
Do not leak internal database ids in the API #1001

Open
pombredanne opened this issue Nov 12, 2022 · 12 comments · May be fixed by #1781

Comments

@pombredanne
Member

In the API we have URLs such as

[
  {
    "url": "http://public.vulnerablecode.io/api/packages/168702",
    "purl": "pkg:maven/junit/junit@4.12",
    "type": "maven",
    "namespace": "junit",
    "name": "junit",
    "version": "4.12",
    "qualifiers": {},
    "subpath": "",
    "affected_by_vulnerabilities": [
      {
        "url": "http://public.vulnerablecode.io/api/vulnerabilities/1265",
        "vulnerability_id": "VCID-e1bu-4uh4-aaac",
        "summary": "",
....
@TG1999 TG1999 self-assigned this Nov 15, 2022
@TG1999 TG1999 added this to the v33.0.0 milestone Jan 13, 2023
@uzaxirr

uzaxirr commented Jan 21, 2023

Hey, I have a question.
What's the expected result you want to have?
From what I've understood, it's this:

For example, instead of:
"http://public.vulnerablecode.io/api/vulnerabilities/1265"

It could be:
"http://public.vulnerablecode.io/api/vulnerabilities/abcdefg-1234-5678-90ab-cdefghijklmn"

Please correct me if I'm wrong.

@uzaxirr

uzaxirr commented Jan 28, 2023

@TG1999 @pombredanne ^^

@Hritik14
Collaborator

Hritik14 commented Jan 29, 2023

How about VCID and purl in public URLs? This would make the URLs independent of database deletion/re-creation, if that happens. Also, multiple instances will be very explicit about which vulnerability/package they're pointing at just by looking at the URL.

EDIT: Just realized VCID is based on UUID so this might not be as good.

@pombredanne
Member Author

IMHO we should use the natural keys of each model: VCID and purl.

@suraj-mandal

As I infer from the discussion, is it okay to reference the URLs via the natural key instead of a UUID? This means that the natural key is a different entity from the primary key, right?

@TG1999 TG1999 removed this from the v33.0.0 milestone Aug 15, 2023
@Mohit-majumdar

I checked, and this problem still exists. If you are willing to work on a solution, I would like to take up the case.

@TG1999
Contributor

TG1999 commented Jan 19, 2024

@Mohit-majumdar sure, feel free to work on this issue.

@Mohit-majumdar

I have discovered the true cause of this primary key exposure, which is that the HyperlinkedModelSerializer is being used. The question at hand is: will we use the VCID field or something else in place of the PK field? @TG1999 or @Hritik14, can someone please help me with this?

@pombredanne
Member Author

@Mohit-majumdar we would want to use either a natural key (maybe VCID or package_url) or a UUID.
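The two approaches discussed above (natural key in the URL versus a bare integer primary key), as an added, stand-alone illustration that is not VulnerableCode project code and does not use its Django models or serializers. It builds `/vulnerabilities/<VCID>` and `/packages/<purl>` URLs, shows the one practical snag with purls as path segments (they contain `:`, `/` and `@`, so they must be percent-encoded as a single segment), and includes a small audit that walks an API payload and reports every `url` whose last path segment is a bare integer. The base URL and the field names come from the issue's sample; the VCID regular expression is an assumption inferred from the single `VCID-e1bu-4uh4-aaac` value shown, and the `SAMPLE` payload is constructed for the example.

```python
"""Added example, not VulnerableCode project code: emit API URLs from natural
keys (VCID, purl) and audit a payload for URLs that still end in an integer id."""
import json
import re
from urllib.parse import quote, unquote, urlsplit

BASE = "http://public.vulnerablecode.io/api"  # base URL taken from the issue's sample

# Shape of the VCID seen in the thread ("VCID-e1bu-4uh4-aaac"). The exact
# alphabet and group count is an assumption for this example.
VCID_RE = re.compile(r"^VCID-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$")
INT_SEGMENT_RE = re.compile(r"^[0-9]+$")


def vulnerability_url(vcid):
    """Public URL keyed by the VCID rather than by the database row id."""
    if not VCID_RE.match(vcid):
        raise ValueError(f"not a VCID: {vcid!r}")
    return f"{BASE}/vulnerabilities/{vcid}"


def package_url(purl):
    """Public URL keyed by the purl. A purl contains ':', '/' and '@' and may
    contain '?' and '#', so it is percent-encoded as one path segment;
    safe='' makes quote() encode '/' as well."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    return f"{BASE}/packages/{quote(purl, safe='')}"


def natural_key_from_url(url):
    """Recover the natural key (VCID or purl) from a URL built above."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(segment)


def find_integer_id_urls(payload):
    """Walk a decoded JSON payload and return every 'url' value whose last
    path segment is a bare integer, i.e. a likely leaked database id."""
    leaks = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "url" and isinstance(value, str):
                    last = urlsplit(value).path.rstrip("/").rsplit("/", 1)[-1]
                    if INT_SEGMENT_RE.match(last):
                        leaks.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(payload)
    return leaks


# Constructed sample modelled on the issue's excerpt (trimmed; not a real response).
SAMPLE = json.loads("""[{"url": "http://public.vulnerablecode.io/api/packages/168702",
 "purl": "pkg:maven/junit/junit@4.12",
 "affected_by_vulnerabilities": [{"url": "http://public.vulnerablecode.io/api/vulnerabilities/1265",
 "vulnerability_id": "VCID-e1bu-4uh4-aaac"}]}]""")


def rekey(payload):
    """Return a copy of the payload in which every url uses the object's natural key."""
    out = json.loads(json.dumps(payload))
    for pkg in out:
        pkg["url"] = package_url(pkg["purl"])
        for vuln in pkg.get("affected_by_vulnerabilities", []):
            vuln["url"] = vulnerability_url(vuln["vulnerability_id"])
    return out


if __name__ == "__main__":
    print("leaked integer ids:", find_integer_id_urls(SAMPLE))
    print(json.dumps(rekey(SAMPLE), indent=2))
    print("after rekey:", find_integer_id_urls(rekey(SAMPLE)))
```

The audit function is the useful check here: point it at any page of API output and it lists the URLs that still expose a sequential id, which is also how you would verify a fix such as the one proposed in the thread. The encoding detail matters for the purl route: without `safe=''` the `/` characters inside the purl survive and the path no longer has one segment per object.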

@saransh1307

@pombredanne @TG1999 after reviewing the source code, it seems that replacing the record IDs with UUIDs (generated using the UUID module, specifically UUID4) would be more efficient via Python scripting, rather than relying on a manual process. Would it be okay for me to start working on this issue?

@Dedsec0098

Hey, is the issue still there? I would like to work on this issue by replacing internal IDs with PURLs.

@Mukund-Menon

I've sent a PR for this. PTAL!

#1781
