
Comments (3)

mayrstefan avatar mayrstefan commented on May 31, 2024

Even more confusing: both links have different security ratings. Although https://nvd.nist.gov/vuln/detail/CVE-2021-41190 mentions GitHub with a low score, we can find this id on GitHub with a medium score.

from advisory-database.

ravage84 avatar ravage84 commented on May 31, 2024

@mayrstefan while I was researching a similar case, I came across this statement:

Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "Editing security advisories in the GitHub Advisory Database."

https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory

from advisory-database.

Marcono1234 avatar Marcono1234 commented on May 31, 2024

This differentiation between Repository Advisory and Database Advisory which both have the exact same GHSA ID is really confusing. In #1136 (comment) it was mentioned:

They can actually differ in content. The GitHub Security Lab Curation team reviews each and every advisory that makes it into the "reviewed" category on our system, and they'll sometimes add additional details or fix the spelling of a package name, etc. We don't want to force those changes on anyone's repository, so we let them update as they see fit.

But as mentioned above in this issue, this difference in content is more likely to cause confusion than help anyone (?). And when you just write the name of an advisory, such as GHSA-qq97-vm5h-rrhg, GitHub seems to automatically add a link to the Database Advisory, making it even more unlikely that users will see the Repository Advisory.

And to increase the confusion, when you write the URLs https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg (Repository Advisory) and https://github.com/advisories/GHSA-qq97-vm5h-rrhg (Database Advisory) for example in a comment on an issue, the GitHub UI shows for both the link text GHSA-qq97-vm5h-rrhg.

Here are some more negative examples in the context of withdrawn advisories:

Repository Advisory (not withdrawn)   Database Advisory (withdrawn)
GHSA-9pgh-qqpf-7wqj                   GHSA-9pgh-qqpf-7wqj
GHSA-cvx8-ppmc-78hm                   GHSA-cvx8-ppmc-78hm
GHSA-mcwm-2wmc-6hv4                   GHSA-mcwm-2wmc-6hv4

from advisory-database.
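The situations the three comments above describe (same GHSA ID, different severity, withdrawn in one copy but not the other) can be caught mechanically by comparing the two records. The following is an added example, not code from this issue thread or from the advisory-database project. The two advisory records are constructed JSON whose field names follow the GitHub REST API responses for GET /advisories/{ghsa_id} (Database Advisory) and GET /repos/{owner}/{repo}/security-advisories/{ghsa_id} (Repository Advisory); the GHSA ID, dates, severities and summary in them are invented for illustration. The `fetch_json` helper is an assumed way to obtain live records and is not exercised by the offline run.

```python
"""Spot divergence between a GitHub Database Advisory and the Repository
Advisory that carries the same GHSA ID.

Added example, not code from the original issue thread or from the
advisory-database project. The two records below are constructed JSON;
field names follow the GitHub REST API shapes for
GET /advisories/{ghsa_id} (Database Advisory) and
GET /repos/{owner}/{repo}/security-advisories/{ghsa_id} (Repository
Advisory), but every value, including the GHSA ID, is invented.
"""
import json
import urllib.request

# Fields a consumer cares about when the two copies drift apart.
COMPARED_FIELDS = ("severity", "withdrawn_at", "cve_id", "summary")

# Constructed sample: the Database Advisory has been withdrawn and rated
# "moderate", while the Repository Advisory still stands and says "low".
DATABASE_ADVISORY_JSON = """
{
  "ghsa_id": "GHSA-xxxx-yyyy-zzzz",
  "cve_id": null,
  "summary": "Example: path traversal in archive extraction",
  "severity": "moderate",
  "withdrawn_at": "2024-05-01T12:00:00Z"
}
"""
REPOSITORY_ADVISORY_JSON = """
{
  "ghsa_id": "GHSA-xxxx-yyyy-zzzz",
  "cve_id": null,
  "summary": "Example: path traversal in archive extraction",
  "severity": "low",
  "withdrawn_at": null
}
"""


def diff_advisories(database: dict, repository: dict) -> dict:
    """Return {field: (database_value, repository_value)} for every compared
    field whose values differ. Refuses to compare two different GHSA IDs."""
    if database["ghsa_id"] != repository["ghsa_id"]:
        raise ValueError("records describe different GHSA IDs")
    return {
        field: (database.get(field), repository.get(field))
        for field in COMPARED_FIELDS
        if database.get(field) != repository.get(field)
    }


def classify(diffs: dict) -> list:
    """Turn raw field differences into the situations the thread describes."""
    findings = []
    if "withdrawn_at" in diffs:
        # A non-null withdrawn_at means that copy has been withdrawn.
        db_withdrawn, repo_withdrawn = (v is not None for v in diffs["withdrawn_at"])
        if db_withdrawn and not repo_withdrawn:
            findings.append("withdrawn in Database Advisory only")
        elif repo_withdrawn and not db_withdrawn:
            findings.append("withdrawn in Repository Advisory only")
    if "severity" in diffs:
        findings.append("severity differs: database=%s repository=%s" % diffs["severity"])
    if "cve_id" in diffs:
        findings.append("CVE mapping differs")
    if "summary" in diffs:
        findings.append("summary text differs")
    return findings


def fetch_json(url: str, token: str) -> dict:
    """Fetch one advisory record from the GitHub REST API.

    Assumed helper for live use; the offline demo below never calls it."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": "Bearer " + token,
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_sample() -> list:
    """Run the comparison over the constructed records and return findings."""
    database = json.loads(DATABASE_ADVISORY_JSON)
    repository = json.loads(REPOSITORY_ADVISORY_JSON)
    return classify(diff_advisories(database, repository))


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

For live use, pass the two API URLs for one GHSA ID to `fetch_json` and hand the results to `diff_advisories`; anything it returns is a place where a reader following the auto-linked Database Advisory would see something other than what the repository maintainers published.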
