
Issues with monorepo CVE reporting

Open · logan-markewich opened this issue 7 months ago · 1 comment

Hey all!

Recently we've noticed that our Python monorepo llama-index was flagged with a CVE (and there are likely more incoming in the future from huntr.com). While this is fine, GHSA seems to be incorrectly flagging our entire llama-index package for CVEs on completely different packages. This creates a lot of false noise for our users.

While I can open a PR to change this, like this recently edited advisory I contributed here, it would be exhausting to keep up with this.

Is there a way that GHSA can better flag packages in our monorepo? Or will I have to change each one manually when they open?

Any help would be appreciated!

logan-markewich · Apr 04 '25 16:04

Hi @logan-markewich, there are a couple of things that you and I can do:

On my side:

  • I let my colleagues know to keep an eye out for monorepos in pip, as monorepos in that ecosystem are uncommon and it doesn't hurt to have a reminder.
  • I'm going to go through https://github.com/advisories?query=llama_index and see if there are any other advisories connected to https://github.com/run-llama/llama_index that need to have the affected package changed to better match the evidence in the advisory.

On your side:

  • You're welcome to create repository GitHub Security Advisories for issues that affect packages in https://github.com/run-llama/llama_index and put whatever package name you want in the Package field.
  • If you make a repository GitHub Security Advisory, you can either add a corresponding CVE from any CVE Numbering Authority (such as Huntr) to the CVE ID field or request a CVE from GitHub.

Is there anything else that you're already doing to improve communication about specific pip packages in https://github.com/run-llama/llama_index, in addition to the community contribution you've already made?

shelbyc · Apr 04 '25 19:04
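To make the "false noise" in the issue concrete, here is an added example (not code from the advisory database or the llama_index project) that matches a minimal OSV-style advisory record, the format GHSA advisories are published in, against two constructed user environments. The advisory id, the sub-package name `llama-index-readers-example`, the versions, and the simplified numeric version comparison are all assumptions for illustration; only the affected package name differs between the mis-scoped and correctly scoped records.

```python
import re

# Constructed sample install states, not real environments.
USER_WITH_READER = {"llama-index": "0.10.50", "llama-index-core": "0.10.50",
                    "llama-index-readers-example": "0.1.8"}
USER_WITHOUT_READER = {"llama-index": "0.10.50", "llama-index-core": "0.10.50"}


def make_advisory(package_name: str, fixed: str) -> dict:
    """Minimal OSV-style record (placeholder id); only package name and fix version vary."""
    return {"id": "GHSA-PLACEHOLDER", "affected": [{
        "package": {"ecosystem": "PyPI", "name": package_name},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": fixed}]}]}]}


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'llama_index' and 'llama-index' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    # Simplified numeric comparison; real scanners apply PEP 440 semantics.
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, rng: dict) -> bool:
    """True when version >= introduced and below every 'fixed' event in the range."""
    v = parse_version(version)
    introduced = next(parse_version(e["introduced"]) for e in rng["events"] if "introduced" in e)
    fixed = [parse_version(e["fixed"]) for e in rng["events"] if "fixed" in e]
    return v >= introduced and not any(v >= f for f in fixed)


def flagged(advisory: dict, installed: dict) -> list:
    """Names of installed packages this advisory would flag."""
    hits = []
    for aff in advisory["affected"]:
        if aff["package"]["ecosystem"] != "PyPI":
            continue
        target = normalize(aff["package"]["name"])
        for name, version in installed.items():
            if normalize(name) == target and any(is_affected(version, r) for r in aff["ranges"]):
                hits.append(name)
    return hits


def compare_scoping() -> dict:
    wide = make_advisory("llama-index", fixed="0.11.0")                   # blames the whole monorepo
    narrow = make_advisory("llama-index-readers-example", fixed="0.2.3")  # the sub-package that changed
    return {"wide/with_reader": flagged(wide, USER_WITH_READER),
            "wide/without_reader": flagged(wide, USER_WITHOUT_READER),
            "narrow/with_reader": flagged(narrow, USER_WITH_READER),
            "narrow/without_reader": flagged(narrow, USER_WITHOUT_READER)}
```

The mis-scoped record flags every user of the llama-index distribution, including one who never installed the reader; the correctly scoped record flags only the environment that actually contains the affected sub-package.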