Document the properties of a high quality OSV record #2193
base: master
Great doc! I left some very soft suggestions and nits along with a few grammatical fixes.
Co-authored-by: Jon <darakian@github.com>
Feedback was that it was possible to perceive this as treating known unfixed vulnerabilities as being of lower quality than ones with known/available fixes, and that is not the case, as such known unfixed vulnerabilities can and do legitimately exist (as is the case when the vulnerable package is orphaned). These are legitimate true positives with no available fixed version.
Co-authored-by: Chris Bloom <chrisbloom7@github.com>
Reviewer feedback.
…ev into document_quality_bar
"Managing the Perishability of OSV Records" is in the early ideation phase.
Thanks @chrisbloom7, I really appreciate you and @darakian taking the time to give it a thorough review, it's all the better for your time and effort.
❤️
Looks good to me 👍
I realised I'd omitted the `events[]` array in the JSON path when talking about `introduced` and `fixed`/`last_affected`. Explicitly refer to commits *and* versions when discussing temporal ordering of `introduced` and `fixed`/`last_affected`.
…ev into document_quality_bar
I like the clarification in the documentation. I think this will be very useful to the OSV community & downstream consumers.
Based on feedback from Duy Truong about Android's patching approach.
Reference from existing documentation on data.
Part of #2186
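The `events[]` ordering that the commit message above refers to (`introduced` must come before `fixed`/`last_affected` within each `affected[].ranges[]` entry, and a range with only an `introduced` event is a legitimate known-unfixed record), as an added check that is not code from this PR or from the OSV project. The record below is constructed, `EXAMPLE-0001` is a placeholder id, and version ordering is a dotted-integer simplification of real SemVer comparison.

```python
# Added example (not code from the PR or the OSV project): a minimal check that the
# events[] entries of each affected[].ranges[] range in an OSV record are temporally
# ordered. Version comparison is a dotted-integer simplification of SemVer.

def parse_version(v):
    """Order dotted numeric versions as tuples (simplified; no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def check_range(rng):
    """Return the ordering problems found in one ranges[] entry."""
    problems = []
    events = rng.get("events", [])
    if not events or "introduced" not in events[0]:
        return ["events[] must start with an 'introduced' event"]
    if rng.get("type") == "GIT":
        # Commit order depends on repository history, which cannot be checked offline.
        return problems
    introduced = None
    for i, ev in enumerate(events):
        if "introduced" in ev:
            introduced = ev["introduced"]
        elif "fixed" in ev or "last_affected" in ev:
            key = "fixed" if "fixed" in ev else "last_affected"
            if introduced is None:
                problems.append(f"events[{i}]: '{key}' without a preceding 'introduced'")
            elif parse_version(ev[key]) <= parse_version(introduced):
                problems.append(f"events[{i}]: '{key}' {ev[key]} is not after 'introduced' {introduced}")
            introduced = None  # the range may open a new introduced/fixed pair next
    return problems


def check_record(record):
    """Check every range in the record; an empty list means no ordering problems."""
    problems = []
    for a, affected in enumerate(record.get("affected", [])):
        for r, rng in enumerate(affected.get("ranges", [])):
            problems += [f"affected[{a}].ranges[{r}].{p}" for p in check_range(rng)]
    return problems


# Constructed record: a fixed range, a legitimately unfixed range, and a mis-ordered range.
SAMPLE_RECORD = {
    "id": "EXAMPLE-0001",  # placeholder identifier, not a real OSV id
    "affected": [
        {"ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.3"}]}]},
        {"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]},  # known, unfixed
        {"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"last_affected": "1.9.0"}]}]},
    ],
}
```

Running `check_record(SAMPLE_RECORD)` flags only the third range; the unfixed second range passes, matching the point made in the commit message about known unfixed vulnerabilities.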