Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

What upper vulnerable version should be set in reports?

See original GitHub issue

In reports that we triage, we have had it as a standard so far to specify the latest version that exists at the time of the report as the upper bound.

So if library coolmodule had a report for affecting versions <= 1.0.0 and its current latest release is 1.0.0, we’d set in the report:

vulnerable_versions: '<= 1.0.0'

Pros

forgiving approach which sets an upper limit to what the report has triaged

Cons

newer versions coming out won’t be considered vulnerable even though this might actually be the case

See example use-case https://github.com/nodejs/security-wg/pull/513/files where harp is triaged for vulnerable_versions <=0.29.0 but soon after the report was triaged, versions 0.30.0 released, and is probably still vulnerable.

What should we do?

We can specify a vulnerable_versions: '*' to account for everything when no fixes that we know of are applied.
Keep the existing forgiving upper limit
?

Issue Analytics

State:
Created 4 years ago
Comments:7 (7 by maintainers)

Top GitHub Comments

2reactions

sam-githubcommented, May 1, 2019

I find option 1 attractive. It puts the onus on us to do the initial eval, but once the report is accepted, we shouldn’t have to do a polling loop on every package with an open vuln, checking if a more recent one exists, and updating the vuln DB if it is still vulnerable. Setting an open-ended max puts the onus back on the package maintainers to notify us when a fix is made, preferably with a PR that updates the DB.

@lirantal do you have a preference among your options?

0reactions

sam-githubcommented, Jun 17, 2019

Discussed at #541 , removing from agenda (but please add back if it should be discussed again).

Top Results From Across the Web

How to write a vulnerability report - Infosec Resources

A good vulnerability report should address all of these needs and should contain several key sections, including:.

Creating a basic report | Nexpose Documentation

The security administrator can create reports that contain information about a specific type of vulnerability or vulnerabilities in a specific list of ...

Vulnerability Report - GitLab Documentation

The Vulnerability Report provides information about vulnerabilities from scans of the default branch. It contains cumulative results of all successful jobs, ...

A Developer Guide to Reporting Vulnerabilities

This post explains how to report a vulnerability and why it's important to do so responsibly.

Guidance for preventing, detecting, and hunting for ... - Microsoft

As of December 27, 2021, discovery is based on installed application CPEs that are known to be vulnerable to Log4j RCE, as well...