On Mon, Feb 17, 2025 at 09:42:21PM -0500, Paul R. Tagliamonte wrote:
> CVEs are not perfect. CVE count is, charitably, a proxy for how much
> security attention / research it gets (hopefully that is, in turn, a proxy
> for how important a package is). Not so charitably, it's perhaps a proxy
> for how many people who want to build a reputation as an expert have spent
> time finding something that would pass minimal scrutiny as a security
> issue.
This is really the central point of the issue. In the instances I have observed, we are usually talking about a *real* issue, but most often not one that deserves to be considered a CVE, and even less deserves some arbitrarily inflated CVSS score. Fixing the issue is good, but dealing with all the CVE and CVSS noise is a pain.

> There are plenty of security issues that are solved via normal bugfixes by
> people who never realize the security implications of their bugfixes. In
> important security sensitive places, too!

In theory, any abnormal program behavior has the potential to carry a security implication. And in one project I have actually seen where there was a push to retroactively designate CVEs for past bug fixes that it turned out had some kind of specific security vulnerability associated with them. It was very bizarre, and I took it as a sign that the "everything has to have a CVE and every CVE must be fixed" mentality is infecting more and more parts of the software development world.

> Updating to the latest upstreams is a good idea for lots of reasons, but I
> don't totally understand the nexus to CVE here. Don't let me dissuade you
> from doing good work here, but I reckon CVE counting is likely going to
> lead to a lot of very weird non-security related biases which you may or
> may not actually want.
>
> FWIW this will solve one real problem: Lots of companies complain
> endlessly and mindlessly about CVEs based on package version(s) without
> regards to the issue being exploitable or even reachable (or built into
> the binary, in some cases!). Closing CVEs out will no doubt make them
> complain less, which sounds nice.

I have seen lots of mindless complaining based on package versions, and I agree that something like this effort is likely to reduce the occurrence of that sort of thing. And, yes, CVE is probably not a great proxy. But Santiago has discussed this with quite a few of us on the LTS team at various points along the way, and a better proxy hasn't been found.

Regards,

-Roberto

-- 
Roberto C. Sánchez