Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specify which distro package versions are affected in each advisory #287

Open
luhring opened this issue Oct 2, 2023 · 0 comments
Open

Specify which distro package versions are affected in each advisory #287

luhring opened this issue Oct 2, 2023 · 0 comments
Labels
enhancement New feature or request schema Describes a proposed change to the advisory document schema

Comments

@luhring
Copy link
Collaborator

luhring commented Oct 2, 2023

One of the vestigial aspects of our advisory data today that lingers from our beginning with the Alpine "secfixes" approach is that we don't actually enumerate a list or range of distro package versions affected by a given vulnerability, we only record the fixed version of the distro package.

As the advisory data continues to become more full-featured, we should encode the full set of affected package versions, using either ranges or discrete sets.

This will help scanners produce more reliable results, since they won't need to guess about whether an installed version less than the noted fixed version is affected.

Schema suggestions welcome!
@luhring luhring added enhancement New feature or request schema Describes a proposed change to the advisory document schema labels Oct 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request schema Describes a proposed change to the advisory document schema
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@imjasonh @luhring