Open pombredanne opened 6 months ago
Some input from today's weekly call:
Adding to above,
In the git-based design, the original data sources persist in our storage. The import operations do not overwrite the existing data from the same data source; instead they maintain a diff-based (call it git?) record of all the changes an advisory goes through. This shows a timeline of the advisory as it grows.
The benefits are:
The implementation of such a model needs to be discussed in detail after the idea sounds convincing enough.
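As an added illustration of the diff-based record sketched above (example code written for this thread, not VulnerableCode's own implementation or data model): one advisory from one data source is kept as an append-only list of versions, a re-import that changes nothing is a no-op, and the timeline is the sequence of unified diffs between consecutive versions. The snapshots and identifiers are constructed for the example.

```python
import difflib
import hashlib
from dataclasses import dataclass, field


@dataclass
class AdvisoryHistory:
    """Append-only record of every version of one advisory from one data source.

    Nothing is ever overwritten: a re-import that changes the advisory appends a
    new version, and the timeline is the sequence of diffs between versions.
    """
    source: str
    advisory_id: str
    versions: list = field(default_factory=list)  # (sha256 hex digest, text)

    def record(self, text: str) -> bool:
        """Store `text` as a new version unless it is identical to the latest one.

        Returns True when a version was appended, False for a no-op re-import.
        """
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if self.versions and self.versions[-1][0] == digest:
            return False
        self.versions.append((digest, text))
        return True

    def diff(self, old: int, new: int) -> str:
        """Unified diff between two stored versions (0-based indices)."""
        a = self.versions[old][1].splitlines(keepends=True)
        b = self.versions[new][1].splitlines(keepends=True)
        return "".join(
            difflib.unified_diff(a, b, fromfile=f"v{old}", tofile=f"v{new}")
        )

    def timeline(self) -> list:
        """One entry per version: (index, short digest, lines added, lines removed)."""
        entries = []
        for i in range(len(self.versions)):
            added = removed = 0
            if i > 0:
                # Skip the two ---/+++ file header lines so a YAML document
                # marker such as "---" in the advisory body is not miscounted.
                for line in self.diff(i - 1, i).splitlines()[2:]:
                    if line.startswith("+"):
                        added += 1
                    elif line.startswith("-"):
                        removed += 1
            entries.append((i, self.versions[i][0][:12], added, removed))
        return entries


# Constructed sample snapshots of one advisory as it might be re-imported over
# time. The content is invented for this example, not a real advisory file.
SAMPLE_V0 = (
    "identifier: EXAMPLE-0001\n"
    "title: Cross-site scripting in example-lib\n"
    "affected_range: (,1.7.4)\n"
)
SAMPLE_V1 = SAMPLE_V0 + "fixed_versions:\n  - 1.7.4\n"
SAMPLE_V2 = SAMPLE_V1.replace(
    "title: Cross-site scripting in example-lib", "title: False positive"
)


def build_sample_history() -> AdvisoryHistory:
    """Replay four imports: initial, identical re-import, fix added, withdrawn."""
    history = AdvisoryHistory(source="gitlab", advisory_id="EXAMPLE-0001")
    for snapshot in (SAMPLE_V0, SAMPLE_V0, SAMPLE_V1, SAMPLE_V2):
        history.record(snapshot)  # the duplicate V0 import is a no-op
    return history


if __name__ == "__main__":
    h = build_sample_history()
    for index, digest, added, removed in h.timeline():
        print(f"v{index} {digest} +{added} -{removed}")
    print(h.diff(1, 2))
```

The point of keeping the digest per version is that identical re-imports (the common case on a daily run) cost nothing, while the third snapshot shows the kind of change this design is meant to surface: the advisory's title being rewritten after the fact.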
This https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.owasp.antisamy/antisamy/CVE-2023-49093.yml started as an advisory and then became a "False positive". GitLab updates the description and title in these cases, and there are 150+ such advisories.
The outcome is invalid data. We should support these and update accordingly.
See https://public.vulnerablecode.io/packages/pkg:maven/org.owasp.antisamy/antisamy@1.7.4?search=antisamy
There, https://public.vulnerablecode.io/vulnerabilities/VCID-zx5k-4m3n-aaaj does NOT apply to antisamy.
See attached for a list of patterns found in GitLab advisories: fp.txt
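As an added example of how an importer could recognise these rewritten advisories and skip or retract them (example code for this thread, not VulnerableCode's GitLab importer): the title and description of a loaded advisory are scanned against a small set of phrasings, and a match turns the import decision into "withdraw". The regexes below are hypothetical stand-ins, since the actual patterns are in the fp.txt attachment and not reproduced here; the two sample advisories are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical phrasings, constructed for this example. The real list of
# patterns GitLab uses when it rewrites a withdrawn advisory is the fp.txt
# attachment mentioned above; those would replace these.
FALSE_POSITIVE_PATTERNS = (
    re.compile(r"\bfalse[\s-]*positive\b", re.IGNORECASE),
    re.compile(r"\bwithdrawn\b", re.IGNORECASE),
    re.compile(r"\bnot\s+(?:affected|vulnerable)\b", re.IGNORECASE),
)

# Title is checked first: a rewritten title is a stronger signal than a phrase
# that happens to appear somewhere in a long description.
FIELDS_TO_CHECK = ("title", "description")


@dataclass
class FalsePositiveMatch:
    field_name: str
    pattern: str
    snippet: str


def detect_false_positive(advisory: dict) -> Optional[FalsePositiveMatch]:
    """Return the first false-positive marker found in title/description, or None.

    `advisory` is the dict a YAML loader would produce for one GitLab
    advisory file; only the two free-text fields are inspected.
    """
    for field_name in FIELDS_TO_CHECK:
        text = advisory.get(field_name) or ""
        for pattern in FALSE_POSITIVE_PATTERNS:
            match = pattern.search(text)
            if match:
                start, end = max(0, match.start() - 30), match.end() + 30
                return FalsePositiveMatch(
                    field_name, pattern.pattern, text[start:end].strip()
                )
    return None


def import_decision(advisory: dict) -> str:
    """'withdraw' for an advisory GitLab has marked as a false positive, else 'import'.

    A 'withdraw' result is where an importer would drop or retract the
    package/vulnerability relationship instead of creating it.
    """
    return "withdraw" if detect_false_positive(advisory) else "import"


def triage(advisories) -> dict:
    """Map identifier -> decision for a batch of loaded advisories."""
    return {a["identifier"]: import_decision(a) for a in advisories}


# Constructed sample advisories (not real GitLab data).
GENUINE_ADVISORY = {
    "identifier": "EXAMPLE-0001",
    "title": "Cross-site scripting in example-lib",
    "description": "example-lib before 1.7.4 does not sanitize style attributes.",
    "affected_range": "(,1.7.4)",
}
FALSE_POSITIVE_ADVISORY = {
    "identifier": "EXAMPLE-0002",
    "title": "False positive",
    "description": "This advisory was determined to be a false positive and should be ignored.",
    "affected_range": "(,1.7.4)",
}


if __name__ == "__main__":
    for advisory in (GENUINE_ADVISORY, FALSE_POSITIVE_ADVISORY):
        print(advisory["identifier"], import_decision(advisory), detect_false_positive(advisory))
```

The description patterns are the risky part: a phrase like "not vulnerable" can legitimately appear in a genuine advisory ("versions after 1.7.4 are not vulnerable"), so whatever list ends up in fp.txt should be checked against the full GitLab corpus for such collisions before a match is allowed to withdraw data.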
@julianthome gentle ping... do you know if there is a list of patterns we can track? Thanks!
In the same domain, we should also find out if there are other related unstructured patterns in GitLab and also: