Open julieqiu opened 2 years ago
In the linked example, I can't figure out where @christi3k came from. This report references CVE-9999-0012, which doesn't exist, and I can't find anything in the cvelist repo which seems to correspond to this report.
So far as I can tell, it's uncommon for the credit field of CVEs to be filled in. In the reports I've created, I've mostly manually populated the report credit field from a vulnerability announcement email rather than the CVE metadata. We could make vulnreport create rewrite @username on the assumption that it's a GitHub username, but this won't help with the common (I think) case where the credit was manually entered.
We could instead make vulnreport lint and vulnreport fix rewrite @username, but that could cause problems if we want a literal @ in a credit field at some point.
Or perhaps we could consider this a presentation issue, leave the @username as is, and rewrite it to a link on display when desired.
I'm not sure what the right choice is. Suggestions welcome.
When the credit in a report is attributed to a username, we should make the @username a link to the correct page. For example, https://github.com/golang/vulndb/blob/1179110444905751f6788f14cb5a2b4c60231232/reports/GO-2020-0032.yaml#L20 should be changed to https://github.com/christi3k when running vulnreport create.
/cc @golang/vulndb