
Revisit VULCOID ... #811

Closed
3 tasks
pombredanne opened this issue Jul 26, 2022 · 15 comments · Fixed by #896

@pombredanne
Collaborator

  • VULCOIDs have a confusing id numbering (base 36) with a varying length. We should do something that is random and fixed size instead and eschew having something memorable.
  • VULCOID should have a namespace to avoid collisions between VCIO instances
  • VULCOID could have a better name that's easier to pronounce
@Hritik14
Collaborator

Hritik14 commented Jul 26, 2022

Related #695 (comment)

Further suggestions

VULCOID-YEAR-ABCD

* Year is hard to infer for all vulnerabilities.

VULCOID-ABC

* Variable length base 36 `ABC`

VULCOID-[NAMESPACE-]ABC

* Same as `VULCOID-ABC` but with a reserved space for `NAMESPACE` that could be an identifier AboutCode supplies via Scancode Toolkit or any other means. (Unique values such as github usernames could also be leveraged)

@Hritik14
Collaborator

Hritik14 commented Jul 26, 2022

Here are some suggestions for name:

  • Vulcan
  • Vern
  • Vlad (this one's my fav - Vlad the Impaler :p )
  • vade
  • vale
  • veld
  • verb
  • vole

@mjherzog
Member

mjherzog commented Jul 27, 2022

The name to replace VULCOID needs to be simple and short like "purl". Candidates along these lines are: VULCO_ID, VULN_ID (already in use by others per Google Search - e.g. https://source.whitehatsec.com/help/sentinel/admins/customize-or-accept-risk.html), VUL_ID, VULCODE_ID etc. It is probably preferable if the name is something distinct for us.

@pombredanne
Collaborator Author

> Candidates along these lines are: VULCO_ID, VULN_ID

I would prefer avoiding underscore and dash in the name and use only letters.

Also, for some background, these are common "names" in use: https://cve.mitre.org/data/refs/index.html

In addition several are not listed there ... that's another source of inspiration:

  • GHSA for GitHub Security Advisory
  • RHSA for RedHat Security Advisory
  • ASB for Android Security Bulletin
  • DSA for Debian Security Advisory
  • GSD for Global Security Database
  • GO for Golang
  • OSV for the OSV DB from Google and mostly for OSS Fuzz
  • PYSEC for Python
  • ... and a few more

@mjherzog
Member

So it looks like all-caps is preferred. We need a SOURCE name (as would be used if we post a new vulnerability to the NVD) and a name/abbreviation for the identifier. The logical SOURCE name would be VCDB and the identifier could be VCID meaning VulnerableCode ID. There is an unfortunate usage of VCID as an abbreviation for "Vascular Cognitive Impairment and Dementia" and other usage for Virtual Channel Identifier, but those are far afield from our work.

@pombredanne pombredanne added this to the v30.0 milestone Aug 2, 2022
@pombredanne
Collaborator Author

pombredanne commented Aug 18, 2022

After long thought I suggest that we use a uuid4() as in '5a9b63ed-8092-4433-b9bd-8738661a101b', but that would not make the id memorable.

@pombredanne
Collaborator Author

@keshav-space said in the weekly call that it does not have a purpose to have a memorable id if the id is not unique and pointing to the same vulnerability globally.

@pombredanne
Collaborator Author

So I suggest a VULCODE or VULCO prefix and a UUID4, as in 5a9b63ed-8092-4433-b9bd-8738661a101b.
Or ABCD, VULID, VCIO, VULCID, CODEVULN, VULN, VULNID as the prefix. I just need some consensus!
So:

VULCODE-5a9b63ed-8092-4433-b9bd-8738661a101b or VULCO-5a9b63ed-8092-4433-b9bd-8738661a101b

@mjherzog
Member

My votes are:

  1. VULNID for Vulnerability ID. Most commonly used in our context in variations like vulnid or Vuln id. Some unfortunate overlap with "Deviant Art" - https://www.deviantart.com/tag/vulnid, but this seems pretty obscure. The likely English pronunciations are "vuln id" or "vul nid", which seem OK. We could conceivably take over as the primary reference point for VULNID. Preferred over VC or VULCO references because it is more descriptive to someone who does not know about our database yet.
  2. VCID for VulnerableCode ID (despite the unfortunate overlap with "Vascular Cognitive Impairment and Dementia" - there will be no confusion about field of use)

@pombredanne
Collaborator Author

This form is now up for votes:
Please +1 or -1.
The id will be:
VULNID-5a9b63ed-8092-4433-b9bd-8738661a101b
And we can display it in a shorter form as needed.

@TG1999
Contributor

TG1999 commented Aug 25, 2022

+1

@johnmhoran
Contributor

+1 for VCID

@pombredanne
Collaborator Author

  • VCID: John, Michael, Ziad, Keshav: 4 votes
  • VULNID: Tushar, Philippe, Michael: 3 votes

Many absentees have not voted: but the final is VCID!

The winning format is: VCID-5a9b63ed-8092-4433-b9bd-8738661a101b

Next steps:

  • add uuid column, migrate data to new column (details TBD and some possible performance impact)
  • replace any VULCOID reference by VCID in the code, UI, documentation and API
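To make the two id schemes discussed in this thread concrete, here is an added example (not VulnerableCode's own code, and not from any participant) that shows why the base 36 VULCOID numbering in the opening comment has a varying length, and builds, validates and shortens ids in the agreed VCID-<uuid4> format. The prefix constant, the regular expression and the helper names (old_vulcoid, new_vcid, is_vcid, parse_vcid, short_vcid) are assumptions for illustration; the sample uuid is the one quoted in the thread.

```python
import re
import uuid
from typing import Optional

# Assumed prefix, per the vote in this thread.
VCID_PREFIX = "VCID"

# Shape check for the agreed format: prefix plus a canonical lowercase,
# hyphenated UUID (8-4-4-4-12 hex digits). Version is checked separately.
VCID_RE = re.compile(
    r"^VCID-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

BASE36_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36(n: int) -> str:
    """Encode a non-negative integer in base 36 (old VULCOID style).

    The output length grows with the integer, which is the varying-length
    behaviour the thread complains about: 1 -> "1", 36 -> "10", 46655 -> "zzz".
    """
    if n < 0:
        raise ValueError("base36 expects a non-negative integer")
    if n == 0:
        return "0"
    out = []
    while n:
        n, rem = divmod(n, 36)
        out.append(BASE36_DIGITS[rem])
    return "".join(reversed(out))


def old_vulcoid(pk: int) -> str:
    """Illustrative old-style id derived from a database primary key.

    Because it is derived from a per-instance counter, two VCIO instances
    would mint the same VULCOID for different vulnerabilities.
    """
    return f"VULCOID-{base36(pk)}"


def new_vcid(u: Optional[uuid.UUID] = None) -> str:
    """Mint an id in the agreed format: VCID-<random uuid4>.

    A random uuid4 is fixed-size (36 characters after the prefix) and does
    not depend on which instance minted it, so no namespace is needed to
    avoid cross-instance collisions.
    """
    u = u if u is not None else uuid.uuid4()
    return f"{VCID_PREFIX}-{u}"


def is_vcid(value: str) -> bool:
    """True if value has the VCID shape and carries a version 4 UUID."""
    if not VCID_RE.fullmatch(value):
        return False
    return uuid.UUID(value[len(VCID_PREFIX) + 1 :]).version == 4


def parse_vcid(value: str) -> uuid.UUID:
    """Extract the UUID from a VCID, rejecting anything malformed."""
    if not is_vcid(value):
        raise ValueError(f"not a valid VCID: {value!r}")
    return uuid.UUID(value[len(VCID_PREFIX) + 1 :])


def short_vcid(value: str, length: int = 8) -> str:
    """Shorter display form: prefix plus the first `length` hex digits.

    This is for display only; the short form is not unique and must never
    be used as a lookup key in place of the full id.
    """
    return f"{VCID_PREFIX}-{parse_vcid(value).hex[:length]}"


if __name__ == "__main__":
    for pk in (1, 36, 46655, 46656):
        print(old_vulcoid(pk))
    sample = "VCID-5a9b63ed-8092-4433-b9bd-8738661a101b"
    print(sample, is_vcid(sample), short_vcid(sample))
    print(new_vcid())
```

Note that a short display form such as VCID-5a9b63ed trades uniqueness for readability, so it should resolve back to a full id before anything is looked up by it.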

@pombredanne
Collaborator Author

For reference:

$ grep -r . -e "VULCOID" -l
./vulnerablecode/static/api_doc/api_schema.yaml
./docs/source/tutorial_add_new_improver.rst
./vulnerabilities/tests/test_fix_api.py
./vulnerabilities/tests/test_models.py
./vulnerabilities/templates/vulnerability_details.html
./vulnerabilities/templates/index.html
./vulnerabilities/templates/vulnerabilities.html
./vulnerabilities/models.py
./vulnerabilities/migrations/0012_alter_vulnerability_vulnerability_id.py
./vulnerabilities/migrations/0001_initial.py
./vulnerabilities/migrations/0013_auto_20220503_0941.py
./vulnerabilities/fixtures/openssl.json
$ grep -r . -e "VULCOID" | wc -l
39

TG1999 added a commit to TG1999/vulnerablecode that referenced this issue Sep 2, 2022
Use uuid instead of base36
Reference: aboutcode-org#811

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999 TG1999 linked a pull request Sep 2, 2022 that will close this issue
pombredanne added a commit that referenced this issue Sep 8, 2022
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>