
Informational RustSec Advisory Presentation

Open pinkforest opened this issue 3 years ago • 0 comments

e.g. for ansi_term we provided an informational advisory: https://rustsec.org/advisories/RUSTSEC-2021-0139.html But GHSA has a different interpretation / representation: https://github.com/advisories/GHSA-74w3-p89x-ffgh

It's an advisory like the others, but it should be represented in the canonical way that the RustSec database implicitly intended.

Informational advisories do have security-related concerns, but these are nonetheless different from regular advisories -

It is a database-specific OSV attribute (set per `affected` entry):

  "affected": [
    {
      "database_specific": {
        "informational": "unmaintained"
      }
    }
  ],

Problem is GHSA / Dependabot as of now does not take the different advisory types into account as a canonical representation.

GHSA / Dependabot also assumes "Critical" severity, which is incorrect when we don't even flag CVSS for these -

We had a discussion about it here: https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/topic/github.20advisory.20flags.20as.20critical/near/299276275

Also I see that GHSA / Dependabot omits the provided actionable advice that is helpful to anyone interpreting these advisories - nonetheless it does link to the original RUSTSEC advisory, but I think Dependabot should include this actionable "fix" - if any - given people might be just fine using unmaintained code - for any given time - based on whatever individual / project opinion they hold as to whether to migrate or not.

I've raised another issue about the omitted actionable advice: https://github.com/github/advisory-database/issues/684

pinkforest avatar Sep 17 '22 07:09 pinkforest
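Added example, not code from the issue author, RustSec or GHSA tooling: a small consumer-side classifier that reads advisories in OSV form and keeps the distinction the issue asks for, treating an `affected[].database_specific.informational` marker as informational (no severity) and a regular advisory with no `severity` entry as unscored instead of assuming it is critical. Both advisory records are constructed for this example; only the `informational`/`database_specific` placement and the ansi_term / RUSTSEC-2021-0139 names come from the issue, the summaries, CVSS vector and second id are made up.

```python
import json

# Constructed sample advisories in OSV form (not copied from any database).
# The first mirrors the structure quoted in the issue: the informational
# marker lives under affected[].database_specific and no CVSS score is given.
INFORMATIONAL = json.loads("""
{
  "id": "RUSTSEC-2021-0139",
  "summary": "ansi_term is unmaintained (constructed summary)",
  "affected": [
    {
      "package": {"ecosystem": "crates.io", "name": "ansi_term"},
      "database_specific": {"informational": "unmaintained"}
    }
  ]
}
""")

# A regular (non-informational) advisory with a CVSS v3 vector; id and
# package name are placeholders.
VULNERABILITY = json.loads("""
{
  "id": "EXAMPLE-0001",
  "summary": "constructed example of a regular advisory",
  "affected": [{"package": {"ecosystem": "crates.io", "name": "example-crate"}}],
  "severity": [{"type": "CVSS_V3",
                "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]
}
""")


def informational_kind(advisory):
    """Return the informational marker (e.g. 'unmaintained') or None."""
    for entry in advisory.get("affected", []):
        kind = entry.get("database_specific", {}).get("informational")
        if kind:
            return kind
    return None


def classify(advisory):
    """Map an OSV advisory to (category, severity label).

    Informational advisories get no severity at all, and a regular advisory
    without a CVSS entry is reported as 'unscored' rather than 'critical'.
    """
    kind = informational_kind(advisory)
    if kind:
        return ("informational/" + kind, "not-applicable")
    scores = advisory.get("severity", [])  # OSV: list of {"type", "score"}
    if not scores:
        return ("vulnerability", "unscored")
    return ("vulnerability", scores[0]["score"])


if __name__ == "__main__":
    for adv in (INFORMATIONAL, VULNERABILITY):
        print(adv["id"], *classify(adv))
```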