Re: jquery CVEs: no-dsa or unsupported? + snyk.io

On Fri, Jan 19, 2018 at 11:52 PM, Antoine Beaupré wrote:

> I have found that Snyk had issues in its database that weren't in Mitre:
> https://snyk.io/vuln/npm:jquery

I note that nodesecurity also has some CVE-less issues:


> Finally, I wanted to bring Snyk.io to the teams' attention. I'm a little
> disturbed by that new service - I feel there's significant overlap
> between their vulnerability reporting process and Mitre's DWF/DNA
> process, even down to using Google forms to welcome submissions, in the
> case of DWF (!!). The Snyk (closed) database tracks vulnerabilities in
> web apps, mostly, covering the following languages: Golang, Java
> (maven), Javascript (npm), .NET (nuget), PHP (composer), Python (pip),
> and Ruby (rubygems). I haven't done a formal study, but a quick glance
> at the latest issues show that only a small fraction of the issues
> reported there have CVE IDs at all.
> This connects with the question of how to track issues without CVEs. In
> general, that is a problem we have in the security tracker because it's
> so bound to CVE identifiers. But this is a new problem as well: by
> opening a new process for submitting vulnerabilities, this system
> potentially bypasses the CVE system altogether, using a
> commercial/proprietary backend. I am worried about the impact this will
> have on our triaging efforts and wonder where we should go from here.
> Food for thought?

I would guess there are a lot of different vuln databases out there:

Competition for Mitre & CVEs (Snyk)
Language communities (NodeSecurity)
OS vendors (RH/SUSE)
Upstream projects (Xen, Linux etc)
Security community (oss-sec, fulldisclosure, conferences etc)

Each of them has its own identifiers and possibly also links to CVEs.

I'd suggest we need (semi-)automated ingestion of all of the above,
like we currently have for CVEs.
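As an added illustration of what such ingestion could look like (example code written for this reply, not part of any tracker), the script below normalises two constructed feeds with different identifier schemes (a Snyk-style one and a NodeSecurity-style one; all ids, package names and the CVE number are placeholders) into one record per vulnerability, collapsing duplicates across sources and flagging entries that a CVE-only tracker would never see.

```python
from dataclasses import dataclass, field

# Constructed sample feeds: each source uses its own identifier scheme and
# field names; some entries cross-reference a CVE, some have none.
SNYK_FEED = [
    {"id": "SNYK-EXAMPLE-1", "ecosystem": "npm", "package": "jquery",
     "versions": "<3.0.0", "cves": ["CVE-0000-0001"]},
    {"id": "SNYK-EXAMPLE-2", "ecosystem": "npm", "package": "jquery",
     "versions": "<1.9.0", "cves": []},
]
NSP_FEED = [
    {"advisory_id": 42, "module_name": "jquery",
     "vulnerable_versions": "<1.9.0", "cves": []},
]


@dataclass
class Issue:
    """One tracked vulnerability, regardless of how many sources report it."""
    key: str
    ecosystem: str
    package: str
    versions: str
    source_ids: set = field(default_factory=set)
    cves: set = field(default_factory=set)


def ingest(snyk, nsp):
    """Merge heterogeneous feeds into one dict keyed by a tracking key.

    Entries carrying a CVE are keyed by that CVE so they line up with the
    existing CVE-based tracking; CVE-less entries are keyed by
    (ecosystem, package, version range) so the same issue reported by two
    sources collapses into a single record instead of two.
    """
    records = [("snyk", r["id"], r["ecosystem"], r["package"],
                r["versions"], r["cves"]) for r in snyk]
    # NodeSecurity advisories are npm-only; give them a synthetic prefix.
    records += [("nsp", f"NSP-{r['advisory_id']}", "npm", r["module_name"],
                 r["vulnerable_versions"], r["cves"]) for r in nsp]
    issues = {}
    for src, sid, eco, pkg, vers, cves in records:
        key = cves[0] if cves else f"{eco}:{pkg}:{vers}"
        issue = issues.setdefault(key, Issue(key, eco, pkg, vers))
        issue.source_ids.add(f"{src}:{sid}")
        issue.cves.update(cves)
    return issues


def needs_triage(issues):
    """Keys of merged issues that no CVE identifier covers yet."""
    return sorted(k for k, i in issues.items() if not i.cves)
```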
