Do not leak internal database ids in the API
In this we have URLs such as:
- "url": "http://public.vulnerablecode.io/api/vulnerabilities/1265",
- "url": "http://public.vulnerablecode.io/api/packages/168702",

that leak internal record ids/primary keys. We should provide either a GUID or a natural key instead.
```json
[
  {
    "url": "http://public.vulnerablecode.io/api/packages/168702",
    "purl": "pkg:maven/junit/junit@4.12",
    "type": "maven",
    "namespace": "junit",
    "name": "junit",
    "version": "4.12",
    "qualifiers": {},
    "subpath": "",
    "affected_by_vulnerabilities": [
      {
        "url": "http://public.vulnerablecode.io/api/vulnerabilities/1265",
        "vulnerability_id": "VCID-e1bu-4uh4-aaac",
        "summary": "",
....
```
Hey, I have a question. What's the expected result you wanna have? From what I've understood it's this:
For example, instead of: "http://public.vulnerablecode.io/api/vulnerabilities/1265"
It could be: "http://public.vulnerablecode.io/api/vulnerabilities/abcdefg-1234-5678-90ab-cdefghijklmn"
Please correct me if I'm wrong.
@TG1999 @pombredanne ^^
How about VCID and purl in public URLs? This would make the URLs independent of database deletion/re-creation, if it so happens. Also, multiple instances will be very explicit about which vulnerability/package they're pointing at, just by looking at the URL.
EDIT: Just realized VCID is based on UUID so this might not be as good.
IMHO we should use the natural keys of each model: vcid and purl
As I can infer from the discussion, is it okay to reference the URLs via the natural key instead of a UUID? This means that the natural key is a different entity from the primary key, right?
I checked, and this problem still exists. If you are willing to work on a solution, I would like to take up the case.
@Mohit-majumdar sure, feel free to work on this issue
I have discovered the true cause of this primary key, which is that the HyperlinkedModelSerializer is being used. The question at hand is: will we use the VCID field or something else in place of the PK field? @TG1999 or @Hritik14, can someone please help me with this?
@Mohit-majumdar we would want to use either a natural key (maybe VCID or package_url) or a UUID.
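The following is an added example, not VulnerableCode project code, showing the natural-key approach the thread converges on: public URLs keyed by VCID or purl rather than by the database primary key, with the key format validated on the way in and out. The `/api/<resource>/<key>` layout and the `VCID-xxxx-xxxx-xxxx` shape are assumptions inferred from the URLs and the `vulnerability_id` value quoted above, not taken from the project's own code; the purl has to be percent-encoded because it contains `/`, `:` and `@`.

```python
"""Added example (not VulnerableCode project code): expose API resources by
natural key (VCID or purl) instead of the database primary key.

Assumptions (inferred from the thread, not from the project's code):
  - URL layout is  <BASE>/<resource>/<key>
  - a VCID looks like VCID-xxxx-xxxx-xxxx with four lowercase base36 chars per group
"""
import re
from urllib.parse import quote, unquote, urlsplit

BASE = "http://public.vulnerablecode.io/api"  # host taken from the issue text

# Natural-key validators per resource. A purely numeric key is rejected on
# purpose: accepting it would reintroduce the sequential primary key.
VCID_RE = re.compile(r"^VCID-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$")
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/.+$")  # loose shape check only

VALIDATORS = {
    "vulnerabilities": VCID_RE,
    "packages": PURL_RE,
}


def is_natural_key(resource: str, key: str) -> bool:
    """True if `key` has the natural-key shape expected for `resource`."""
    validator = VALIDATORS.get(resource)
    return validator is not None and validator.match(key) is not None


def build_url(resource: str, natural_key: str) -> str:
    """Return a public URL for `natural_key`.

    safe="" makes quote() encode '/' as %2F, so a purl such as
    pkg:maven/junit/junit@4.12 stays a single path segment.
    """
    if not is_natural_key(resource, natural_key):
        raise ValueError(f"not a natural key for {resource}: {natural_key!r}")
    return f"{BASE}/{resource}/{quote(natural_key, safe='')}"


def parse_url(url: str) -> tuple:
    """Inverse of build_url: return (resource, natural_key) or raise ValueError."""
    path = urlsplit(url).path            # still percent-encoded here
    prefix = urlsplit(BASE).path + "/"
    if not path.startswith(prefix):
        raise ValueError("not an API URL")
    parts = path[len(prefix):].split("/")
    if len(parts) != 2:
        raise ValueError("expected /api/<resource>/<key>")
    resource, raw_key = parts
    key = unquote(raw_key)
    if not is_natural_key(resource, key):
        raise ValueError(f"rejected lookup key {raw_key!r} for {resource}")
    return resource, key


def package_record(purl: str, affected_vcids: list) -> dict:
    """Build a record in the shape quoted in the issue, with natural-key URLs."""
    return {
        "url": build_url("packages", purl),
        "purl": purl,
        "affected_by_vulnerabilities": [
            {"url": build_url("vulnerabilities", v), "vulnerability_id": v}
            for v in affected_vcids
        ],
    }


if __name__ == "__main__":
    # Constructed sample values: the purl and VCID quoted in the issue.
    rec = package_record("pkg:maven/junit/junit@4.12", ["VCID-e1bu-4uh4-aaac"])
    print(rec["url"])
    print(parse_url(rec["affected_by_vulnerabilities"][0]["url"]))
```

One caveat when wiring this into a router: some web frameworks decode `%2F` before URL resolution, so a purl in the path may be split into several segments; if that happens, carrying the purl as a query parameter (as a `?purl=` lookup) avoids the problem while still keeping the primary key out of the URL.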