google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Support direct linking by alias #760

Open andrewpollock opened 2 years ago

andrewpollock commented 2 years ago

[redacted] linking to https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q for Log4Shell.

I wish it was possible to link to https://osv.dev/vulnerability/CVE-2021-44228

oliverchang commented 2 years ago

I wonder what the behaviour should be if there are multiple that link to the same alias.

oliverchang commented 2 years ago

> I wonder what the behaviour should be if there are multiple that link to the same alias.

Oh, maybe we can redirect to the list page instead with the filter set to the alias in that case.

andrewpollock commented 2 years ago

I see in the case of https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q, it has three aliases, two of which link to other entries that cite each other. It's basically the (current) lack of an entry for the CVE that makes this not work.

I'm thinking we'd call this "done" once we're successfully importing the CVE record from the NVD?

andrewpollock commented 2 years ago

> I'm thinking we'd call this "done" once we're successfully importing the CVE record from the NVD?

Are there other data sources than CVE that can get referenced as an alias without currently being imported?

oliverchang commented 2 years ago

> I see in the case of https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q, it has three aliases, two of which link to other entries that cite each other. It's basically the (current) lack of an entry for the CVE that makes this not work.
>
> I'm thinking we'd call this "done" once we're successfully importing the CVE record from the NVD?

Yes, that's one approach, but it does introduce questions around duplicates even if we can link them via aliases.

> Are there other data sources than CVE that can get referenced as an alias without currently being imported?

Yes, there is no requirement that anything in aliases is OSV formatted. There are going to be things like SNYK-, RHSA- in there.

zahraaalizadeh commented 6 months ago

Is this issue still applicable or a matter of concern? @oliverchang

another-rex commented 6 months ago

I believe we do still want this, though the need for it is greatly reduced now that we are importing git CVE entries directly, e.g. the example given by Andrew is no longer an issue, since it now links to the GIT entry.

andrewpollock commented 6 months ago

This is essentially search-by-alias functionality, when the aliased record doesn't actually exist in OSV.dev.

e.g. when https://osv.dev/GHSA-9p26-698r-w4hx aliases CVE-2024-23650 and CVE-2024-23650 doesn't exist in OSV.dev.

Trying to go to https://OSV.dev/CVE-2024-23650 results in a 404.

There's an opportunity to search the AliasGroup in Data Store, determine that GHSA-9p26-698r-w4hx and GO-2024-2492 are existent aliases for this and present an interstitial page (or search results) that links to these instead of serving a 404.
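The resolution logic sketched across this thread (serve the record if it exists; otherwise look the ID up in its alias group and either redirect to the single matching record or show a filtered list when several match, rather than a 404) can be written out as a small in-memory model. The following is an added example and not osv.dev's own code: the `RECORDS` table, the union-find alias grouping and the `resolve` function are constructed stand-ins for the AliasGroup lookup in Datastore, populated with the IDs quoted in this issue.

```python
"""Alias-based resolution for vulnerability IDs (constructed example).

The record table and the grouping structure below are hypothetical stand-ins
for osv.dev's AliasGroup in Datastore, not the project's own code.
"""
from collections import defaultdict

# Constructed sample: IDs that exist in the database, each with its declared aliases.
# CVE-2024-23650 and CVE-2021-44228 are referenced but never imported.
RECORDS = {
    "GHSA-9p26-698r-w4hx": ["CVE-2024-23650", "GO-2024-2492"],
    "GO-2024-2492": ["CVE-2024-23650", "GHSA-9p26-698r-w4hx"],
    "GHSA-jfh8-c2jp-5v3q": ["CVE-2021-44228"],
}


def build_alias_groups(records):
    """Union each record ID with its aliases; return id -> frozenset of group members.

    Aliases are treated as symmetric and transitive, so an alias that only
    appears in other records' alias lists still lands in a group with the
    imported records that cite it.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree shallow
            x = parent[x]
        return x

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for vuln_id, aliases in records.items():
        find(vuln_id)  # register the record even if it has no aliases
        for alias in aliases:
            union(vuln_id, alias)

    groups = defaultdict(set)
    for vuln_id in parent:
        groups[find(vuln_id)].add(vuln_id)
    return {vuln_id: frozenset(groups[find(vuln_id)]) for vuln_id in parent}


def resolve(vuln_id, records, alias_groups):
    """Decide what /vulnerability/<id> should serve.

    Returns one of:
      ("record", id)          the ID exists; serve it directly
      ("redirect", other_id)  only an alias, exactly one imported record matches
      ("list", [ids, ...])    only an alias, several imported records match
      ("not_found", None)     nothing is known about this ID
    """
    if vuln_id in records:
        return ("record", vuln_id)
    # Only imported records can be linked to; the alias itself is not one.
    members = sorted(m for m in alias_groups.get(vuln_id, ()) if m in records)
    if not members:
        return ("not_found", None)
    if len(members) == 1:
        return ("redirect", members[0])
    return ("list", members)


if __name__ == "__main__":
    groups = build_alias_groups(RECORDS)
    # "CVE-0000-0000" is a placeholder for an ID nobody references.
    for probe in ("GHSA-9p26-698r-w4hx", "CVE-2024-23650",
                  "CVE-2021-44228", "CVE-0000-0000"):
        print(probe, "->", resolve(probe, RECORDS, groups))
```

With the constructed data, CVE-2024-23650 resolves to a two-entry list (the interstitial / filtered-search case), while CVE-2021-44228 resolves to a single redirect. A real implementation would query the alias group at request time rather than precomputing it, but the three-way decision is the same.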

github-actions[bot] commented 4 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks