How should OSV.dev consumers of Haskell Security Advisory DB records provide feedback on them?

[andrewpollock]

We're seeking to shorten the feedback loop by directly connecting OSV.dev downstream consumers of Haskell vulnerabilities with the Haskell Security Advisory DB for any corrective feedback on individual records.

Could you clearly define a feedback channel (file an issue, create a PR) for downstream users to follow to be able to correct a problem with an OSV record published in the Haskell Security Advisory DB?

See google/osv.dev#2191 for more context.

[mihaimaruseac]

I think an issue in this repo should work, or directly to the mailing list, but let's first discuss this within the Haskell SRT team meeting.

[andrewpollock]

If you do go down the GitHub issue route, using a template would provide the best UX in my opinion

[m15k]

Fraser can you assign this one to me

[blackheaven]

Hello @andrewpollock,

Sorry for the delay.

We will use either GitHub issues, or the mailing list for vulnerability reporting.

They are visible at https://haskell.github.io/security-advisories/

At some point, it was mentioned that our osv export should include a human_link attribute, but it is not present in the spec (https://ossf.github.io/osv-schema/), is it expected?

Should we set it elsewhere?

Thanks in advance for your help.

[blackheaven]

Handled in #291

• Add [..] model.affected.database_specific.{osv,human_link} in OSV exports