Skip to content

docs: add documentation for CVE records#1182

Draft
DarshanCode2005 wants to merge 6 commits into
NixOS:mainfrom
DarshanCode2005:document-issue
Draft

docs: add documentation for CVE records#1182
DarshanCode2005 wants to merge 6 commits into
NixOS:mainfrom
DarshanCode2005:document-issue

Conversation

@DarshanCode2005

Copy link
Copy Markdown
Collaborator

Closes #182

Adding information on what the tracker stores on each CVE

@fricklerhandwerk fricklerhandwerk left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty good and can just be made even simpler by not repeating what's already in the code.

Comment thread docs/cve_records.md Outdated
Comment thread docs/cve_records.md Outdated
| `assigner` / `requester` | CNA organizations that assigned or requested the ID |
| `date_published`, `date_updated`, `date_reserved` | Timestamps from the CVE Program |
| `serial` | Record revision number |
| `triaged` | Internal flag: a security team member has reviewed this CVE |

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's not correct IIRC, it simply says whether it was touched by the system on ingestion (or matching, not sure). But we're not using that for anything. It was originally intended to avoid matching over a CVE twice. The new rematching logic by @adekoder allows displacing that with the fact that a suggestion is linked to it (modulo naming changes proposed by @florentc).

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I mixed that up, because it is not doing any useful work , I will remove it from the doc

Comment thread docs/cve_records.md Outdated

Implementation: [`src/shared/models/cve.py`](../src/shared/models/cve.py).

## Top-level record (`CveRecord`)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm very skeptical whether we should duplicate information that already lives in the code. It should be either avoided entirely or have an extraordinarily strong justification. You already linked to the implementation, so why repeat anything that we can find there?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair point. The field tables mostly restated the model, and anyone who needs the details can read cve.py or the upstream schema. I'll drop them and keep the doc focused on structure and why triage is still manual.

Comment thread docs/cve_records.md

Each `Version` entry expresses a constraint: exact version (`version`), upper bound (`less_than`, `less_equal`), and whether that range is affected.

## Why matching needs manual triage

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good question to answer, but it may be better suited for a more high-level document such as a (to be added) entry point to the design decisions (or a note in one of them), or even the top-level README. But if there's no obvious other place, it's probably fine to leave it here for now.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's discuss in sync, for now not moving this.

Comment thread docs/cve_records.md Outdated
Comment thread docs/cve_records.md Outdated

CVE records describe upstream software by vendor names, product names, and CPE strings. Nixpkgs identifies packages by attribute paths and derivation names. Those naming schemes rarely align one-to-one, and version comparison in CVE data is often incomplete or imprecise.

The tracker proposes links automatically, but a human must verify each match, ignore irrelevant packages, and publish an issue when Nixpkgs is actually affected.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A good opportunity to link to the implementation!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Document what exacty is contained in a CVE record in the Readme

2 participants