Review how pip-audit handles multiple vulnerabilities with the same alias
#231
Labels
component:vuln-sources
Components that provide sources of vulnerability information
pri:high
High(er) priority tasks
Comments
woodruffw
added
the
component:vuln-sources
|
Making sure I understand: each vulnerability has multiple potential aliases, e.g. multiple CVEs or other identifiers. With this behavior change, would we be checking whether two vulnerabilities have the exact same alias set, or have at least one alias in common? |
|
I believe the case we're interested in is when two vulnerability reports affect the same dependency and have a shared alias, but I'll let @oliverchang confirm. |
|
Yep! We'd want to group any vulnerabilities that have any aliases (including the id) common. E.g. given {"id": "PYSEC-2022-19", "aliases": ["CVE-2022-22818"]}{"id": "GHSA-95rw-fx8r-36v6", "aliases": ["CVE-2022-22818"]}{"id": "SOME-OTHER-ID", "aliases": ["GHSA-95rw-fx8r-36v6"]}We'd want to group them all of these together. |
That's an important detail! I'll make sure the changes in #232 include that. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We should review how
pip-audithandles multiple vulnerabilities with the same alias. In the future, it may be necessary to de-duplicate two or more vulnerabilities with different IDs, but the same alias.(cc @oliverchang)
The text was updated successfully, but these errors were encountered: