Enhance human link support (#2031)

andrewpollock · web-flow · commit db128932e909 · 2024-03-07T16:05:13.000+10:00
Support more complex human-friendly upstream bug URLs by allowing
templating rather than simple appending of the the bug ID to a URL.

This allows AlmaLinux and Curl human-friendly links to be added to the
frontend UI in addition the what's already there.

Also add an FAQ about data fixes, which can be referenced from the bug
template
diff --git a/docs/faq.md b/docs/faq.md
@@ -80,7 +80,7 @@ Vulnerability databases can also benefit from easier interchange and vulnerabili
 
 Yes!
 
-The database in available in a GCS bucket maintained by OSV: [gs://osv-vulnerabilities](https://osv-vulnerabilities.storage.googleapis.com/) (also [publicly browseable via the Google Cloud Console](https://console.cloud.google.com/storage/browser/osv-vulnerabilities) with a login)
+The database in available in a GCS bucket maintained by OSV: [gs://osv-vulnerabilities](https://storage.googleapis.com/osv-vulnerabilities/index.html) (also [publicly browseable via the Google Cloud Console](https://console.cloud.google.com/storage/browser/osv-vulnerabilities) with a login)
 
 More information about how to download the database is available [here](data.md#data-dumps).
 
@@ -111,3 +111,23 @@ If you work on a project (like a Linux distribution) and would like to contribut
 ## Is the API rate limited?
 
 No. Currently there is not a limit on the API.
+
+## I've found something wrong with the data
+
+Data quality is very important to us. Please remember that OSV.dev is an
+aggregator of OSV records from a [variety of
+sources](https://github.com/google/osv.dev/blob/master/source.yaml) and the most
+appropriate place to correct the data is at the source.
+
+We prefer to avoid needing to act as a broker between downstream consumers of
+the data and upstream sources, as this adds limited value, and only adds delays.
+
+Where available, a human-friendly link to the authoritative record source is
+available as the `Source` field on the individual vulnerability page. You should
+follow the source-specific process for updating the data.
+
+For sources that are a Git repository, the `Import Source` field points to the
+authoritative source of the data, and you may be able to create a pull/merge
+request or file an issue against the repository.
+
+If you are not able to get satisfaction after dealing directly with the source of the data, please [file an issue](https://github.com/google/osv.dev/issues?q=is%3Aissue+is%3Aopen+label%3A%22data+quality%22) tagged with `data quality`.
diff --git a/gcp/appengine/frontend_handlers.py b/gcp/appengine/frontend_handlers.py
@@ -23,7 +23,7 @@
 from flask import Blueprint
 from flask import make_response
 from flask import redirect
-from flask import render_template
+from flask import render_template, render_template_string
 from flask import request
 from flask import url_for
 from flask import send_from_directory
@@ -300,7 +300,10 @@ def add_source_info(bug, response):
   response['source'] = source_repo.link + source_path
   response['source_link'] = response['source']
   if source_repo.human_link:
-    response['human_source_link'] = source_repo.human_link + bug.id()
+    ecosystems = bug.ecosystem
+    bug_id = bug.id()
+    response['human_source_link'] = render_template_string(
+        source_repo.human_link, ECOSYSTEMS=ecosystems, BUG_ID=bug_id)
 
 
 def _commit_to_link(repo_url, commit):
diff --git a/source.yaml b/source.yaml
@@ -94,6 +94,7 @@
   bucket: debian-osv
   db_prefix: DLA-
   ignore_git: True
+  human_link: 'https://security-tracker.debian.org/tracker/'
   link: https://storage.googleapis.com/debian-osv/
   editable: False
 
@@ -119,6 +120,7 @@
   bucket: debian-osv
   db_prefix: DTSA-
   ignore_git: True
+  human_link: 'https://security-tracker.debian.org/tracker/'
   link: https://storage.googleapis.com/debian-osv/
   editable: False
 
diff --git a/source_test.yaml b/source_test.yaml
@@ -9,6 +9,7 @@
   extension: '.json'
   db_prefix: 'ALBA-'
   ignore_git: False
+  human_link: 'https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html'
   link: 'https://github.com/AlmaLinux/osv-database/blob/master/'
   editable: False
 
@@ -22,6 +23,7 @@
   extension: '.json'
   db_prefix: 'ALEA-'
   ignore_git: False
+  human_link: 'https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html'
   link: 'https://github.com/AlmaLinux/osv-database/blob/master/'
   editable: False
 
@@ -35,6 +37,7 @@
   extension: '.json'
   db_prefix: 'ALSA-'
   ignore_git: False
+  human_link: 'https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html'
   link: 'https://github.com/AlmaLinux/osv-database/blob/master/'
   editable: False
 
@@ -71,6 +74,7 @@
   extension: '.json'
   db_prefix: 'CURL-'
   ignore_git: True
+  human_link: 'https://curl.se/docs/{{ BUG_ID | replace("CURL-", "") }}.html'
   link: 'https://curl.se/docs/'
   editable: False
 
@@ -83,7 +87,7 @@
   bucket: 'osv-test-cve-osv-conversion'
   db_prefix: 'CVE-'
   ignore_git: False
-  human_link: 'https://nvd.nist.gov/vuln/detail/'
+  human_link: 'https://nvd.nist.gov/vuln/detail/{{ BUG_ID }}'
   link: 'https://storage.googleapis.com/osv-test-cve-osv-conversion/'
   editable: False
 
@@ -96,6 +100,7 @@
   bucket: 'osv-test-debian-osv'
   db_prefix: 'DLA-'
   ignore_git: True
+  human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}'
   link: 'https://storage.googleapis.com/debian-osv/'
   editable: False
 
@@ -108,7 +113,7 @@
   bucket: 'osv-test-debian-osv'
   db_prefix: 'DSA-'
   ignore_git: True
-  human_link: 'https://security-tracker.debian.org/tracker/'
+  human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}'
   link: 'https://storage.googleapis.com/debian-osv/'
   editable: False
 
@@ -121,6 +126,7 @@
   bucket: 'osv-test-debian-osv'
   db_prefix: 'DTSA-'
   ignore_git: True
+  human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}'
   link: 'https://storage.googleapis.com/debian-osv/'
   editable: False
 
@@ -133,7 +139,7 @@
   extension: '.json'
   db_prefix: 'GHSA-'
   ignore_git: True
-  human_link: 'https://github.com/advisories/'
+  human_link: 'https://github.com/advisories/{{ BUG_ID }}'
   link: 'https://github.com/github/advisory-database/blob/main/'
   editable: False
 
@@ -147,7 +153,7 @@
   bucket: 'go-vulndb'
   db_prefix: 'GO-'
   ignore_git: True
-  human_link: 'https://pkg.go.dev/vuln/'
+  human_link: 'https://pkg.go.dev/vuln/{{ BUG_ID }}'
   link: 'https://vuln.go.dev/'
   editable: False
 
@@ -236,7 +242,7 @@
   extension: '.json'
   db_prefix: 'RUSTSEC-'
   ignore_git: False
-  human_link: 'https://rustsec.org/advisories/'
+  human_link: 'https://rustsec.org/advisories/{{ BUG_ID }}'
   link: 'https://github.com/rustsec/advisory-db/blob/osv/'
   editable: False
   repo_username: 'git'
@@ -277,5 +283,4 @@
   link: 'https://github.com/cloudsecurityalliance/gsd-database/blob/main/'
   editable: False
   key_path: 'OSV'
-  repo_username: 'git'
-
+  repo_username: 'git'
