
Re: Guidance for CVE triage and listing packages in dla-needed.txt



On Thu, Apr 11, 2024 at 10:01:49PM +0200, Ola Lundqvist wrote:
> Hi Roberto
> 
> Maybe there is some counting mishap still. We may get double counting
> due to the -A and -B flags. But it should not matter so much because
> the double counting will then be both for corrected and others (at
> least on average). When writing this I think I may get more
> over-counting on the corrected since the DLA tag is on the line just
> below the CVE line so it may hit a CVE before in certain cases. I can
> write a better counting function if you want, but does that matter much
> to the discussion?
> 
> Just to check. You commented on the clearly incorrect data. I hope you
> understood that the more correct data was further down in that email,
> right?
> Just want to double-check.
> 
Yes, sorry about that. I trimmed off the wrong part. I should rather
have kept this last part quoted:

====================
> So how many did we in fact fix?
> 
> 559+621+484+406+247-1-263-361-531-511=650
> 
> That is a much larger number. Phew. I should have checked it myself
> because I also found it a little strange.
> 
> The total number of buster CVEs were 8165.
> 
> We still have 281+209+329+294+199=1312 no-dsa and 71+49+24+38+11=193 postponed.
> 
> We clearly do not fix all no-dsa in any case.
====================

> I'm not completely sure what your list shows. You do not seem to try
> to filter out the CVEs that are related to buster or DLAs. What was
> your intention to show?
> 
My intention was to show the total number of CVEs fixed for each of the
years in question.

You seem to have compared the numbers from the start of 2023 and the
start of 2024 to get a count for the year 2023. This does something
similar:

$ for c in $(seq 2023 -1 2019) ; do echo -n "${c}: " ; cat data/DLA/list | sed -n '242,1587p' | egrep "CVE[-]${c}" | sed -r -e 's/[^-A-Z0-9 ]//g' -e 's/ /\n/g' | egrep "CVE[-]${c}" | sort -u | wc -l ; done
2023: 546
2022: 333
2021: 178
2020: 171
2019: 88

(The lines 242 and 1587 correspond to the end and beginning of the DLAs
for 2023, all of which would have been for buster.)

The total is 546+333+178+171+88 = 1316, more than double the count of
fixed CVEs that your count showed.

I tried re-reading your previous email several times and I am still not
able to figure out what you are trying to demonstrate by your counting.
If the conclusion is as you have it above, "We clearly do not fix all
no-dsa in any case," then I agree. But I don't see what significant
bearing that has on this discussion.

At this point, I don't see a good reason to continue this discussion.
Let me have an opportunity to think about how the FD and triage
guidelines should be articulated and then if there are still questions
after that we can revisit the topic.

Regards,

-Roberto

-- 
Roberto C. Sánchez


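The two counting approaches in this thread differ in how they select the DLAs for a year (a hard-coded line range in data/DLA/list) and in whether a CVE mentioned by several DLAs is counted once (the shell pipeline above relies on sort -u). The following script is an added example, not code from either participant or from the security tracker: it parses a constructed sample written in the shape of data/DLA/list (the entry format, package names and CVE ids are assumed and invented), selects entries by the date in the entry header instead of by line number, filters on the release named in the update line, and reports unique CVE ids per CVE year next to the raw mention count so the double-counting effect is visible.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed shape of the security tracker's
# data/DLA/list file: a dated header, a tab-indented {CVE ...} line and a
# tab-indented "[release] - package version" line. All ids are invented.
SAMPLE = """\
[12 Jan 2024] DLA-3700-1 pkg-a - security update
\t{CVE-2023-0001 CVE-2024-0002}
\t[buster] - pkg-a 1.0-1+deb10u2
[20 Dec 2023] DLA-3650-2 pkg-b - regression update
\t{CVE-2023-0003}
\t[buster] - pkg-b 2.0-1+deb10u4
[01 Dec 2023] DLA-3650-1 pkg-b - security update
\t{CVE-2023-0003 CVE-2022-0004}
\t[buster] - pkg-b 2.0-1+deb10u3
[15 Jun 2023] DLA-3400-1 pkg-c - security update
\t{CVE-2022-0004 CVE-2019-0005}
\t[buster] - pkg-c 3.0-1+deb10u1
[03 Jan 2023] DLA-3200-1 pkg-d - security update
\t{CVE-2021-0006}
\t[buster] - pkg-d 4.0-1+deb10u1
[28 Dec 2022] DLA-3199-1 pkg-e - security update
\t{CVE-2022-0007}
\t[stretch] - pkg-e 5.0-1+deb9u1
"""

HEADER = re.compile(r'^\[(\d{1,2}) (\w{3}) (\d{4})\] (DLA-\d+-\d+) (\S+)')
CVE_ID = re.compile(r'CVE-\d{4}-\d{4,}')


def parse_dla_list(text):
    """Return one dict per DLA entry: issue year, DLA id, package,
    the releases it touched and the set of CVE ids it lists."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {'year': int(m.group(3)), 'dla': m.group(4),
                   'package': m.group(5), 'cves': set(), 'releases': set()}
            entries.append(cur)
        elif cur is not None and line.startswith('\t{'):
            cur['cves'].update(CVE_ID.findall(line))
        elif cur is not None and line.startswith('\t['):
            # "\t[buster] - pkg 1.0-1+deb10u2" -> "buster"
            cur['releases'].add(line.split(']')[0].lstrip('\t['))
    return entries


def _selected(entries, dla_year, release):
    return [e for e in entries
            if e['year'] == dla_year and release in e['releases']]


def count_fixed_by_cve_year(entries, dla_year, release='buster'):
    """Unique CVE ids keyed by the year in the id, over DLAs issued in
    dla_year for the given release. Using a set per year means a CVE that
    appears in DLA-N-1 and again in the DLA-N-2 regression update counts
    once, which is what the shell pipeline's sort -u achieves."""
    seen = defaultdict(set)
    for e in _selected(entries, dla_year, release):
        for cve in e['cves']:
            seen[int(cve.split('-')[1])].add(cve)
    return {y: len(s) for y, s in sorted(seen.items(), reverse=True)}


def count_with_duplicates(entries, dla_year, release='buster'):
    """Same selection, but every mention counted: the over-count a
    grep-based pipeline produces if it never deduplicates."""
    return sum(len(e['cves']) for e in _selected(entries, dla_year, release))


if __name__ == '__main__':
    entries = parse_dla_list(SAMPLE)
    for year in (2024, 2023):
        per_year = count_fixed_by_cve_year(entries, year)
        print(f'{year}: unique={sum(per_year.values())} '
              f'mentions={count_with_duplicates(entries, year)} {per_year}')
```

Against the sample, 2023 yields four unique CVEs for buster but six mentions, because CVE-2023-0003 and CVE-2022-0004 each appear in two DLAs; the stretch-only entry is excluded by the release filter rather than by guessing a line range.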