Add links to releases and latest releases on vulnerabilities docs page #781
Conversation
Also, the osv.dev API no longer returns any vulnerabilities for those three packages (caddy, logrotate, and grafana) which previously returned vulnerabilities. This seems like it might have been a bug in the osv.dev API, as the versions of the packages shouldn't be affected by those CVEs (e.g. grafana build 2266 used grafana version 10.4.2, but the CVE says it only affects up through version 7.0.1). I just used the previous
tools/create_vulnerability_doc.py
@@ -88,9 +115,22 @@ def format_quantities(cves): | |||
for release, cves in releases.items(): | |||
# Dropdown for each release -- expand to show vulnerabilities | |||
file.write(f"<details>\n<summary>{release} -- {format_quantities(cves)}</summary>\n\n") | |||
|
|||
# Url of release page and url of latest release (if this is not the latest release) | |||
file.write(f"- Release URL: [{release}]({release_urls[release]})\n\n") |
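Review bot: the last line of this hunk indexes `release_urls[release]` directly, so a release that has no URL entry raises a KeyError and aborts generation of the whole doc; consider `release_urls.get(release)` and skipping the line (or writing a placeholder) when the lookup returns None, and add a short comment stating where `release_urls` is populated so a reader of this block knows the invariant.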
I would suggest changing this to Affected Release URL
tools/create_vulnerability_doc.py
# Show if this vulnerability is resolved in the latest release | ||
if (release != latest_release_info[pkg]['name'] and | ||
cve['id'] not in latest_release_info[pkg]['cve_ids']): | ||
file.write(" - **This vulnerability is resolved in the latest release.**\n") |
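Review bot: the condition `cve['id'] not in latest_release_info[pkg]['cve_ids']` treats "not reported for the latest release" as "resolved in the latest release", but the author's own comment in this thread notes that osv.dev stopped returning vulnerabilities for some packages without the packages actually changing, so an API gap would be rendered as a fix; consider only emitting the note when the latest release's scan actually ran and returned data, and wording it as "not reported for the latest release" where that cannot be confirmed. If `cve_ids` is a list, also consider storing it as a set, since this membership test runs once per CVE per release.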
Wondering if we should turn "latest release" into a link here and potentially remove the "Latest URL" link above.
Would it also be possible to report if there is no known fix yet?
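One way to produce the "resolved in the latest release" note this PR describes and also flag the case the comment above asks about (a vulnerability still reported for the latest release, i.e. no fix in the latest release yet). This is an added example, not the PR's own code or the project's `create_vulnerability_doc.py`; the package name, release names, URLs, CVE ids and the `ReleaseInfo` structure are all constructed. Note that a CVE absent from the latest release's list is classified as resolved only because that is what the scanner reported, which is exactly the assumption the author's comment about osv.dev no longer returning some vulnerabilities calls into question.

```python
# Added example (not the PR's code): classify each CVE reported for a
# package release relative to the package's latest release and render the
# kind of markdown notes the vulnerabilities docs page carries.
# All data below is constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class ReleaseInfo:
    name: str            # release name as it appears on the docs page
    url: str             # release page URL
    cve_ids: frozenset   # CVE ids the scanner reported for this release


# Constructed sample data: two releases of a hypothetical package.
# CVE-0000-0001 disappears in 1.1.0; CVE-0000-0002 is still reported there.
RELEASES = {
    "example-pkg": [
        ReleaseInfo("1.0.0", "https://example.invalid/releases/1.0.0",
                    frozenset({"CVE-0000-0001", "CVE-0000-0002"})),
        ReleaseInfo("1.1.0", "https://example.invalid/releases/1.1.0",
                    frozenset({"CVE-0000-0002"})),
    ]
}

RESOLVED = "resolved in latest release"
UNRESOLVED = "still reported in latest release (no fix in latest)"
LATEST = "this is the latest release"


def classify(pkg_releases, latest_name):
    """Return {release_name: {cve_id: status}} for one package.

    A CVE is 'resolved' only in the sense that the latest release's scan
    did not report it; an empty scan result would look the same.
    """
    by_name = {r.name: r for r in pkg_releases}
    latest = by_name[latest_name]        # KeyError here is a real data bug
    result = {}
    for rel in pkg_releases:
        statuses = {}
        for cve in sorted(rel.cve_ids):
            if rel.name == latest.name:
                statuses[cve] = LATEST
            elif cve in latest.cve_ids:
                statuses[cve] = UNRESOLVED
            else:
                statuses[cve] = RESOLVED
        result[rel.name] = statuses
    return result


def render(pkg, pkg_releases, latest_name):
    """Render a <details> block per release, in the docs page's style."""
    classes = classify(pkg_releases, latest_name)
    latest = {r.name: r for r in pkg_releases}[latest_name]
    out = []
    for rel in pkg_releases:
        out.append(f"<details>\n<summary>{pkg} {rel.name} -- "
                   f"{len(rel.cve_ids)} CVE(s)</summary>\n")
        # "Affected Release URL" is the wording suggested in review above.
        out.append(f"- Affected Release URL: [{rel.name}]({rel.url})")
        if rel.name != latest.name:
            out.append(f"- Latest Release URL: [{latest.name}]({latest.url})")
        for cve, status in classes[rel.name].items():
            out.append(f"- {cve}")
            if status == RESOLVED:
                out.append("  - **This vulnerability is resolved in the "
                           f"[latest release]({latest.url}).**")
            elif status == UNRESOLVED:
                out.append("  - **No fix in the latest release yet.**")
        out.append("</details>\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(render("example-pkg", RELEASES["example-pkg"], "1.1.0"))
```

Running the block prints one `<details>` block per constructed release; the 1.0.0 block links the latest release inline in the "resolved" note (the change the comment above suggests) and marks CVE-0000-0002 as having no fix in the latest release yet.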
Love it!
Great additions!
If possible, please add placeholders to begin using package names in this format. Either in this PR or later.
LGTM
Closes #777.
Adds links to each package release and the latest releases on the vulnerabilities docs page. This also adds notes under vulnerabilities that can be resolved by upgrading to the latest version.
Example: