Handle Gitlab false positive #1447
Comments
Some input from today's weekly call:
> Adding to the above: in the git-based design, the original data sources persist in our storage. The import operations do not overwrite the existing data from the same data source; instead they maintain a diff-based (call it git?) record of all the changes an advisory goes through. This shows a timeline of the advisory as it grows. The benefits are:
>
> The implementation of such a model needs to be discussed in detail after the idea sounds convincing enough.
This https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.owasp.antisamy/antisamy/CVE-2023-49093.yml started as an advisory and then became a "False positive".
GitLab updates the description and title in these cases, and there are 150+ such advisories.
The outcome is invalid data. We should support these and update accordingly.
See https://public.vulnerablecode.io/packages/pkg:maven/org.owasp.antisamy/[email protected]?search=antisamy
There, https://public.vulnerablecode.io/vulnerabilities/VCID-zx5k-4m3n-aaaj does NOT apply to antisamy.
See attached for a list of patterns found in GitLab advisories
fp.txt
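An added example (not VulnerableCode's or GitLab's own code) of how an importer could triage such advisories: it reads each advisory's title and description and routes those carrying a false-positive marker to a withdraw path instead of importing them as affected packages. The field names and marker phrases are assumptions; the real pattern list is the attached fp.txt.

```python
import re

# Constructed sample advisories in the shape of GitLab advisory YAML after
# loading into dicts (field names are an assumption: identifier, package_slug,
# title, description). The second one was rewritten by GitLab as a false positive.
SAMPLE_ADVISORIES = [
    {
        "identifier": "CVE-EXAMPLE-0001",  # placeholder, not a real CVE
        "package_slug": "maven/org.example/lib",
        "title": "Improper input validation",
        "description": "lib before 1.2.3 does not validate input.",
    },
    {
        "identifier": "CVE-EXAMPLE-0002",  # placeholder, not a real CVE
        "package_slug": "maven/org.example/other",
        "title": "False positive",
        "description": "This advisory does not apply to other. False positive.",
    },
]

# Marker phrases are assumed here; the authoritative list is the attached fp.txt.
# Keep these narrow: a loose pattern would withdraw genuine advisories.
FALSE_POSITIVE_MARKERS = [
    r"\bfalse positive\b",
    r"\bdoes not apply to\b",
    r"\bnot affected\b",
]
_FP_RE = re.compile("|".join(FALSE_POSITIVE_MARKERS), re.IGNORECASE)


def is_false_positive(advisory: dict) -> bool:
    """Return True when the title or description carries a false-positive marker."""
    text = " ".join(str(advisory.get(f, "")) for f in ("title", "description"))
    return _FP_RE.search(text) is not None


def triage(advisories):
    """Split advisories into (to_import, to_withdraw) identifiers so the importer
    stops creating affected-package records for retracted advisories and can
    flag previously imported ones for removal."""
    to_import, to_withdraw = [], []
    for adv in advisories:
        (to_withdraw if is_false_positive(adv) else to_import).append(adv["identifier"])
    return to_import, to_withdraw


if __name__ == "__main__":
    print(triage(SAMPLE_ADVISORIES))
```

Because GitLab edits the existing file in place rather than deleting it, the withdraw path has to run on re-import too, not only on first sight of an advisory.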
@julianthome gentle ping... do you know if there is a list of patterns we can track? Thanks!
In the same domain, we should also find out whether there are other related unstructured patterns in GitLab and also: