
x/pkgsite: linkify vulnerability aliases #54700

Closed
neild opened this issue Aug 26, 2022 · 2 comments
Assignees: neild
Labels: FrozenDueToAge, pkgsite, vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@neild
Contributor

neild commented Aug 26, 2022

The "Aliases" section for vulnerability reports should make CVE and GHSA IDs into links.

We should also stop adding these links to the "References" section of the OSV data by default. We do want to manually include advisory links on occasion, but we shouldn't put a CVE/GHSA link in the references just because the advisory aliases reference it; that's redundant and it's better to generate the link at display time if desired.

@neild neild added the pkgsite label Aug 26, 2022
@neild neild self-assigned this Aug 26, 2022
@gopherbot gopherbot added this to the Unreleased milestone Aug 26, 2022
@gopherbot

Change https://go.dev/cl/426034 mentions this issue: all: do not add CVE/GHSA links to references

@neild
Contributor Author

neild commented Aug 26, 2022

...actually the CVE/GHSA IDs are already links at HEAD, so just need to stop putting links in the refs section.

gopherbot pushed a commit to golang/vulndb that referenced this issue Aug 29, 2022
OSV records reference CVEs and GHSAs via the 'aliases' field.
Don't generate an additional reference link in the 'references' field;
if we want a link, we can generate it at display time.

Also don't put the GHSA permalink in the suggested context links
when generating a new report; while we do sometimes want to link
the GHSA when it's the canonical source of information on a
vulnerability, that's not the usual case.

For golang/go#54700.

Change-Id: I2e9b4f77f6caf9473fd2c62274bf5ffe790f836c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/426034
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
@jamalc jamalc modified the milestones: Unreleased, pkgsite/later Aug 29, 2022
@neild neild closed this as completed Aug 29, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 6, 2022
@golang golang locked and limited conversation to collaborators Sep 6, 2023