Repo specific advisories with CVE IDs don't make it into the global set #3266
Comments
It's a similar story for advisories that were created in a private repository but got a CVE assigned with information available publicly.
Hi all! Thank you for opening an issue about this. Yes, it's a flaw in our system design and a known error. It's been on our roadmap to correct this for some time but keeps being pushed back for other issues. I'll keep this issue open so I can report back when we have it resolved!
The README for this repository says:
Perl does have such a registry (in https://metacpan.org/dist/CPAN-Audit, maintained by the submitter of this issue), so it would seem quite straightforward to add it as a supported ecosystem.
It looks like if a repo has an advisory that was not marked to enter the global database, and that advisory is assigned a CVE ID, the CVE ID in question is not present in the GitHub Advisory Database.
I feel like I'm not explaining this well, so I have an example.
This Grafana advisory, GHSA-2x6g-h2hg-rq84, has been assigned CVE-2022-39306.
If you search the GitHub advisory database, that ID doesn't show up.
It is nice to use the GitHub database, even for unreviewed IDs, because it's vastly more complete and accurate for supported ecosystems than other sources. Incomplete CVE data means multiple data sources must be queried to get a full picture of which IDs exist.
Related is #2963, where I suggest allowing community contributions for non-supported ecosystems; it would be a service to the world to have a public place to store useful details uncovered during investigations.