Comments (3)
Even more confusing: both links have a different security rating. Although https://nvd.nist.gov/vuln/detail/CVE-2021-41190 mentions GitHub with a low scoring, we can find this id on GitHub with a medium scoring.
from advisory-database.
@mayrstefan while I was researching a similar case, I came across this statement:
Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "Editing security advisories in the GitHub Advisory Database."
from advisory-database.
This differentiation between Repository Advisory and Database Advisory which both have the exact same GHSA ID is really confusing. In #1136 (comment) it was mentioned:
They can actually differ in content. The GitHub Security Lab Curation team reviews each and every advisory that makes it into the "reviewed" category on our system, and they'll sometimes add additional details or fix the spelling of a package name, etc. We don't want to force those changes on anyone's repository, so we let them update as they see fit.
But as mentioned above in this issue, this difference in content is more likely to cause confusion than help anyone (?). And when you just write the name of an advisory, such as GHSA-qq97-vm5h-rrhg, GitHub seems to automatically add a link to the Database Advisory, making it even more unlikely that users will see the Repository Advisory.
And to increase the confusion, when you write the URLs https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg (Repository Advisory) and https://github.com/advisories/GHSA-qq97-vm5h-rrhg (Database Advisory), for example in a comment on an issue, the GitHub UI shows for both the link text GHSA-qq97-vm5h-rrhg.
Here are some more negative examples in the context of withdrawn advisories:
| Repository Advisory (not withdrawn) | Database Advisory (withdrawn) |
|---|---|
| GHSA-9pgh-qqpf-7wqj | GHSA-9pgh-qqpf-7wqj |
| GHSA-cvx8-ppmc-78hm | GHSA-cvx8-ppmc-78hm |
| GHSA-mcwm-2wmc-6hv4 | GHSA-mcwm-2wmc-6hv4 |
from advisory-database.
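The practical consequence of the discussion above is that a GHSA ID alone does not pin down one advisory record: the Repository Advisory and the Database Advisory can disagree on severity, CVE mapping or withdrawn status. The following is an added example (not code from the advisory-database project or from either commenter) of how a consumer of advisory feeds might reconcile the two records before acting on them. The record shape (`severity`, `cve_id`, `withdrawn_at`, `cvss_score`), the placeholder GHSA IDs and the sample values are all constructed here for illustration; only the two URL forms come from the thread.

```python
"""Reconcile a Repository Advisory with the Database Advisory sharing its GHSA ID.

Added example, not part of the advisory-database project. The field names below
are an assumption chosen for this illustration; map them onto whatever source
you actually ingest from. Sample IDs and values are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Both spellings appear in the wild for the middle tier; rank them equally.
SEVERITY_RANK = {"low": 1, "moderate": 2, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Advisory:
    ghsa_id: str
    source: str                       # "repository" or "database"
    severity: str                     # low / moderate|medium / high / critical
    cve_id: Optional[str] = None
    withdrawn_at: Optional[str] = None  # ISO timestamp when withdrawn, else None
    cvss_score: Optional[float] = None


def repository_url(owner: str, repo: str, ghsa_id: str) -> str:
    """URL form of the Repository Advisory, as shown in the thread."""
    return f"https://github.com/{owner}/{repo}/security/advisories/{ghsa_id}"


def database_url(ghsa_id: str) -> str:
    """URL form of the Database Advisory, as shown in the thread."""
    return f"https://github.com/advisories/{ghsa_id}"


def reconcile(repo_adv: Advisory, db_adv: Advisory) -> list[str]:
    """Return a human-readable list of discrepancies between the two records.

    An empty list means the two sources agree on every field we care about.
    """
    if repo_adv.ghsa_id != db_adv.ghsa_id:
        raise ValueError("records do not share a GHSA ID")
    findings: list[str] = []
    if repo_adv.severity.lower() != db_adv.severity.lower():
        findings.append(
            f"severity: repository={repo_adv.severity} database={db_adv.severity}")
    if (repo_adv.withdrawn_at is None) != (db_adv.withdrawn_at is None):
        which = "database" if db_adv.withdrawn_at else "repository"
        findings.append(f"withdrawn: only the {which} advisory is withdrawn")
    if repo_adv.cve_id != db_adv.cve_id:
        findings.append(f"cve_id: repository={repo_adv.cve_id} database={db_adv.cve_id}")
    if repo_adv.cvss_score != db_adv.cvss_score:
        findings.append(
            f"cvss: repository={repo_adv.cvss_score} database={db_adv.cvss_score}")
    return findings


def effective_severity(*advs: Advisory) -> str:
    """Conservative policy (an assumption, not GitHub's): take the highest rating."""
    return max((a.severity.lower() for a in advs),
               key=lambda s: SEVERITY_RANK.get(s, 0))


# Constructed sample: same GHSA ID, different rating, and withdrawn on only one side,
# mirroring the kind of mismatch the thread describes. IDs are placeholders.
SAMPLE_REPO = Advisory("GHSA-xxxx-xxxx-xxx1", "repository", "low",
                       cve_id="CVE-0000-00001")
SAMPLE_DB = Advisory("GHSA-xxxx-xxxx-xxx1", "database", "medium",
                     cve_id="CVE-0000-00001", withdrawn_at="2024-01-01T00:00:00Z")

if __name__ == "__main__":
    print(repository_url("distribution", "distribution", "GHSA-qq97-vm5h-rrhg"))
    print(database_url("GHSA-qq97-vm5h-rrhg"))
    for finding in reconcile(SAMPLE_REPO, SAMPLE_DB):
        print("MISMATCH", finding)
    print("effective severity:", effective_severity(SAMPLE_REPO, SAMPLE_DB))
```

The point of `reconcile` is to surface the disagreement rather than silently pick one side; `effective_severity` shows one defensible default (escalate to the higher rating) for pipelines that must choose, while a withdrawn-on-one-side result is best routed to a human, since the thread shows that state can mean either a stale repository record or a curation decision.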