Hi,

It appears that advisories imported by GitHub have incorrect affected 
ecosystems.

I noticed that CVEs:

   - CVE-2023-32732 <https://www.cve.org/CVERecord?id=CVE-2023-32732>
   - CVE-2023-1428 <https://www.cve.org/CVERecord?id=CVE-2023-1428>
   - CVE-2023-32731 <https://www.cve.org/CVERecord?id=CVE-2023-32731>

have all been imported into github.com/advisories as affecting something 
like:

   - Grpc.AspNetCore.Server (NuGet) < 2.52.0
   - Grpc.Net.Client (NuGet) < 2.52.0
   - grpc (Pub) < 3.2.0
   - grpc (RubyGems) < 1.53.0
   - grpcio (pip) < 1.53.0
   - io.grpc:grpc-protobuf (Maven) < 1.53.0

See:

   - github.com/advisories/GHSA-6628-q6j9-w8vg
   - github.com/advisories/GHSA-9hxf-ppjv-w6rq
   - github.com/advisories/GHSA-cfgp-2977-2fmm

I've filed corrections:

   - github.com/github/advisory-database/pull/2486
   - github.com/github/advisory-database/pull/2487
   - github.com/github/advisory-database/pull/2488

I noticed that the CVE database does have a "versions" section, saying 
something like:
"affected from 1.53 through 1.54".
Which probably got carried over into other ecosystems.
I know the "pub" package (Dart) is unaffected because it's entirely written 
in Dart, so fixes in C++ probably don't fix anything related to the Dart 
implementation.

Is there some other metadata the gRPC team could provide to distinguish 
ecosystems?
Or should we consider updating the "gRPC CVE Process" 
<https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md> to 
publish the CVEs on GitHub directly (either exclusively or alongside the 
CVE database)?

AFAIK, publishing advisories through https://github.com/grpc/grpc/security 
will allow better control of affected ecosystems and version ranges.

The GitHub advisory database is AFAIK used by Dependabot; thus, incorrect 
information here will flag advisories for users who are not affected. I 
think repository owners are likely to get security alerts.
So it might be nice to provide the best possible metadata.

Regards, Jonas Finnemann Jensen.
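To make the false-positive concrete, here is an added example (not part of the mail, the gRPC project, or GitHub's tooling) that evaluates an OSV/GHSA-style "affected" list the way a dependency scanner would, and shows how removing the spurious Pub entry, as the correction PRs do, changes the result. The advisory JSON, its id, and the version-comparison rule (dotted integers only) are constructed assumptions; the ecosystem names follow GitHub's convention ("PyPI" rather than "pip").

```python
import json

# Constructed OSV/GHSA-style advisory mirroring two of the entries listed in the mail.
# The id is a placeholder; the ranges are illustrative, not copied from the real GHSA files.
ADVISORY_JSON = """
{
  "id": "GHSA-xxxx-xxxx-xxxx",
  "aliases": ["CVE-2023-32732"],
  "affected": [
    {"package": {"ecosystem": "Pub", "name": "grpc"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "3.2.0"}]}]},
    {"package": {"ecosystem": "PyPI", "name": "grpcio"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.53.0"}]}]}
  ]
}
"""

def load_advisory():
    return json.loads(ADVISORY_JSON)

def parse_version(v):
    # Assumption: plain dotted integers; real ecosystems have their own version grammars.
    return tuple(int(p) for p in v.split("."))

def in_range(version, events):
    """ECOSYSTEM range semantics: affected from 'introduced' (inclusive)
    until 'fixed' (exclusive). Events are assumed to be in ascending order."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected

def is_affected(advisory, ecosystem, name, version):
    """Scanner-style check: does any affected entry match this package and version?"""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        if any(in_range(version, r["events"]) for r in entry.get("ranges", [])):
            return True
    return False

def drop_ecosystem(advisory, ecosystem):
    """The shape of the correction: remove entries for an ecosystem whose
    implementation does not share the vulnerable code (here, the Dart package)."""
    corrected = dict(advisory)
    corrected["affected"] = [e for e in advisory["affected"]
                             if e["package"]["ecosystem"] != ecosystem]
    return corrected
```

With the advisory as imported, a Dart user on grpc 3.1.0 is flagged; after `drop_ecosystem(adv, "Pub")` the same lookup returns False while the PyPI entry still matches grpcio 1.52.1 and not 1.53.0.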

To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/8c8cf371-6056-44b4-b30f-6ff05f365022n%40googlegroups.com.
