-
Notifications
You must be signed in to change notification settings - Fork 38
docs: add documentation for CVE records #1182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
0dc1b5b
f76731f
781cb53
1870449
a7d9fb9
c807853
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,16 @@ | ||||||||
| # CVE records | ||||||||
|
|
||||||||
| The tracker parses [CVE JSON 5.0](https://github.com/CVEProject/cve-schema) records from the [official CVE List](https://github.com/CVEProject/cvelistV5) and stores them in the database. | ||||||||
| The schema follows the upstream format; see the [CVE record content rules](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5_CVE_Record_Content) and the [schema reference](https://cveproject.github.io/cve-schema/schema/docs/) for field definitions. | ||||||||
|
|
||||||||
| Implementation: [`src/shared/models/cve.py`](../src/shared/models/cve.py). | ||||||||
|
|
||||||||
| A `CveRecord` has one or more `Container`s (CNA or ADP). Matching mainly uses each container's `AffectedProduct` entries: vendor/product names, package names, CPE strings, and version constraints. | ||||||||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||
|
|
||||||||
| ## Why matching needs manual triage | ||||||||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is a good question to answer, but it may be better suited for a more high-level document such as a (to be added) entry point to the design decisions (or a note in one of them), or even the top-level README. But if there's no obvious other place, it's probably fine to leave it here for now.
Collaborator
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's discuss in sync, for now not moving this.
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's move it into a new |
||||||||
|
|
||||||||
| CVE records describe upstream software by vendor names, product names, and CPE strings. | ||||||||
| Nixpkgs identifies packages by attribute paths and derivation names. | ||||||||
| Those naming schemes rarely align one-to-one, and version information in CVE data is often incomplete or imprecise. | ||||||||
|
|
||||||||
| The tracker [proposes links automatically](../src/shared/listeners/automatic_linkage.py), but a human must verify each match, ignore irrelevant packages, and publish an issue when Nixpkgs is actually affected. | ||||||||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is conflating two ideas:
It's fine to link from this sentence to a document which talks about the implementation overall, like the upper part of the current file. But the specifics, including the link to the code, should be in that other document IMO. |
||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.