When investigating a vulnerability reported by safety.check() I found the entry in insecure_full.json and noticed that the cve field refers to PVE-2021-42497. Searching online doesn't show up anything except a CVE with the same number, which is reserved and presumably unrelated (?): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42497
Searching more generally I haven't managed to find anything about "PVE", so I began to wonder if this was something invented by the safety project itself?
Then I realised that the final part of the "PVE" matched the "id", which looks pyup.io-specific:
"cve": "PVE-2021-42497",
"id": "pyup.io-42497",
So is it correct that these PVEs don't actually reference anything external?
I think it could be helpful to document what a PVE actually is (and what the allocation process is, whether there is more info elsewhere, etc.), possibly in the README on this repository, to make this clearer to newcomers.
If this should be done over on https://github.com/pyupio/safety/ instead (or as well) then by all means transfer this issue there.
Many thanks.
Hi @sparrowt, thanks for bringing this up. PVE is the name for our own vulnerabilities found by PyUp (without a CVE assigned); these vulnerabilities are assessed using CVSSv3 by the PyUp team (available for paid plans).
There are multiple improvements to Safety/Safety data coming in the next weeks, and these things will be explained and well documented.
> so is it correct that these PVEs don't actually reference anything external?
Nothing external; these are the vulnerabilities found by the PyUp team.
> I think it could be helpful to document what a PVE actually is (and what the allocation process is, whether there is more info elsewhere, etc.), possibly in the README on this repository, to make this clearer to newcomers.
Agreed! Actually, we are improving our documentation; this will be included for sure!
I'll leave this issue open and close it when the documentation is updated.