Fix CVSS v3 and v4 parsing/output in GitHub advisory sync.#1129
Conversation
This change was generated using Claude Code, but fully reviewed, tested, and validated by me. This commit message was written by me.
|
Running the modified script on the whole database changes more |
|
Hmm, from what I can tell that's just due to re-serializing the files when there were changes, mainly to re-wrap with the 80 characters wrapping we have. If you change anything about the returned format (adding a new field, etc.) all of those same extra changes would happen automatically no matter what, regardless of this PR's changes. Should I commit those changes to this branch for consistency, or is there anything specific in the extra changes that we should figure out how to avoid? EDIT: Actually I guess some wrap at 90 instead of 80, I'm not totally sure why, I don't think my changes would cause that? |
|
My preference is to have no regressions and the "Catch Up" changes to the |
|
👍 I've updated all the advisories that were missing their CVSS v4 scores to include them now, so re-running the rake task should result in 0 further changes to these advisories. The only thing I intentionally excluded was net-new advisories, as those I assume should go in their own PRs. |
jasnow
left a comment
jasnow
left a comment
There was a problem hiding this comment.
- Checked out connorshea-fix-cvss-score branch.
- Pulled connorshea's change to branch.
- Ran "git diff" and find only "cvss_v4" lines and changes to lib/github_advisory_sync.rb file.
- Looks good to me.
- I will probably want to merge this in a hour so we get its benefit for the 18 advisories that arrived today and 8 yesterday.
|
Forgot - Thanks @connorshea for your contribution. |
2 participants
Disclaimer: This change was generated using Claude Code, but fully reviewed, tested, and validated by me. This PR description was written by me.
I noticed that generating the YML files for the recent nokogiri security advisories resulted in no CVSS score when the GHSA only had a CVSS v4 score. After investigating, I discovered that we were using a deprecated field in the GraphQL query on the GitHub API, and it did not return any v4 scores. This fixes that problem by updating the GraphQL query in the sync task and then the code for extracting the scores accordingly.
I can add further tests here if desired, the current tests for this file are fairly sparse so I wasn't sure what the project preferences were.
Fixes #1128.