On Tue, 11 Jun 2024 21:07:09 +0200 Moritz Muehlenhoff <j...@debian.org> wrote:
Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and scoped to a specific vendor.
We should leverage this for pre-processing incoming data and to reduce toil.

We can do this by extending the "automatic update" job to automatically annotate CVEs assigned
by a given CNA as NFU entries. As an example, all CVEs coming from the "Wordfence" CNA should
be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual
triage (and review would still happen on the committed entries).

Same for many commercial software vendors, e.g. for a company like SAP which has no ties to
FLOSS, everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP"
without human interaction. We should only extend this on a case-by-case basis. E.g. Oracle
has a lot of proprietary software, but they also maintain mysql, Java and virtualbox, so
they still need manual review.

I have implemented this in [1]. For the Oracle case and others, we could define the rules and implement support for those, e.g. blacklist or whitelist some products. But we can do that in a follow-up issue.

Cheers,
Emilio

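As an added illustration of the rule scheme discussed in this thread (example code, not the security-tracker's implementation or the change referenced above): a per-CNA NOT-FOR-US table for narrow CNAs, plus a product deny-list for a mixed CNA like Oracle so that CVEs touching mysql, Java or virtualbox fall back to manual triage. The CNA short names, the CVE 5.x record layout, the `TODO: check` fallback and the `data/CVE/list` entry layout are assumptions; the sample records are constructed.

```python
# Constructed rule table (assumption): CNA short name -> NOT-FOR-US reason.
# Only narrow, non-FLOSS CNAs are listed; everything else stays manual.
CNA_NFU_RULES = {
    "Wordfence": "WordPress plugin",
    "sap": "SAP",
}
# Constructed product rules (assumption) for CNAs with mixed portfolios:
# a CVE touching a product Debian ships is denied auto-NFU (manual triage).
MIXED_CNA_DENY = {
    "oracle": ("Oracle", ("mysql", "java", "virtualbox")),
}

def nfu_reason(record):
    """Return the NOT-FOR-US reason for a CVE 5.x JSON record, or None
    when the entry must be left for manual review."""
    cna = record["cveMetadata"]["assignerShortName"]
    if cna in CNA_NFU_RULES:
        return CNA_NFU_RULES[cna]
    if cna in MIXED_CNA_DENY:
        reason, denied = MIXED_CNA_DENY[cna]
        affected = record["containers"]["cna"].get("affected", [])
        products = [a.get("product", "").lower() for a in affected]
        # Any denied product name appearing in an affected product blocks auto-NFU.
        if not any(d in p for p in products for d in denied):
            return reason
    return None

def list_entry(record):
    """Render one data/CVE/list style entry (layout assumed from the tracker)."""
    cve_id = record["cveMetadata"]["cveId"]
    desc = record["containers"]["cna"]["descriptions"][0]["value"]
    reason = nfu_reason(record)
    note = f"NOT-FOR-US: {reason}" if reason else "TODO: check"
    return f"{cve_id} ({desc})\n\t{note}"

def make_record(cve_id, cna, product, desc):
    """Build a constructed, minimal CVE 5.x record for the demo."""
    return {
        "cveMetadata": {"cveId": cve_id, "assignerShortName": cna},
        "containers": {"cna": {
            "affected": [{"vendor": cna, "product": product}],
            "descriptions": [{"lang": "en", "value": desc}]}},
    }

SAMPLE = [  # constructed records, not real CVEs
    make_record("CVE-2024-0001", "Wordfence", "Some Plugin", "XSS in plugin"),
    make_record("CVE-2024-0002", "oracle", "MySQL Server", "Privilege issue"),
    make_record("CVE-2024-0003", "oracle", "PeopleSoft", "Auth bypass"),
]
if __name__ == "__main__":
    for rec in SAMPLE:
        print(list_entry(rec))
```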