Trying to understand why last_affected and fixed are exclusionary?

[kurtseifried]

In the schema:

            {
              "if": {
                "properties": {
                  "events": {
                    "contains": {
                      "required": ["last_affected"]
                    }
                  }
                }
              },
              "then": {
                "not": {
                  "properties": {
                    "events": {
                      "contains": {
                        "required": ["fixed"]
                      }
                    }
                  }
                }
              }
            }

Why are they exclusionary? I couldn't find anything in the docs. Was there a discussion about this that I can view that explains it?

[kurtseifried]

Or was it meant to have all 4 in there as per:

Only a single type (either "introduced", "fixed", "last_affected",
"limit") is allowed in each event object. For instance,
{"introduced": "1.0.0", "fixed": "1.0.2"} is invalid.

[oliverchang]

This is this sentence in the schema:

"Entries in the events array can contain either "last_affected" or "fixed" events, but not both."

The intention is to prevent confusing combinations of last_affected and fixed within the same events array, because they make each other redundant.

[kurtseifried]

Ok, can we update the docs to mention that this is actually enforced in the schema?

[bagder]

Why can't we have both? As a mere human, I think they provide information and it certainly doesn't hurt to have both even if one of them would suffice.

[andrewpollock]

@kurtseifried I'm trying to determine if there's anything actionable here.

Are you asking to more explicitly state that things documented as being required by the schema are enforced by the schema definition?

[kurtseifried]

@kurtseifried I'm trying to determine if there's anything actionable here.

Are you asking to more explicitly state that things documented as being required by the schema are enforced by the schema definition?

At a minimum, it needs to be documented, and enforced in the schema, so those both need an update.

Also, I think, in line with @bagder it is not necessary to make it exclusionary especially as there are many cases where "The intention is to prevent confusing combinations of last_affected and fixed within the same events array, because they make each other redundant." is not correct (Cisco software train version, Linux Kernel, etc.).

[andrewpollock]

At a minimum, it needs to be documented, and enforced in the schema, so those both need an update.

I think the point @oliverchang was trying to make was that these are both the case today, if I am reading correctly?

Perhaps you could send us a PR to illustrate what you feel needs to be updated?

[kurtseifried]

The problem is, if it is up to me I would remove the requirement entirely and allow both. As such I can't really say why it is required, so I can't really submit a PR for this as I don't understand what the intent is other than "it might be confusing"(but for many of my use cases it is not).

[rhalar]

I have to admit I do agree that having both is confusing and potentially very vague as to what is or isn't vulnerable, if @kurtseifried would be willing to expand on his reasoning?

I've mentioned part my confusion in another issue (#150 (comment)), but I'm also interested to understand when having both isn't redundant, namely you say:

"The intention is to prevent confusing combinations of last_affected and fixed within the same events array, because they make each other redundant." is not correct

[hayleycd]

For any future readers on this issue, please refer to this comment in #150 for clarity.

[hayleycd]

I think we can close this given #174 and #159