[ANN]: refactor report id field to be auto-generating, Deadline: 10.11.2018


Proposal

Instead of manually choosing report ids for vulnerabilities, which is an error-prone, hard-to-automate, and cumbersome manual process, we’d like to propose an automatically generated ID that will be assigned for reports.

Specifically, to convert the current millisecond timestamp to a large base representation, i.e.:

new Date().getTime().toString(36)
// something like jlmn6im3

Which would be sustainable for quite a while - if we agree to use millisecond precision as the base, then we are currently at 8 characters length for the ID, which remains up until 2059 or so:

new Date('2059').getTime().toString(36)
// zu96s5c0

So that’s sustainable as a short 8 chars id for the next few decades. After that, we can still use the same method except the length is incremented by one more char for the next century or so 😃

new Date('2060').getTime().toString(36)
// 108qqi2o0

This is a request-for-comments announcement, and we’d be happy to discuss and consider other alternatives.

Report Format

To stick with the current system, the new report ID can be formatted like so:

NSWG-ECO-zu96s5c0

References

Discussed in https://github.com/nodejs/security-wg/issues/359#issuecomment-417505159 as part of moving to new database repository (https://github.com/nodejs/security-wg/issues/359) but not coupled to that change.

cc @nodejs/security-wg @nodejs/ecosystem-security

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 20 (20 by maintainers)

Top GitHub Comments

lirantal commented, Sep 11, 2018 (4 reactions)

With the slight correction that core will probably be /core/NSWG-CORE-zu96s5c1.json (notice CORE vs ECO) but that’s one option indeed.

Another question is how would the change affect the report id field? Should it be:

{
  "id": "zu96s5c0",
  "// rest of the fields": ""
}

or

{
  "id": "NSWG-ECO-zu96s5c0",
  "// rest of the fields": ""
}

?

I’m voting for the 2nd option where its full name is used.

pxlpnk commented, Sep 11, 2018 (1 reaction)

Lowercase makes sense I think. Would the filename be something like:

/npm/$packageName/NSWG-ECO-zu96s5c0.json and respective: /core/NSWG-ECO-zu96s5c1.json

Or should core stay as it is in terms of naming?
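
The ID scheme discussed in this thread, as an added JavaScript example that is not code from the issue or from the nodejs/security-wg repository: it builds and validates IDs in the NSWG-ECO / NSWG-CORE form, decodes the creation time that every such ID embeds, and handles two reports landing in the same millisecond. The function names and the step-forward collision rule are assumptions.

```javascript
// Added example: names below are hypothetical, not from nodejs/security-wg.
const ID_PATTERN = /^NSWG-(ECO|CORE)-([0-9a-z]{8,9})$/;

// The 8-character suffix lasts until the timestamp reaches 36^8 ms.
const ROLLOVER_MS = 36 ** 8;

// Build a full report ID from a millisecond timestamp.
function makeReportId(scope, ms = Date.now()) {
  if (scope !== 'ECO' && scope !== 'CORE') {
    throw new RangeError(`unknown scope: ${scope}`);
  }
  if (!Number.isSafeInteger(ms) || ms < 0) {
    throw new RangeError('ms must be a non-negative integer');
  }
  return `NSWG-${scope}-${ms.toString(36)}`;
}

// Validate an ID and decode the creation time it embeds; null if malformed.
function parseReportId(id) {
  const m = ID_PATTERN.exec(id);
  if (!m) return null;
  const ms = parseInt(m[2], 36);
  // Reject non-canonical suffixes such as a zero-padded one.
  if (ms.toString(36) !== m[2]) return null;
  return { scope: m[1], suffix: m[2], createdAt: new Date(ms) };
}

// Two reports created in the same millisecond would get the same ID.
// Assumed rule: step forward 1 ms until the ID is not in `taken`.
function nextFreeId(scope, ms, taken) {
  let id = makeReportId(scope, ms);
  while (taken.has(id)) {
    ms += 1;
    id = makeReportId(scope, ms);
  }
  taken.add(id);
  return id;
}

// Constructed sample run using the timestamps quoted in the issue.
const taken = new Set();
const first = nextFreeId('ECO', Date.UTC(2059, 0, 1), taken);
const second = nextFreeId('ECO', Date.UTC(2059, 0, 1), taken);
console.log(first, second, new Date(ROLLOVER_MS).toISOString());
```

Because the suffix is just the timestamp in base 36, anyone holding a report ID can recover when the report was created, as parseReportId shows.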
