
Bug#1001453: security-tracker: extend support for bug reporting to update the CVE list with the bug number



Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codehelp@debian.org

Adding this as a wishlist bug, arising from existing ideas and
discussions with the security team.

'bin/report-vuln' is useful to standardise reports to the BTS but there
is then a manual step of updating data/CVE/list with the bug number.

A tool to automate a syntactically correct change to a specific CVE
would be a useful extension of this support, not just to add the bug number
once the email is received from the BTS but to also make other standard
changes:

- mark CVE <ID> as fixed in unstable in version <VERSION>
- mark a given released suite (stable/oldstable/LTS) as <not-affected>
  for a specific CVE ID
- add a bug number to an existing CVE entry
- add a NOTE: entry to an existing CVE

Implement with a view that the requests could be integrated into
tracker.d.o so that a merge request can be generated against the
security tracker or a syntactically valid snippet can be generated that
can be merged into the tracker after review.

The parsing support would be similar to existing scripts and tools and
to the support proposed for #1001451 - this tool is focused on changes
to a specific CVE.
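
As an added illustration (not part of the original report and not security-tracker code), here is a Python sketch of two of the listed operations for a single CVE: adding a bug number and adding a NOTE: entry. The entry layout, the sample data and the function names are assumptions.

```python
import re

# Constructed sample; the layout (CVE header line, then tab-indented
# package and NOTE lines) is an assumption about data/CVE/list.
SAMPLE = (
    "CVE-2021-0002 (constructed description)\n"
    "\t- examplepkg <unfixed>\n"
    "\t[bullseye] - examplepkg <not-affected> (Vulnerable code not present)\n"
    "\tNOTE: https://example.org/advisory\n"
    "CVE-2021-0001 (constructed description)\n"
    "\t- otherpkg 2.0-1\n"
)
HEADER = re.compile(r"(CVE-\d{4}-\d{4,})\b")

def entry_bounds(lines, cve_id):
    """Return (first, end) indexes of the body lines under cve_id's header."""
    first = None
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m and first is not None:
            return first, i          # next header closes the entry
        if m and m.group(1) == cve_id:
            first = i + 1
    if first is None:
        raise KeyError(cve_id)
    return first, len(lines)

def add_bug(text, cve_id, package, bug):
    """Append (bug #N) to the unstable line of one package in one CVE."""
    lines = text.splitlines(keepends=True)
    first, end = entry_bounds(lines, cve_id)
    for i in range(first, end):
        body = lines[i].rstrip("\n")
        if body.startswith("\t- %s " % package):
            if body.endswith(")"):   # existing flags: leave for manual review
                raise ValueError("line already has a parenthetical: " + body)
            lines[i] = "%s (bug #%d)\n" % (body, bug)
            return "".join(lines)
    raise ValueError("no unstable line for %s in %s" % (package, cve_id))

def add_note(text, cve_id, note):
    """Add a NOTE: line at the end of one CVE entry."""
    lines = text.splitlines(keepends=True)
    _, end = entry_bounds(lines, cve_id)
    lines.insert(end, "\tNOTE: %s\n" % note)
    return "".join(lines)
```

Both functions touch only lines inside the named CVE's entry and raise instead of guessing when the entry or package line is missing or already annotated, so the output stays a reviewable snippet.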

