Posted to security-discuss@community.apache.org by Arnout Engelen <en...@apache.org> on 2023/01/13 13:18:05 UTC

Publishing security advisories to GitHub?

Hi,

It seems sometimes, GitHub publishes advisories about Apache projects,
such as this one:

    https://github.com/advisories/GHSA-gw4j-4229-q4px

This one is correctly linked to our CVE record
(https://www.cve.org/CVERecord?id=CVE-2021-25640), but not to the
Apache Dubbo GitHub repository. It seems somewhat useless in this form
since there is already the CVE. I suppose we could ask them not to
publish advisories for Apache projects (I didn't find any criteria for
which projects are in scope for them) - but I guess we can't really
stop them from publishing what they like.

Alternatively, we could consider taking more ownership of the
advisory, linking it to the Apache Dubbo GitHub repository[0] and
making it show up at
https://github.com/apache/dubbo/security/advisories . Being in OSV
format[1] that potentially also provides an opportunity to be more
precise than CVE's can be, for example in specifying the affected
artifacts. If we'd do that, however, we should probably get some
tooling in place to publish *all* Dubbo advisories there (in addition
to publishing corresponding CVE's), and make sure they stay reasonably
in sync.

Do you think that might be an interesting thing to explore, or would
you prefer we somehow try to discourage creating GitHub advisories for
Apache projects?


Kind regards,

Arnout

[0]: I assume that is possible, though it is not entirely clear from
https://docs.github.com/en/code-security/security-advisories
[1]: https://ossf.github.io/osv-schema/

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscribe@community.apache.org
For additional commands, e-mail: security-discuss-help@community.apache.org
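The mail above raises two concrete checks a project would want tooling for: whether a GitHub advisory (OSV format) both aliases the project's CVE and references the project's repository, whether it names affected artifacts more precisely than the CVE does, and whether every CVE the project published has a matching advisory. The script below is an added illustration of such a sync check, not code from the thread or from the Apache Dubbo project. Only the GHSA id, the CVE id and the repository URL come from the thread; the OSV records, the second advisory id, the version range and the second CVE id are constructed placeholders, and the Maven coordinate org.apache.dubbo:dubbo is an assumption.

```python
"""Consistency check between a project's CVE list and its OSV-format advisories.

Added example for the thread above (not the project's own tooling).  The
records below are constructed: only GHSA-gw4j-4229-q4px, CVE-2021-25640 and
the repository URL come from the mail; version numbers, the second advisory
id and CVE-2099-00001 are placeholders, and the Maven coordinate is assumed.
"""
import re

REPO_URL = "https://github.com/apache/dubbo"            # from the thread
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# CVEs the project itself has published (constructed; the second id is a
# placeholder that exercises the "CVE without advisory" path).
PROJECT_CVES = {"CVE-2021-25640", "CVE-2099-00001"}

# Constructed OSV-format records, shaped like the ones GitHub exposes.
ADVISORIES = [
    {
        "schema_version": "1.4.0",
        "id": "GHSA-gw4j-4229-q4px",
        "aliases": ["CVE-2021-25640"],
        "summary": "placeholder summary",
        "affected": [
            {
                # assumed Maven coordinate; the range is a placeholder
                "package": {"ecosystem": "Maven", "name": "org.apache.dubbo:dubbo"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "9.9.9"}]}],
            }
        ],
        # links the CVE record but, as in the mail, not the repository
        "references": [
            {"type": "ADVISORY", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25640"},
        ],
    },
    {
        "schema_version": "1.4.0",
        "id": "GHSA-xxxx-xxxx-xxxx",          # placeholder id
        "aliases": [],
        "summary": "placeholder: no CVE alias and no affected artifacts",
        "affected": [],
        "references": [{"type": "WEB", "url": REPO_URL + "/issues/0"}],
    },
]


def check_advisory(adv, repo_url=REPO_URL):
    """Return the list of problems found in one OSV record (empty means OK)."""
    problems = []
    if not [a for a in adv.get("aliases", []) if CVE_RE.match(a)]:
        problems.append("no CVE alias")
    refs = adv.get("references", [])
    if not any(ref.get("url", "").startswith(repo_url) for ref in refs):
        problems.append("no reference to " + repo_url)
    affected = adv.get("affected", [])
    if not affected:
        problems.append("no affected artifacts")
    for entry in affected:
        pkg = entry.get("package", {})
        # OSV lets us name the exact Maven artifact, which a CVE text cannot
        if pkg.get("ecosystem") != "Maven" or ":" not in pkg.get("name", ""):
            problems.append("affected package is not a Maven groupId:artifactId")
        events = [ev for r in entry.get("ranges", []) for ev in r.get("events", [])]
        if not any(ev.get("fixed") for ev in events):
            problems.append(f"{pkg.get('name')} has no fixed version")
    return problems


def sync_report(advisories, project_cves):
    """Map each advisory id to its problems and list CVEs lacking an advisory."""
    report = {adv["id"]: check_advisory(adv) for adv in advisories}
    covered = {a for adv in advisories for a in adv.get("aliases", [])}
    missing = sorted(project_cves - covered)
    return report, missing


if __name__ == "__main__":
    report, missing = sync_report(ADVISORIES, PROJECT_CVES)
    for ghsa, problems in report.items():
        print(ghsa, "OK" if not problems else "; ".join(problems))
    print("CVEs without a GitHub advisory:", missing)
```

Run as-is it flags the first record for lacking a repository reference (the situation in the mail), the second for having neither a CVE alias nor affected artifacts, and reports the placeholder CVE as having no advisory at all; pointed at real exported OSV records and the project's real CVE list, the same two functions are the "keep them in sync" check the mail asks for.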


Re: Publishing security advisories to GitHub?

Posted by Mike Drob <md...@apache.org>.
One thing I’ve noticed is that the database at osv.dev seems to pull from
GHSA but not directly from NIST for CVEs. So letting GH alias the CVEs
published seems ok. As long as they are accurate, I only see benefit to
having them in more places, not less.

On Fri, Jan 13, 2023 at 7:18 AM Arnout Engelen <en...@apache.org> wrote:

> Hi,
>
> It seems sometimes, GitHub publishes advisories about Apache projects,
> such as this one:
>
>     https://github.com/advisories/GHSA-gw4j-4229-q4px
>
> This one is correctly linked to our CVE record
> (https://www.cve.org/CVERecord?id=CVE-2021-25640), but not to the
> Apache Dubbo GitHub repository. It seems somewhat useless in this form
> since there is already the CVE. I suppose we could ask them not to
> publish advisories for Apache projects (I didn't find any criteria for
> which projects are in scope for them) - but I guess we can't really
> stop them from publishing what they like.
>
> Alternatively, we could consider taking more ownership of the
> advisory, linking it to the Apache Dubbo GitHub repository[0] and
> making it show up at
> https://github.com/apache/dubbo/security/advisories . Being in OSV
> format[1] that potentially also provides an opportunity to be more
> precise than CVE's can be, for example in specifying the affected
> artifacts. If we'd do that, however, we should probably get some
> tooling in place to publish *all* Dubbo advisories there (in addition
> to publishing corresponding CVE's), and make sure they stay reasonably
> in sync.
>
> Do you think that might be an interesting thing to explore, or would
> you prefer we somehow try to discourage creating GitHub advisories for
> Apache projects?
>
>
> Kind regards,
>
> Arnout
>
> [0]: I assume that is possible, though it is not entirely clear from
> https://docs.github.com/en/code-security/security-advisories
> [1]: https://ossf.github.io/osv-schema/
>