Currently, we require a dedicated .yaml file for each application version, with its own set of advisories. Often these can be more or less copy/pasted between app versions.
Take for example grafana. There are (at the time of writing), three supported versions: v8, v9.5 and v10.x (latest). This would require us to create at least three advisory YAMLs (grafana-8.yaml, grafana9.5.yaml, grafana.yaml).
I believe this format is required for vulnerability feeds and scanners to parse, but perhaps there is a better way to generate these, whilst maintaining a single yaml file for each application?
Ideal outcome
A single .yaml file for each application, i.e. we'd only ever have a 'grafana.yaml' with advisory data covering all releases.
How might we achieve this?
Perhaps we could introduce an 'affected_versions' parameter. By default, when this is not set, the CVE advisory is only applicable to the latest releases (or perhaps we default to being applicable to all?). Then we can use 'affected_versions' to pin an advisory to a specific version.
I guess we'd need to create some logic to then generate the individual .yamls for each release in the format the scanners are looking for? Which in itself might be challenging.
I'm sure there may be other options too, but the hope / goal would be to reduce the engineering toil of having to make copies of the .yaml each time we need to produce a pinned version of an application, or of updating advisories in multiple files for multiple releases.
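To make the proposal concrete, here is an added example (not code from this project, and not its real advisory schema) of the generation step described above: one consolidated document per package carries an `affected_versions` list on each advisory, and a small script expands it into the per-release files the scanners expect. The document shape (`package`, `releases`, `advisories`), the constraint syntax (`>=8,<9`, `*`), the CVE-EXAMPLE identifiers, and the output file naming (`grafana.yaml` for the latest line, `grafana-8.yaml` otherwise) are all assumptions made for this example. It also applies the "unset means latest only" default from the proposal and flags advisories whose pins match no supported release, which is the kind of drift a single-file layout would otherwise hide.

```python
"""Expand one consolidated advisory document into per-release documents.

Added example: the schema, constraint syntax and file naming are assumed
for illustration and are not the project's own advisory format.
"""
from __future__ import annotations

import re
from typing import Any

# Constructed input standing in for a single consolidated grafana.yaml.
CONSOLIDATED: dict[str, Any] = {
    "package": "grafana",
    # Supported release lines, latest last (v8, v9.5, v10.x from the page).
    "releases": ["8", "9.5", "10"],
    "advisories": [
        # Pinned to the 8.x line only.
        {"id": "CVE-EXAMPLE-0001", "affected_versions": [">=8,<9"], "status": "fixed"},
        # Explicitly applies to every release line.
        {"id": "CVE-EXAMPLE-0002", "affected_versions": ["*"], "status": "under_investigation"},
        # No affected_versions: per the proposal's default, latest release only.
        {"id": "CVE-EXAMPLE-0003", "status": "fixed"},
        # Range covering 8 and 9.5 but not 10.
        {"id": "CVE-EXAMPLE-0004", "affected_versions": ["<10"], "status": "fixed"},
    ],
}

_CLAUSE = re.compile(r"^(>=|<=|==|>|<|=)?\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """'9.5' -> (9, 5). Tuples compare element-wise, so (10,) > (9, 5)."""
    return tuple(int(part) for part in text.strip().split("."))


def constraint_matches(constraint: str, release: str) -> bool:
    """Evaluate one comma-separated constraint (e.g. '>=8,<9') against a release."""
    if constraint.strip() == "*":
        return True
    rel = parse_version(release)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable constraint clause: {clause!r}")
        op, ver = m.group(1) or "==", parse_version(m.group(2))
        ok = {">=": rel >= ver, "<=": rel <= ver, ">": rel > ver,
              "<": rel < ver, "==": rel == ver, "=": rel == ver}[op]
        if not ok:
            return False
    return True


def advisory_applies(advisory: dict[str, Any], release: str, latest: str) -> bool:
    """Unset affected_versions means latest only; otherwise any listed constraint may match."""
    constraints = advisory.get("affected_versions")
    if constraints is None:
        return release == latest
    return any(constraint_matches(c, release) for c in constraints)


def output_filename(package: str, release: str, latest: str) -> str:
    """Assumed naming: grafana.yaml for the latest line, grafana-8.yaml for pinned lines."""
    return f"{package}.yaml" if release == latest else f"{package}-{release}.yaml"


def split_advisories(doc: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Return {filename: per-release document} generated from the consolidated document."""
    package, releases = doc["package"], doc["releases"]
    latest = releases[-1]
    out: dict[str, dict[str, Any]] = {}
    for release in releases:
        matched = [
            {k: v for k, v in adv.items() if k != "affected_versions"}  # drop the pin
            for adv in doc["advisories"]
            if advisory_applies(adv, release, latest)
        ]
        out[output_filename(package, release, latest)] = {
            "package": package, "version": release, "advisories": matched,
        }
    return out


def unmatched_advisories(doc: dict[str, Any]) -> list[str]:
    """IDs whose pins match no supported release: a typo or a release that was dropped."""
    latest = doc["releases"][-1]
    return [adv["id"] for adv in doc["advisories"]
            if not any(advisory_applies(adv, r, latest) for r in doc["releases"])]


def to_yaml(doc: dict[str, Any]) -> str:
    """Minimal emitter for the flat per-release shape (avoids a PyYAML dependency)."""
    lines = [f"package: {doc['package']}", f"version: {doc['version']}"]
    if not doc["advisories"]:
        return "\n".join(lines + ["advisories: []"]) + "\n"
    lines.append("advisories:")
    for adv in doc["advisories"]:
        items = list(adv.items())
        lines.append(f"  - {items[0][0]}: {items[0][1]}")
        lines.extend(f"    {k}: {v}" for k, v in items[1:])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, per_release in split_advisories(CONSOLIDATED).items():
        print(f"# {name}\n{to_yaml(per_release)}")
    print("unmatched:", unmatched_advisories(CONSOLIDATED))
```

Running the script prints three generated documents: the 8 line gets CVE-EXAMPLE-0001, -0002 and -0004; the 9.5 line gets -0002 and -0004; the latest line gets -0002 and the unpinned -0003. Wiring `unmatched_advisories` into CI as a failing check is what keeps a pin from silently going stale when a release line is removed from `releases`.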