-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expand vuln id relationships #53
Comments
Relationships off the top of my head:
|
Maybe add also AND/OR/NOT relations, to describe dependencies among packages:
|
Hi @chrisbloom7 ! I'm adding you here because I received a comment from you in another issue I opened, and I'd like to hear your opinion about this. I'm using this issue instead of opening a new one because I think we're talking about the same, how can I express in OSV this parent/child relation named above? For example, this vulnerability Even when I properly described the range for This situation can't be covered easily with the algorithm proposed in https://ossf.github.io/osv-schema/#evaluation. |
@oliverchang Bumping this as it affects GSD process for revoking duplicate IDs as the data gets normalized (How should duplicate IDs be handled?) This wouldn't be a backward compatible change, but to be honest, |
Could you talk a bit more about the use case for expanding on this? It's not clear that this helps any automated tools in any way. If so, then is this just providing more details to humans? How will a human make use of this? Do these categories provide enough context such that they don't have to do a significant amount of work understanding the linked IDs anyway? The categories proposed in #133 are also slightly confusing, in that there's overlap with |
The primary one of relevance is DUPLICATED_BY / DUPLICATE_OF, which is relevant for machines and humans, see: CloudSecurityAlliance/gsd-tools#194 for context. Presumably aliases are for...well, aliases. IDs that are referring to the exact same thing, as opposed to related IDs. for example, GSD-2021-44228 would have an alias of CVE-2021-44228. Or GHSA-5r3x-p7xx-x6q5 would have aliases of CVE-2023-28631 and GHSL-2023-049. Whereas something that gets withdrawn and replaced with another would have no aliases, and a related entry of "DUPLICATE_OF" with the ID of the replacement ID. EDIT: In retrospect, you could actually consolidate aliases into the related field, with a type of ALIAS. |
Was chatting with @kurtseifried while working on https://data.gsd.id and for relationships, would be valuable to have: {
"id": string (required)
"type": string (required)
"canonical_url": string (optional)
"reference_urls": Array[string] (optional)
} Format provided as an example / skeleton to work from. |
I think the type data should be an enum, e.g.: DUPLICATE_OF I suspect one is enough for almost all cases, the above options are very much exclusive to each other with the exception of COMMON_NAME. |
Allow not just aliasing (this ID is also known as...) and relates to (this ID is different from, but related to...), but also more nuanced relationships like parent/child and such.
@JLLeitschuh what would be most useful relationship types to include from a researcher's perspective?
The text was updated successfully, but these errors were encountered: