Usability feedback on multiple packages returned for a single package_url #1219

Open
tdruez opened this issue Jul 4, 2023 · 3 comments

@tdruez
Contributor

tdruez commented Jul 4, 2023

During a scan, a package with the following purl: pkg:alpine/[email protected]?arch=x86_64 was discovered.

Doing a lookup on the VulnerableCode API for the pkg:alpine/[email protected] purl returns 10 packages:

pkg:alpine/[email protected]?arch=aarch64&distroversion=edge&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.10&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.11&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.12&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.13&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.14&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.15&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.16&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.5&reponame=main
pkg:alpine/[email protected]?arch=aarch64&distroversion=v3.6&reponame=main

All those packages seem to share the same vulnerability data:

# data: the list of package objects returned by the API lookup above
for package in data:
    print([vulnerability["vulnerability_id"] for vulnerability in package["fixing_vulnerabilities"]])

['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']
['VCID-9me2-5n8r-aaas', 'VCID-a5cr-256c-aaac', 'VCID-m7ct-1jfm-aaaj']

From the data consumer perspective, what should be the approach to deal with all the duplicated data?
Is there a reason to capture, store, and return all those variations of the same package when the vulnerabilities are identical?

@tdruez
Contributor Author

tdruez commented Jul 4, 2023

Ideally, I should be able to provide the full purl (including qualifiers) pkg:alpine/[email protected]?arch=x86_64 and get a list of vulnerability objects, rather than packages.

@TG1999 is this available in the API?

@TG1999
Contributor

TG1999 commented Jul 4, 2023

@tdruez IMO we need to have a different API endpoint for this, where a user can feed in a purl or list of purls and just get a list of vulnerability objects and nothing else apart from this.
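
The two points raised so far, how a consumer should collapse the duplicated per-distroversion packages returned for one purl, and what a purl-in/vulnerabilities-out endpoint would have to compute, can be shown client-side with the following added example. It is not VulnerableCode's code and not part of the thread. The record shape (a "purl" string plus a "fixing_vulnerabilities" list of objects carrying "vulnerability_id") follows the API output quoted above; the package name, versions and the extra VCID-0000-0000-0000 are constructed, and split_purl is a hypothetical minimal helper, not packageurl-python.

```python
"""Collapse the package variants a purl lookup returns into one vulnerability set.

Added example, not VulnerableCode code. The record shape (a "purl" string plus a
"fixing_vulnerabilities" list of {"vulnerability_id": ...}) follows the API output
quoted in the issue; package name, versions and the extra VCID are made up.
"""
from urllib.parse import parse_qsl


def split_purl(purl):
    """Split a purl into its base ("pkg:type/name@version") and a qualifier dict.

    Hypothetical helper covering only what this example needs: it drops any
    "#subpath", parses the "?key=value&key=value" qualifier part and does no
    percent-decoding or type/namespace canonicalisation. Use packageurl-python
    when matching real data.
    """
    purl = purl.partition("#")[0]
    base, _, query = purl.partition("?")
    return base, dict(parse_qsl(query, keep_blank_values=True))


def qualifiers_compatible(wanted, candidate):
    """True if every qualifier the scanner observed is absent from the candidate
    or has the same value. Qualifiers only the candidate carries (distroversion,
    reponame) are accepted: the scanner never saw them, so they cannot conflict."""
    return all(candidate.get(key) in (None, value) for key, value in wanted.items())


def vulnerability_ids(records, discovered_purl, field="fixing_vulnerabilities", ignore=()):
    """Return (ids, kept, skipped) for the records compatible with discovered_purl.

    ids      sorted, deduplicated vulnerability IDs across the kept records
    kept     purls of the records that were merged
    skipped  purls rejected for a different base or a conflicting qualifier
    `ignore` names qualifiers to leave out of matching, e.g. ("arch",) when the
    database only carries another architecture and you accept that knowingly.
    """
    wanted_base, wanted_q = split_purl(discovered_purl)
    wanted_q = {k: v for k, v in wanted_q.items() if k not in ignore}
    ids, kept, skipped = set(), [], []
    for record in records:
        base, qualifiers = split_purl(record["purl"])
        if base != wanted_base or not qualifiers_compatible(wanted_q, qualifiers):
            skipped.append(record["purl"])
            continue
        kept.append(record["purl"])
        ids.update(v["vulnerability_id"] for v in record.get(field, []))
    return sorted(ids), kept, skipped


SAMPLE_PURL = "pkg:alpine/example-pkg@1.0.0-r0"  # constructed name and version
SAMPLE_IDS = ["VCID-9me2-5n8r-aaas", "VCID-a5cr-256c-aaac", "VCID-m7ct-1jfm-aaaj"]


def sample_records():
    """Constructed stand-in for the API response in the issue: one version repeated
    per distroversion, all aarch64, plus a different version that must never merge."""
    records = [
        {
            "purl": f"{SAMPLE_PURL}?arch=aarch64&distroversion={distro}&reponame=main",
            "fixing_vulnerabilities": [{"vulnerability_id": vcid} for vcid in SAMPLE_IDS],
        }
        for distro in ("edge", "v3.15", "v3.16")
    ]
    records.append(
        {
            "purl": "pkg:alpine/example-pkg@1.0.1-r0?arch=aarch64&distroversion=edge&reponame=main",
            "fixing_vulnerabilities": [{"vulnerability_id": "VCID-0000-0000-0000"}],  # made up
        }
    )
    return records


if __name__ == "__main__":
    discovered = f"{SAMPLE_PURL}?arch=x86_64"
    # Strict: the scanner saw x86_64 but the database only has aarch64 rows, so
    # nothing matches and the consumer sees that instead of a silent merge.
    print(vulnerability_ids(sample_records(), discovered))
    # Relaxed: treat arch as irrelevant and the many-rows-one-answer case
    # collapses to a single list of three IDs.
    print(vulnerability_ids(sample_records(), discovered, ignore=("arch",)))
```

The strict run is the caveat worth keeping in mind with the data above: every returned variant is aarch64 while the scanned artifact was x86_64, so a consumer that matches qualifiers honestly gets no hit at all, and only an explicit decision to ignore arch turns the ten identical rows into one three-item answer. Whatever the server-side endpoint ends up doing, it has to make that same choice visible rather than bury it.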

@tdruez
Contributor Author

tdruez commented Jul 31, 2023

@TG1999 any progress on this new API endpoint?
