Improve data for (reviewed) withdrawn advisories #2420
Marcono1234
started this conversation in
General
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hello,
for a university project a fellow student and I had a look in December 2022 at the JSON data of the back then 141 GitHub-reviewed withdrawn advisories in the GitHub Advisory Database and noticed multiple issues.
Disclaimer: The number of withdrawn advisories is only a small fraction compared to the total number of advisories (back then ~1,4% of all GitHub-reviewed advisories were withdrawn). So possibly the work needed to improve this is not justified, but maybe the points mentioned below are useful nonetheless.
Some general improvements to the OSV schema have been proposed in ossf/osv-schema#160; that issue also contains some numbers regarding the GitHub Advisory Database.
The following are points more specific to the GitHub Advisory Database:
Notes about specific advisories:
GHSA-crmx-v835-hcp4 (respectively the original CVE) might have been withdrawn erroneously, see https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not; it appears Sonatype did not get the CVE reopened or requested a new CVE but instead created an advisory in their own database 🙄
GHSA-364w-9g92-3grq is withdrawn saying:
But the linked CVE has not been withdrawn and says:
Results and suggestions:
https://github.com/...
URLs to avoid issue and pull request references feels personally a bit like a workaround rather than a solution to me. Maybe it would be better to additionally ignore any references from comments created by bots?In general though we see the GitHub Advisory Database positively and hope that, also in combination with advisories created and CVEs requested directly on GitHub by repository maintainers and the new Private Vulnerability Reporting feature, it will be (a lot) easier for maintainers to publish and adjust advisories. We also appreciate that the data of the Advisory Database is public as Git repository here. This allowed us to perform this analysis quite easily locally without having to use some API and risking to hit rate limiting.
Hopefully this information and the suggestions are helpful for you!
If you need the list of all advisories we considered and in which category we put them (e.g. "unknown reason", "duplicate", "duplicate without referenced advisory", ...) I can try to provide them.
Beta Was this translation helpful? Give feedback.
All reactions