ossf / osv-schema

Open Source Vulnerability schema.
https://ossf.github.io/osv-schema/
Apache License 2.0

What kind of credit in credits field? #85

Open kurtseifried opened 1 year ago

kurtseifried commented 1 year ago

credits fields

```json
{
  "credits": [
    {
      "name": string,
      "contact": [ string ]
    }
  ]
}
```

The credits field is a JSON array providing a way to give credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.

Is there some reason we don't have an optional text description or ENUM for what kind of credit(s)?

KateCatlin commented 1 year ago

Chiming in here from the GitHub side, we'd like to update our own credits model to have types of credits in alignment with the MITRE spec.

Would be great if we could consider a "type" field in credits similar to the OSV references field.

oliverchang commented 1 year ago

Thanks for chiming in! Given the additional interest, let's resurrect this thread.

A "type" enum field that allows an easy 1:1 mapping to the MITRE spec could certainly work here.

captn3m0 commented 1 year ago

How should package maintainers get credited? Remediation developer?

KateCatlin commented 1 year ago

@captn3m0 here's how the meanings are described as per MITRE:

- finder: identifies the vulnerability.
- reporter: notifies the vendor of the vulnerability to a CNA.
- analyst: validates the vulnerability to ensure accuracy or severity.
- coordinator: facilitates the coordinated response process.
- remediation developer: prepares a code change or other remediation plans.
- remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
- remediation verifier: tests and verifies the vulnerability or its remediation.
- tool: names of tools used in vulnerability discovery or identification.
- sponsor: supports the vulnerability identification or remediation activities.

So I guess it would depend on the maintainer's role in the solution... Could be analyst, coordinator, remediation developer, or really any.
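
An added example (not code from the osv-schema project or from anyone in this thread) of what a 1:1 mapping from an OSV `type` field to the MITRE credit roles listed above could look like in practice: a validator for `credits` entries plus a converter to CVE-style credit records. The upper-snake-case OSV enum spellings and the `{"lang", "value", "type"}` record shape are assumptions for illustration.

```python
# Credit roles as described by MITRE in the comment above (CVE JSON 5 "type" values),
# keyed by an upper-snake-case spelling ASSUMED here for a future OSV "type" enum.
OSV_TO_MITRE = {
    "FINDER": "finder",
    "REPORTER": "reporter",
    "ANALYST": "analyst",
    "COORDINATOR": "coordinator",
    "REMEDIATION_DEVELOPER": "remediation developer",
    "REMEDIATION_REVIEWER": "remediation reviewer",
    "REMEDIATION_VERIFIER": "remediation verifier",
    "TOOL": "tool",
    "SPONSOR": "sponsor",
}
MITRE_TO_OSV = {v: k for k, v in OSV_TO_MITRE.items()}  # reverse direction, for importing CVE records


def validate_credit(credit):
    """Return the problems found in one OSV credits entry (empty list means valid)."""
    problems = []
    name = credit.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name must be a non-empty string")
    contact = credit.get("contact", [])
    if not isinstance(contact, list) or any(not isinstance(c, str) for c in contact):
        problems.append("contact must be an array of strings")
    ctype = credit.get("type")  # optional: an entry without a type is still valid
    if ctype is not None and ctype not in OSV_TO_MITRE:
        problems.append(f"unknown credit type {ctype!r}")
    return problems


def osv_credits_to_cve(credits):
    """Map an OSV credits array to CVE JSON 5 style credit records (record shape assumed)."""
    records = []
    for credit in credits:
        problems = validate_credit(credit)
        if problems:  # fail closed rather than emit a half-mapped record
            raise ValueError(f"credit {credit.get('name')!r}: " + "; ".join(problems))
        record = {"lang": "en", "value": credit["name"]}
        if "type" in credit:
            record["type"] = OSV_TO_MITRE[credit["type"]]
        records.append(record)
    return records


# Constructed sample entries, not taken from any real advisory.
SAMPLE_CREDITS = [
    {"name": "Alice", "contact": ["https://example.invalid/alice"], "type": "FINDER"},
    {"name": "Bob", "contact": [], "type": "REMEDIATION_DEVELOPER"},
]
```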

oliverchang commented 1 year ago

Would someone like to suggest a PR to add this? It seems like the type should enable an easy 1:1 mapping to MITRE for interoperability.

KateCatlin commented 1 year ago

@oliverchang thank you! Our team will submit one.

hawaiigal commented 1 year ago

@oliverchang created a PR here: https://github.com/ossf/osv-schema/pull/110

/cc @KateCatlin @katblag

joshbuker commented 1 year ago

@oliverchang Looks like this has been merged/deployed. Time to close the issue? :tada: