Support for historical/alternative package names #277
Labels: enhancement (New feature or request), schema (Describes a proposed change to the advisory document schema)
Context
Every once in a while, a distro package's name changes. One reason for this is that we create a version stream for that package, such as in this PR when we renamed `php` to `php-8.2`. Advisory documents reference packages by their name (in `.package.name`). So one problem that can arise is if a distro package Melange file changes the package name without updating the corresponding advisory document, the link is broken. In this case, no distro package can be found for the given advisory document.

A more user-visible problem with this scenario is that vulnerability scanners will no longer know to apply security data derived from our advisory document when analyzing the installed distro package. This can result in false positives and false negatives, depending on the scanner matching strategy being used.
One last consideration: it's also possible that simply updating the package name in both the Melange file and the advisory document causes a problem. Although we've updated the distro package name, the former package name has been used in published APKs and still exists "in the wild". If we update the package name in the advisory data, scans of installations of these former versions of the APK can become less accurate, since relevant data is not being leveraged by the scanner.
Proposal
We could add a new field to the advisory document schema where we can list historical/alternative names for the package described in the given advisory document.
For example, in the above PHP example, we might have an advisory document that now looks like this:
Intended benefits of this change
"php-8.2" and "php", ensuring that scanners are never in a place to miss out on this data.
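To make the matching problem concrete, here is an added example (not code from this issue, and not the project's own schema or scanner code) that indexes advisory documents by every name they claim and looks them up by the installed package name. It assumes a field named `package.alternativeNames` for the proposed historical-name list; that field name, the sample documents and the advisory id are all constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample documents in the shape the issue describes
# (.package.name plus a proposed list of historical names). The field name
# "alternativeNames" and the id "EXAMPLE-0001" are assumptions for this
# example, not identifiers from the project.
ADVISORY_BEFORE = json.loads("""
{
  "schema-version": "2.0.0",
  "package": {"name": "php-8.2"},
  "advisories": [{"id": "EXAMPLE-0001", "events": []}]
}
""")

# Same document after the proposed schema change: the old name is kept.
ADVISORY_AFTER = json.loads("""
{
  "schema-version": "2.0.0",
  "package": {"name": "php-8.2", "alternativeNames": ["php"]},
  "advisories": [{"id": "EXAMPLE-0001", "events": []}]
}
""")

# A second version stream that also descends from "php" (constructed), used
# below to show the one caveat worth checking: two documents claiming the
# same historical name.
ADVISORY_OTHER_STREAM = json.loads("""
{
  "schema-version": "2.0.0",
  "package": {"name": "php-8.1", "alternativeNames": ["php"]},
  "advisories": [{"id": "EXAMPLE-0002", "events": []}]
}
""")


def package_names(doc: dict) -> List[str]:
    """All names under which a scanner should apply this document:
    the current name first, then any historical/alternative names,
    de-duplicated in order."""
    pkg = doc["package"]
    names = [pkg["name"]] + list(pkg.get("alternativeNames", []))
    seen = set()
    return [n for n in names if not (n in seen or seen.add(n))]


def build_index(docs: List[dict]) -> Dict[str, List[dict]]:
    """Map every current or historical package name to the documents that
    claim it. This is the lookup a scanner would do against an installed
    package's name."""
    index: Dict[str, List[dict]] = {}
    for doc in docs:
        for name in package_names(doc):
            index.setdefault(name, []).append(doc)
    return index


def advisory_ids_for(index: Dict[str, List[dict]], installed_name: str) -> List[str]:
    """Advisory ids that apply to an installed package with this name.
    An empty list for a name that was once published is the false-negative
    case from the issue: the data exists but is not linked to the name."""
    return [adv["id"]
            for doc in index.get(installed_name, [])
            for adv in doc["advisories"]]


def ambiguous_names(index: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Caveat check: a historical name claimed by more than one document
    means a scanner would apply several streams' data to one installed
    package (a false-positive risk). Returns name -> current package names."""
    return {name: [d["package"]["name"] for d in docs]
            for name, docs in index.items() if len(docs) > 1}


if __name__ == "__main__":
    before = build_index([ADVISORY_BEFORE])
    print("installed 'php', no alternative names:", advisory_ids_for(before, "php"))
    after = build_index([ADVISORY_AFTER])
    print("installed 'php', with alternative names:", advisory_ids_for(after, "php"))
    both = build_index([ADVISORY_AFTER, ADVISORY_OTHER_STREAM])
    print("names claimed by more than one document:", ambiguous_names(both))
```

The `ambiguous_names` check is the part a practitioner would want alongside the new field: once several version streams can each list the same former name, something (the schema validator, or the scanner's matching strategy) has to decide whether an installed `php` APK should be matched against all of them or only one.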