
Revisit VULCOID ...

Open pombredanne opened this issue 3 years ago • 5 comments

  • [ ] VULCOID has a confusing id numbering (base 36) that has a varying length. We should do something that is random and fixed size instead and eschew having something memorable.
  • [ ] VULCOID should have a namespace to avoid collision between VCIO instances
  • [ ] VULCOID could have a better name that's easier to pronounce

pombredanne avatar Jul 26 '22 15:07 pombredanne

Related https://github.com/nexB/vulnerablecode/issues/695#issuecomment-1102501957

Further suggestions

VULCOID-YEAR-ABCD

* Year is hard to infer for all vulnerabilities.

VULCOID-ABC

* Variable length base 36 `ABC`

VULCOID-[NAMESPACE-]ABC

* Same as `VULCOID-ABC` but with a reserved space for `NAMESPACE` that could be an identifier AboutCode supplies via Scancode Toolkit or any other means. (Unique values such as github usernames could also be leveraged)

Hritik14 avatar Jul 26 '22 15:07 Hritik14

Here are some suggestions for name:

  • Vulcan
  • Vern
  • Vlad (this one's my fav - vlad the impaler :p )
  • vade
  • vale
  • veld
  • verb
  • vole

Hritik14 avatar Jul 26 '22 20:07 Hritik14

The name to replace VULCOID needs to be simple and short like "purl". Candidates along these lines are: VULCO_ID, VULN_ID (already in use by others per Google Search - e.g. https://source.whitehatsec.com/help/sentinel/admins/customize-or-accept-risk.html), VUL_ID, VULCODE_ID etc. It is probably preferable if the name is something distinct for us.

mjherzog avatar Jul 27 '22 01:07 mjherzog

Candidates along these lines are: VULCO_ID, VULN_ID

I would prefer avoiding underscore and dash in the name and use only letters

Also, for some background, these are common "names" in use: https://cve.mitre.org/data/refs/index.html

In addition several are not listed there ... that's another source of inspiration:

  • GHSA for GitHub Security Advisory
  • RHSA for RedHat Security Advisory
  • ASB for Android Security Bulletin
  • DSA for Debian Security Advisory
  • GSD for Global Security Database
  • GO for Golang
  • OSV for the OSV DB from Google and mostly for OSS Fuzz
  • PYSEC for Python
  • ... and a few more

pombredanne avatar Jul 29 '22 07:07 pombredanne

So it looks like all-caps is preferred. We need a SOURCE name (as would be used if we post a new vulnerability to the NVD) and a name/abbreviation for the identifier. The logical SOURCE name would be VCDB and the identifier could be VCID, meaning VulnerableCode ID. There is an unfortunate usage of VCID as an abbreviation for "Vascular Cognitive Impairment and Dementia" and other usage for Virtual Channel Identifier, but those are far afield from our work.

mjherzog avatar Jul 29 '22 17:07 mjherzog

We could use an XKCD-like password generator for ids (https://preshing.com/20110811/xkcd-password-generator/), possibly with scary words? See https://github.com/rayraegah/xkcd936 and https://github.com/redacted/XKCD-password-generator

pombredanne avatar Aug 18 '22 16:08 pombredanne

After a long thought, I suggest that we use a uuid4() as in '5a9b63ed-8092-4433-b9bd-8738661a101b', but that would not make the id memorable.

pombredanne avatar Aug 23 '22 16:08 pombredanne

@keshav-space said in the weekly call that it does not have a purpose to have a memorable id if the id is not unique and pointing to the same vulnerability globally.

pombredanne avatar Aug 23 '22 16:08 pombredanne

So I suggest a VULCODE or VULCO prefix and a UUID4 as in 5a9b63ed-8092-4433-b9bd-8738661a101b, or ABCD, VULID, VCIO, VULCID, CODEVULN, VULN, VULNID as prefix. I just need some consensus! So:

VULCODE-5a9b63ed-8092-4433-b9bd-8738661a101b or VULCO-5a9b63ed-8092-4433-b9bd-8738661a101b

pombredanne avatar Aug 24 '22 22:08 pombredanne

My votes are:

  1. VULNID for Vulnerability ID. Most commonly used in our context in variations like vulnid or Vuln id. Some unfortunate overlap with "Deviant Art" - https://www.deviantart.com/tag/vulnid, but this seems pretty obscure. The likely English pronunciations are "vuln id" or "vul nid", which seem OK. We could conceivably take over as the primary reference point for VULNID. Preferred over VC or VULCO references because it is more descriptive to someone who does not know about our database yet.
  2. VCID for VulnerableCode ID (despite the unfortunate overlap with "Vascular Cognitive Impairment and Dementia" - there will be no confusion about field of use)

mjherzog avatar Aug 24 '22 22:08 mjherzog

This form is now up for votes: please +1 or -1. The id will be: VULNID-5a9b63ed-8092-4433-b9bd-8738661a101b, and we can display it in a shorter form as needed.

pombredanne avatar Aug 25 '22 16:08 pombredanne

+1

TG1999 avatar Aug 25 '22 16:08 TG1999

+1 for VCID

johnmhoran avatar Aug 25 '22 16:08 johnmhoran

  • VCID: John, Michael, Ziad, Keshav: 4 votes
  • VULNID: Tushar, Philippe, Michael: 3 votes

Many absentees have not voted, but the final is VCID!

The winning format is: VCID-5a9b63ed-8092-4433-b9bd-8738661a101b

Next steps:

  • add uuid column, migrate data to new column (details TBD and some possible performance impact)
  • replace any VULCOID reference by VCID in the code, UI, documentation and API

pombredanne avatar Aug 30 '22 16:08 pombredanne
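The format settled on above, as an added Python sketch that is not VulnerableCode's own code: minting a VCID, validating one (the UUID4 version and variant nibbles are checked, so a legacy VULCOID or a non-random UUID is rejected), producing the shorter display form, and mapping legacy ids to new ones idempotently so a migration can be re-run safely. The helper names, the 8-hex-character short form and the in-memory mapping are assumptions.

```python
import re
import uuid

# Assumed constants (not the project's own): fixed prefix chosen in the thread,
# and the legacy prefix being replaced.
VCID_PREFIX = "VCID-"
LEGACY_PREFIX = "VULCOID-"

# Canonical UUID4: version nibble must be 4, variant nibble one of 8, 9, a, b.
_UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def make_vcid() -> str:
    """Mint a new id: fixed size, random, deliberately not memorable."""
    return VCID_PREFIX + str(uuid.uuid4())


def is_valid_vcid(value: str) -> bool:
    """Accept only VCID-<uuid4>; reject legacy VULCOID ids and malformed values."""
    if not value.startswith(VCID_PREFIX):
        return False
    return _UUID4_RE.fullmatch(value[len(VCID_PREFIX):]) is not None


def short_vcid(value: str, length: int = 8) -> str:
    """Shorter display form (assumed: prefix + first `length` hex chars).
    The full id remains the canonical reference; this is for display only."""
    if not is_valid_vcid(value):
        raise ValueError(f"not a VCID: {value!r}")
    body = value[len(VCID_PREFIX):]
    return VCID_PREFIX + body[:length]


def migrate_legacy_id(legacy: str, mapping: dict) -> str:
    """Map a legacy VULCOID to a VCID, minting one only on first sight so that
    re-running the migration yields the same VCID for the same legacy id."""
    if not legacy.startswith(LEGACY_PREFIX):
        raise ValueError(f"not a legacy VULCOID: {legacy!r}")
    return mapping.setdefault(legacy, make_vcid())
```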

For reference:

$ grep -r . -e "VULCOID" -l
./vulnerablecode/static/api_doc/api_schema.yaml
./docs/source/tutorial_add_new_improver.rst
./vulnerabilities/tests/test_fix_api.py
./vulnerabilities/tests/test_models.py
./vulnerabilities/templates/vulnerability_details.html
./vulnerabilities/templates/index.html
./vulnerabilities/templates/vulnerabilities.html
./vulnerabilities/models.py
./vulnerabilities/migrations/0012_alter_vulnerability_vulnerability_id.py
./vulnerabilities/migrations/0001_initial.py
./vulnerabilities/migrations/0013_auto_20220503_0941.py
./vulnerabilities/fixtures/openssl.json
$ grep -r . -e "VULCOID" | wc -l
39

pombredanne avatar Aug 30 '22 16:08 pombredanne