Add links to releases and latest releases on vulnerabilities docs page #781
Conversation
KeplerBoyce
requested review from
IgorTodorovskiIBM,
MikeFultonDev,
DevonianTeuchter,
HarithaIBM and
v1gnesh
as code owners
|
Also, the osv.dev api no longer returns any vulnerabilities for those three packages (caddy, logrotate, and grafana) which previously returned vulnerabilities. This seems like it might have been a bug in the osv.dev api, as the versions of the packages shouldn't be affected by those CVEs (e.g. grafana build 2266 used grafana version 10.4.2, but the CVE says it only affects up through version 7.0.1. I just used the previous |
tools/create_vulnerability_doc.py
Outdated
| @@ -88,9 +115,22 @@ def format_quantities(cves): | |||
| for release, cves in releases.items(): | |||
| # Dropdown for each release -- expand to show vulnerabilities | |||
| file.write(f"<details>\n<summary>{release} -- {format_quantities(cves)}</summary>\n\n") | |||
|
|
|||
| # Url of release page and url of latest release (if this is not the latest release) | |||
| file.write(f"- Release URL: [{release}]({release_urls[release]})\n\n") | |||
There was a problem hiding this comment.
I would suggest changing this to Affected Release URL
tools/create_vulnerability_doc.py
Outdated
| # Show if this vulnerability is resolved in the latest release | ||
| if (release != latest_release_info[pkg]['name'] and | ||
| cve['id'] not in latest_release_info[pkg]['cve_ids']): | ||
| file.write(" - **This vulnerability is resolved in the latest release.**\n") |
There was a problem hiding this comment.
Wondering if we should turn "latest release" into a link here and potentially remove the "Latest URL" link above.
Would if it would also be possible to report if there is no known fix yet?
There was a problem hiding this comment.
How about this format?
If it is the latest release, you can use the affected release URL above, and otherwise, it provides the latest release URL below every vulnerability and says whether the vuln has been resolved or not.
|
Great additions! |
|
If possible, please add placeholders to begin using package names in this format. Either in this PR or later. |
Closes #777.
Adds links to each package release and the latest releases on the vulnerabilities docs page. This also adds notes under vulnerabilities that can be resolved by upgrading to the latest version.
Example: