Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support multiple URLs in the URL field #429

Closed
Qwaz opened this issue Oct 15, 2020 · 10 comments
Closed

Support multiple URLs in the URL field #429

Qwaz opened this issue Oct 15, 2020 · 10 comments

Comments

@Qwaz
Copy link
Contributor

Qwaz commented Oct 15, 2020

The current advisory format only allows a single entry in the URL field, but sometimes it is useful to include multiple URLs in advisories.

Examples:

Is it too late to introduce this kind of breaking changes to the advisory format, or can we still do this as part of V3 migration (#414)?

@tarcieri
Copy link
Member

tarcieri commented Oct 15, 2020

I would suggest a non-breaking approach which adds a brand new references section in addition to the current url field.

The references section can be a list/array of URLs, but url still provides the most definitive information about a vulnerability.

@Qwaz
Copy link
Contributor Author

Qwaz commented Oct 16, 2020

I like the name references. One question though, what would be the recommendation if there are multiple equally definitive URLs (as in RUSTSEC-2019-0009)? Put one of them in url and the other in references, leave url empty and put both of them in references, or something else?

@tarcieri
Copy link
Member

I think it's up to the advisory author to decide. If there's no definitive one, they could all just be references.

@tarcieri
Copy link
Member

It seems references is already used for a list of vulnerability IDs, and there's some usage of it in the current advisory DB, unfortunately.

@BlackHoleFox
Copy link
Contributor

BlackHoleFox commented Oct 31, 2020

Its not as fun as references, but maybe “sources”, as in “information sources”?

It would be great to have multiple, for example, if you wanted to link the issue that has most of the information but also the PR that fixed it, which I bumped into wanting to do earlier.

@tarcieri
Copy link
Member

@BlackHoleFox I had a similar thought, but resources

@tarcieri
Copy link
Member

tarcieri commented Nov 9, 2020

Reflecting on this, I'd really like to use references for this, since that's standard nomeclature in other vulnerability databases, but that'd be a breaking change.

One possible way to do it:

  • Rename the current references section to related. This is non-breaking.
  • Update the database to move all the existing references to related
  • After clients have been updated (this may not even be breaking), start introducing URL references

It'd be interesting to experiment and determine if existing clients could parse URLs in the references field as well

@Qwaz
Copy link
Contributor Author

Qwaz commented Nov 10, 2020

RUSTSEC-2016-0002, RUSTSEC-2019-0002, and RUSTSEC-2020-0024 seem to be the only advisories that use references field at this point of time.

@tarcieri
Copy link
Member

PR to rename references to related: https://github.com/RustSec/rustsec-crate/pull/261

The former is still preserved in the linter.

After that we'll need to rename it in the advisories, and then add support for a new URL-based references field.

tarcieri added a commit that referenced this issue Nov 23, 2020
This frees up `references` to be used for tracking multiple URLs with
additional information.

See also: #429
tarcieri added a commit that referenced this issue Nov 23, 2020
This frees up `references` to be used for tracking multiple URLs with
additional information.

See also: #429
tarcieri added a commit that referenced this issue Nov 23, 2020
This frees up `references` to be used for tracking multiple URLs with
additional information.

See also: #429
@pinkforest
Copy link
Contributor

This works today as:
references = ["https://foo.com", "https://bar.com"]

I've added Doc PR #1354

Closing as Completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants