We need a way to deduplicate the same vulnerability published in multiple advisories by different sources.
This can be useful, for example, when it's determined that a vulnerability is patched and we wish to ignore that vuln; it would be inconvenient to have to ignore every advisory for that one specific vulnerability.
Currently it is common for each advisory to share a common alias (e.g. a CVE number), rather than aliasing each other directly, which makes de-duplicating difficult (and confusing) for API consumers. E.g. https://osv.dev/vulnerability/PYSEC-2022-42991 and https://osv.dev/vulnerability/GHSA-v3c5-jqr6-7qm8
A potential solution is to provide an API for finding all transitive aliases and return them, this is similar to what the frontend currently does.
Also see #888 for some reasons to not assume shared aliases mean they are the same vulnerability.
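The transitive-alias lookup proposed above, as an added example that is not code from osv.dev or from the issue author. It builds an undirected graph from each advisory's `aliases` list, walks it breadth-first to collect every ID reachable from a starting advisory, and uses that closure to answer the "ignore one, ignore all" question from the issue. The advisory records are constructed for this example: the two IDs come from the issue, while `CVE-2022-XXXXX`, `CVE-2022-YYYYY` and `GHSA-xxxx-xxxx-xxxx` are placeholders. The optional `max_depth` limit is a hedge against the caveat in #888 (a long chain of shared aliases is weaker evidence of sameness than a direct alias), not an osv.dev API parameter.

```python
from collections import defaultdict, deque

# Constructed sample advisories (not real OSV records). The PYSEC and GHSA IDs
# are the ones named in the issue; the CVE IDs and the third GHSA are placeholders.
ADVISORIES = {
    "PYSEC-2022-42991": {"aliases": ["CVE-2022-XXXXX"]},
    "GHSA-v3c5-jqr6-7qm8": {"aliases": ["CVE-2022-XXXXX"]},
    "GHSA-xxxx-xxxx-xxxx": {"aliases": ["CVE-2022-YYYYY"]},
}


def build_alias_graph(advisories):
    """Undirected graph: every advisory ID is linked to each of its aliases.

    An alias that has no advisory record of its own (e.g. a bare CVE ID) still
    becomes a node, because that shared node is what joins the advisories.
    """
    graph = defaultdict(set)
    for vuln_id, record in advisories.items():
        graph[vuln_id]  # make sure isolated advisories appear as nodes
        for alias in record.get("aliases", []):
            graph[vuln_id].add(alias)
            graph[alias].add(vuln_id)
    return graph


def transitive_aliases(graph, vuln_id, max_depth=None):
    """All IDs reachable from vuln_id through alias links, excluding itself.

    max_depth (hypothetical knob) bounds how many hops are followed, so callers
    can choose not to treat distant alias chains as the same vulnerability.
    """
    seen = {vuln_id}
    queue = deque([(vuln_id, 0)])
    while queue:
        current, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for neighbour in graph.get(current, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append((neighbour, depth + 1))
    seen.discard(vuln_id)
    return sorted(seen)


def dedup_groups(graph):
    """Partition every ID into groups of mutually (transitively) aliased IDs."""
    groups = []
    assigned = set()
    for vuln_id in sorted(graph):
        if vuln_id in assigned:
            continue
        group = sorted([vuln_id] + transitive_aliases(graph, vuln_id))
        assigned.update(group)
        groups.append(group)
    return groups


def is_ignored(graph, ignored_ids, vuln_id, max_depth=None):
    """True if vuln_id or any of its transitive aliases is on the ignore list.

    This is the use case from the issue: ignoring one advisory for a patched
    vulnerability should cover the other advisories for the same vulnerability.
    """
    closure = set(transitive_aliases(graph, vuln_id, max_depth)) | {vuln_id}
    return bool(closure & set(ignored_ids))


if __name__ == "__main__":
    g = build_alias_graph(ADVISORIES)
    print(transitive_aliases(g, "PYSEC-2022-42991"))
    print(dedup_groups(g))
    print(is_ignored(g, {"GHSA-v3c5-jqr6-7qm8"}, "PYSEC-2022-42991"))
```

The graph is undirected on purpose: two advisories that each point at the same CVE never mention one another, so following only outgoing `aliases` edges from one of them would stop at the CVE and never reach the other advisory.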