canonical / ubuntu-com-security-api

The API for CVEs and USNs data.

No related "cves" metadata on USN-4754-2 #39

Closed blackboxsw closed 3 years ago

blackboxsw commented 3 years ago

Summary

In order to properly fix a USN, ua fix USN-4754-2 attempts to find any additional USNs by querying the related "cves" returned for the USN response object.

In the case of USN-4754-2 there are no related "cves" (probably because USN-4754-2 introduced a regression). In this case, there is not enough information or breadcrumbs for the client to discover other USNs which could subsequently fix the related issue. Do we know why the original related CVE is stricken from this metadata? Is this a class of USNs that we can better handle to allow discoverability of related USNs or CVEs?
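The discovery walk described in this report (fetch a USN, read its "cves" list, fetch each CVE, collect the other USNs it points to) as an added example in Python; it is not code from ubuntu-com-security-api or from the `ua` client. The endpoint paths and the shape of the "cves" and "notices" fields are assumptions, the sample documents are constructed to mirror the thread (USN-4754-1 fixes a CVE, USN-4754-2 reverts it and carries no CVE references, USN-4754-4 ships the corrected fix), and the CVE id is a placeholder. The point of the example is the failure mode: a USN with an empty "cves" list gives the client no edge to follow, so the walk must report that explicitly instead of silently returning "nothing else to apply".

```python
"""Walk a USN's related CVEs to find other USNs that touch the same CVE.

Added illustration; endpoint layout and JSON field names are assumed,
not taken from the project. Runs fully offline against constructed data.
"""
import json
import urllib.request
from typing import Callable, Dict, Set

# Assumed endpoint shapes (hypothetical for this example).
USN_URL = "https://ubuntu.com/security/notices/{usn}.json"
CVE_URL = "https://ubuntu.com/security/cves/{cve}.json"

Fetcher = Callable[[str], dict]


class NoRelatedCves(Exception):
    """Raised when a USN carries no CVE references, so no further USNs can be discovered."""


def http_fetch(url: str, timeout: float = 10.0) -> dict:
    """Real network fetcher (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample documents modelling the situation in the thread.
# "CVE-0000-00000" is a placeholder, not a real identifier.
SAMPLE_DOCS: Dict[str, dict] = {
    USN_URL.format(usn="USN-4754-1"): {"id": "USN-4754-1", "cves": [{"id": "CVE-0000-00000"}]},
    USN_URL.format(usn="USN-4754-2"): {"id": "USN-4754-2", "cves": []},  # regression revert, no CVEs
    USN_URL.format(usn="USN-4754-4"): {"id": "USN-4754-4", "cves": [{"id": "CVE-0000-00000"}]},
    CVE_URL.format(cve="CVE-0000-00000"): {
        "id": "CVE-0000-00000",
        "notices": [{"id": "USN-4754-1"}, {"id": "USN-4754-4"}],
    },
}


def offline_fetch(url: str) -> dict:
    """Fetcher backed by the constructed sample documents."""
    try:
        return SAMPLE_DOCS[url]
    except KeyError:
        raise LookupError(f"no sample document for {url}") from None


def _ident(item) -> str:
    """Accept either a bare id string or an object with an "id" key."""
    return item["id"] if isinstance(item, dict) else str(item)


def related_usns(usn: str, fetch: Fetcher = offline_fetch) -> Set[str]:
    """Return the set of other USNs reachable through this USN's CVEs.

    Raises NoRelatedCves when the USN lists no CVEs at all, which is the
    dead end hit for USN-4754-2: an empty result would be indistinguishable
    from "every related CVE is already covered", so we refuse to guess.
    """
    usn_doc = fetch(USN_URL.format(usn=usn))
    cves = [_ident(c) for c in usn_doc.get("cves") or []]
    if not cves:
        raise NoRelatedCves(
            f"{usn} references no CVEs; cannot discover follow-up USNs from it"
        )
    found: Set[str] = set()
    for cve in cves:
        cve_doc = fetch(CVE_URL.format(cve=cve))
        for notice in cve_doc.get("notices") or []:
            nid = _ident(notice)
            if nid != usn:
                found.add(nid)
    return found


if __name__ == "__main__":
    for usn in ("USN-4754-1", "USN-4754-2"):
        try:
            print(usn, "->", sorted(related_usns(usn)))
        except NoRelatedCves as exc:
            print(usn, "->", "dead end:", exc)
```

Calling `related_usns("USN-4754-1")` yields `{"USN-4754-4"}`, while `related_usns("USN-4754-2")` raises `NoRelatedCves`; a client such as `ua fix` can then surface that dead end to the operator rather than reporting the regression notice as fully resolved.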

blackboxsw commented 3 years ago

cc @stevebeattie

albertkol commented 3 years ago

@blackboxsw have you found a solution or a workaround for this problem?

albertkol commented 3 years ago

This seems abandoned. I am closing it.

stevebeattie commented 3 years ago

Ugh, apologies I missed this issue. USN-4754-2 addressed a regression by reverting a CVE fix. Unfortunately, we don't really encode that information; what the security does (modulo mistakes on our part) is include a reference to the prior USN (4754-1 in this case) and to the regression bug report. In this case, the followup USN 4754-4 was published with a corrected fix for that CVE and was supposed to include a reference to USN-4754-2. But we have published USNs in the past where we reverted a fix due to a regression and subsequently deemed the vulnerability a low enough priority to not warrant the risk of regression worth trying to come up with a fixed version.

That said, I can't guarantee we're providing those references to the web api.

I'm not sure what would be an effective way to extend the api to communicate both that a given USN is a regression update for a prior USN and also indicate that a given fix has been reverted, or just that an improved fix is being applied. I would appreciate input from others here.

Thanks.