Best Practices: GitHub Security Advisories; One CVE impacts multiple packaging ecosystems #273
What's the best practice for disclosing, with GitHub Security Advisories, one advisory that impacts multiple packaging ecosystems or has a common root cause? For example, assume that there's a vulnerability in some Kotlin code that is cross-compiled to both the NPM and Java ecosystems and published in both. Do you create multiple advisories with the exact contents duplicated? Do you create one "meta" advisory that both other advisories point to with links?
So this is a situation where we do not have a great answer... the current "best practice" is to file a distinct advisory/GHSA for each ecosystem. Each advisory should have the same CVE ID. We will curate the ones with ecosystems we are able to broadcast and do so. One example of this is CVE-2019-8331 on bootstrap, which you can see has a few GHSA IDs, one for each ecosystem. We do have an initiative in progress to allow us to broadcast one GHSA with many ecosystems. Once that is done, the best practice will be to simply file one GHSA with all the ecosystems/packages, and it will be broadcast as one advisory. Is this the info you need @JLLeitschuh?