Description
I've been struggling to use the nixpkgs issues page since the introduction of nixpkgs-security-tracker. This is mainly due to the onslaught of issues posted at the exact same time, often for the same version of a package. As an example:

I think the issues are a great tool to make nixpkgs maintainers aware of CVEs for their packages. But duplicate issues for the same version of a package don't really serve anything.
My question is - could we group these into one issue? If the bot has access to metadata about the CVE, it could do a lookup if an open issue already exists for that version, and if so, add a comment for the additional CVEs. I brought this up on Matrix, and other nixpkgs contributors approved of the idea.
I'm not aware of how much metadata we have on each CVE, so there's a chance the proposal as described here wouldn't be possible. But even if that's true, we could still mitigate the issue by "grouping" CVEs posted at the same time. If we spin up the tracker once a day and it finds ten CVEs for discourse, it can just create one issue rather than ten. Sure, a CVE from the next day wouldn't be grouped in, but it creates a much better experience with minimal metadata requirements.
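To illustrate the grouping logic proposed above, here is an added sketch (not code from nixpkgs-security-tracker) of how a bot could batch the advisories of one run per package version and either comment on an existing open issue or open a single new one. The `Advisory`/`OpenIssue` records and the CVE identifiers are constructed placeholders, and it assumes the tracker can report the affected package and version for each CVE.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    package: str
    version: str  # affected package version, assumed to be available as metadata


@dataclass
class OpenIssue:
    number: int
    package: str
    version: str
    cves: set = field(default_factory=set)  # CVEs already mentioned in the issue


def plan_actions(advisories, open_issues):
    """Group advisories by (package, version). For each group, return
    ("comment", issue_number, [new cves]) when an open issue already covers
    that version, otherwise ("create", package, version, [cves]) for one
    combined issue instead of one issue per CVE."""
    by_key = defaultdict(list)
    for adv in advisories:
        by_key[(adv.package, adv.version)].append(adv.cve_id)
    existing = {(i.package, i.version): i for i in open_issues}
    actions = []
    for (package, version), cves in by_key.items():
        cves = sorted(set(cves))  # drop advisories reported twice in one run
        issue = existing.get((package, version))
        if issue is None:
            actions.append(("create", package, version, cves))
        else:
            new = [c for c in cves if c not in issue.cves]
            if new:  # only comment when the issue does not already list them
                actions.append(("comment", issue.number, new))
    return actions


# Constructed sample input: three CVEs for one discourse version in a single
# run, and two for curl, one of which is already tracked in an open issue.
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "discourse", "3.1.0"),
    Advisory("CVE-0000-0002", "discourse", "3.1.0"),
    Advisory("CVE-0000-0003", "discourse", "3.1.0"),
    Advisory("CVE-0000-0010", "curl", "8.4.0"),
    Advisory("CVE-0000-0011", "curl", "8.4.0"),
]
SAMPLE_OPEN_ISSUES = [OpenIssue(1234, "curl", "8.4.0", {"CVE-0000-0010"})]

if __name__ == "__main__":
    for action in plan_actions(SAMPLE_ADVISORIES, SAMPLE_OPEN_ISSUES):
        print(action)
```

Running the sample yields one `create` action for discourse 3.1.0 carrying all three CVEs and one `comment` action on issue 1234 with only the CVE it does not yet list.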