GHSA-qq97-vm5h-rrhg out of sync. Why does it have different states? #224

mayrstefan opened this issue Apr 26, 2022 · 3 comments

mayrstefan commented Apr 26, 2022

When analyzing aquasecurity/trivy#2034 I was surprised to find the advisory id GHSA-qq97-vm5h-rrhg in two different states:

  1. GHSA-qq97-vm5h-rrhg from the repo maintainers, which seems to be the most up-to-date version, including the CVE number
  2. GHSA-qq97-vm5h-rrhg as a public GitHub Advisory, which has not been updated

Because I did not find a machine readable format of the first one I have to ask:

  • is there any automation to keep the official advisories in-sync (bot for automated pull requests on updates)?
  • where is the official process documented?
  • one id, two links, different information: which one is expected to be used by the public? I guess the second one, because the mouse-over preview has more details
mayrstefan (Author) commented:

Even more confusing: both links have a different security rating. Although https://nvd.nist.gov/vuln/detail/CVE-2021-41190 mentions GitHub with a low scoring, we can find this id on GitHub with a medium scoring.

ravage84 commented:

@mayrstefan while I was researching a similar case, I came across this statement:

Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "Editing security advisories in the GitHub Advisory Database."

https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory

Marcono1234 (Contributor) commented:

This differentiation between Repository Advisory and Database Advisory which both have the exact same GHSA ID is really confusing. In #1136 (comment) it was mentioned:

They can actually differ in content. The GitHub Security Lab Curation team reviews each and every advisory that makes it into the "reviewed" category on our system, and they'll sometimes add additional details or fix the spelling of a package name, etc. We don't want to force those changes on anyone's repository, so we let them update as they see fit.

But as mentioned above in this issue, this difference in content is more likely to cause confusion than help anyone (?). And when you just write the name of an advisory, such as GHSA-qq97-vm5h-rrhg, GitHub seems to automatically add a link to the Database Advisory, making it even more unlikely that users will see the Repository Advisory.

And to increase the confusion, when you write the URLs https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg (Repository Advisory) and https://github.com/advisories/GHSA-qq97-vm5h-rrhg (Database Advisory) for example in a comment on an issue, the GitHub UI shows for both the link text GHSA-qq97-vm5h-rrhg.

Here are some more negative examples in the context of withdrawn advisories:

Repository Advisory (not withdrawn)   Database Advisory (withdrawn)
GHSA-9pgh-qqpf-7wqj                   GHSA-9pgh-qqpf-7wqj
GHSA-cvx8-ppmc-78hm                   GHSA-cvx8-ppmc-78hm
GHSA-mcwm-2wmc-6hv4                   GHSA-mcwm-2wmc-6hv4
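The mismatches described in this thread (a CVE alias present in only one copy, different severity labels, one copy withdrawn while the other is not) are exactly what a consumer such as a vulnerability scanner should detect before trusting either link. The following is an added example, not code from this issue, from GitHub, or from any project mentioned here: it takes two records that share one GHSA ID, in the OSV-style JSON that the github/advisory-database repository publishes, and reports every watched field on which they differ. The records are constructed inline with placeholder IDs, dates and severities chosen to mirror the thread, not values copied from a real advisory. In practice the database copy would be fetched from that OSV export or from the REST endpoint GET /advisories/{ghsa_id}, and the repository copy from GET /repos/{owner}/{repo}/security-advisories/{ghsa_id}; the latter returns GitHub's own schema rather than OSV, so mapping it onto the OSV field names assumed below is left to the caller.

```python
"""Detect when two records that share one GHSA ID have drifted apart.

Added example for this issue, not code from GitHub or from the projects
discussed here. The records below are constructed in OSV-style JSON (the
shape the github/advisory-database repository publishes); the IDs, dates
and severities are placeholders that mirror the kinds of mismatch reported
in the thread, not values taken from a real advisory.
"""
import json
from typing import Any, Optional

# Constructed sample: the advisory as the repository maintainers updated it.
REPO_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",          # placeholder GHSA ID
    "aliases": ["CVE-0000-00000"],        # placeholder CVE added by maintainers
    "summary": "Placeholder: example summary text.",
    "modified": "2022-03-01T00:00:00Z",
    "database_specific": {"severity": "LOW"},
})

# Constructed sample: the same GHSA ID as the global database still shows it.
DB_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": [],                        # CVE never propagated to this copy
    "summary": "Placeholder: example summary text.",
    "modified": "2021-11-17T00:00:00Z",
    "database_specific": {"severity": "MODERATE"},
})

# Constructed sample: a pair where only the database copy was withdrawn.
WITHDRAWN_DB_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-0000-00000"],
    "summary": "Placeholder: example summary text.",
    "modified": "2022-04-01T00:00:00Z",
    "withdrawn": "2022-04-01T00:00:00Z",
    "database_specific": {"severity": "LOW"},
})

# Top-level OSV fields worth comparing. The qualitative severity label is
# handled separately because GitHub keeps LOW/MODERATE/HIGH/CRITICAL under
# database_specific rather than in the OSV "severity" list.
WATCHED_FIELDS = ("aliases", "summary", "withdrawn", "modified")


def load(record_json: str) -> dict[str, Any]:
    """Parse one advisory record from its JSON text."""
    return json.loads(record_json)


def severity_label(record: dict[str, Any]) -> Optional[str]:
    """GitHub's qualitative severity label, or None if the record has none."""
    return (record.get("database_specific") or {}).get("severity")


def diff_advisories(a: dict[str, Any], b: dict[str, Any]) -> dict[str, tuple[Any, Any]]:
    """Return {field: (value_in_a, value_in_b)} for every watched field that differs.

    Raises ValueError when the records carry different IDs: the point is to
    compare two copies of the *same* advisory, so mixed IDs are a caller bug,
    not a legitimate difference.
    """
    if a.get("id") != b.get("id"):
        raise ValueError(f"ID mismatch: {a.get('id')!r} vs {b.get('id')!r}")
    diffs: dict[str, tuple[Any, Any]] = {}
    for field in WATCHED_FIELDS:
        va, vb = a.get(field), b.get(field)
        if field == "aliases":
            # Alias order carries no meaning; compare as sorted lists.
            va, vb = sorted(va or []), sorted(vb or [])
        if va != vb:
            diffs[field] = (va, vb)
    sa, sb = severity_label(a), severity_label(b)
    if sa != sb:
        diffs["severity"] = (sa, sb)
    return diffs


def is_out_of_sync(a: dict[str, Any], b: dict[str, Any]) -> bool:
    """True when any watched field differs between the two copies."""
    return bool(diff_advisories(a, b))


def newest(a: dict[str, Any], b: dict[str, Any]) -> dict[str, Any]:
    """Pick the copy with the later OSV "modified" timestamp.

    OSV timestamps are RFC 3339 in UTC ("...Z"), so plain string comparison
    is a valid ordering here; a record without "modified" always loses.
    """
    return a if (a.get("modified") or "") >= (b.get("modified") or "") else b


def report(a: dict[str, Any], b: dict[str, Any], a_name: str, b_name: str) -> list[str]:
    """One line per divergent field, followed by a verdict line."""
    lines = [f"{field}: {a_name}={va!r} {b_name}={vb!r}"
             for field, (va, vb) in diff_advisories(a, b).items()]
    lines.append(f"{a['id']}: {'OUT OF SYNC' if lines else 'in sync'}")
    return lines


if __name__ == "__main__":
    repo, db = load(REPO_ADVISORY), load(DB_ADVISORY)
    print("\n".join(report(repo, db, "repository", "database")))
    print("\n".join(report(repo, load(WITHDRAWN_DB_ADVISORY), "repository", "database")))
```

The "modified" timestamp is compared as well as the content fields because it is the only signal a consumer has for which copy to prefer when the two disagree; a withdrawn copy that is also the newer one is a strong hint that the repository copy was simply never updated.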
