-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft to extract release json #9210
base: main
Are you sure you want to change the base?
Changes from 3 commits
feceb78
8fb2912
23c2697
18393f0
2b34076
c557fd9
9f3bb26
3c4edb7
7ab6792
860c39e
96c507d
6f86483
6f4eccd
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"cve-list": [ | ||
{ | ||
"cve-id": "CVE-2023-36049", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36049" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-36558", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36558" | ||
}, | ||
{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about this: {
"cve-id": "CVE-2023-36038",
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36038",
"ms-url": "https://github.com/dotnet/announcements/issues/286",
"affected-os" : ["windows"],
"affected-repos": [
{
"repo" : "https://github.com/dotnet/aspnetcore"
}
]
} The We could do something similar with operating system so that we could add architecture. I don't think that's worth it. There will always be some aspect we cannot represent. For example, this CVE only applies to IIS. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is there a similar concept like "affected-components" or "affected-products", so then it'd be "aspnetcore-runtime", "windowsdesktop", "sdk"? Trying to articulate something (badly) that's like a distributable unit that's more fine-grained than (or untied to) a specific GitHub repo. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That's a great point. {
"cve-id": "CVE-2023-36038",
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36038",
"ms-url": "https://github.com/dotnet/announcements/issues/286",
"affected-os" : ["windows"],
"affected-components": [
{
"component": "Microsoft.AspNetCore.App",
"versions" : "<8.0.0",
"repo" : "https://github.com/dotnet/aspnetcore"
}
]
} |
||
"cve-id": "CVE-2023-36038", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36038" | ||
} | ||
] | ||
} |
Large diffs are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"cve-list": [ | ||
{ | ||
"cve-id": "CVE-2024-0056", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0056" | ||
}, | ||
{ | ||
"cve-id": "CVE-2024-0057", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0057" | ||
}, | ||
{ | ||
"cve-id": "CVE-2024-21319", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21319" | ||
} | ||
] | ||
} |
Large diffs are not rendered by default.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Additional (possibly interesting data):
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{ | ||
"cve-list": [ | ||
{ | ||
"cve-id": "CVE-2024-21386", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21386" | ||
}, | ||
{ | ||
"cve-id": "CVE-2024-21404", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21404" | ||
} | ||
] | ||
} |
Large diffs are not rendered by default.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure if we want to only have a index file for all security fixes (similar to the |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
{ | ||
"cve-list": [ | ||
{ | ||
"release-version": "8.0.2", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.2/cve.json" | ||
}, | ||
{ | ||
"release-version": "8.0.1", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.1/cve.json" | ||
}, | ||
{ | ||
"release-version": "8.0.0", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.0/cve.json" | ||
}, | ||
{ | ||
"release-version": "8.0.0-rc.2", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-rc.2.cve.json" | ||
}, | ||
{ | ||
"release-version": "8.0.0-rc.1", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-rc.1.cve.json" | ||
} | ||
] | ||
} |
Large diffs are not rendered by default.
Large diffs are not rendered by default.
Large diffs are not rendered by default.
Large diffs are not rendered by default.
Large diffs are not rendered by default.
Large diffs are not rendered by default.
Large diffs are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
{ | ||
"cve-list": [ | ||
{ | ||
"cve-id": "CVE-2023-36799", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36799" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-36796", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36796" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-36792", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36792" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-36794", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36794" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-36793", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36793" | ||
} | ||
] | ||
} |
Large diffs are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"cve-list": [ | ||
{ | ||
"cve-id": "CVE-2023-36435", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36435" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-38171", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38171" | ||
}, | ||
{ | ||
"cve-id": "CVE-2023-44487", | ||
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487" | ||
} | ||
] | ||
} |
Large diffs are not rendered by default.
Falco20019 marked this conversation as resolved.
Show resolved
Hide resolved
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
{ | ||
"channel-version": "8.0", | ||
"latest-release": "8.0.2", | ||
"latest-release-date": "2024-02-15", | ||
"latest-runtime": "8.0.2", | ||
"latest-sdk": "8.0.201", | ||
"release-type" : "lts", | ||
"support-phase": "active", | ||
"eol-date": "2026-11-10", | ||
"lifecycle-policy": "https://aka.ms/dotnetcoresupport", | ||
"cve-index.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/cve-index.json", | ||
Falco20019 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
"releases": [ | ||
{ | ||
"release-date": "2024-02-13", | ||
"release-version": "8.0.2", | ||
"security": true, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.2/8.0.2.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.2/release.json", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.2/cve.json" | ||
}, | ||
{ | ||
"release-date": "2024-01-09", | ||
"release-version": "8.0.1", | ||
"security": true, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.1/8.0.1.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.1/release.json", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.1/cve.json" | ||
}, | ||
{ | ||
"release-date": "2023-11-14", | ||
"release-version": "8.0.0", | ||
"security": true, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.0/8.0.0.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.0/release.json", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/8.0.0/cve.json" | ||
}, | ||
{ | ||
"release-date": "2023-10-10", | ||
"release-version": "8.0.0-rc.2", | ||
"security": true, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-rc.2.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-rc.2.release.json", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-rc.2.cve.json" | ||
}, | ||
{ | ||
"release-date": "2023-09-14", | ||
"release-version": "8.0.0-rc.1", | ||
"security": true, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-rc.1.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-rc.1.release.json", | ||
"cve.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-rc.1.cve.json" | ||
}, | ||
{ | ||
"release-date": "2023-08-08", | ||
"release-version": "8.0.0-preview.7", | ||
"security": false, | ||
Falco20019 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.7.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.7.release.json" | ||
}, | ||
{ | ||
"release-date": "2023-07-11", | ||
"release-version": "8.0.0-preview.6", | ||
"security": false, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.6.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.6.release.json" | ||
}, | ||
{ | ||
"release-date": "2023-06-13", | ||
"release-version": "8.0.0-preview.5", | ||
"security": false, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.5.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.5.release.json" | ||
}, | ||
{ | ||
"release-date": "2023-05-16", | ||
"release-version": "8.0.0-preview.4", | ||
"security": false, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.4.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.4.release.json" | ||
}, | ||
{ | ||
"release-date": "2023-04-11", | ||
"release-version": "8.0.0-preview.3", | ||
"security": false, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.3.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.3.release.json" | ||
}, | ||
{ | ||
"release-date": "2023-03-14", | ||
"release-version": "8.0.0-preview.2", | ||
"security": false, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.2.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.2.release.json" | ||
}, | ||
{ | ||
"release-date": "2023-02-21", | ||
"release-version": "8.0.0-preview.1", | ||
"security": false, | ||
"release-notes": "https://github.com/dotnet/core/blob/main/release-notes/8.0/preview/8.0.0-preview.1.md", | ||
"release.json": "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/preview/8.0.0-preview.1.release.json" | ||
} | ||
] | ||
} |
Falco20019 marked this conversation as resolved.
Show resolved
Hide resolved
Falco20019 marked this conversation as resolved.
Show resolved
Hide resolved
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
{ | ||
"cve-list": [] | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit bare. I think we should include a date and .NET version.
Many folks will probably follow the links to this file and then use this content for the actual deserialization step and want a bit more data than just the CVEs. Certainly, there are other ways to do it, but this approach could be very convenient.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, only the existing data so far. It's one of the points that I wanted to discuss what data could make sense in here. Since we want to generate those, the data this would be generated from would (in my view) also have more information, as this is duplicated per version it was fixed in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, "duplication" isn't really the right metric to use. People are going to deserialize these objects. What data will they want? Imagine adding those objects to a dictionary and/or using LINQ on them. Having a bit more information would make that flow super nice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added the date and .NET version to them. I think we still have an open discussion on what other information might be useful. In my opinion, having the affected version in there might be valuable. There is also the discussion about having a monthly set of those centrally (over all channels) that's not in the draft yet as I wanted to wait for what data we want to have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need a date in the front matter. If you follow the links from cve-index.json, there are no dates. You'd have to also read releases-index.json to get the dates. I think that's the only addition we need for CVEs.
I don't think we need "also applies to" unless we get asked for that. That is calculatable by looking at all the cve.json files for that date for supported versions.