
GHSA-qq97-vm5h-rrhg out of sync. Why does it have different states? #224

Open

mayrstefan opened this issue Apr 26, 2022 · 2 comments

Comments

@mayrstefan mayrstefan commented Apr 26, 2022

When analyzing aquasecurity/trivy#2034 I was surprised to find the advisory id GHSA-qq97-vm5h-rrhg in two different states:

  1. GHSA-qq97-vm5h-rrhg from the repo maintainers, which seems to be the most up-to-date version, including the CVE number
  2. GHSA-qq97-vm5h-rrhg as a public GitHub Advisory, which has not been updated

Because I did not find a machine-readable format of the first one, I have to ask:

  • Is there any automation to keep the official advisories in sync (a bot for automated pull requests on updates)?
  • Where is the official process documented?
  • One id, two links, different information: which one is expected to be used by the public? I guess the second one, because the mouse-over preview has more details.
@mayrstefan mayrstefan (Author) commented Apr 26, 2022

Even more confusing: both links have a different security rating. Although https://nvd.nist.gov/vuln/detail/CVE-2021-41190 mentions GitHub with a low score, we can find this id on GitHub with a medium score.
