Re: CVE details page
| From | Magnus Hagander |
|---|---|
| Subject | Re: CVE details page |
| Date | |
| Msg-id | CABUevExAYNieYAZSkCdN8_TA3NGHZVky4rL++HyFG-MdeNm0CQ@mail.gmail.com |
| In response to | CVE details page ("Jonathan S. Katz" <jkatz@postgresql.org>) |
| Responses | Re: CVE details page |
| List | pgsql-www |
On Mon, Mar 22, 2021 at 4:43 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
>
> Hi,
>
> When we have a release that contains CVEs, we currently link to a CVE
> authority to display the full details about that CVE. This has presented
> a few issues:
>
> - The CVE authority does not publish the CVE details when the release is
> made; the window for this happening can vary
> - As a result, we can't link to that page from the news announcement;
> when we have in the past, we'll get reports about the URL 404ing
>
> This patchset aims to remedy this by creating a page that houses the
> details about a CVE. It includes the additional description that is
> provided to the CVE authority and allows for the details to be published
> as soon as the CVE is published. See attached screenshot.
>
> 0001 updates the current CVE ID validator to match what MITRE has put
> forth on the numbering (7 digits! It does say in places it can be
> "arbitrary amounts" but the official examples go up to 7 digits), and

This one should probably change the error message as well?

> 0002 refactors a function we used to generate our internal CVE IDs so it
> can be used in multiple places, e.g. its use in 0003.

I applaud you for adding what may be the first docstring in pgweb :)

I don't think you need to be consistent with the previous error since it's a "never happens" error, you can just let the ValidationError through. I also don't mind if you prefer keeping it :)

0003

* can we make the purging a bit more specific? That is, only purge the actually edited one? See for example how news/ does it.
* is there really a need to support case insensitive cve in the URL? We don't support case insensitive URLs anywhere else... I suggest also making the URLs we generate ourselves be lowercase, even if we keep the insensitivity in the matching
* The query for "versions" needs a .select_related('version')

Rest LGTM.

(did not review the HTML itself, but since the output looks good and has already been approved..)

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
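The two points the review touches on, a CVE ID validator that accepts 4 to 7 sequence digits and case-insensitive matching that still emits lowercase URLs, as an added illustration that is not pgweb's code: the regex, the error class and the `/security/cve/` path are assumptions made for this example.

```python
import re

# CVE id syntax as discussed in the thread: "CVE-" + 4-digit year + "-" + sequence.
# MITRE requires at least 4 sequence digits; the 7-digit cap is the assumption the
# patch under review makes (MITRE says "arbitrary", its examples stop at 7).
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,7})$")


class CveValidationError(ValueError):
    """Raised when a string is not a well-formed CVE identifier (hypothetical class)."""


def validate_cve_id(value: str) -> str:
    """Return the canonical upper-case form of a CVE id, or raise CveValidationError.

    Matching is case-insensitive (mirroring the lenient URL matching discussed),
    but the canonical form handed back is always upper-case.
    """
    candidate = value.strip().upper()
    if _CVE_RE.match(candidate) is None:
        # Error text names the accepted shape, as the review suggests updating.
        raise CveValidationError(
            f"{value!r} is not a valid CVE id (expected CVE-YYYY-NNNN, 4 to 7 digits)"
        )
    return candidate


def is_valid_cve_id(value: str) -> bool:
    """Boolean wrapper around validate_cve_id for callers that do not want exceptions."""
    try:
        validate_cve_id(value)
    except CveValidationError:
        return False
    return True


def cve_url_path(value: str) -> str:
    """Build the lower-case URL path for a CVE page (path prefix is an assumption)."""
    canonical = validate_cve_id(value)
    return f"/security/cve/{canonical.lower()}/"


if __name__ == "__main__":
    # Constructed sample ids: a short one, the longest accepted, and two rejects.
    for sample in ("cve-2021-1234", "CVE-2021-1234567", "CVE-2021-123", "CVE-21-1234"):
        print(sample, "->", cve_url_path(sample) if is_valid_cve_id(sample) else "rejected")
```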