieqiu added the vulndb label Jan 5, 2022
@gopherbot gopherbot added this to the Unreleased milestone Jan 5, 2022
@neild
Copy link
Contributor

neild commented Mar 15, 2022

In the linked example, I can't figure out where @christi3k came from. This report references CVE-9999-0012, which doesn't exist, and I can't find anything in the cvelist repo which seems to correspond to this report.

So far as I can tell, it's uncommon for the credit field of CVEs to be filled in. In the reports I've created, I've mostly manually populated the report credit field from an vulnerability announcement email rather than the CVE metadata. We could make vulnreport create rewrite @username on the assumption that it's a GitHub username, but this won't help with the common (I think) case where the credit was manually entered.

We could instead make vulnreport lint and vulnreport fix rewrite @username, but that could cause problems if we want a literal @ in a credit field at some point.

Or perhaps we could consider this a presentation issue, leave the @username as is, and rewrite it to a link on display when desired.

I'm not sure what the right choice is. Suggestions welcome.

@neild neild removed their assignment Jul 18, 2022
@toothrot toothrot added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Jul 20, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed vulndb labels Sep 2, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Go Security
Status: No status
Milestone
vuln/unplanned
Development

No branches or pull requests
4 participants
@toothrot @neild @julieqiu @gopherbot