Closed
- Any change made to any package or vulnerability should be logged and shown in the UI as an activity on that entity.
- Add a log for each vulnerability with the data and advisory it has been formed from; see also: Ingest npm data through github api #1025 and #1027 (comment).
A log should have:
- action date
- actor (importer/improver)
- object (package/vulnerability)
- supporting data (how object and actor are associated, source of the log for example: URL of the advisory)
- vulnerablecode version (the version of vulnerablecode that was used at that time)
In VCIO we currently have these kinds of situations that we want to log:
- Importing an advisory into VCIO: for every vulnerability, we need to log when the advisory was actually published upstream, and by which data source we imported that advisory into VCIO, with the source URL.
- Package-vulnerability relationship logs: if a package is affected by or fixes a vulnerability, we should log it on the package side and the vulnerability side with the date when this inference was drawn.
See related issues:
- Implement structured logging #590
- Enhancement: Make dates more visible and usable in VCIO #924
- Report newly added CVEs/vulnerabilities #536
Reported by @pombredanne
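To make the log structure above concrete, here is an added example (not VulnerableCode's own code) of an append-only change log carrying the five fields listed in the issue, with one helper for each of the two situations described: an advisory import, and a package-vulnerability affected-by/fixing inference logged on both sides. The class and function names, the `VULNERABLECODE_VERSION` string, and the sample identifiers and URL in `demo()` are assumptions made for illustration; it also rejects naive (timezone-less) dates so that log dates stay comparable across importers.

```python
# Added example, not VulnerableCode's own code. Names, sample identifiers,
# URL and the version string are assumptions made for illustration.
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Assumed placeholder: a real implementation would read the installed version.
VULNERABLECODE_VERSION = "example-version"

OBJECT_TYPES = {"package", "vulnerability"}
RELATIONSHIPS = {"affected_by", "fixing"}


def isoformat_utc(when: datetime) -> str:
    """Serialize a timezone-aware datetime as ISO 8601 in UTC.

    Naive datetimes are rejected: a log date without a timezone cannot be
    compared reliably with dates recorded by other importers.
    """
    if when.tzinfo is None:
        raise ValueError("log dates must be timezone-aware")
    return when.astimezone(timezone.utc).isoformat()


@dataclass(frozen=True)
class LogEntry:
    action_date: str        # when VCIO performed the action (ISO 8601, UTC)
    actor: str              # importer or improver that made the change
    object_type: str        # "package" or "vulnerability"
    object_id: str          # purl or vulnerability identifier
    action: str             # "import_advisory", "affected_by" or "fixing"
    supporting_data: dict   # how actor and object are associated (source URL, ...)
    vulnerablecode_version: str = VULNERABLECODE_VERSION

    def __post_init__(self):
        if self.object_type not in OBJECT_TYPES:
            raise ValueError(f"unknown object type: {self.object_type}")


class ChangeLog:
    """Append-only activity log, queried per (object_type, object_id)."""

    def __init__(self):
        self._entries = []

    def _record(self, **fields) -> LogEntry:
        entry = LogEntry(**fields)
        self._entries.append(entry)
        return entry

    def log_advisory_import(self, vulnerability_id, importer, source_url,
                            published_upstream, imported_at):
        """Situation 1: record the upstream publication date and the data
        source (importer and URL) through which the advisory was imported."""
        return self._record(
            action_date=isoformat_utc(imported_at),
            actor=importer,
            object_type="vulnerability",
            object_id=vulnerability_id,
            action="import_advisory",
            supporting_data={
                "source_url": source_url,
                "published_upstream": isoformat_utc(published_upstream),
            },
        )

    def log_package_vulnerability(self, purl, vulnerability_id, relationship,
                                  actor, inferred_at):
        """Situation 2: an affected-by/fixing inference, written to both the
        package side and the vulnerability side with the inference date."""
        if relationship not in RELATIONSHIPS:
            raise ValueError(f"unknown relationship: {relationship}")
        when = isoformat_utc(inferred_at)
        package_entry = self._record(
            action_date=when, actor=actor, object_type="package", object_id=purl,
            action=relationship, supporting_data={"vulnerability": vulnerability_id},
        )
        vulnerability_entry = self._record(
            action_date=when, actor=actor, object_type="vulnerability",
            object_id=vulnerability_id, action=relationship,
            supporting_data={"package": purl},
        )
        return package_entry, vulnerability_entry

    def activity_for(self, object_type, object_id):
        """Activity feed for one entity, oldest first, as a UI would show it."""
        matching = [e for e in self._entries
                    if e.object_type == object_type and e.object_id == object_id]
        return sorted(matching, key=lambda e: e.action_date)

    def to_json(self) -> str:
        return json.dumps([asdict(e) for e in self._entries], indent=2)


def demo() -> ChangeLog:
    """Constructed sample data: the identifiers and URL are made up."""
    log = ChangeLog()
    log.log_advisory_import(
        vulnerability_id="VCID-EXAMPLE", importer="github_importer",
        source_url="https://example.invalid/advisories/1",
        published_upstream=datetime(2021, 1, 5, 12, 0, tzinfo=timezone.utc),
        imported_at=datetime(2021, 2, 1, 9, 30, tzinfo=timezone.utc),
    )
    log.log_package_vulnerability(
        purl="pkg:npm/example@1.0.0", vulnerability_id="VCID-EXAMPLE",
        relationship="affected_by", actor="github_importer",
        inferred_at=datetime(2021, 2, 1, 9, 31, tzinfo=timezone.utc),
    )
    return log


if __name__ == "__main__":
    print(demo().to_json())
```

Running the module prints the full log as JSON; `activity_for("vulnerability", "VCID-EXAMPLE")` returns the advisory import followed by the affected-by inference, and `activity_for("package", "pkg:npm/example@1.0.0")` returns only the package-side copy of that inference.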