Add optional severity field override for affected packages. #106
Conversation
|
Looks good. |
docs/schema.md
Outdated
| @@ -356,6 +364,11 @@ The `purl` field is a string following the | |||
| [Package URL specification](https://github.com/package-url/purl-spec) that | |||
| identifies the package. This field is optional but recommended. | |||
|
|
|||
| The `severity` field is an optional JSON array that allows generating systems to | |||
| describe the severity of a vulnerability using one or more quantitative scoring | |||
| methods. Each `severity` item is a JSON object specifying a `type` and `score` | |||
There was a problem hiding this comment.
Instead of "Each severity item is a JSON object specifying a type and score",
can we just say that this array is identical to the top level severity field (ideally with an anchored link?)
There was a problem hiding this comment.
@oliverchang I've made the changes.
Signed-off-by: Palash Oswal <oswalpalash@gmail.com>
Co-authored-by: Chris Bloom <chrisbloom7@github.com> Signed-off-by: Palash Oswal <oswalpalash@gmail.com>
docs/schema.md
Outdated
| @@ -356,6 +364,12 @@ The `purl` field is a string following the | |||
| [Package URL specification](https://github.com/package-url/purl-spec) that | |||
| identifies the package. This field is optional but recommended. | |||
|
|
|||
| The `severity` field is an optional element [defined here](#severity-field). | |||
| Per package severity override is optional for different packages. It is only | |||
There was a problem hiding this comment.
Thinking more I'd suggest enforcing that either the top level severity or the per-package severites are set, but not both.
It doesn't make much sense to me, and it enforces a bit more consistency. We should also validate this with our JSON schema, but that can come later.
Maybe we can replace everything from the second paragraph onwards with:
This `severity` field applies to a specific package, in cases where affected packages have
differing severities for the same vulnerability. If any package level `severity` fields are set,
the top level `severity` (add hyperlink) must not be set.
There was a problem hiding this comment.
Done! Ready for another review
Signed-off-by: Palash Oswal <oswalpalash@gmail.com>
Signed-off-by: Palash Oswal <oswalpalash@gmail.com>
Signed-off-by: Palash Oswal <oswalpalash@gmail.com>
docs/schema.md
Outdated
| @@ -324,6 +332,12 @@ platform information that doesn't apply equally to all listed versions and | |||
| ranges, a separate entry with the same `package` in the `affected` array may be | |||
| needed. | |||
|
|
|||
| The `severity` field is an optional element [defined here](#severity-field). | |||
There was a problem hiding this comment.
Sorry one more comment: Can you just move this text down to under the heading on line 411? That makes this text a bit more easily discoverable since it can be found from the ToC.
The other text here around the relevant fields (e.g. "versions", "ranges") live here because they offer some context relevant to both of them.
There was a problem hiding this comment.
Makes sense @oliverchang ! All set
Signed-off-by: Palash Oswal <oswalpalash@gmail.com>
There was a problem hiding this comment.
thank you! will also let @rsc and @chrisbloom7 sign off on this.
Based on #40 (comment)