We need to create a vulnerability API for Aurora Editor's backend that detects whether the dependencies of a user's project have any known vulnerabilities.
There is already a standard (the OpenSSF OSV format) for how this data should be structured when it is returned from the backend. The approach of this schema is to define only the fields that absolutely must be shared between databases, leaving customizations to the “ecosystem_specific” and “database_specific” blocks.
By creating this API we can integrate the vulnerability check into Aurora Editor. Every time the user builds their project we will check in the background for possible vulnerabilities and, if any are found, show a notification in the editor.
Based on the severity of the vulnerability we can either allow the user to build and run their project, or block the user from running their project until the vulnerability issues have been resolved.
Below is a detailed explanation of how we will handle user projects when vulnerabilities are detected.
Vulnerability Severity Notification and restrictions:
High: If the vulnerability level is high we will block all actions that allow the user to build or run their project.
Medium: When the user runs their project we will show an alert notifying them that there is a vulnerability in their project and that action should be taken. Other than that, they are allowed to run their project without issues.
Low: If a vulnerability is considered low risk the user can run their project without issues, but we will send a silent notification letting them know of the vulnerabilities in their project.
Will I be able to disable this feature?
By default the vulnerability system will be enabled, for the safety of you and any projects you work on with Aurora Editor. But you will be allowed to disable the vulnerability system at any time if you so choose.
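As an added example (not Aurora Editor's own code, and written in Python only because the backend language is not fixed here), this applies the High/Medium/Low policy above to OSV-format records: each manifest dependency is matched against the advisories' `affected` entries, the severity label is read from `database_specific`, and everything is reduced to the single most restrictive editor action. The manifest, the advisory ids and the records are constructed.

```python
ACTIONS = ["none", "silent_notify", "alert", "block"]  # least to most restrictive
POLICY = {"LOW": "silent_notify", "MEDIUM": "alert", "HIGH": "block"}  # the levels above

def vkey(v):  # dotted numeric versions only (assumption: enough for the samples here)
    return tuple(int(p) for p in v.split("-")[0].split("."))

def in_range(version, rng):
    """OSV SEMVER range: affected from `introduced` up to, but not including, `fixed`.
    Assumption: only SEMVER ranges are evaluated; ECOSYSTEM and GIT ranges never match."""
    hit = False
    for ev in rng.get("events", []) if rng.get("type") == "SEMVER" else []:  # sorted per OSV
        if "introduced" in ev:
            hit = vkey(version) >= vkey(ev["introduced"])
        elif "fixed" in ev and vkey(version) >= vkey(ev["fixed"]):
            hit = False
    return hit

def covers(a, dep):
    """One OSV `affected` entry: same package, and the version is listed or in a range."""
    pkg = a.get("package", {})
    return ((pkg.get("ecosystem"), pkg.get("name")) == (dep["ecosystem"], dep["name"])
            and (dep["version"] in a.get("versions", [])
                 or any(in_range(dep["version"], r) for r in a.get("ranges", []))))

def severity_of(adv):
    """OSV's core `severity` field holds CVSS vectors; the plain label sits in `database_specific`.
    Missing or unknown labels fail closed to HIGH (our assumption, not an OSV rule)."""
    label = str((adv.get("database_specific") or {}).get("severity", "")).upper()
    label = {"MODERATE": "MEDIUM", "CRITICAL": "HIGH"}.get(label, label)
    return label if label in POLICY else "HIGH"

def decide(deps, advisories):
    """Most restrictive action over all matches, plus (dep, id, level) per match for the notice."""
    action, findings = "none", []
    for dep in deps:
        for adv in advisories:
            if any(covers(a, dep) for a in adv.get("affected", [])):
                level = severity_of(adv)
                findings.append((dep["name"], adv["id"], level))
                action = max(action, POLICY[level], key=ACTIONS.index)
    return action, findings

# Constructed input: two manifest dependencies and two OSV-shaped records with placeholder ids.
DEPS = [{"ecosystem": "npm", "name": "left-pad-ish", "version": "1.2.0"},
        {"ecosystem": "npm", "name": "tiny-log", "version": "3.0.1"}]
ADVISORIES = [
 {"id": "EXAMPLE-0001", "database_specific": {"severity": "MODERATE"}, "affected": [{"package":
   {"ecosystem": "npm", "name": "left-pad-ish"}, "ranges": [{"type": "SEMVER", "events":
   [{"introduced": "1.0.0"}, {"fixed": "1.3.0"}]}]}]},
 {"id": "EXAMPLE-0002", "database_specific": {"severity": "LOW"}, "affected": [{"package":
   {"ecosystem": "npm", "name": "tiny-log"}, "versions": ["3.0.0", "3.0.1"]}]}]
```

Running `decide(DEPS, ADVISORIES)` yields the `alert` action with both findings, since the MEDIUM hit on `left-pad-ish` outranks the LOW hit on `tiny-log`.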
This discussion was converted from issue #410 on June 27, 2024 12:00.