Hi,
On Monday, 9 March 2015, Raphael Hertzog wrote:
> I don't understand. IIRC we said the content of "repositories" and
> "releases" was supposed to have the same structure. The only difference
> was that it applied to different versions of packages.
I think the confusion might be because you stated something other than Paul did.
Currently there are two dictionaries in the output: one called "releases",
containing dictionaries with information about the status of a given issue in a
release, and another with the repositories and the current version.
e.g.
  "almanah": [
    {
      "debianbug": 702905,
      "description": "Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database.",
      "issue": "CVE-2013-1853",
      "releases": {
        "jessie": {
          "status": "resolved",
          "urgency": "low**",
          "version": "0.9.1-1"
        },
        "sid": {
          "status": "resolved",
          "urgency": "low**",
          "version": "0.9.1-1"
        },
        "squeeze": {
          "status": "resolved",
          "urgency": "unimportant",
          "version": "0"
        },
        "wheezy": {
          "status": "resolved",
          "urgency": "low**",
          "version": "0.9.1-1"
        }
      },
      "repositories": {
        "jessie": "0.11.1-1",
        "sid": "0.11.1-1",
        "squeeze": "0.7.3-1",
        "wheezy": "0.9.1-1"
      },
      "scope": "local"
    }
  ],
"repositories" has the current versions, "releases" has the fixed versions if
there are any. Oh well, why did I pick this example, sigh. So squeeze is not
affected...
I think I will release what I have now and we can look for further needed
tuning then.
> > > > And then I thought, urgency would be a per-issue field (and thus
> > > > would be the same for different suites), with the exception that the
> > > > (suite-specific) "end-of-life" information is also stored there.
> > > > Turned out I was wrong, there are many more cases where the urgency
> > > > of issues *is* suite-specific (plus, issues can affect several
> > > > packages.)
> > >
> > > I looked at some of the cases you listed, but the original CVE file
> > > only has a single urgency... it might be that this urgency is not in
> > > line with the urgency retrieved from NVD but that's OK. Our urgency
> > > should override that one for our needs.
> >
> > When there are suite-specific urgencies, the JSON lists those...
>
> Well, I'm saying that I was agreeing with you. The severity ought to be an
> issue/package property, not an issue/package/repository one. And I don't
> understand the discrepancy you get because for me there are only two
> sources of "urgencies":
> - those set on lines like "- tcllib 1.16-dfsg-2 (low; bug #780100)"
> - those coming from the NVD database
The problem is that the urgency field is abused to also hold the information
about end-of-life, "not yet assigned" and "unimportant"; that's basically why
urgency has to be suite-specific...
(And this is why I think the DB needs a redesign: it has been abused to store
things which were not planned, and it shows.)
cheers,
Holger
Attachment:
signature.asc
Description: This is a digitally signed message part.
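As an added illustration of how a consumer would actually use the two dictionaries Holger describes (this is example code written for this page, not the tracker's own code), the script below takes the "almanah" entry from the mail as constructed sample input and, per suite, compares the version currently in the repository ("repositories") against the version the issue was fixed in ("releases"). The comparison follows dpkg's version ordering (epoch, upstream, Debian revision; "~" sorting before everything) and is reimplemented here in pure Python so it runs offline. Two things are assumptions rather than documented tracker semantics: that "version": "0" with status "resolved" marks a suite as never affected (that is what Holger's squeeze example implies), and that a status other than "resolved" or "open" should be reported as "unknown".

```python
"""Classify, per suite, whether the current package version is covered by the fix.

Example code for the security tracker JSON layout discussed in the thread; not
the tracker's own implementation.  SAMPLE is the "almanah" entry from the mail.
"""
import json

# Constructed sample input: the entry quoted in the mail, wrapped in a top-level object.
SAMPLE = json.loads(r'''{
  "almanah": [
    {
      "debianbug": 702905,
      "issue": "CVE-2013-1853",
      "releases": {
        "jessie":  {"status": "resolved", "urgency": "low**",       "version": "0.9.1-1"},
        "sid":     {"status": "resolved", "urgency": "low**",       "version": "0.9.1-1"},
        "squeeze": {"status": "resolved", "urgency": "unimportant", "version": "0"},
        "wheezy":  {"status": "resolved", "urgency": "low**",       "version": "0.9.1-1"}
      },
      "repositories": {"jessie": "0.11.1-1", "sid": "0.11.1-1",
                       "squeeze": "0.7.3-1", "wheezy": "0.9.1-1"},
      "scope": "local"
    }
  ]
}''')


def _order(s, k):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if k >= len(s):
        return 0                      # end of string sorts like a digit boundary
    c = s[k]
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1                     # "~" sorts before even the empty string
    return ord(c) + 256               # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the run of non-digit characters.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the run of digits numerically (leading zeros are insignificant).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1                  # a has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(a, b):
    """Return <0, 0 or >0 like `dpkg --compare-versions` (epoch, upstream, revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def suite_status(entry, suite):
    """Classify one suite for one issue entry: not-affected, fixed, vulnerable, open or unknown."""
    current = entry["repositories"].get(suite)
    rel = entry["releases"].get(suite)
    if current is None or rel is None:
        return "unknown"
    if rel["status"] == "resolved":
        fixed = rel["version"]
        if fixed == "0":              # assumption: the tracker's "never affected" marker
            return "not-affected"
        return "fixed" if debian_version_cmp(current, fixed) >= 0 else "vulnerable"
    if rel["status"] == "open":
        return "open"
    return "unknown"                  # assumption: any other status is reported as unknown


def report(data):
    """Map package -> issue -> suite -> status over a whole tracker JSON document."""
    out = {}
    for package, entries in data.items():
        for entry in entries:
            suites = sorted(set(entry["repositories"]) | set(entry["releases"]))
            out.setdefault(package, {})[entry["issue"]] = {
                s: suite_status(entry, s) for s in suites}
    return out


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE), indent=2))
```

Run against the sample, squeeze comes out as "not-affected" (the "0" marker), while jessie, sid and wheezy are "fixed" because their repository versions are at or above 0.9.1-1; a suite whose repository version lagged behind the fixed version would be reported as "vulnerable", which is the case the two dictionaries exist to distinguish.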