Can a repo-level advisory be created with an existing GHSA ID? #4620
Advisories are sometimes imported into the GitHub Advisory Database from other advisory databases, such as RUSTSEC. When the software to which they pertain is hosted on GitHub, its repository maintainer may or may not also have issued a local advisory to be shown in the repository's Security tab. But for projects that choose to publish repository-level advisories, it can be useful to have a local advisory in the Security tab for each known reported vulnerability, including vulnerabilities that were not originally reported in that way. Is there any way for a maintainer to create a repository-local advisory corresponding to an existing global advisory and sharing its GHSA ID, or to request that this be done? In some cases having a different GHSA ID for the repo-level advisory might be okay, but it has a few disadvantages:
This is motivated by the specific case of RUSTSEC-2023-0064 / GHSA-rrjw-j4m2-mf34. (This should not be confused with the related but distinct vulnerability RUSTSEC-2024-0335 / CVE-2024-32884 / GHSA-98p4-xjmm-8mfh, which does, as is ideal, have both global and repo-level advisories with the same GHSA ID as each other.) The idea that it would be useful to have a repo-level advisory with the same GHSA ID as GHSA-rrjw-j4m2-mf34 is discussed in GitoxideLabs/gitoxide#1457. Although this is related to #4317, I believe my concern expressed there about obscuring the reporter was mostly misguided, and I am glad that PR was ultimately merged. The advisory text there does make clear who the reporter was, and readers are unlikely to misread my analyst credit. However, if I understand correctly, the credit situation could be further improved if there were a linked repo-local GHSA advisory, since then @vin01 could be credited there as reporter in its metadata, and that could be synced to the global advisory. I understand if this is not feasible, but I figured I'd check since it seems like it could be helpful and the maintainer @Byron is amenable to it.