Add OSV information #232
```python
node_type = project.get('type').split('_', maxsplit=1)[-1]

# Exception for : SA-CONTRIB-2019-074, SA-CONTRIB-2024-022
if "for drupal " in node_type:
```
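Review bot: the comment on the exception branch names only the two advisories that triggered it; state what `node_type` looks like in those cases (a type string containing `for drupal `) so the next reader can tell when the branch applies without looking the advisories up. Also note that the literal is lowercase while the module names quoted in the thread carry "for Drupal"; unless `node_type` is normalised to lowercase before this point, which is not visible here, the `in` test will not match them.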
The name of these modules does include "for Drupal" which is a little odd. If this is not appropriate to have in the OSV summary then it seems OK to remove.
I see the problem. I hesitated for a long time about the format for the summary.
This resulted in the following:
BAT online reservations for Drupal module for Drupal - Access Bypass - SA-CONTRIB-2019-074
It might be more appropriate to use this type of formatting; it will avoid repetition:
BAT online reservations for Drupal (Module) - Access Bypass - SA-CONTRIB-2019-074
Tbh I think only the middle part is appropriate for the summary, as the other parts are already encoded in the advisory and would typically be displayed already as they're critical to doing anything with the advisory.
And then I'm not sure if the middle section is something that would stand well on its own...
👋 thanks for the interest in improving our database! I'm not sure how valuable it is having both the summary and details, though looking at the generated advisories locally with this I will say the result does seem more consistent than I was expecting given the transformations we're doing. I'm also not sure if it's appropriate to use If you're ok waiting a couple of weeks I might run this by the OSV team to check what their recommendations are
It may be more relevant to use the purl information only for packages that are in the ecosystem "Packagist":

```python
if composer_package_name in drupal_packages_available_on_packagist:
    purl = f'pkg:composer/{composer_package_name.lower()}'
```

Of which there's only like two that have vulns here and one of those is "deprecated" in favour of the Drupal repo version, so I don't think it'd be useful 😅

Adding purl information based on this standard: https://github.com/package-url/purl-spec/blob/main/types/composer-definition.json
Adding OSV summary information
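The two pieces the PR adds, as an added example that is not the PR's own code: a composer purl built the way the linked purl-spec composer definition requires (vendor and name lowercased and percent-encoded, optional version after `@`), gated on the package actually being on Packagist, and the `<title> (<Type>) - <vuln type> - <advisory id>` summary shape proposed in the thread. Function names, the Packagist set and the `drupal/bat` composer name are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import quote

# Constructed sample: the Drupal projects this hypothetical generator
# treats as published on Packagist. The real list is not on the page.
DRUPAL_PACKAGES_ON_PACKAGIST = {"drupal/bat", "drupal/core-recommended"}


def composer_purl(composer_package_name: str, version: Optional[str] = None) -> str:
    """Build a pkg:composer purl per the purl-spec composer definition.

    The namespace (vendor) and name are lowercased and percent-encoded;
    a version, when given, is percent-encoded and appended after '@'.
    """
    vendor, sep, name = composer_package_name.partition("/")
    if not sep or not vendor or not name:
        raise ValueError(f"expected vendor/name, got {composer_package_name!r}")
    purl = f"pkg:composer/{quote(vendor.lower(), safe='')}/{quote(name.lower(), safe='')}"
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def purl_for(composer_package_name: str) -> Optional[str]:
    """Emit a purl only for packages that exist on Packagist (the gating
    suggested in the thread); None means 'leave the purl field out'."""
    if composer_package_name.lower() in DRUPAL_PACKAGES_ON_PACKAGIST:
        return composer_purl(composer_package_name)
    return None


def osv_summary(project_title: str, node_type: str, vuln_type: str, advisory_id: str) -> str:
    """'<title> (<Type>) - <vuln type> - <advisory id>'.

    node_type is the drupal.org node type, e.g. 'project_module'; only the
    part after the first underscore is used, and it goes in parentheses so a
    title that already ends in 'for Drupal' is not followed by 'module for Drupal'.
    """
    kind = node_type.split("_", maxsplit=1)[-1]
    return f"{project_title} ({kind.capitalize()}) - {vuln_type} - {advisory_id}"


if __name__ == "__main__":
    print(purl_for("drupal/bat"))
    print(purl_for("drupal/some_private_module"))
    print(osv_summary("BAT online reservations for Drupal", "project_module",
                      "Access Bypass", "SA-CONTRIB-2019-074"))
```

Whether the parenthesised type and the advisory id belong in the summary at all is the open question in the thread; the function only shows that the "(Module)" placement removes the duplicated "for Drupal" without a special case on the type string.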