Support direct linking by alias

[andrewpollock]

[redacted] linking to https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q for Log4Shell.

I wish it was possible to link to https://osv.dev/vulnerability/CVE-2021-44228

[oliverchang]

I wonder what the behaviour should be if there are multiple that link to the same alias.

[oliverchang]

I wonder what the behaviour should be if there are multiple that link to the same alias.

Oh, maybe we can redirect to the list page instead with the filter set to the alias in that case.

[andrewpollock]

I see in the case of https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q, it has three aliases, two of which link to other entries that cite each other. It's basically the (current) lack of an entry for the CVE that makes this not work.

I'm thinking we'd call this "done" once we're successfully importing the CVE record from the NVD?

[andrewpollock]

I'm thinking we'd call this "done" once we're successfully importing the CVE record from the NVD?

Are there other data sources than CVE that can get referenced as an alias without currently being imported?

[oliverchang]

I see in the case of https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q, it has three aliases, two of which link to other entries that cite each other. It's basically the (current) lack of an entry for the CVE that makes this not work.

I'm thinking we'd call this "done" once we're successfully importing the CVE record from the NVD?

Yes, that's one approach, but it does introduce questions around duplicates even if we can link them via aliases.

Are there other data sources than CVE that can get referenced as an alias without currently being imported?

Yes, there is no requirement that anything in aliases are OSV formatted. There are going to be things like SNYK-, RHSA- in there.

[zahraaalizadeh]

Is this issue still applicable or a matter of concern? @oliverchang

[another-rex]

I believe we do still want this, though the need for it is greatly reduced now that we are importing git CVE entries directly. E.g. The example given by Andrew is no longer an issue, since it now links to the GIT entry.

[andrewpollock]

This is essentially search-by-alias functionality, when the aliased record doesn't actually exist in OSV.dev.

e.g. when https://osv.dev/GHSA-9p26-698r-w4hx aliases CVE-2024-23650 and CVE-2024-23650 doesn't exist in OSV.dev.

Trying to go to https://OSV.dev/CVE-2024-23650 results in a 404.

There's an opportunity to search the AliasGroup in Data Store, determine that GHSA-9p26-698r-w4hx and GO-2024-2492 are existant aliases for this and present an interstitial page (or search results) that links to these instead of serving a 404.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks