
Bug#1001451: Candidate script updates



Hi,

On Wed, Jan 12, 2022 at 09:22:45AM +0000, Neil Williams wrote:
> On Wed, 12 Jan 2022 12:44:14 +0800
> Paul Wise <pabs@debian.org> wrote:
> 
> > On Tue, 2022-01-11 at 11:20 +0000, Neil Williams wrote:
> > 
> > > I might need to brush up on my Perl and make a patch for lintian
> > > which downloads the sec tracker JSON and checks the CVE list in the
> > > .changes file - warnings from lintian are more likely to get fixed
> > > prior to upload. Depends if you think this happens sufficiently
> > > often that it is a problem worth solving. (Considering how long
> > > it's been since I did that amount of code in Perl, maybe I'm better
> > > filing the bug against lintian and seeing if someone else can come
> > > up with a patch... - again, only if it happens sufficiently often.)
> > >  
> > 
> > FTR, lintian does not do any network requests, so this approach won't
> > be accepted. The best option you can get is a script to do the
> > download at the lintian release time. Unfortunately this means the
> > data will get outdated quickly and make the check less useful.
> > 
> > This check could be added to devscripts, debsecan or duck.
> 
> debsecan looks promising. It already has support for reporting a list
> of CVEs by source_package name, directly from
> https://security-tracker.debian.org/tracker/ and it's Python3. I'll
> have a look at a patch which accepts a .changes file or d.changelog
> entry and verifies if all listed CVEs actually exist for the source
> package of that change.

To jump in on that part of the discussion: debsecan's scope is
different from what we want to tackle here. It's a tool which is used on
user systems to generate a list of vulnerabilities which affect the
installed Debian system, gathering data from the security-tracker and
comparing against what is installed.

Regards,
Salvatore
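The check Neil sketches above (take the CVE ids mentioned in a .changes file or changelog entry and verify that the security tracker actually lists each of them for that source package) can be prototyped offline. The example below is added here as an illustration and is not code from debsecan, lintian or any of the participants. It assumes the tracker's JSON export is keyed by source package name with CVE ids as the next level (that layout, the function names, and the sample changelog, .changes snippet and tracker data are all constructed for this example); a real run would fetch the JSON from the tracker instead of using the embedded string.

```python
import json
import re

# Constructed tracker data. The shape assumed here: top-level keys are source
# package names, each mapping CVE ids to their details. Only "examplepkg" and
# two CVEs exist, so anything else in the changelog will be flagged.
TRACKER_JSON = json.dumps({
    "examplepkg": {
        "CVE-2021-0001": {"description": "constructed", "scope": "local", "releases": {}},
        "CVE-2021-0002": {"description": "constructed", "scope": "remote", "releases": {}},
    }
})

# Constructed debian/changelog entry; CVE-2022-9999 is deliberately not in the tracker.
CHANGELOG_ENTRY = """examplepkg (1.2-3) unstable; urgency=high

  * Fix buffer handling (CVE-2021-0001)
  * Fix authentication bypass (CVE-2021-0002)
  * Fix unrelated issue (CVE-2022-9999)

 -- Example Maintainer <maint@example.org>  Wed, 12 Jan 2022 12:00:00 +0000
"""

# Constructed .changes file; the Changes: field carries the same kind of text.
CHANGES_FILE = """Format: 1.8
Date: Wed, 12 Jan 2022 12:00:00 +0000
Source: examplepkg
Binary: examplepkg
Architecture: source
Version: 1.2-3
Distribution: unstable
Urgency: high
Maintainer: Example Maintainer <maint@example.org>
Changes:
 examplepkg (1.2-3) unstable; urgency=high
 .
   * Fix buffer handling (CVE-2021-0001)
   * Fix unrelated issue (CVE-2022-9999)
"""

# CVE ids are CVE-<4 digit year>-<4 or more digits>; word boundaries keep us
# from matching a longer token that merely contains one.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_cves(text):
    """Return the sorted, de-duplicated CVE ids mentioned anywhere in text."""
    return sorted(set(CVE_RE.findall(text)))


def source_package(text):
    """Recover the source package name from either input format.

    A .changes file starts with "Format:" and carries an explicit Source:
    field (taking the first token also handles "pkg (version)" forms); a raw
    changelog entry names the package at the start of its first line.
    """
    if text.startswith("Format:"):
        m = re.search(r"^Source:\s*(\S+)", text, re.M)
    else:
        m = re.match(r"^(\S+)\s+\(", text)
    if not m:
        raise ValueError("cannot determine source package from input")
    return m.group(1)


def check_cves(text, tracker_json_text):
    """Compare claimed CVEs against the tracker for the input's source package.

    Returns (package, claimed_cves, unknown_cves). If the package is not in
    the tracker at all, every claimed CVE is reported as unknown, which is the
    right outcome: none of them can be confirmed.
    """
    tracker = json.loads(tracker_json_text)
    pkg = source_package(text)
    claimed = extract_cves(text)
    known = set(tracker.get(pkg, {}))
    unknown = [cve for cve in claimed if cve not in known]
    return pkg, claimed, unknown


if __name__ == "__main__":
    for label, text in (("changelog", CHANGELOG_ENTRY), (".changes", CHANGES_FILE)):
        pkg, claimed, unknown = check_cves(text, TRACKER_JSON)
        print(f"{label}: {pkg} claims {claimed}")
        if unknown:
            print(f"  WARNING: not listed for {pkg} in the tracker: {unknown}")
```

Running it flags CVE-2022-9999 for both input forms while accepting the two ids the tracker knows about. Because the comparison is per source package, a CVE that exists in the tracker but is filed against a different package is also flagged, which is the mismatch the thread is after.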

