Improve security advisory form - affected version ranges #339
-
|
I was looking to make an improvement suggestion for a vulnerability regarding the affected versions, but I am unsure how best to complete the 'Improve security advisory' form. For the purposes of my question I'm not sure the actual vulnerability matters, but for the curious I'm basing this on CVE-2022-1650. Presently, the affected version is listed as < 2.0.2 and has a patched version number of 2.0.2. Since the initial CVE, the fix has been backported, so 1.1.1 is also patched. As a consequence it would now be more accurate to say affected versions are: < 1.1.1 and >= 2.0.0 and < 2.0.2 - with patched versions being 1.1.1 and 2.0.2. Is there an example of how I would input those conditions on the 'Improve security advisory' form using the 'Affected versions' and 'Patched versions' fields? Is there a specific format or delimiter I should use? Many thanks, |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 7 replies
-
|
From a purely technical standpoint (I'm not on the research team so won't speak to the validity of the data), but you'd want to use the improvement form and then add a second affected product. That would look something like this
|
Beta Was this translation helpful? Give feedback.
-
|
I did consider that, but I confess I was disuaded from trying when looking at a couple of existing examples of CVEs which appeared to group the affected/patched version information together under a common product entry. I suppose I'll just give it a try and wait to be shouted at if its wrong. I appreciate the input; thanks @chrisbloom7. |
Beta Was this translation helpful? Give feedback.
-
|
Ah - seems that particular entry has already been updated. I guess I'll just keep an eye-out for a similar issue on a future CVE and I can try it out then! :) |
Beta Was this translation helpful? Give feedback.
-
These will end up being consolidated under a single package name in the /advisories view. See GHSA-hxqx-xwvh-44m2 as a recent example.
gets consolidated from
|
Beta Was this translation helpful? Give feedback.
-
|
I appreciate the confirmation; thanks again Chris. 👍 |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
Out of interest, are you saying v1.1.1 does not fix CVE-2022-1650? Or that there is another vulnerability? |
Beta Was this translation helpful? Give feedback.
-
|
@lukemaslany-next Sorry it was my confusion due to two advisories being fixed in 2.0.2, but only one was fixed in 1.1.1 |
Beta Was this translation helpful? Give feedback.
-
|
It would be helpful to have a help button to describe the format for specifying affected versions. There seems to be a need for whitespace after an equality or inequality operator. |
Beta Was this translation helpful? Give feedback.
-
|
😩 |
Beta Was this translation helpful? Give feedback.
From a purely technical standpoint (I'm not on the research team so won't speak to the validity of the data), but you'd want to use the improvement form and then add a second affected product. That would look something like this