Should we try to get a repo-local advisory for RUSTSEC-2023-0064?

[EliahKagan]

The old vulnerability RUSTSEC-2023-0064 has GHSA-rrjw-j4m2-mf34 in the GitHub Advisory Database, but no repository-local advisory.

• Maybe we shouldn't: A repo-local advisory is not needed to help users receive updates--plus, this was from some time ago and so probably no one is using an affected version anymore anyway.
• Maybe we can't: I am not sure it is actually possible to create one for it properly. This is something I would have to look into. Just opening a new repo-local advisory would give it a different GHSA identifier which I think would increase, rather than decreasing, confusion.

But there are also a couple of reasons it may be beneficial to have one, if it is somehow possible:

• It is convenient and useful for people to be able to see advisories for all vulnerabilities in the history of the project by looking on the Security tab.
• As discussed in http://github/advisory-database#4317, a repository-local advisory would make it possible to credit the original reporter both there and in the global advisory. (To be clear, I think my concern expressed in comments there was, while having some merit, in hindsight overstated. The PR was later merged, which I think was the right thing to do. Even with me being the only contributor credited in metadata, the advisory text does make the original reporter clear.)

I reiterate that I don't know if there is actually a way to make a repo-local advisory with the same GHSA ID as an entry in the GitHub Advisory Database that was imported into it from an external database. (In this case the RUSTSEC Advisory Database.)

I do not think a repo-local advisory for that should be made unless that can be done. A second GHSA ID for GHSA-rrjw-j4m2-mf34 itself would make the situation with GHSA-rrjw-j4m2-mf34 and its sequel GHSA-98p4-xjmm-8mfh basically impossible to understand.

But if having a repo-local advisory for GHSA-rrjw-j4m2-mf34 is judged valuable, then I'd be interested to look/ask into it.

[Byron]

Thanks for bringing this up.

I wouldn't hurt to ask if that's possible if IDs can remain the same, which is certainly something the staff would have to do. If the 223,080 unreviewed advisories are any indication, they are probably very busy, but it might be worth a shot anyway.

The value to me would primarily lie in crediting the original reporter properly, as I also think nobody has to discover the advisory anymore as it has been fixed for quite a while now.

[EliahKagan]

Thanks. I've opened github/advisory-database#4620 to see.