Improvement request: specify version ranges when reporting Security Alerts and Broken Version Notices

#1

When reporting a Security Alert or Broken Version Notice, you have to enter the affected versions by clicking the checkbox for every affected version. This is tedious, given that a vulnerability will often affect many (all, in some cases) previous versions.

It would be nice to have some way to enter a version range (e.g. “>0.9.0,<1.2.3”).

3 Likes
#2

Thank you, this is great feedback! Is there anything else you (or anyone else) feel might improve this task? I’ve shared this request with the team and we’ll post any follow-up questions and keep you posted on progress here.

#3

One other thing I can think of would be to improve the display of security notices on the right-hand side of the page. Currently it lists every version with the description duplicated across all of them. With many affected versions, this view is unwieldy. Ideally there would be just one item per security notice, with the affected version range displayed.

1 Like
#4

Perfect, thank you. I’ll add this to the request.

#5

Hi, @sloria. You are now able to filter and select affected versions using semver selectors (the same ones that the semver module supports), and if you’re using release streams, you can filter out streams marked as deprecated.

Let us know if this change improves the workflow for you! We’re also looking into how to improve rollups of security notices/broken versions as well.

2 Likes
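As an added illustration of what a range selector like the one requested in the first post buys you (this is example code written for this page, not code from the thread or from the platform being discussed), the block below takes a constructed release list for a hypothetical package and returns the versions an advisory covers. It implements the comparator syntax the node `semver` module accepts (`>`, `>=`, `<`, `<=`, `=`, whitespace or comma for AND, `||` for OR) in plain JavaScript rather than importing the module, and mirrors that module's rule that a pre-release only matches a range when a comparator explicitly names a pre-release on the same major.minor.patch, which is the edge case most likely to surprise someone ticking boxes by hand.

```javascript
// Added example: select the releases affected by a security notice from a
// semver-style range. Self-contained; does not depend on the npm `semver` module.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(+a - +b);
  if (an) return -1; // numeric identifiers sort before alphanumeric ones
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // a version with a pre-release tag sorts below the same release without one
  if (a.pre.length && !b.pre.length) return -1;
  if (!a.pre.length && b.pre.length) return 1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// "||" separates alternatives; whitespace or a comma (as written in the first post) ANDs comparators
function parseRange(range) {
  return range.split('||').map(alt =>
    alt.trim().split(/[\s,]+/).filter(Boolean).map(tok => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(tok);
      return { op: m[1] || '=', version: parseVersion(m[2]) };
    })
  );
}

const OPS = {
  '>':  c => c > 0,
  '>=': c => c >= 0,
  '<':  c => c < 0,
  '<=': c => c <= 0,
  '=':  c => c === 0,
};

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).some(alt => {
    const ok = alt.every(({ op, version: cv }) => OPS[op](compareVersions(v, cv)));
    if (!ok) return false;
    // Mirror the semver module's rule: a pre-release only matches if some comparator
    // in this alternative names a pre-release on the same major.minor.patch.
    if (v.pre.length) {
      return alt.some(({ version: cv }) =>
        cv.pre.length && cv.major === v.major && cv.minor === v.minor && cv.patch === v.patch);
    }
    return true;
  });
}

function affectedVersions(released, range) {
  return released.filter(r => satisfies(r, range));
}

// Constructed release list for a hypothetical package (not a real project's history)
const RELEASES = ['0.8.0', '0.9.0', '0.9.1', '1.0.0-rc.1', '1.0.0', '1.1.0', '1.2.2', '1.2.3', '2.0.0'];

console.log(affectedVersions(RELEASES, '>0.9.0 <1.2.3'));
// → ['0.9.1', '1.0.0', '1.1.0', '1.2.2']   (1.0.0-rc.1 excluded: no pre-release comparator)
console.log(affectedVersions(RELEASES, '>=1.0.0-rc.1 <1.2.3'));
// → ['1.0.0-rc.1', '1.0.0', '1.1.0', '1.2.2']
```

The two calls at the bottom show the point that matters when filing an advisory: `>0.9.0 <1.2.3` silently leaves out `1.0.0-rc.1`, so a range that is meant to cover pre-releases has to name one explicitly (`>=1.0.0-rc.1 …`). A reviewer checking a submitted range should compare the selected set against the full release list rather than trust the range text alone.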