Import advisories from the Github security vulnerability database automatically #626
Comments
@klausi FWIW, https://github.com/Roave/SecurityAdvisoriesBuilder already aggregates this repo's contents together with the Github advisories into https://github.com/Roave/SecurityAdvisories. This repo is a source of advisories, not a derived artifact 🤔
Ah ok, did not realize that. Then my confusion comes from https://github.com/fabpot/local-php-security-checker , which does not seem to use https://github.com/Roave/SecurityAdvisories and missed the dompdf security update. Not sure if @fabpot would want to use your database as source then for https://github.com/fabpot/local-php-security-checker ?
@Ocramius checked the mission for this repo from the README: "This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption." So it seems this repo is not a source anyway, and its purpose is to aggregate information. So then the automated import would make sense? Maybe we can copy from your approach how to scrape Github for the advisories :)
At that point, given that the advisories DB is already a repository, why not use that one directly? See https://github.com/github/advisory-database - their
Sweet, very good info! Their JSON format contains I see 2 distinct options:
What is better for the PHP ecosystem? Is it valuable if security info is copied here to FriendsOfPHP/security-advisories?
Note: this repo could also adopt the OSV format, which would make collaborating much easier: #599.
If you want the information from both GitHub and this FriendsOfPHP repository, you can use the packagist.org database https://packagist.org/apidoc#list-security-advisories which aggregates both of them and handles de-duplication already.
Drive by comment from an OSV maintainer: ++++1 !! Other DBs such as https://github.com/github/advisory-database also use the OSV format, which will make sharing vulnerability data (import/export) much easier. @naderman this could also simplify the Packagist infrastructure greatly to only have to import a single, consistent format.
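An added example (not code from this repository, from Packagist, or from any of the commenters) of what a consumer of the OSV format discussed above does: match a composer.lock against a Packagist-ecosystem OSV advisory locally, which is the check that would have caught the dompdf miss. The advisory id, its version range and the lock file contents are constructed samples, not a real dompdf advisory.

```python
import json

# Constructed OSV-format advisory for the Packagist ecosystem (placeholder id,
# made-up range: this is NOT a real dompdf advisory).
OSV_ADVISORY = {"id": "EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "Packagist", "name": "dompdf/dompdf"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}]}]}

# Constructed composer.lock excerpt: only the fields the matcher reads.
COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "dompdf/dompdf", "version": "1.2.2"},
                 {"name": "symfony/yaml", "version": "v5.4.3"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.20"}]})


def version_key(version):
    """Composer version ('v1.2.2', '2.0.0-beta1') -> 3-int tuple; suffixes dropped."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version, events):
    """Walk OSV introduced/fixed events in version order: a version is affected
    inside any [introduced, fixed) interval. 'last_affected' is not handled."""
    key, affected = version_key(version), False
    for ev in sorted(events, key=lambda e: version_key(next(iter(e.values())))):
        if "introduced" in ev and version_key(ev["introduced"]) <= key:
            affected = True
        elif "fixed" in ev and version_key(ev["fixed"]) <= key:
            affected = False
    return affected


def find_vulnerable(lock_json, advisories):
    """Return (advisory id, package, locked version) for each locked package
    inside an ECOSYSTEM range of a Packagist advisory."""
    lock = json.loads(lock_json)
    installed = {p["name"]: p["version"] for sec in ("packages", "packages-dev")
                 for p in lock.get(sec, [])}
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            name = pkg.get("name")
            if pkg.get("ecosystem") != "Packagist" or name not in installed:
                continue
            for rng in aff.get("ranges", []):
                if rng.get("type") == "ECOSYSTEM" and is_affected(installed[name], rng["events"]):
                    hits.append((adv["id"], name, installed[name]))
    return hits
```

Feeding it the OSV entries from a real advisory database and a real composer.lock is the only change needed to run it against a project.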
For what it's worth, any discussion of adopting the OSV format belongs on the issue for that topic: #576. I think this issue should be closed. It seems like the discussion on the topic has already been resolved.
I also think this issue can be closed now.
You could switch from
Problem: Maintainers use the Github security advisory database to publish security issues. Currently random developers like me find out about them when Github's dependabot flags them in a composer.lock file in one of my repositories. That is how the FriendsOfPHP/security-advisories database missed the Dompdf security issue #625 for 3 weeks, oopsie doodle.
Proposed Solution: Write a Github action that imports Github security advisories fully automatically into this repository. It could work something like this:
This could be a nice Google Summer of Code project or similar for a student :-)