
Re: Guidance for CVE triage and listing packages in dla-needed.txt



Hi Roberto

Maybe there is some counting mishap still. We may get double counting
due to the -A and -B flags. But it should not matter so much because
the double counting will then be both for corrected and others (at
least on average). When writing this I think I may get more
over-counting on the corrected since the DLA tag is on the line just
below the CVE line so it may hit a CVE before in certain cases. I can
write a better counting function if you want, but does that matter much
to the discussion?

Just to check. You commented on the clearly incorrect data. I hope you
understood that the more correct data was further down in that email,
right?
Just want to double-check.

I'm not completely sure what your list shows. You do not seem to try
to filter out the CVEs that are related to buster or DLAs. What did
you intend to show?

This was my script

#!/bin/sh
# Count, per CVE year, the [buster] entries found within 5 lines after a
# "CVE-$Y-" header in the security-tracker data/CVE/list (./list, or $1).
# Each pipeline must stay on one line: a line break after "grep" splits the
# command substitution into separate commands and the counts come out empty.
LIST=${1:-list}
echo YEAR CVES CORR EOL NA NODSA POST IGN FIX
for Y in 2023 2022 2021 2020 2019 ; do
    # [buster] lines near a CVE-$Y- line (any status)
    CVES=$(grep -B 5 '\[buster\]' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '\[buster\]' | wc -l)
    # {DLA-...} references near a CVE-$Y- line ('{' is literal in a basic regex, no backslash needed)
    CORR=$(grep -B 5 '{DLA-' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '{DLA-' | wc -l)
    # [buster] lines carrying a specific status tag
    EOL=$(grep -B 5 '\[buster\]' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '\[buster\]' | grep end-of-life | wc -l)
    NA=$(grep -B 5 '\[buster\]' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '\[buster\]' | grep not-affected | wc -l)
    NODSA=$(grep -B 5 '\[buster\]' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '\[buster\]' | grep no-dsa | wc -l)
    POST=$(grep -B 5 '\[buster\]' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '\[buster\]' | grep postponed | wc -l)
    IGN=$(grep -B 5 '\[buster\]' "$LIST" | grep -A 5 "^CVE-$Y-" | grep '\[buster\]' | grep ignored | wc -l)
    # shell arithmetic instead of bc; FIX = [buster] lines with none of the tags above
    XCVES=$((CVES + CORR))
    FIX=$((CVES - EOL - NA - NODSA - POST - IGN))
    echo "$Y $XCVES $CORR $EOL $NA $NODSA $POST $IGN $FIX"
done

Cheers

// Ola

On Thu, 11 Apr 2024 at 19:31, Roberto C. Sánchez <roberto@debian.org> wrote:
>
> Hi Ola,
>
> On Wed, Apr 10, 2024 at 09:42:48PM +0200, Ola Lundqvist wrote:
> >
> > You can see that in 1 year and 3 months we have fixed
> > 2023: 58
> > 2022: 15
> > 2021: 78
> > 2020: 11
> > 2019: 1
> >
> > Total (not counting CVEs for 2018 and earlier) 162.
> >
> > It is still a low number.
> >
> > And I think I found the counting mishap. :-)
> >
>
> I think that your counting method is still faulty:
>
> $ for c in $(seq 2023 -1 2019) ; do echo -n "${c}: " ; egrep "CVE[-]${c}" ../security-tracker/data/DLA/list | sed -r -e 's/[^-A-Z0-9 ]//g' -e 's/ /\n/g' | egrep "CVE[-]${c}" | sort -u | wc -l ; done
> 2023: 643
> 2022: 962
> 2021: 900
> 2020: 1098
> 2019: 983
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
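A counting approach that attributes every line to exactly one CVE entry, so the -A/-B proximity windows and the double counting discussed in the thread do not arise. This is an added example, not Ola's or Roberto's script and not part of the security-tracker; it assumes the data/CVE/list layout in which an unindented CVE-YYYY-NNNN header starts an entry and the indented lines below it ({DLA-...} references and [buster] lines with an optional <status> tag) belong to that entry. The input is a constructed excerpt.

```python
import re
from collections import Counter

# Constructed excerpt in the assumed data/CVE/list layout: an unindented
# "CVE-YYYY-NNNN" header starts an entry; indented lines belong to it.
SAMPLE_LIST = """\
CVE-2023-0001 (constructed: fixed in buster via a DLA)
\t{DLA-0001-1}
\t- foo 1.0-2 (bug #1)
\t[buster] - foo 0.9-1+deb10u1
CVE-2023-0002 (constructed: minor issue, no DLA)
\t[buster] - bar <no-dsa> (Minor issue)
CVE-2022-0003 (constructed: package unsupported in buster)
\t[buster] - baz <end-of-life> (unsupported in buster)
CVE-2022-0004 (constructed: fixed in buster via a DLA)
\t{DLA-0002-1}
\t[buster] - qux 3.9-1+deb10u2
"""
CVE_HEADER = re.compile(r"^CVE-(\d{4})-\d+")
STATUS_TAG = re.compile(r"<(end-of-life|not-affected|no-dsa|postponed|ignored)>")

def parse_entries(text):
    """Yield (year, body_lines) per CVE entry, splitting on unindented headers."""
    year, body = None, []
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line: a new entry header
            if year is not None:
                yield year, body
            m = CVE_HEADER.match(line)
            year, body = (m.group(1) if m else None), []  # skips e.g. CVE-2023-XXXX
        elif year is not None:
            body.append(line.strip())
    if year is not None:
        yield year, body

def count_buster(text):
    """Per-year Counter of buster lines, DLA refs, each <status>, and 'fixed'
    (buster lines with no status tag); every line counts for exactly one CVE."""
    counts = {}
    for year, body in parse_entries(text):
        c = counts.setdefault(year, Counter())
        for line in body:
            if line.startswith("{DLA-"):
                c["dla"] += 1
            elif line.startswith("[buster]"):
                c["buster"] += 1
                m = STATUS_TAG.search(line)
                c[m.group(1) if m else "fixed"] += 1
    return counts
```

Against the real tracker checkout, call count_buster(open("data/CVE/list").read()) and print the per-year counters.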