Enable GHSA to consolidate affected entries
#35
Comments
|
@rsc @chrisbloom7 WDYT? I'm starting to think supporting an event that encodes "<=version" makes sense, especially since it's supported in CVE 5.0. |
But in this case, +1 for supporting |
|
@oliverchang Thanks for explaining why the current approach could be problematic and for iterating through a number of potential solutions. For starters, I would love to remove our dependence on custom If that potential for misuse makes option 2 less attractive, then your first suggestion for |
|
grumble ... thinking about this further, we use |
|
Thanks for the comments! Perhaps we can start with the range-specific @rsc, what do you think of all of this? |
|
Maybe we can do both options 1 and 2? They serve different purposes, and having both options available would be useful on our side to clean up our round-trip transformation process. |
|
It is a design goal for OSV for all clients to be able to determine in an algorithmically precise way whether a particular version is affected. Having "database_specific" in the affected object would harm that goal, because now the meaning depends on knowing about each particular database. So I'd very very much like to avoid doing that. Changing the algorithm has similar problems. That leaves the potential for adding a <= operator in some form. Since we did that for CVE JSON 5.0 and we ideally want to be able to convert losslessly between CVE and OSV, it does seem reasonable to add <=. Today we have "introduced" and "fixed". If we added <=, I assume the way it would work is that we'd add "last_affected", and an entry can have either "last_affected" or "fixed" but not both. And then the test would be < fixed or else <= last_effected. I think that matches CVE JSON 5.0's lessThan and lessThanOrEqual. Do I have that right? |
Right, in this case though, I don't think
I'm also leaning toward this given the CVE JSON 5.0 support and the closer alignment with GHSA. I can draft up a PR for this if we all agree here.
|
|
Might I suggest that if we're willing to add |
|
(Also, selfishly, that would solve soooo many problems on our translation side) |
|
I do think we want to optimise more for the consumers of these entries to be able to consume/edit them more simply. As @rsc also explored in #31 (comment), there are other reasons to not add operators like "last_known_good", including lack of CVE 5.0 support and inaccurate encodings. Given the compatibility constraints of our schema, adding new fields/semantics is expensive and I think we should be a bit cautious here in introducing too many new fields at once. |
|
I agree with @oliverchang about being very selective in how many different constraints we add, for all the reasons he enumerated. I suggest we start with just "last_affected". |
This is intended only for metadata that enables databases to losslessly convert OSV entries back into their original representation. Part of #35.
* Add `last_affected` event type. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> * JSON validation Co-authored-by: Chris Bloom <[email protected]>
* Add database_specific to `affected[].ranges[]`. This is intended only for metadata that enables databases to losslessly convert OSV entries back into their original representation. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> Co-authored-by: Chris Bloom <[email protected]>
* Add `last_affected` event type. (#38) * Add `last_affected` event type. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> * JSON validation Co-authored-by: Chris Bloom <[email protected]> * Add database_specific to `affected[].ranges[]`. (#37) * Add database_specific to `affected[].ranges[]`. This is intended only for metadata that enables databases to losslessly convert OSV entries back into their original representation. Part of #35. * Update docs/schema.md Co-authored-by: Chris Bloom <[email protected]> Co-authored-by: Chris Bloom <[email protected]> * Bump version and add change log. Co-authored-by: Chris Bloom <[email protected]>
|
@oliverchang I'm just in the process of implementing support for Should that last |
Good catch, thanks! That was indeed a bad copy/paste. I've fixed up the original post, and renamed this to the actual field name we went with ( |
|
@oliverchang awesome, thanks for that! I've landed support for |
Context
Currently, GitHub's Advisory Database encodes pairs of (introduced, fixed) events in separate
affectedobjects. This is because GitHub needs to preserve these pairs when converting the OSV entry back into their internal database represenation.An example: https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2017/10/GHSA-xgr2-v94m-rc9g/GHSA-xgr2-v94m-rc9g.json#L14
One obvious alternative here is to use a single
affectedentry and have two separateECOSYSTEMranges in there:However, I believe this wasn't done, because GitHub needs to record version metadata using a <= operator, and relies on
database_specificto this. One example: https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.jsonThis has a bunch of affected entries that look like:
GHSA-gww7-p5w4-wrfv.json
{ "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 2.0.6" } },Problems
There are a number of problems here:
Using the the current evaluation pseudo-code, the semantics of the GHSA-gww7-p5w4-wrfv.json entry above would mean: everything after
2.0.0is affected, regardless of any fixes that are encoded afterwards in otheraffectedentries.This advisory has fixes later specified in 2.8.11.5 and 2.9.10.1, but they're not going to be considered under the current evaluation algorithm. Any version after
2.0.0will be incorrectly considered to be vulnerable.Having duplicate package entries makes the entry a lot less lean than it should be
Proposed solutions
Add
database_specifictoaffected[].ranges[]If we instead add
database_specifictoaffected[].ranges[], we could encode GHSA-gww7-p5w4-wrfv as{ "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, ], "database_specific": { "last_known_affected_version_range": "<= 2.0.6" } }, { "type": "ECOSYSTEM", "events": [ { "introduced": "2.1.0" }, ], "database_specific": { "last_known_affected_version_range": "<= 2.1.5" } }, ... ],The pseudo-code as is should work as intended with this encoding (with minor changes re sorting), and the resulting JSON has far less duplication.
Support a <= event
Similar to above, rather than encoding this in
database_specific, we support a "last_affected" event or something similar:In the vast majority of cases, GitHub does actually know the exact fix version (example), but they would still like to record this <= information for use in tools such as Dependabot.
Supporting this would mean we potentially complicate our version specification, and potentially encourage entries that only use
last_affectedwhen we really wantfixedin all cases. On the other hand, CVE 5.0 does support alessThanOrEqual, and perhaps OSV was missing this.Fix the evaluation algorithm to consider all
affectedentries for the same package.We could alternatively make the pseudo-code handle these problematic cases, but it doesn't seem ideal as it:
affectedentries for the same package was to encode things like platform configurations where the set of affected versions are not the same.The text was updated successfully, but these errors were encountered: