Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dosc: move glossary and add some more details about vulnerabilities and advisories #1106

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

ctron
Copy link
Contributor

@ctron ctron commented Dec 17, 2024

No description provided.

@ctron ctron requested review from jcrossley3 and ritz303 December 17, 2024 15:59
@ritz303
Copy link

ritz303 commented Dec 17, 2024

@ctron : Thanks for tagging me for a review! I will try to review this before the end of the week.

docs/book/modules/concepts/pages/a_v.adoc Outdated Show resolved Hide resolved
docs/book/modules/concepts/pages/a_v.adoc Outdated Show resolved Hide resolved
xref:index.adoc#vulnerability[Vulnerabilities] are learned from ingesting advisories. During the ingestion process,
Trustify will extract and aggregate vulnerability information, grouped by their vulnerability identifier.

Advisories may contain multiple vulnerabilities and may scope the application of statements the advisories make to
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should avoid using the word "may" in technical documentation, unless you are using it to indicate permission. Consider replacing "may" with "can" or "might".

For example: Advisories might contain many vulnerabilities, and can scope the application of statements that advisories make to certain packages.

As a side note, the phrase, "... the application of statements ..." sounds like it doesn't fit when I read this sentence out loud. What do you mean by this phrase?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My intention was so say that, statements this advisory makes about certain packages (like what the score of a vulnerability is) are limited to the scope of the advisory.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, okay, that makes more sense. Thank you!

Advisories may contain multiple vulnerabilities and may scope the application of statements the advisories make to
certain packages. This means that trustify has an aggregated set of information for a vulnerability, where information
from the CVE project supersedes information from more specific advisories. And has "vulnerabilities of an advisory",
which contains the specific information provided by this advisory.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the sentences starting on line 7 ending on line 9.

trustify --> Trustify

On the first use of an acronym, we should spell it out, then you can use the acronym elsewhere in the doc.
CVE --> Common Vulnerabilities and Exposures (CVE)

I would suggest ending this sentence a little earlier.

For example: This means that Trustify has an aggregated set of information for a vulnerability.

Then start the next sentence, for example: The information from the Common Vulnerabilities and Exposures (CVE) project supersedes the information from more specific advisories.

We should avoid starting a sentence with "And ...". I'm not sure what is meant by this last sentence. Does the CVE project contain the "vulnerabilities of an advisory" information, or does this information come from somewhere else? Consider rewriting this last sentence, or remove it completely.

For example: The CVE project tracks the vulnerabilities for a specific advisory.

Putting all three of my sentence suggestions together gives us this paragraph:

Advisories can contain many vulnerabilities, and can scope the application of statements that advisories make to certain packages. The information from the Common Vulnerabilities and Exposures (CVE) project supersedes the information from more specific advisories. The CVE project tracks the vulnerabilities for a specific advisory.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tried to rephrase the last sentence:


Trustify also has "vulnerabilities belonging to an advisory", which contain specific vulnerability information,
provided by that advisory.

docs/book/modules/concepts/pages/index.adoc Outdated Show resolved Hide resolved
docs/book/modules/concepts/pages/index.adoc Outdated Show resolved Hide resolved
docs/book/modules/concepts/pages/index.adoc Outdated Show resolved Hide resolved
docs/book/modules/concepts/pages/index.adoc Outdated Show resolved Hide resolved
Given `log4j-1.2.3.jar`, seventeen different people could compile the same source with the same arguments, and still end
up with 17 distinct Java jars (due to non-reproducible builds).
Each is an artifact of the *same* package.
Each may (will probably) have its own SHA-256 related to it.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drop the phrase "will propably" from the sentence.

For example: Each can have its own SHA-256 related to it.

Copy link
Contributor Author

@ctron ctron Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the idea was to state not only the possibility that it can, but also that, most likely, it actually will have.

Changed that into: Each might, and most likely will, have its own SHA-256 related to it.

docs/book/modules/concepts/pages/index.adoc Outdated Show resolved Hide resolved
@ctron ctron force-pushed the feature/move_glossary_1 branch 2 times, most recently from 31fd614 to 4de809b Compare December 20, 2024 08:45
@ctron
Copy link
Contributor Author

ctron commented Dec 20, 2024

@ritz303 thanks for the review, learned a few more things :) I pushed some changes, I hope I covered all of it.

@ctron ctron enabled auto-merge December 20, 2024 08:45
@ctron
Copy link
Contributor Author

ctron commented Dec 20, 2024

I marked it "merge when ready", so if you're ok with it, give a +1 and it should merge, even when I'm already in 🎄 mode 😉

@ritz303
Copy link

ritz303 commented Dec 20, 2024

@ctron : I just found one more minor nit-pick, regarding capitalization, but overall this doc looks much better. Thank you for making these updates.

@ctron ctron force-pushed the feature/move_glossary_1 branch from 4de809b to a0be4b3 Compare December 20, 2024 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants