Community contributions does not support > operator

[KateCatlin]

Hi all,

As a few of you have noted in Issues, our new community contributions feature is not supported for advisories that use a > operator (as opposed to a < or >= operator) when describing affected versions of a product.

Unfortunately, that operator is incompatible with the OSV schema, which is the format we use in this database. We are working with our Curation team to change the advisories using the > operator to an OSV-compatible format, but there are some instances that pose difficulties due to limitations in our ability to describe affected versions without it.

There are currently about 3 dozen advisories out of ~14,000 that could not be exported to this advisory database repository because of that incompatibility. Community members cannot make suggestions on this handful of affected advisories. Even if you remove all of the unsupported > operators, the update would still fail because there is no file in this repository to commit a change against.

We do not have a workaround at present, but we're aware it's an issue and we're actively tracking it.

I'm starting this discussion post as a place to collect feedback and share updates as they arise!

Thank you all in advance,

Kate Catlin
Senior Product Manager, Advisory Database

[Laim]

Hey Kate,

I'm looking to update these to include the Affected Versions and Patched Versions as it currently says Unknown, I take it these would fall under the same error? I can't find them in the advisor-database repo.

GHSA-jc9p-889f-c7jp
GHSA-p28f-73x9-f7vr
GHSA-q4hp-w7cp-76mv

[KateCatlin]

Hey Liam,

This one should be able to be contributed on:
GHSA-q4hp-w7cp-76mv

The other two I'm not sure why they're missing. Let me check with the team
and I'll circle back.

Kate

[KateCatlin]

Hey @Laim I have a happy answer for you: They are not subject to the version operator problem and will be available in the repo very soon and open to community contributions.

It seems you are one step ahead of us! We are currently backfilling every historical advisory from NVD into our database (it was previously incomplete). These advisories are available in the UI, but we're still slowly getting them into the repository here. Once that happens, you'll be able to add the metadata as normal.

That said, we only accept community contributions if the advisory is part of our eight supported ecosystems. You can read more about that here. Otherwise, we're unable to verify the tagged metadata or alert on it, so we just don't accept contributions for those at all.

[DaleGardner]

@KateCatlin This advisory:
GHSA-6h5x-7c5m-7cr7

Points to this discussion with the note:
Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator.

However, I do not see that it uses the '>' operator. Is this a mistake?

[KateCatlin]

Thanks @DaleGardner, it looks like they are accepted on this advisory, the "suggest improvements" link is showing now.

We did have a bug yesterday that we've since resolved, so I wonder if that's why the link was missing for you. It also looks like this advisory is being currently worked on:

I'll check in with the team to see if there are any other updates, but you should be good to go with a community contribution now.

[avivdolev]

Hey @KateCatlin
I'd like to update the package strings on GHSA-6qq8-5wq3-86rp , but it also references this issue.
Any idea when should I expect it to be open for PRs again?
Thanks!

Edit: if it helps, I think the ">v2.2.0" can simply be removed
Looks like the commit that introduced the issue is traefik/traefik@e2c5f37 , which was included since v2.0.0
It was fixed (as already referenced by the advisory) here traefik/traefik@e63db78 , so the correct "affected" value should be "< v2.2.8"

[KateCatlin]

Hi @avivdolev! Thanks for reaching out and for your effort to help the community. We haven't resolved this operator issue, but let me run this change by the Curation team to see if we want to edit it through backend channels. I'll report back!

[shelbyc]

@avivdolev @KateCatlin I just tried removing the > operator and it worked fine. @avivdolev do you want to submit the commit with the vulnerable code as a community contribution to get credit for finding it?

[chrisbloom7]

To follow up on @shelbyc's comment, if an improvement suggestion would remove all incompatible operators from the affected product version ranges then that would make the advisory compatible with our OSV converters and (barring any other validation errors) the form should submit without error.

[chrisbloom7]

To follow up on my comment, I'm totally wrong. I think in the very beginning you could still open the edit form even if we had an incompatible range operator, but we since changed that so that there is no link to the form (because there's also no underlying file to open a PR against). Sorry for the confusion, and thanks @KateCatlin for reminding me this was no longer the case.

[avivdolev]

@KateCatlin @chrisbloom7 @shelbyc thanks for helping!
@shelbyc The vulnerable code was already there so I don't deserve any credit :P I will submit a minor PR to fix package names

[KateCatlin]

Hello all! We've resolved this issue and replaced the > operator with inclusive versioning in our advisories. Our Curation team has been trained to no longer use this in the future.

There is one very specific edge case which is still unable to be translated to OSV, but since that case does not relate to the discussion here we'll consider it separately.

Thanks for chiming in here and providing us feedback along the way!