Hi,

It appears that advisories imported by GitHub have incorrect affected ecosystems.

I noticed that the CVEs:

- CVE-2023-32732 <https://www.cve.org/CVERecord?id=CVE-2023-32732>
- CVE-2023-1428 <https://www.cve.org/CVERecord?id=CVE-2023-1428>
- CVE-2023-32731 <https://www.cve.org/CVERecord?id=CVE-2023-32731>

have all been imported into github.com/advisories as affecting something like:

- Grpc.AspNetCore.Server (NuGet) < 2.52.0
- Grpc.Net.Client (NuGet) < 2.52.0
- grpc (Pub) < 3.2.0
- grpc (RubyGems) < 1.53.0
- grpcio (pip) < 1.53.0
- io.grpc:grpc-protobuf (Maven) < 1.53.0

See:

- github.com/advisories/GHSA-6628-q6j9-w8vg
- github.com/advisories/GHSA-9hxf-ppjv-w6rq
- github.com/advisories/GHSA-cfgp-2977-2fmm

I've filed corrections:

- github.com/github/advisory-database/pull/2486
- github.com/github/advisory-database/pull/2487
- github.com/github/advisory-database/pull/2488

I noticed that the CVE database does have a "versions" section, saying something like "affected from 1.53 through 1.54", which probably got carried over into other ecosystems.

I know the "pub" package (Dart) is unaffected because it's entirely written in Dart, so fixes in C++ probably don't fix anything related to the Dart implementation.

Is there some other metadata the gRPC team could provide to distinguish ecosystems? Or should we consider updating the "gRPC CVE Process" <https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md> to publish the CVEs on GitHub directly (either exclusively or alongside the CVE database)? Afaik, publishing advisories through https://github.com/grpc/grpc/security will allow better control of affected ecosystems and version ranges.

The GitHub advisory database is afaik used by Dependabot, thus incorrect information here will flag advisories for users who are not affected. I think repository owners are likely to get security alerts, so it might be nice to provide the best possible metadata.

Regards,
Jonas Finnemann Jensen

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/8c8cf371-6056-44b4-b30f-6ff05f365022n%40googlegroups.com.
