
Include NSWG ids for issues coming from Node.js Security Working Group program

Open ChALkeR opened this issue 7 years ago • 3 comments

References to NSWG vuln ids in the JSON dataset would be helpful, e.g. for additional deduplication when retrieving the entries from several sources at once.

Some don't have CVE entries, and HackerOne links might be not ideal for deduplication (though effective in most cases).

Those are in format NSWG-ECO-430, ref: https://github.com/nodejs/security-wg/blob/master/vuln/README.md#ecosystem.

I have a viewer set up here, but it is temporary and those links shouldn't be used.

I recommend to use just the ids in NSWG-ECO-430 form.

/cc @bl4de @eoftedal

ChALkeR avatar May 14 '18 13:05 ChALkeR

@ChALkeR You mean something like this:

```json
"SAMPLE": {
  "vulnerabilities": [
    {
      "below": "0.0.21",
      "severity": "high",
      "identifiers": {
        "summary": "Path Traversal",
        "CVE": [
          "CVE-2018-XXXX"
        ],
        "NSWG": [
          "NSWG-ECO-XXX"
        ]
      },
      "info": [
        "https://hackerone.com/reports/XXXXXX"
      ]
    }
  ]
},
```

?

bl4de avatar May 14 '18 14:05 bl4de

@bl4de Yes. I don't see a reason for it to be an array (unlike CVE, for which an array sometimes makes sense), though that would also work.

ChALkeR avatar May 14 '18 14:05 ChALkeR

Yeah, I just did a quick copy-paste here :)

I think this is what you mean, correct?:

```json
"SAMPLE": {
  "vulnerabilities": [
    {
      "below": "0.0.21",
      "severity": "high",
      "identifiers": {
        "summary": "Path Traversal",
        "CVE": [
          "CVE-2018-XXXX"
        ],
        "NSWG": "NSWG-ECO-XXX"
      },
      "info": [
        "https://hackerone.com/reports/XXXXXX"
      ]
    }
  ]
},
```

bl4de avatar May 14 '18 14:05 bl4de
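The deduplication use case from the opening post, as an added example that is not part of this thread or of retire.js: entries pulled from several feeds are merged when they share a CVE id, an NSWG-ECO id (accepted either as the single string agreed above or as the array from the first draft) or a HackerOne report URL. The feed names and the sample advisories are constructed for the example.

```python
import re

# Identifier shapes used for cross-source matching (CVE ids are taken verbatim from identifiers.CVE).
NSWG_RE = re.compile(r"^NSWG-ECO-\d+$")
H1_RE = re.compile(r"^https://hackerone\.com/reports/\d+$")

def keys_for(entry: dict) -> set:
    """Every identifier that can link this entry to another source's copy of it."""
    ids = entry.get("identifiers", {})
    nswg = ids.get("NSWG")  # string or array: both shapes proposed in the thread are accepted
    nswg_list = [nswg] if isinstance(nswg, str) else list(nswg or [])
    keys = {"cve:" + c.upper() for c in ids.get("CVE", [])}
    keys |= {"nswg:" + n for n in nswg_list if NSWG_RE.match(n)}
    keys |= {"h1:" + u for u in entry.get("info", []) if H1_RE.match(u)}
    return keys

def dedupe(sources: dict) -> list:
    """Union-find over shared identifiers: entries sharing any key become one record."""
    entries = [(src, e) for src, lst in sources.items() for e in lst]
    parent = list(range(len(entries)))
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    owner = {}  # identifier key -> first entry index that carried it
    for i, (_, e) in enumerate(entries):
        for k in keys_for(e):
            if k in owner:
                parent[find(i)] = find(owner[k])  # link the two groups
            else:
                owner[k] = i
    merged = {}
    for i, (src, e) in enumerate(entries):
        m = merged.setdefault(find(i), {"CVE": set(), "NSWG": set(), "info": set(), "sources": []})
        for k in keys_for(e):
            kind, _, val = k.partition(":")
            m[{"cve": "CVE", "nswg": "NSWG", "h1": "info"}[kind]].add(val)
        m["info"].update(e.get("info", []))
        m["sources"].append(src)
    return [{k: sorted(v) if isinstance(v, set) else v for k, v in m.items()} for m in merged.values()]

# Constructed sample data (not real advisories): one path-traversal bug reported by three feeds;
# only the NSWG id ties in the nswg copy, only the HackerOne URL ties in the h1 copy.
SAMPLE_SOURCES = {
    "retire.js": [{"below": "0.0.21", "severity": "high", "info": ["https://hackerone.com/reports/000000"],
                   "identifiers": {"summary": "Path Traversal", "CVE": ["CVE-2018-0000"], "NSWG": "NSWG-ECO-430"}}],
    "nswg": [{"identifiers": {"summary": "Path Traversal", "NSWG": ["NSWG-ECO-430"]}, "info": []},
             {"identifiers": {"summary": "Other bug", "CVE": ["CVE-2018-0001"]}, "info": []}],
    "h1": [{"identifiers": {"summary": "Path traversal"}, "info": ["https://hackerone.com/reports/000000"]}],
}
```

Without the NSWG id the nswg copy above would carry no CVE and no HackerOne link, so it would surface as a separate, duplicate finding.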