Affected ecosystems and version ranges in advisories


Jonas Jensen

Jul 11, 2023, 6:56:40 AM7/11/23
to grpc.io
Hi,

It appears that advisories imported by GitHub have incorrect affected ecosystems.

I noticed that CVEs:
Have all been imported into github.com/advisories as affecting something like:
  • Grpc.AspNetCore.Server (NuGet) < 2.52.0
  • Grpc.Net.Client (NuGet) < 2.52.0
  • grpc (Pub) < 3.2.0
  • grpc (RubyGems) < 1.53.0
  • grpcio (pip) < 1.53.0
  • io.grpc:grpc-protobuf (Maven) < 1.53.0
See:
I've filed corrections:
I noticed that the CVE database does have a "versions" section, saying something like:
"affected from 1.53 through 1.54".
Which probably got carried over into other ecosystems.
I know the "pub" package (Dart) is unaffected because it's entirely written in Dart, so fixes in C++ probably don't fix anything related to the Dart implementation.

Is there some other metadata the gRPC team could provide to distinguish ecosystems?
Or should we consider updating the "gRPC CVE Process" to publish the CVEs on GitHub directly (either exclusively or alongside the CVE database):

AFAIK, publishing advisories through https://github.com/grpc/grpc/security
will allow better control of affected ecosystems and version ranges.

The GitHub advisory database is AFAIK used by Dependabot, thus incorrect information here will flag advisories for users who are not affected. I think repository owners are likely to get security alerts.
So it might be nice to provide the best possible metadata.

Regards, Jonas Finnemann Jensen.
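The post argues that an advisory should name each affected ecosystem and its own fixed version separately, so that a fix in one implementation is not copied onto packages (such as the Dart "pub" package) that share a name but not the code. The following is an added example, not code from the post or from the gRPC project: it builds a constructed advisory in the OSV-style layout that the GitHub Advisory Database uses (one "affected" entry per ecosystem and package, each with its own version events) and checks a given ecosystem, package and version against it, the way a dependency scanner would. The advisory id is a placeholder, the version numbers are the ones quoted in the post, the Pub entry is deliberately absent because the post states that package is unaffected, and the dotted-number version comparison is a simplification: real ecosystems (PEP 440, Maven, NuGet, RubyGems) each have their own ordering rules.

```python
"""Added example: a minimal OSV-style affected-range check.

Each "affected" entry names one (ecosystem, package) pair and carries its own
version events, so a fixed version in one ecosystem cannot bleed into another.
"""
from typing import Dict, List, Tuple

# Constructed sample advisory. The id is a placeholder, not a real GHSA id.
# Only ecosystems listed in the post appear; the Dart "Pub" package is
# deliberately absent because the post states it is not affected.
SAMPLE_ADVISORY: Dict = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "constructed sample for illustration",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "grpcio"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.53.0"}]}],
        },
        {
            "package": {"ecosystem": "RubyGems", "name": "grpc"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.53.0"}]}],
        },
        {
            "package": {"ecosystem": "NuGet", "name": "Grpc.Net.Client"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.52.0"}]}],
        },
        {
            "package": {"ecosystem": "Maven", "name": "io.grpc:grpc-protobuf"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.53.0"}]}],
        },
    ],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, padded to three parts.

    Assumption / simplification: real ecosystems have their own ordering rules
    (PEP 440, Maven, NuGet, RubyGems); a production matcher must use the
    ecosystem's comparator rather than this numeric split.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version: str, rng: Dict) -> bool:
    """Walk OSV events in order: 'introduced' opens an affected interval and
    'fixed' closes it (exclusive); an interval left open stays affected."""
    v = parse_version(version)
    start = None
    for event in rng.get("events", []):
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif "fixed" in event and start is not None:
            if start <= v < parse_version(event["fixed"]):
                return True
            start = None
    return start is not None and v >= start


def is_affected(advisory: Dict, ecosystem: str, name: str, version: str) -> bool:
    """True only if an entry for this exact ecosystem+package covers the version.

    An ecosystem with no entry (Pub, in this sample) is never flagged, which is
    the behaviour the post asks for from the GitHub advisory data.
    """
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if version_in_range(version, rng):
                return True
    return False


def affected_ecosystems(advisory: Dict) -> List[str]:
    """Ecosystems an advisory claims; handy for spotting over-broad imports."""
    return sorted({e["package"]["ecosystem"] for e in advisory.get("affected", [])})


if __name__ == "__main__":
    checks = [("PyPI", "grpcio", "1.52.1"), ("PyPI", "grpcio", "1.53.0"),
              ("Pub", "grpc", "3.1.0"), ("NuGet", "Grpc.Net.Client", "2.51.0")]
    for eco, pkg, ver in checks:
        print(f"{eco}/{pkg} {ver}: affected={is_affected(SAMPLE_ADVISORY, eco, pkg, ver)}")
    print("ecosystems claimed:", affected_ecosystems(SAMPLE_ADVISORY))
```

Running the block shows the practical difference the post is after: `grpcio 1.52.1` on PyPI is flagged and `1.53.0` is not, while `grpc 3.1.0` on Pub is never flagged because no entry claims that ecosystem. `affected_ecosystems` is the quick check a maintainer can run on an imported advisory to see whether an ecosystem has been attached that the fix does not actually cover.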