
feat[docs]: bugs by version #4284

Open, wants to merge 2 commits into master
Conversation

trocher (Contributor)

@trocher trocher commented Oct 10, 2024

What I did

Created a file bugs.json containing, for all security advisories:

  • the GHSA ID
  • a meaningful name
  • a short summary
  • a link to the advisory
  • the version where the issue was introduced
  • the version where the issue was first fixed
  • the severity

Using a simple script, this bugs.json file can then be used to generate the file bugs_by_version.json, which lists all bugs affecting a given version.

Anything earlier than 0.2.0 was grouped under 0.1.0-beta.

How I did it

The GH API was not helpful unfortunately; bugs.json was created manually and should be kept up to date over time as new security advisories are published.
EDIT: there is a GH API that can be used, as detailed below in the messages; it should be possible to craft a small script to generate bugs.json.

bugs_by_version.json can be easily regenerated each time bugs.json is updated.

How to verify it

Checking the json files.

Commit message

feat[docs]: add bugs per versions list

Description for the changelog

added bugs per versions list

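One way to derive bugs_by_version.json from a bugs.json of the shape described above. This is an added example, not the PR's own script: the field names, the three advisory records, the release list and the "hyphen means pre-release" version convention are all constructed assumptions. It also applies the pre-0.2.0 grouping rule and rejects an entry whose fix version is not newer than its introduction, which is the kind of data-entry error a manually maintained list can accumulate.

```python
import json

# Constructed sample in the field layout the PR description lists; the GHSA
# ids, versions and links are placeholders, not real Vyper advisories.
BUGS_JSON = """[
 {"ghsa_id": "GHSA-0000-0000-0001", "name": "example-a", "summary": "sample A",
  "link": "https://example.invalid/GHSA-0000-0000-0001",
  "introduced": "0.1.2", "fixed": "0.3.1", "severity": "high"},
 {"ghsa_id": "GHSA-0000-0000-0002", "name": "example-b", "summary": "sample B",
  "link": "https://example.invalid/GHSA-0000-0000-0002",
  "introduced": "0.3.0", "fixed": null, "severity": "medium"},
 {"ghsa_id": "GHSA-0000-0000-0003", "name": "example-c", "summary": "sample C",
  "link": "https://example.invalid/GHSA-0000-0000-0003",
  "introduced": "0.2.0", "fixed": "0.3.0", "severity": "low"}
]"""
RELEASES = ["0.1.0-beta", "0.2.0", "0.3.0", "0.3.1", "0.4.0"]  # constructed list
GROUP_BELOW, GROUP_AS = "0.2.0", "0.1.0-beta"  # PR rule: pre-0.2.0 -> 0.1.0-beta


def parse_version(v):
    """'X.Y.Z[-tag]' -> sortable tuple; a tagged pre-release sorts before X.Y.Z."""
    core, _, tag = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums, 0, tag) if tag else (nums, 1, "")


def load_bugs(text):
    """Parse bugs.json, apply the pre-0.2.0 grouping and reject entries whose
    fix is not strictly newer than the introduction (a data-entry error)."""
    bugs = json.loads(text)
    for b in bugs:
        if parse_version(b["introduced"]) < parse_version(GROUP_BELOW):
            b["introduced"] = GROUP_AS
        if b["fixed"] is not None and parse_version(b["fixed"]) <= parse_version(b["introduced"]):
            raise ValueError(f"{b['ghsa_id']}: fixed {b['fixed']} not after introduced {b['introduced']}")
    return bugs


def is_affected(bug, version):
    """A release is affected iff introduced <= version < fixed (null fixed = still open)."""
    v = parse_version(version)
    if v < parse_version(bug["introduced"]):
        return False
    return bug["fixed"] is None or v < parse_version(bug["fixed"])


def bugs_by_version(bugs, releases):
    """Release -> sorted GHSA ids affecting it; the shape of bugs_by_version.json."""
    return {r: sorted(b["ghsa_id"] for b in bugs if is_affected(b, r))
            for r in sorted(releases, key=parse_version)}


if __name__ == "__main__":
    print(json.dumps(bugs_by_version(load_bugs(BUGS_JSON), RELEASES), indent=2))
```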

@trocher trocher changed the title Docs/bugs by version feat[docs]: bugs by version Oct 10, 2024
@pcaversaccio pcaversaccio left a comment


That's very cool and super useful to have!

@cyberthirst
Collaborator

thank you, looks great :)

would be great to automate this so we don't have to update with each released advisory. There seems to be an API for the advisories to fetch them in json (https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28)

then we'd have a similar script to yours which would parse by version. it would have to be unprivileged to avoid the risk of leaking some unreleased advisory

oh i just skimmed the PR description. i see you tried to use the API - can you please add what's the problem with it?

@trocher
Contributor Author

trocher commented Oct 10, 2024

> thank you, looks great :)
> would be great to automate this so we don't have to update with each released advisory. There seems to be an API for the advisories to fetch them in json (https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28)
> then we'd have a similar script to yours which would parse by version. it would have to be unprivileged to avoid the risk of leaking some unreleased advisory
>
> oh i just skimmed the PR description. i see you tried to use the API - can you please add what's the problem with it?

Yeah, I was using the wrong API. This looks great and should do the job. The only missing thing would be filling the name and summary fields, which had to be done manually given that advisories have no short, consistent name. And summaries are sometimes missing or not really good.

@cyberthirst
Collaborator

> Yeah, I was using the wrong API. This looks great and should do the job. The only missing thing would be filling the name and summary fields, which had to be done manually given that advisories have no short, consistent name. And summaries are sometimes missing or not really good.

yeah, understand. agree that the name and summary would be great - although in the end, we want the user to read the full advisory to understand the full consequences

My worry about doing this manually is that we'll forget to update the list one day, and someone else will rely on it to contain up-to-date information.

@charles-cooper
Member

yea, would be good to have a script instead of manually updating this. in fact, bugs_by_version.json looks like a processed form of bugs.json?
