On Fri, Jan 19, 2018 at 11:52 PM, Antoine Beaupré wrote:

> I have found that Snyk had issues in its database that weren't in Mitre:
>
> https://snyk.io/vuln/npm:jquery

I note that nodesecurity also has some CVE-less issues:

https://nodesecurity.io/advisories?search=jquery

> Finally, I wanted to bring Snyk.io to the teams' attention. I'm a little
> disturbed by that new service - I feel there's significant overlap
> between their vulnerability reporting process and Mitre's DWF/DNA
> process, even down to using Google forms to welcome submissions, in the
> case of DWF (!!). The Snyk (closed) database tracks vulnerabilities in
> web apps, mostly, covering the following languages: Golang, Java
> (maven), Javascript (npm), .NET (nuget), PHP (composer), Python (pip),
> and Ruby (rubygems). I haven't done a formal study, but a quick glance
> at the latest issues shows that only a small fraction of the issues
> reported there have CVE IDs at all.
>
> This connects with the question of how to track issues without CVEs. In
> general, that is a problem we have in the security tracker because it's
> so bound to CVE identifiers. But this is a new problem as well: by
> opening a new process for submitting vulnerabilities, this system
> potentially bypasses the CVE system altogether, using a
> commercial/proprietary backend. I am worried about the impact this will
> have on our triaging efforts and wonder where we should go from here.
>
> Food for thought?

I would guess there are a lot of different vuln databases out there:

Competition for Mitre & CVEs (Snyk)
Language communities (NodeSecurity)
OS vendors (RH/SUSE)
Upstream projects (Xen, Linux etc)
Security community (oss-sec, fulldisclosure, conferences etc)

Each of them has their own identifiers and possibly also links to CVEs.

I'd suggest we need (semi-)automated ingestion of all of the above, like
we currently have for CVEs.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise