✨feat: Add Private Vulnerability Reporting probe to Security-Policy check#4929
Open
Ironankit525 wants to merge 1 commit intoossf:mainfrom
Open
✨feat: Add Private Vulnerability Reporting probe to Security-Policy check#4929Ironankit525 wants to merge 1 commit intoossf:mainfrom
Ironankit525 wants to merge 1 commit intoossf:mainfrom
Conversation
Ironankit525
requested review from
raghavkaul and
spencerschrock
and removed request for
a team
dosubot
bot
added
the
size:L
Ironankit525
changed the title
This adds a new probe 'privateVulnerabilityReportingEnabled' that checks
if GitHub's Private Vulnerability Reporting feature is enabled for a
repository.
Changes:
- Add HasPrivateVulnerabilityReportingEnabled() to RepoClient interface
- Implement GitHub client with direct API call to
/repos/{owner}/{repo}/private-vulnerability-reporting
- Add stub implementations for non-GitHub clients (GitLab, localdir,
git, Azure DevOps, OSS-Fuzz) returning ErrUnsupportedFeature
- Create privateVulnerabilityReportingEnabled probe with OutcomeTrue,
OutcomeFalse, and OutcomeNotApplicable support
- Integrate probe into Security-Policy check evaluation
- Add comprehensive tests
The probe returns:
- OutcomeTrue: PVR is enabled
- OutcomeFalse: PVR is not enabled (but available)
- OutcomeNotApplicable: PVR not available (non-GitHub repos)
Signed-off-by: Ankit <[email protected]>
Signed-off-by: Ironankit525 <[email protected]>
Ironankit525
force-pushed
the
feature/private-vulnerability-reporting-check
branch
from
81ac668 to
f24596b
Compare
|
This pull request has been marked stale because it has been open for 10 days with no activity |
Comment on lines
+40
to
+45
| // Run checks if private vulnerability reporting is enabled for the repository. | ||
| // Returns: | ||
| // - OutcomeTrue: PVR is enabled | ||
| // - OutcomeFalse: PVR is not enabled (but available for this platform) | ||
| // - OutcomeNotApplicable: PVR is not available for this platform (e.g., non-GitHub repos) | ||
| func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { |
Member
There was a problem hiding this comment.
I would imagine this requires an admin token, how does this behave on repositories you don't own?
Comment on lines
47
to
+48
| GetOrgRepoClient(context.Context) (RepoClient, error) | ||
| HasPrivateVulnerabilityReportingEnabled() (bool, error) |
Member
There was a problem hiding this comment.
I would like to avoid having a client method for every little setting. The RepoClient interface is already too large, and adding methods is technically a breaking change, so it would be nice to minimize these.
This was previously discussed in #4049, and it would be nice to settle on something before we proceed.
Comment on lines
+40
to
+42
| // Check for private vulnerability reporting status. | ||
| // This is a GitHub-specific feature; other platforms will return ErrUnsupportedFeature. | ||
| pvrEnabled, pvrErr := c.RepoClient.HasPrivateVulnerabilityReportingEnabled() |
Member
There was a problem hiding this comment.
We could also, try doing some hacky type checking here to avoid putting this in the repoclient interface for now, while figuring out #4049 .
githubClient, ok := c.RepoClient.(*githubrepo.Client)
if !ok {
//not github client
}
//can access github specific methods
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR introduces a new probe that detects whether GitHub's Private Vulnerability Reporting (PVR) feature is enabled on repositories, enhancing the Security-Policy check with visibility into GitHub's native vulnerability reporting mechanism.
Implementation Details
Core Changes
Interface Extension
HasPrivateVulnerabilityReportingEnabled()method to theRepoClientinterfaceGitHub Client Implementation
/repos/{owner}/{repo}/private-vulnerability-reportingendpointMulti-Platform Support
ErrUnsupportedFeaturefor:Probe Implementation
privateVulnerabilityReportingEnabledprobe with three outcome statesOutcome States
Change Type
Feature - New capability for detecting GitHub Private Vulnerability Reporting status
Behavioral Changes
Before
The Security-Policy check evaluated only:
After
The Security-Policy check now additionally evaluates:
Testing
Compliance Checklist
GitHub Issue
None - This is a new feature enhancement
Reviewer Notes
Important Considerations
Scoring Impact
Platform Compatibility
OutcomeNotApplicableAPI Requirements
User Impact
What Users Will See
Users running the Security-Policy check will now receive information about whether their GitHub repository has Private Vulnerability Reporting enabled. This helps teams understand their vulnerability disclosure posture and make informed decisions about security reporting mechanisms.
Example Output
Release Notes
Additional Context
Private Vulnerability Reporting is GitHub's built-in feature that allows security researchers to privately report vulnerabilities directly through the GitHub interface. This probe helps maintainers understand whether they're leveraging this native GitHub capability alongside traditional SECURITY.md files.