Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Samuel Henrique
On Wed, 3 Apr 2024 at 17:04, Gian Piero Carrubba wrote:
>
> * [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique:
> ># Alternative solutions:
> >If we really want to distinguish the case when we don't produce any affected
> >packages but the source contains the vulnerability (a build with dif

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Gian Piero Carrubba
* [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique:
# Alternative solutions:
If we really want to distinguish the case when we don't produce any affected packages but the source contains the vulnerability (a build with different flags might result in an affected package), we can create a n

Fw: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Meso Security
-- Forwarded message --
From: Samuel Henrique
Date: On Wed, Apr 3, 2024 at 3:21 AM
Subject: Fw: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
To:
Cc:
Hello everyon

security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-04-03 Thread Samuel Henrique
Hello everyone,
I would like to propose something which will lower the amount of reported false-positive CVEs to our users.
# tl;dr
We don't have a unique way of stating a CVE does not affect us when we don't build the affected package's feature or hardening blocks exploits, this leads to our user