Your message dated Sat, 1 Mar 2025 11:23:53 +0100
with message-id <[email protected]>
and subject line Re: Automatically rewrite incoming entries from some CNAs as NFUs
has caused the Debian Bug report #1073012,
regarding Automatically rewrite incoming entries from some CNAs as NFUs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1073012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073012
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: security-tracker
Severity: wishlist
These days the scopes of CNAs are usually narrow and scoped to a specific vendor. We should leverage this for pre-processing incoming data and to reduce toil.

We can do this by extending the "automatic update" job to automatically annotate CVEs assigned by a given CNA as NFU entries. As an example, all CVEs coming from the "Wordfence" CNA should be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and review would still happen on the committed entries).

Same for many commercial software vendors, e.g. a company like SAP which has no ties to FLOSS: everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP" without human interaction. We should only extend this on a case-by-case basis. E.g. Oracle has a lot of proprietary software, but they also maintain MySQL, Java and VirtualBox, so they need manual review still.
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
On 18/02/2025 20:41, Emilio Pozuelo Monfort wrote:
> On Tue, 11 Jun 2024 21:07:09 +0200 Moritz Muehlenhoff <[email protected]> wrote:
>> Package: security-tracker
>> Severity: wishlist
>>
>> These days the scopes of CNAs are usually narrow and scoped to a specific vendor. We should leverage this for pre-processing incoming data and to reduce toil.
>>
>> We can do this by extending the "automatic update" job to automatically annotate CVEs assigned by a given CNA as NFU entries. As an example, all CVEs coming from the "Wordfence" CNA should be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and review would still happen on the committed entries).
>>
>> Same for many commercial software vendors, e.g. a company like SAP which has no ties to FLOSS: everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP" without human interaction. We should only extend this on a case-by-case basis. E.g. Oracle has a lot of proprietary software, but they also maintain MySQL, Java and VirtualBox, so they need manual review still.
>
> I have implemented this in [1]. For the Oracle case and others, we could define
> the rules and implement support for those, e.g. blacklist or whitelist some
> products. But we can do that in a follow-up issue.

All of that functionality has been implemented and merged now. We can write
rules e.g. to mark issues coming from Oracle as NFU, except if they are Java,
VirtualBox or MySQL... Or whatever rule we come up with.
Cheers,
Emilio
--- End Message ---
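A sketch of the per-CNA rule idea discussed in this thread, as an added example that is not the security-tracker's own code: a constructed rule table maps a CNA's `assignerShortName` (a CVE JSON 5 field) to a NOT-FOR-US reason, and per-CNA product keywords (matched as substrings of the `affected[].product` names) send records such as Oracle's MySQL back to manual triage instead. The rule contents, keywords and sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CnaRule:
    """One per-CNA rule: everything is NFU except products that still need review."""
    nfu_reason: str
    review_products: frozenset = frozenset()  # lower-case substrings, e.g. "mysql"

# Constructed rule table mirroring the thread's examples (hypothetical, not the tracker's data).
RULES = {
    "wordfence": CnaRule("WordPress plugin"),
    "sap": CnaRule("SAP"),
    "oracle": CnaRule("Oracle", frozenset({"mysql", "java", "virtualbox"})),
}

def affected_products(record: dict) -> list:
    """Lower-cased product names from the CNA container of a CVE JSON 5 record."""
    affected = record.get("containers", {}).get("cna", {}).get("affected", [])
    return [str(a.get("product", "")).lower() for a in affected]

def classify(record: dict) -> Optional[str]:
    """Return the NOT-FOR-US annotation for a record, or None when it needs manual triage."""
    cna = str(record.get("cveMetadata", {}).get("assignerShortName", "")).lower()
    rule = RULES.get(cna)
    if rule is None:
        return None  # unknown CNA: fall through to the normal manual process
    for product in affected_products(record):
        if any(keyword in product for keyword in rule.review_products):
            return None  # e.g. Oracle's MySQL: Debian ships it, so a human looks at it
    return f"NOT-FOR-US: {rule.nfu_reason}"

def make_record(cve_id: str, cna: str, *products: str) -> dict:
    """Build a minimal constructed CVE JSON 5 record (only the fields classify() reads)."""
    return {
        "cveMetadata": {"cveId": cve_id, "assignerShortName": cna},
        "containers": {"cna": {"affected": [{"product": p} for p in products]}},
    }

# Constructed sample records; the CVE IDs are placeholders, not real entries.
SAMPLES = [
    make_record("CVE-0000-0001", "Wordfence", "Some Plugin for WordPress"),
    make_record("CVE-0000-0002", "sap", "SAP NetWeaver"),
    make_record("CVE-0000-0003", "oracle", "MySQL Server"),
    make_record("CVE-0000-0004", "oracle", "Oracle E-Business Suite"),
    make_record("CVE-0000-0005", "mitre", "anything"),
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["cveMetadata"]["cveId"], classify(rec) or "-> manual triage")
```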