golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/vulndb: link credits to appropriate user #50454

Open julieqiu opened 2 years ago

julieqiu commented 2 years ago

When the credit in a report is attributed to a username, we should make the @username a link to the correct page. For example, https://github.com/golang/vulndb/blob/1179110444905751f6788f14cb5a2b4c60231232/reports/GO-2020-0032.yaml#L20 should be changed to https://github.com/christi3k when running vulnreport create.

/cc @golang/vulndb

neild commented 2 years ago

In the linked example, I can't figure out where @christi3k came from. This report references CVE-9999-0012, which doesn't exist, and I can't find anything in the cvelist repo which seems to correspond to this report.

So far as I can tell, it's uncommon for the credit field of CVEs to be filled in. In the reports I've created, I've mostly manually populated the report credit field from a vulnerability announcement email rather than the CVE metadata. We could make vulnreport create rewrite @username on the assumption that it's a GitHub username, but this won't help with the common (I think) case where the credit was manually entered.

We could instead make vulnreport lint and vulnreport fix rewrite @username, but that could cause problems if we want a literal @ in a credit field at some point.

Or perhaps we could consider this a presentation issue, leave the @username as is, and rewrite it to a link on display when desired.

I'm not sure what the right choice is. Suggestions welcome.
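The third option above (leave `@username` in the YAML and link it only on display) can be sketched as follows. This is an added example, not code from x/vulndb or the vulnreport tool; it assumes GitHub's username rules (1-39 alphanumerics or hyphens, no leading, trailing or doubled hyphen) and skips any `@` that is part of an e-mail address or other non-handle token, which is the literal-`@` concern raised for the lint/fix approach.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// mentionRe finds "@name" candidates. The leading group refuses a '@' glued to a
// preceding word character, so "reporter@example.com" is never touched.
var mentionRe = regexp.MustCompile(`(^|[^A-Za-z0-9._-])@([A-Za-z0-9-]+)`)

func isAlnum(c byte) bool {
	return c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z'
}

// validGitHubUsername applies GitHub's username rules (assumed here): 1-39
// characters, alphanumerics and hyphens only, no leading, trailing or doubled hyphen.
func validGitHubUsername(name string) bool {
	return len(name) > 0 && len(name) <= 39 &&
		!strings.HasPrefix(name, "-") && !strings.HasSuffix(name, "-") &&
		!strings.Contains(name, "--")
}

// LinkCredits renders a report's credit string as HTML, turning each @username that
// looks like a GitHub handle into a link to https://github.com/<username>. Everything
// else, including a literal '@', is kept as HTML-escaped text; the YAML is untouched.
func LinkCredits(credit string) string {
	var b strings.Builder
	last := 0
	for _, m := range mentionRe.FindAllStringSubmatchIndex(credit, -1) {
		name := credit[m[4]:m[5]] // submatch 2; m[3] is the index of the '@'
		end := m[5]
		if !validGitHubUsername(name) || end < len(credit) && (credit[end] == '_' ||
			credit[end] == '.' && end+1 < len(credit) && isAlnum(credit[end+1])) {
			continue // "@user_name" and "@host.example" are not GitHub handles
		}
		b.WriteString(html.EscapeString(credit[last:m[3]]))
		b.WriteString(`<a href="https://github.com/` + name + `">@` + name + `</a>`)
		last = end
	}
	b.WriteString(html.EscapeString(credit[last:]))
	return b.String()
}

func main() {
	fmt.Println(LinkCredits("Thanks to @christi3k and reporter@example.com"))
}
```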