Re: CVE details page

From: Magnus Hagander
Subject: Re: CVE details page
Date:
Msg-id: CABUevEy3sznv6Qp11=kPfUPcR71vd=KgzrNFKcWt8smMJ6XfGg@mail.gmail.com
In reply to: Re: CVE details page ("Jonathan S. Katz" <jkatz@postgresql.org>)
Responses: Re: CVE details page ("Jonathan S. Katz" <jkatz@postgresql.org>)
List: pgsql-www
On Wed, Mar 24, 2021 at 8:57 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
>
> On 3/24/21 2:26 PM, Magnus Hagander wrote:
> > On Mon, Mar 22, 2021 at 4:43 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
> >>
> >> 0002 refactors a function we used to generate our internal CVE IDs so it
> >> can be used in multiple places, e.g. its use in 0003.
> >
> > I applaud you for adding what may be the first docstring in pgweb :)
>
> There's some others that I've added! This may be the first one you caught ;)

Guilty as charged :)


> > * is there really a need to support case insensitive cve in the URL?
>
> ...I'm not quite sure what possessed me there. I think it's the fact
> that most sites tend to use the capital letters for CVE, both in the
> URLs and the listings, so one copying/pasting would copy that directly.

If we do it, we should really support (cve|CVE), not cVe for example.

There might be a point in supporting both "cve" and "CVE" but in that
case making it redirect to the canonical form.

(We all know the issues of having the same thing on multiple URLs)

The more I think about it, the more such a redirect seems like a good idea...


> > We don't support case insensitive URLs anywhere else... I suggest also
> > making the URLs we generate ourselves be lowercase, even if we keep
> > the insensitivity in the matching
>
> I would suggest the opposite, that we keep it uppercase as this seems
> consistent with how the others in the CVE game do it, e.g.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925

That's a query param though, so that's slightly different. The fact
that it's a classic cgi also says a few things about the age :)


> https://nvd.nist.gov/vuln/detail/CVE-2018-10925

fair enough.

> https://access.redhat.com/security/cve/CVE-2018-1058

If that's not a beautiful contradiction of the two ways to do it, I
don't know what is :)


> I've modified the URL matching to be all uppercase, but keeping our
> matching logic case insensitive.

I do still prefer lowercase, but not enough to insist on it :)

But do consider the redirect, that might help some ppl.


> > * The query for "versions" needs a .select_related('version')
>
> That I do agree with and somehow missed that. Thanks!

Thinking more, we should also have a struct.py in this directory, so
it goes in the sitemap and becomes searchable. We should *already*
have had that, but it becomes more important now that we have >1 page.
But already today you won't actually get search hits in our security
listing, which is a problem in itself... But let's fix them both at
once.

//Magnus
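The URL-handling discussion above (accept only "cve" and "CVE", and redirect the non-canonical spelling to one canonical URL) as an added, framework-free example. This is not pgweb code and not from either participant; it assumes a hypothetical `/support/security/` prefix and an uppercase canonical form, and stands in for the Django view and URL pattern with plain functions so it runs without Django.

```python
import re
from typing import Optional, Tuple

# Constructed example, not pgweb code. The prefix is an assumption; the real
# pgweb URL layout may differ.
SECURITY_PREFIX = "/support/security/"

# Accept exactly the two spellings discussed, "cve" and "CVE", and reject
# mixed case such as "cVe". CVE ids are CVE-YYYY-NNNN with four or more
# sequence digits; an optional trailing slash is tolerated on input.
CVE_PATH_RE = re.compile(r"^(?:cve|CVE)-(\d{4})-(\d{4,})/?$")


def canonical_cve_id(fragment: str) -> Optional[str]:
    """Return the canonical uppercase id ('CVE-YYYY-NNNN') for an accepted
    path fragment, or None when the fragment is not an accepted spelling."""
    m = CVE_PATH_RE.match(fragment)
    if m is None:
        return None
    return "CVE-{}-{}".format(m.group(1), m.group(2))


def resolve_cve_request(path: str) -> Tuple[int, str]:
    """Decide what the detail view should do for a request path.

    Returns (status, value):
      200 -> serve the page; value is the canonical CVE id
      301 -> redirect; value is the canonical URL to send the client to
      404 -> not a CVE page at all; value is empty
    """
    if not path.startswith(SECURITY_PREFIX):
        return 404, ""
    fragment = path[len(SECURITY_PREFIX):]
    cve = canonical_cve_id(fragment)
    if cve is None:
        return 404, ""
    canonical_path = "{}{}/".format(SECURITY_PREFIX, cve)
    if path != canonical_path:
        # The same content on several URLs splits search ranking and caches;
        # a permanent redirect keeps one canonical address per CVE.
        return 301, canonical_path
    return 200, cve


if __name__ == "__main__":
    for p in ("/support/security/CVE-2018-1058/",
              "/support/security/cve-2018-1058/",
              "/support/security/cVe-2018-1058/"):
        print(p, "->", resolve_cve_request(p))
```

The regex alternation `(?:cve|CVE)` is the whole of the "case handling": nothing is lowercased before matching, so "cVe" is a 404 rather than silently accepted, while the lowercase form still reaches the page via one redirect.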


