Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reducing code duplication between advisories #628

Open
mamccorm opened this issue Dec 19, 2023 · 1 comment
Open

Reducing code duplication between advisories #628

mamccorm opened this issue Dec 19, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@mamccorm
Copy link
Member

mamccorm commented Dec 19, 2023

Summary

Currently, we require a dedicated .yaml file for each application version, with it's own set of advisories. Often these can be more or less copy/paste between app versions.

Take for example grafana. There are (at the time of writing), three supported versions: v8, v9.5 and v10.x (latest). This would require us to create at least three advisory YAMLs (grafana-8.yaml, grafana9.5.yaml, grafana.yaml).

I believe this format is required for vulnerability feeds and scanners to parse, but perhaps there is a better way to generate these, whilst maintaining a single yaml file for each application?

Ideal outcome

A single .yaml file for each application, i.e we'd only ever have a 'grafana.yaml' with advisory data covering all releases.

How might we achieve this?

Perhaps we could introduce a 'affected_versions' parameter. By default when this is not set, the CVE advisory is only appliciable to the latest releases (or perhaps we default to being applicable to all?). Then we can use 'affected_versions' to pin an advisory to a specific version.

I guess we'd need to create some logic to then generate the individual .yamls for each release in the format the scanners are looking for? Which in itself might be challenging.

I'm sure there may be other options too, but the hope / goal would be to reduce engineering toil by having to make copies of the .yaml each time we need to produce a pinned version of an application, or update advisories in multiple files for multiple releases?

@mamccorm mamccorm added the enhancement New feature or request label Dec 19, 2023
@luhring
Copy link
Collaborator

luhring commented Dec 20, 2023

(Somewhat related to #278)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants