-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add separate field for withdrawn reason & add guidelines for withdrawing #160
Comments
Hi there, thanks for the discussion! Would you be able to speak a bit more around the use case for a more detailed withdrawn field? The OSV Schema is primarily meant to help with enabling automation for common vulnerability management workflows (e.g. vulnerability scanning, vulnerability interchange between databases), and to be as minimal as possible. Is there a strong case to be made for a dedicated withdrawn reason and how a user would make use of this? |
First of all, as short disclaimer, at least for the GitHub Advisory Database the number of withdrawn advisories only represented a small percentage (~1,4% of all GitHub-reviewed advisories were withdrawn, see github/advisory-database#2420), so it is understandable if you think some of this is not worth the effort. For this university project we simply decided to explicitly look at the withdrawn advisories, which is why this issue is so focused on that.
I can imagine at least two situations where this would be useful: The other situation is when there are multiple vulnerability databases involved and the advisory is withdrawn in one (but without proper reason) but not the other. You might then wonder which information is correct, and the detailed withdrawal information might make this easier for you. Let's take for example GHSA-7mg7-m5c3-3hqj, as you see the advisory is withdrawn but it links to a RustSec advisory which has not been withdrawn. It turns out that first GitHub advisory is actually a duplicate of another one, but this is not obvious from the first GitHub advisory at all (this is also mentioned in github/advisory-database#2420). These are cases where I imagine more detailed withdrawal information would be useful, there might be more cases. Though the question is how often users actually encounter such situations, and what experience other users have made so far with withdrawn advisories. |
Hello,
for a university project a fellow student and I had a look in December 2022 at the back then 141 GitHub-reviewed withdrawn advisories in the GitHub Advisory Database, which uses the OSV schema. Back then we noticed the following main issues:
Based on this we suggest:
withdrawn_reason
(Markdown text field), which is mandatory when an advisory is withdrawnwithdrawn_reason
should be set. The originalsummary
anddetails
should remain unchanged. Vulnerability database UIs should properly indicate that an advisory is withdrawn without having to rely on special (non-standard)summary
texts.withdrawn_reason
should shortly describe the reason and optionally link to discussions (e.g. GitHub issues) for additional information. Only referring to a GitHub issue (especially without referring to a specific summarizing comment) should be avoided.withdrawn_reason
field. Or alternatively as proposed in Expand vuln id relationships #53, there should be standard relationship types to indicate the duplicated advisory.We hope this information is helpful. What do you think?
Here is the discussion specific to the GitHub Advisory Database: github/advisory-database#2420
Footnotes
Maybe this is also a bug / ambiguity in the documentation, because I assume you mean with "summary" here the
details
and not thesummary
field, since thesummary
is the plaintext title and you can hardly describe the reason there in much detail. ↩The text was updated successfully, but these errors were encountered: