Improve references in RUSTSEC-2024-0359 #2202
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In some cases it is easy to see who discovered and reported a bug, but in the case of RUSTSEC-2024-0359 (GHSA-cx7h-h87r-jpgr) one would have had to follow a link to the issue (or look at the advisory-db commit history). Furthermore, the text of the advisory here is directly based on the text of that issue. So improving attribution seems worthwhile in this case. This adds brief explicit credit to @ssbr at the end of the body of the advisory. This is modeled roughly after how credit was given in RUSTSEC-2023-0064 (GHSA-rrjw-j4m2-mf34), another gitoxide advisory. Because the GitHub Advisory Database entry GHSA-cx7h-h87r-jpgr for RUSTSEC-2024-0359 is imported from here, I believe it will also (eventually) be updated with this change, even without being edited directly. Although that database supports credit metadata, it seems currently infeasible to add reporter or finder credit to an entry that is imported from RUSTSEC rather than, e.g., from a repo-local GHSA (github/advisory-database#4620). So this is also in effect a workaround for that.
The main metadata change here is to add the missing global GHSA alias (see GHSA-cx7h-h87r-jpgr). While I'm at it, I've also updated the reference issue URL, since the `gitoxide` repository is under `GitoixeLabs` now (moved from `Byron`).
EliahKagan
deleted the
gix-attributes-unsound-kstring-integration-next
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This improves credit and adds a missing GHSA alias in RUSTSEC-2024-0359 (which is based on GitoxideLabs/gitoxide#1460 and originally added in #2027). See commit messages for details, including rationale.
cc @Byron @ssbr