@@ -193,6 +193,33 @@ _________________
193193 - Takes a JSON of known vulnerabilities affecting a repo & creates GitHub Issues
194194 in said repo for any vulnerabilities, which do not yet have a GitHub Issue
195195
196+ security-issues
197+ ^^^^^^^^^^^^^^^
198+ The `security-issues/action.yml ` creates GitHub Issues for known vulnerabilities
199+ for `maven ` and `pip-audit `.
200+ The following steps are taken:
201+
202+ 1. Convert a JSON of known vulnerabilities into a common format (`class Issue `)
203+ 2. Filter out vulnerabilities which already have an existing GitHub Issue via CVE
204+ 3. Create new GitHub Issues
205+ 4. Return a JSON of the newly created GitHub Issues
206+
207+ Known Issues
208+ ~~~~~~~~~~~~~
209+ The `security-issues/action.yml ` assumes that eventually every known vulnerability will
210+ be associated with a singular CVE.
211+
212+ * This can be problematic as vulnerabilities may be initially reported to different
213+ services and not receive a CVE until a few days later or, in some cases, never. This
214+ could mean that some vulnerabilities are initially missed or, in some cases,
215+ never propagated by our action.
216+ * Additionally, reporting tools like `pip-audit ` must link a vulnerability with the
217+ different vulnerability IDs from different reporting services. Typically, this is done
218+ by selecting 1 of the vulnerability IDs as the unique identifier of the vulnerability.
219+ This, as is the case for `pip-audit `, is not the CVE, so it is possible if the linked
220+ vulnerability IDs were to change (i.e. wrongly linked CVE) that we could end up with
221+ multiple GitHub Issues for the same underlying vulnerability.
222+
196223
197224Known Issues
198225------------