-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable GHSA to consolidate affected
entries
#35
Comments
@rsc @chrisbloom7 WDYT? I'm starting to think supporting an event that encodes "<=version" makes sense, especially since it's supported in CVE 5.0. |
But in this case, +1 for supporting |
@oliverchang Thanks for explaining why the current approach could be problematic and for iterating through a number of potential solutions. For starters, I would love to remove our dependence on custom If that potential for misuse makes option 2 less attractive, then your first suggestion for |
grumble ... thinking about this further, we use |
Thanks for the comments! Perhaps we can start with the range-specific @rsc, what do you think of all of this? |
Maybe we can do both options 1 and 2? They serve different purposes, and having both options available would be useful on our side to clean up our round-trip transformation process. |
It is a design goal for OSV for all clients to be able to determine in an algorithmically precise way whether a particular version is affected. Having "database_specific" in the affected object would harm that goal, because now the meaning depends on knowing about each particular database. So I'd very very much like to avoid doing that. Changing the algorithm has similar problems. That leaves the potential for adding a <= operator in some form. Since we did that for CVE JSON 5.0 and we ideally want to be able to convert losslessly between CVE and OSV, it does seem reasonable to add <=. Today we have "introduced" and "fixed". If we added <=, I assume the way it would work is that we'd add "last_affected", and an entry can have either "last_affected" or "fixed" but not both. And then the test would be < fixed or else <= last_effected. I think that matches CVE JSON 5.0's lessThan and lessThanOrEqual. Do I have that right? |
Right, in this case though, I don't think
I'm also leaning toward this given the CVE JSON 5.0 support and the closer alignment with GHSA. I can draft up a PR for this if we all agree here.
|
Might I suggest that if we're willing to add |
(Also, selfishly, that would solve soooo many problems on our translation side) |
I do think we want to optimise more for the consumers of these entries to be able to consume/edit them more simply. As @rsc also explored in #31 (comment), there are other reasons to not add operators like "last_known_good", including lack of CVE 5.0 support and inaccurate encodings. Given the compatibility constraints of our schema, adding new fields/semantics is expensive and I think we should be a bit cautious here in introducing too many new fields at once. |
I agree with @oliverchang about being very selective in how many different constraints we add, for all the reasons he enumerated. I suggest we start with just "last_affected". |
This is intended only for metadata that enables databases to losslessly convert OSV entries back into their original representation. Part of #35.
* Add `last_affected` event type. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> * JSON validation Co-authored-by: Chris Bloom <[email protected]>
* Add database_specific to `affected[].ranges[]`. This is intended only for metadata that enables databases to losslessly convert OSV entries back into their original representation. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> Co-authored-by: Chris Bloom <[email protected]>
* Add `last_affected` event type. (#38) * Add `last_affected` event type. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> * JSON validation Co-authored-by: Chris Bloom <[email protected]> * Add database_specific to `affected[].ranges[]`. (#37) * Add database_specific to `affected[].ranges[]`. This is intended only for metadata that enables databases to losslessly convert OSV entries back into their original representation. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> Co-authored-by: Chris Bloom <[email protected]> * Bump version and add change log. Co-authored-by: Chris Bloom <[email protected]>
@oliverchang I'm just in the process of implementing support for
Should that last |
Good catch, thanks! That was indeed a bad copy/paste. I've fixed up the original post, and renamed this to the actual field name we went with ( |
@oliverchang awesome, thanks for that! I've landed support for |
Context
Currently, GitHub's Advisory Database encodes pairs of (introduced, fixed) events in separate
affected
objects. This is because GitHub needs to preserve these pairs when converting the OSV entry back into their internal database represenation.An example: https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2017/10/GHSA-xgr2-v94m-rc9g/GHSA-xgr2-v94m-rc9g.json#L14
One obvious alternative here is to use a single
affected
entry and have two separateECOSYSTEM
ranges in there:However, I believe this wasn't done, because GitHub needs to record version metadata using a <= operator, and relies on
database_specific
to this. One example: https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.jsonThis has a bunch of affected entries that look like:
GHSA-gww7-p5w4-wrfv.json
Problems
There are a number of problems here:
Using the the current evaluation pseudo-code, the semantics of the GHSA-gww7-p5w4-wrfv.json entry above would mean: everything after
2.0.0
is affected, regardless of any fixes that are encoded afterwards in otheraffected
entries.This advisory has fixes later specified in 2.8.11.5 and 2.9.10.1, but they're not going to be considered under the current evaluation algorithm. Any version after
2.0.0
will be incorrectly considered to be vulnerable.Having duplicate package entries makes the entry a lot less lean than it should be
Proposed solutions
Add
database_specific
toaffected[].ranges[]
If we instead add
database_specific
toaffected[].ranges[]
, we could encode GHSA-gww7-p5w4-wrfv asThe pseudo-code as is should work as intended with this encoding (with minor changes re sorting), and the resulting JSON has far less duplication.
Support a <= event
Similar to above, rather than encoding this in
database_specific
, we support a "last_affected" event or something similar:In the vast majority of cases, GitHub does actually know the exact fix version (example), but they would still like to record this <= information for use in tools such as Dependabot.
Supporting this would mean we potentially complicate our version specification, and potentially encourage entries that only use
last_affected
when we really wantfixed
in all cases. On the other hand, CVE 5.0 does support alessThanOrEqual
, and perhaps OSV was missing this.Fix the evaluation algorithm to consider all
affected
entries for the same package.We could alternatively make the pseudo-code handle these problematic cases, but it doesn't seem ideal as it:
affected
entries for the same package was to encode things like platform configurations where the set of affected versions are not the same.The text was updated successfully, but these errors were encountered: