Compute all CVEs for updates #321
Comments
martincostello
added a commit
that referenced
this issue
Apr 25, 2023
If the SDK is updated by more than one runtime patch version, roll-up the CVEs and security status of all the releases in between to determine the list and the security status. Resolves #321.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem?
If a .NET SDK update occurs when is more than one version (e.g. #320), then any CVEs that are fixed are only reported for those in the version being updated to, rather than also including any from the releases between the old one and the new one.
Describe the solution you'd like
Include all fixed CVEs by the update in the PR description.
Describe alternatives you've considered
None.
Additional context
This also has the effect that if there's an update from version
Nto versionN+2where versionN+1fixed a CVE andN+2did not that the update will be reported as a security update correctly. Currently the update would not flag as an security update as the delta between the releases is not computed.The text was updated successfully, but these errors were encountered: