Re: CVE details page

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: CVE details page
Date: 2021-03-24 18:26:41
Message-ID: CABUevExAYNieYAZSkCdN8_TA3NGHZVky4rL++HyFG-MdeNm0CQ@mail.gmail.com
Lists: pgsql-www

On Mon, Mar 22, 2021 at 4:43 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org> wrote:
>
> Hi,
>
> When we have a release that contains CVEs, we currently link to a CVE
> authority to display the full details about that CVE. This has presented
> a few issues:
>
> - The CVE authority does not publish the CVE details when the release is
> made; the window for this happening can vary
> - As a result, we can't link to that page from the news announcement;
> when we have in the past, we'll get reports about the URL 404ing
>
> This patchset aims to remedy this by creating a page that houses the
> details about a CVE. It includes the additional description that is
> provided to the CVE authority and allows for the details to be published
> as soon as the CVE is published. See attached screenshot.
>
> 0001 updates the current CVE ID validator to match what MITRE has put
> forth on the numbering (7 digits! It does say in places it can be
> "arbitrary amounts" but the official examples go up to 7 digits), and

This one should probably change the error message as well?

> 0002 refactors a function we used to generate our internal CVE IDs so it
> can be used in multiple places, e.g. its use in 0003.

I applaud you for adding what may be the first docstring in pgweb :)

I don't think you need to be consistent with the previous error since
it's a "never happens" error, you can just let the ValidationError
through. I also don't mind if you prefer keeping it :)

0003
* can we make the purging a bit more specific? That is only purge the
actually edited one? See for example how news/ does it.

* is there really a need to support case insensitive cve in the URL?
We don't support case insensitive URLs anywhere else... I suggest also
making the URLs we generate ourselves be lowercase, even if we keep
the insensitivity in the matching

* The query for "versions" needs a .select_related('version')

Rest LGTM. (did not review the HTML itself, but since the output looks
good and has already been approved..)

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
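As an added illustration of the validator discussed above (example code, not pgweb's own validator or the patchset under review), the following plain-Python helpers accept CVE IDs with a 4 to 7 digit sequence number, match case-insensitively as the thread allows, and always emit lowercase in the URLs generated for the site. The `/cve/` URL prefix is a hypothetical placeholder, and the error text is one possible wording of the updated message suggested above.

```python
import re

# Assumed pattern (added example, not pgweb's code): MITRE's current CVE ID syntax
# is CVE-<4-digit year>-<sequence of at least 4 digits>; the thread settles on a
# 7-digit upper bound, matching MITRE's published examples. Matching is
# case-insensitive, but everything we generate ourselves is normalized.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,7})$", re.IGNORECASE)

# Hypothetical URL prefix for the CVE details page (placeholder, not pgweb's real path).
CVE_URL_PREFIX = "/cve/"


def validate_cve_id(cve_id: str) -> bool:
    """Return True if cve_id is a well-formed CVE identifier (4 to 7 digit sequence)."""
    return CVE_ID_RE.match(cve_id.strip()) is not None


def normalize_cve_id(cve_id: str) -> str:
    """Canonical upper-case form for storage and display.

    Raises ValueError with a message that states the accepted format, so the
    error text stays in step with the widened digit range.
    """
    m = CVE_ID_RE.match(cve_id.strip())
    if m is None:
        raise ValueError(
            f"Invalid CVE ID {cve_id!r}: expected CVE-YYYY-NNNN with 4 to 7 digits"
        )
    return f"CVE-{m.group(1)}-{m.group(2)}"


def cve_url_path(cve_id: str) -> str:
    """URL path we generate ourselves: lowercase, even though matching is insensitive."""
    return f"{CVE_URL_PREFIX}{normalize_cve_id(cve_id).lower()}/"


if __name__ == "__main__":
    for candidate in ("CVE-2021-1234", "cve-2021-1234567", "CVE-2021-123"):
        if validate_cve_id(candidate):
            print(candidate, "->", normalize_cve_id(candidate), cve_url_path(candidate))
        else:
            print(candidate, "-> rejected")
```

Keeping the compiled pattern in one place means the validator, the normalizer and the URL builder cannot drift apart when the accepted digit range changes again.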
