Start at describing structure and meaning of the vuln json schema #34
Conversation
|
@nstarke or @evilpacket can you look at the PR content and comment on the open questions about the meaning of the data fields? |
|
@sam-github Nick is no longer on the node security / lift security team and thus may not have time anymore to work on any of this? I'll let him confirm that etc. I went through and gave some quick comments. |
| |`vulnerable_versions`|semver-spec|vulnerable versions?|"<99.999.9999"| | ||
| XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? | ||
|
|
||
| |`patched_versions`|semver-spec|versions after fixed?|"<0.0.0"| |
There was a problem hiding this comment.
If there is no available fix can this be null or undefined or something like that? (Hmmm... perhaps an empty string?)
There was a problem hiding this comment.
can be <0.0.0, both a valid semver, and an empty set
| XXX do we need this, or is it just a mongo internal field? | ||
|
|
||
| |`title`|String|Short readable description|"Directory Traversal"| | ||
| |`author`|String|Finder of vuln|"Liang Gong"| |
There was a problem hiding this comment.
i think credit is more appropriate. it also better suited when there are more than one researchers to credit.
| XXX see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743 for example | ||
|
|
||
| |`vulnerable_versions`|semver-spec|vulnerable versions?|"<99.999.9999"| | ||
| XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? |
| |`vulnerable_versions`|semver-spec|vulnerable versions?|"<99.999.9999"| | ||
| XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? | ||
|
|
||
| |`patched_versions`|semver-spec|versions after fixed?|"<0.0.0"| |
There was a problem hiding this comment.
can be <0.0.0, both a valid semver, and an empty set
| XXX What is exact syntax of semver-spec? Is it https://www.npmjs.com/package/semver#ranges ? | ||
|
|
||
| |`patched_versions`|semver-spec|versions after fixed?|"<0.0.0"| | ||
| XXX so vulnerable versions are `vulnerable_versions` MINUS `patched_versions`? And any other versions are assumed not vulnerable? |
There was a problem hiding this comment.
i believe having the vulnerable_versions only is enough. (no need for patched_versions)
| |`references`|String, multiline markdown bullet list|URLs of interest?|"* [PoC by Liang Gong](https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/badjs-sourcemap-server)"| | ||
| XXX what is structure? do they have to be markdown URLs? | ||
|
|
||
| |`cvss_vector`|CVSS vector|CVSS vector|"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"| |
There was a problem hiding this comment.
should be clear whether v2 or v3. v3 is preferred, and indeed appears in the example vector.
No description provided.