Add affected attribute format #175

Merged
merged 7 commits into from
Dec 14, 2023
Changes from 4 commits
28 changes: 28 additions & 0 deletions README.md
@@ -26,6 +26,34 @@ generate the `.yaml` entries here.

## Using this data

### Marking specific attributes
It can be helpful to know which specific code elements of a package are vulnerable and this is done by appending an attribute and list of module paths starting from the top level module of a package to the OSV payload. Eg.
```json
{
"attribute": "ImageFont",
"modules": ["PIL"]
}
```
which is equivalent to `PIL:ImageFont`. If a second attribute `ImageFont2` is also affected then a second payload should be added and delimited with a `;`. Eg.
```
{
attribute: "ImageFont",
modules: ["PIL"];
attribute: "ImageFont2",
modules: ["PIL"]
}
```
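Review bot: the second fenced block in this section is not parseable JSON: its keys are unquoted and a `;` separates two objects inside one pair of braces, and unlike the first block the fence carries no `json` tag, so anyone copying it will emit a payload no JSON parser accepts. Represent several affected attributes as a JSON array of the single-attribute objects, e.g. `[{"attribute": "ImageFont", "modules": ["PIL"]}, {"attribute": "ImageFont2", "modules": ["PIL"]}]`, and tag both fences as ```json. The introducing sentence also leaves open whether each `modules` entry is a full dotted path and whether `attribute` may itself be dotted (for example a method on a class); stating that here would prevent divergent encodings across advisories.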
Member

0.02c: I don't think we should invent custom syntax at the serialization level here. If our goal is to express the dot product, maybe both can just be arrays?

```json
{
  "attributes": ["ImageFont", "ImageFont2"],
  "modules": ["PIL"]
}
```

Member

(This might have negative consequences I haven't thought of yet.)

Another option would be to have this represented as an array of these objects, e.g.:

```json
[
  { "attribute": "ImageFont", "modules": ["PIL"] },
  { "attribute": "ImageFont2", "modules": ["PIL"] }
]
```

Contributor Author

I should have probably used a better example here, but the idea is that the two should be completely independent (code, paths, etc...) aside from the top level module. I prefer option two of your suggestions for this, but @oliverchang what do you think best fits the osv style?

Contributor

+1 to not inventing custom syntax. We should keep this as plain JSON.

```json
[
  { "attribute": "ImageFont", "modules": ["PIL"] },
  { "attribute": "ImageFont2", "modules": ["PIL"] }
]
```

as @woodruffw suggested seems pretty good to me!

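The array-of-objects form settled on in the thread above, consumed by a small checker that expands each entry into `module:attribute` paths (so a `modules` list with several paths, as in the README's condensed form, covers every re-export) and matches them against a file's imports. This is an added example, not code from the PR or from the advisory database project; the entries and source text it uses are constructed for illustration.

```python
"""Expand affected-attribute entries into qualified paths and match them
against a file's imports. Entry shape is the array-of-objects form from the
thread; the AFFECTED entries and sample source are constructed, not real."""
from __future__ import annotations
import ast

AFFECTED = [
    {"attribute": "ImageFont", "modules": ["PIL"]},
    {"attribute": "ImageFont2", "modules": ["PIL"]},
    {"attribute": "JSONField",
     "modules": ["django.db.models", "django.db.models.fields.json"]},
]

def expand_paths(entries: list[dict]) -> set[str]:
    """One 'module:attribute' path per listed module, so the condensed
    multi-module form expands to every import path it covers."""
    paths: set[str] = set()
    for entry in entries:
        attr, modules = entry["attribute"], entry["modules"]
        if not isinstance(modules, list) or not modules:
            raise ValueError(f"'modules' must be a non-empty list for {attr!r}")
        paths.update(f"{mod}:{attr}" for mod in modules)
    return paths

def imported_symbols(source: str) -> set[str]:
    """'module:name' for `from module import name`, plus bare 'module'
    for `import module` (aliases ignored; relative imports skipped)."""
    found: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            found.update(f"{node.module}:{a.name}" for a in node.names)
        elif isinstance(node, ast.Import):
            found.update(a.name for a in node.names)
    return found

def affected_imports(source: str, entries: list[dict]) -> set[str]:
    """Affected paths the file imports. A `from X import attr` hit is exact;
    a bare `import X` of an affected module is reported as 'X:*', since the
    attribute may be reached by attribute access this static check ignores."""
    affected = expand_paths(entries)
    imports = imported_symbols(source)
    exact = affected & imports
    modules_hit = {p.split(":", 1)[0] for p in affected} & imports
    return exact | {f"{m}:*" for m in modules_hit}

if __name__ == "__main__":
    sample = "from django.db.models.fields.json import JSONField\nimport PIL\n"
    print(sorted(affected_imports(sample, AFFECTED)))
```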

attributes which are accessible via multiple paths may be represented in a condensed form. Consider the attribute `django.db.models:JSONField` from the [django project](https://github.com/django/django/blob/0ee2b8c326d47387bacb713a3ab369fa9a7a22ee/django/db/models/__init__.py#L99)
The attribute `django.db.models:JSONField` is a re-export of `django.db.models.fields.json:JSONField` and both are valid paths.
These can be condensed to a more compact OSV representation as
```
{
attribute: "JSONField",
modules: ["django.db.models", "django.db.models.fields.json"]
}
```

### Tooling

This data is exposed by [`pip-audit`](https://github.com/pypa/pip-audit),
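Review bot: the condensed `JSONField` example uses unquoted keys (`attribute:`, `modules:`) and an untagged fence, so it is not valid JSON even though the text calls it an OSV representation; quote the keys and tag the fence ```json so it matches the first example in this section. The section also says the object is appended "to the OSV payload" without naming the field it lives in; documenting that location, and that `django.db.models:JSONField` is a re-export of the definition in `django.db.models.fields.json`, would let consumers such as `pip-audit` (referenced under Tooling) interpret the data consistently.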