Hi Samuel, On Tue, Oct 29, 2024 at 07:06:23PM +0000, Samuel Henrique wrote: > Hello everyone, > > On Wed, 4 Sept 2024 at 12:47, Emilio Pozuelo Monfort <po...@debian.org> wrote: > > One issue I see with using not-affected for this is that not-affected > > effectively marks all older versions as that. However, in this case, a > > source > > could be affected (e.g. in bookworm) and then in sid we've stopped building > > the > > affected files. If we mark sid as not-affected, then all older suites would > > be > > marked as such too, which would be wrong/confusing. Perhaps in situations > > like > > that, we could mark the sid version as fixed in x.y version, leaving the > > older > > suites open until they are triaged (fix released, or marked as no-dsa etc). > > I think that's sensible, if a more complete solution is needed for this use > case, we could change the parsing logic to allow this to happen as well. > > > In general though, I think this is sensible. > > Thank you Emilio, > > 2 months have passed since my last email, so I would like to ping the security > team for feedback on this. > > To confirm the expectations from this change, I've recently scanned a debian > minimal image for CVEs and found out: > > 18 out of 67 affected packages/CVE are false positives due to this issue, this > represents 26% of false-positives > > 7 out out 33 unique affecting CVEs are false positives due to this issue, this > represents 21% of false-positives. > > Depending on whether you care more about unique affecting CVE IDs or affected > packages (a single CVE can affect multiple packages), the number of > false-positives is either 21% or 26%. > > I'm using a container just as a sampling source here, it is a specially good > way of sampling this because a lot of important and highly downloaded docker > containers are based on the Debian images. > > Take the two most downloaded container images from dockerhub as an example: > memcached and nginx. Memcached was pulled 12,377,951,846 times and nginx > 12,035,807,525. Both of them are based on Debian, the impact of > false-positives > is considerable.
As mentioned in an earlier message: What I would love to see is to actually have a substate which makes the situation clear, and still beeing technically correct. I was envisioning something which would be a substate like we have for the substate of no-dsa (ignored, postponed). > One of the false-positives is a specially interesting case: > https://security-tracker.debian.org/tracker/CVE-2019-19882Quoting a part of > it: > > > shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, > > and Void Linux, allows local... > > That's a CVE which was created for Gentoo, Arch Linux, and Void Linux. They > have all fixed this already, but Debian ends up "stuck" with it, we report > ourselves as affected for something we can't fix. While the affected distros > fixed it and the other non-affected distros marked as not-affected, we are the > only ones still left with the CVE. Can it be that in this case the "unimportant" part of the CVE was ignored? In this case even if it would have been still unfixed, it was marked from the beginning as unimportant. What I have seen often here was that scannings were not taking into account that the whole CVE was classified unimportant. Regards, Salvatore
