Add missing OSV schema fields to vulnerability page #2132
@@ -163,57 +200,57 @@ <h3 class="mdc-layout-grid__cell--span-3"> | |||
</dd> | |||
</dl> | |||
{% endfor -%} | |||
</div> |
We also have per-range ecosystem/database_specific: https://ossf.github.io/osv-schema/#affectedecosystem_specific-field
To clarify, in total there's 3 variations here:
- affected[].ranges[].database_specific
- affected[].database_specific field
- affected[].ecosystem_specific field
Added a commit to expose it: 47f2185
Also looking at the data models, I reckon currently this data is not recorded on the Bug model:
Lines 185 to 194 in 47f2185
class AffectedRange2(ndb.Model):
  """Affected range."""
  # Type of range.
  type = ndb.StringProperty(validator=_check_valid_range_type)
  # Repo URL.
  repo_url = ndb.StringProperty()
  # Events.
  events = ndb.LocalStructuredProperty(AffectedEvent, repeated=True)
(Please correct me if I'm missing something.)
It might be worth mentioning, I couldn't find any bug that includes database_specific on its ranges, though.
sample output:
@oliverchang - FYI added ecae833 to render the on-the-fly database_specific data too.
{%- if 'purl' in affected.package -%} | ||
<dt>Purl</dt> | ||
<dd>{{ affected.package.purl }}</dd> | ||
{%- endif -%} | ||
{%- endif -%} |
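Review bot: `{{ affected.package.purl }}` on the `<dd>` line prints a value taken straight from the vulnerability record, so it is only safe if autoescaping is enabled for this template; if it is not, render it as `{{ affected.package.purl | e }}`. The second `{%- endif -%}` closes an `if` that is not visible in this hunk, which is worth a second look given that the commit message below describes removing a duplicated package `if` in favour of the parent one.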
We also have a per-affected severity field: https://ossf.github.io/osv-schema/#affectedseverity-field
The rendering of this is different from the rendering for the top level severity (e.g. on GHSA-76v2-48w6-crxr). Can we make this the same as the top level rendering?
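An added example, not code from this PR or from osv.dev, that walks an OSV record and collects every placement of the fields this thread lists: the three database_specific/ecosystem_specific variations and the per-affected severity. The input record and the names SAMPLE_OSV, collect_specific_fields and render_json_block are constructed for the example.

```python
import json

# Constructed OSV record (not a real advisory) covering the three
# database_specific / ecosystem_specific placements discussed above
# plus a per-affected severity entry.
SAMPLE_OSV = json.loads("""
{
  "id": "EXAMPLE-0001",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "example-pkg",
                  "purl": "pkg:pypi/example-pkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.2.0"}],
         "database_specific": {"source": "range-level"}}
      ],
      "severity": [{"type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
      "database_specific": {"source": "affected-level"},
      "ecosystem_specific": {"affected_functions": ["example.load"]}
    }
  ]
}
""")


def collect_specific_fields(vuln):
    """Return (json_path, value) pairs for every database_specific /
    ecosystem_specific block and per-affected severity in an OSV record.
    Paths use the same notation as the review comment above."""
    found = []
    for i, affected in enumerate(vuln.get("affected", [])):
        for key in ("database_specific", "ecosystem_specific", "severity"):
            if key in affected:
                found.append((f"affected[{i}].{key}", affected[key]))
        for j, rng in enumerate(affected.get("ranges", [])):
            if "database_specific" in rng:
                found.append((f"affected[{i}].ranges[{j}].database_specific",
                              rng["database_specific"]))
    return found


def render_json_block(value):
    """Pretty-print a *_specific dict the way a <pre> block on the page
    would show it (sorted keys so the output is stable)."""
    return json.dumps(value, indent=2, sort_keys=True)
```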
updated in 212c8f1
Earlier in the html, there is a duplicated `if` statement to display the package if it existed in the affected payload. This change removes the duplicated `if` statement in favour of the parent `if` statement.
Previously, affected database specific was linked to affected range database specific. This change updates the link to point to the correct address.
{% for credit in vulnerability.credits -%} | ||
<li class="credit"> | ||
<ul> | ||
<li>{{ credit.name }}{%- if 'type' in credit -%} - {{ credit.type }}{%- endif -%}</li> |
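Review bot: the `-%}` on `{%- if 'type' in credit -%}` strips the whitespace that follows the tag, so the literal ` - ` loses its leading space and the output reads `name- type`; dropping that trailing dash, `{%- if 'type' in credit %} - {{ credit.type }}{%- endif -%}`, keeps the space between the name and the dash.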
Can we add a space after the name and before the first "-" ?
updated: 3c62c56
pre { | ||
white-space: pre-wrap; | ||
overflow: auto; | ||
} | ||
|
||
|
||
.purl{ |
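Review bot: the `pre { white-space: pre-wrap; overflow: auto; }` rule is not scoped to any container, so it restyles every `<pre>` element on the site rather than only the new database_specific blocks on the vulnerability page; scope the selector to the page's container, and consider adding `overflow-wrap: anywhere` so a long unbroken token such as a URL inside the JSON wraps instead of forcing a horizontal scrollbar.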
can you add a space here after "purl" ?
updated 511d314
This change adds the following info to the vulnerability page:
resolves #2081
Regarding the second item on the issue (per-range ecosystem/database_specific fields), I left a question on the issue.