laurentsimon
commented
3 years ago @oliverchang is this something you could do for q4?
Open laurentsimon opened 3 years ago
laurentsimon
commented
3 years ago @oliverchang is this something you could do for q4?
oliverchang
commented
3 years ago Severity isn't actually a standard part of the schema, as it's hard to define a standardized value that makes sense for all ecosystems. There's also debate on if a severity value is generally that useful at all -- a real severity to a user depends on they they use it.
laurentsimon
commented
3 years ago agreed on the context being important from a dependent's point of view. For the repo owner, severity helps with prioritization and could have been useful. Any thoughts on how we could make the check more granular?
github-actions[bot]
commented
2 years ago Stale issue message
laurentsimon
commented
2 years ago another idea around improving the vulnerability check is the following. Since scorecard always works at HEAD for a repo, it's likely all repos have their OSV/CVE vulnerabilities fixed at HEAD on main. I think we need a way to assess existing vulnerabilities, and the time it take to be fixed. Some examples:
cc @scovetta
laurentsimon
commented
2 years ago There is also https://docs.github.com/en/rest/reference/code-scanning that we may use to retrieve existing vulnerabilities from scanners
github-actions[bot]
commented
10 months ago This issue is stale because it has been open for 60 days with no activity.
Chealer
commented
5 months ago [...] We could also take the time the vulnerabilities have been present for. Bit I think this complicates too much and I'm not sure it helps.
It would most certainly help. A critical vulnerability which is fixed before shipping should have less weight than a vulnerability a tenth as severe but for which a fix is only released a year after it's disclosed that it affects the current version (and it starts being exploited).
Thank you for reporting
Chealer
commented
5 months ago Severity isn't actually a standard part of the schema, as it's hard to define a standardized value that makes sense for all ecosystems. There's also debate on if a severity value is generally that useful at all -- a real severity to a user depends on they they use it.
Issue importance is very hard to model. Indeed, impact on individual A can be orders of magnitude the impact on individual B. Even if we could consider individual importance to each user, the model would still be imperfect until it would consider that each user's usage changes over time.
None of this is reason enough to ignore importance. If we refused to estimate importance, computing would be little more than a curiosity.
We should make the
Vulnerabilitiescheck more granular by taking into account the severity of the vulnerabilities. Example: Critical vulnerabilities -> score -= 10 High -> score -= 7 Medium -> score -= 2 Low -> score -= 1Suggestions welcome. We could also take the time the vulnerabilities have been present for. Bit I think this complicates too much and I'm not sure it helps.