From: Leo Famulari
Subject: Re: Dealing with CVEs that apply to unspecified package versions
Date: Fri, 10 Mar 2017 23:05:34 -0500
Message-ID: <20170311040534.GA31017@jasmine>
In-Reply-To: <877f4284un.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel

On Mon, Mar 06, 2017 at 10:36:48PM +0100, Ludovic Courtès wrote:
> Unfortunately, there’s no way to know whether such CVEs are actually
> fixed at a specific package version or not, and they’re not uncommon.
> Consequently, ‘guix lint -c cve’ would now report old CVEs that possibly
> no longer apply to our package versions.

I didn't notice any change in what the CVE checker reports after
applying the diff. Did I miss a step?

> In the patch, I added the ability to specify a ‘patched-vulnerabilities’
> property to work around that (with Coreutils as an example). The
> downside is that we’d have to maintain these lists by ourselves, which
> is not great, but might still be better than the status quo.

Overall, I think it's better for the CVE checker to omit some CVEs than
to show a large number of false positives. Otherwise people may not pay
attention to it at all.

And the CVE checker will never be authoritative; Guix developers have to
look for security advisories from a wide variety of sources.

I wonder if we could maintain the set of 'patched-vulnerabilities' fields
satisfactorily.

Changing the subject, this implementation of 'patched-vulnerabilities'
doesn't preserve the valuable information of how we know the
vulnerability was fixed (patch? update? only applicable to non-GNU
platforms? et cetera).

If we were to start collecting and curating this information, we should
try to preserve it and make it useful to the other distros. In that case,
we could instead update the CVE database through MITRE's new CVE form,
which recently became the only way to get new CVEs from MITRE:

https://cveform.mitre.org

I think the goal is to reduce the friction of requesting and amending
CVEs. Let's try it :)
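The checker behaviour discussed in this thread, as an added Python sketch that is not Guix's own lint code: a CVE entry with no version information gets reported against every package version (the false-positive source), and a curated patched-vulnerabilities list suppresses it. Unlike the plain list, the sketch keeps a note of why each suppressed CVE is believed fixed; the CVE ids, versions and notes are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Tuple, List, Dict


@dataclass(frozen=True)
class CveEntry:
    """One CVE as it might appear in a feed (constructed for this example)."""
    cve_id: str
    # Package versions the advisory marks as affected.  None models the
    # case from the thread: the entry names no version at all.
    affected: Optional[frozenset] = None


def cve_report(version: str, entries: Sequence[CveEntry],
               patched: Optional[Mapping[str, str]] = None
               ) -> Tuple[List[str], Dict[str, str]]:
    """Mimic a 'lint -c cve' pass over one package version.

    Returns (reported, suppressed): the CVE ids flagged for this version,
    and the ids skipped because the package's curated
    patched-vulnerabilities mapping lists them, with the recorded reason.
    """
    patched = patched or {}
    reported: List[str] = []
    suppressed: Dict[str, str] = {}
    for entry in entries:
        if entry.cve_id in patched:
            suppressed[entry.cve_id] = patched[entry.cve_id]
            continue
        # No version data means the entry cannot be ruled out, so it is
        # reported for every version unless a maintainer suppresses it.
        if entry.affected is None or version in entry.affected:
            reported.append(entry.cve_id)
    return reported, suppressed


# Constructed sample data: placeholder ids, not real CVE entries.
SAMPLE_CVES = [
    CveEntry("CVE-0000-0001", frozenset({"8.24", "8.25"})),  # old, versioned
    CveEntry("CVE-0000-0002"),                               # no version info
    CveEntry("CVE-0000-0003", frozenset({"8.26"})),          # affects 8.26
]
# Curated list whose value records how we know the CVE is fixed.
PATCHED = {"CVE-0000-0002": "fixed upstream in 8.26 (placeholder note)"}

if __name__ == "__main__":
    print(cve_report("8.26", SAMPLE_CVES))           # unversioned CVE reported
    print(cve_report("8.26", SAMPLE_CVES, PATCHED))  # suppressed, reason kept
```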