Bug#1073012: marked as done (Automatically rewrite incoming entries from some CNAs as NFUs)
Your message dated Sat, 1 Mar 2025 11:23:53 +0100
with message-id <04f26acd-f4dd-4241-b628-ecef099d0ef8@debian.org>
and subject line Re: Automatically rewrite incoming entries from some CNAs as NFUs
has caused the Debian Bug report #1073012,
regarding Automatically rewrite incoming entries from some CNAs as NFUs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1073012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073012
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Automatically rewrite incoming entries from some CNAs as NFUs
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Tue, 11 Jun 2024 21:07:09 +0200
- Message-id: <171813282997.4145.5479907613286877023.reportbug@hullmann.westfalen.local>
Package: security-tracker
Severity: wishlist
These days the scopes of CNAs are usually narrow and scoped to a specific vendor.
We should leverage this for pre-processing incoming data and to reduce toil.
We can do this by extending the "automatic update" job to automatically annotate CVEs assigned
by a given CNA as NFU entries. As an example all CVEs coming from the "Wordfence" CNA should
be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual
triage (and review would still happen on the committed entries).
Same for many commercial software vendors, e.g. a company like SAP which has no ties to
FLOSS everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP"
without human interaction. We should only extend this on a case-by-case basis. E.g. Oracle
has a lot of proprietary software, but they also maintain mysql, Java and virtualbox, so
they need manual review still.
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
- To: 1073012-done@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
- Subject: Re: Automatically rewrite incoming entries from some CNAs as NFUs
- From: Emilio Pozuelo Monfort <pochu@debian.org>
- Date: Sat, 1 Mar 2025 11:23:53 +0100
- Message-id: <04f26acd-f4dd-4241-b628-ecef099d0ef8@debian.org>
- In-reply-to: <22961d35-f2f3-432d-8578-87aae252cf0f@debian.org>
- References: <22961d35-f2f3-432d-8578-87aae252cf0f@debian.org>
On 18/02/2025 20:41, Emilio Pozuelo Monfort wrote:
On Tue, 11 Jun 2024 21:07:09 +0200 Moritz Muehlenhoff <jmm@debian.org> wrote:
Package: security-tracker
Severity: wishlist
These days the scopes of CNAs are usually narrow and scoped to a specific vendor.
We should leverage this for pre-processing incoming data and to reduce toil.
We can do this by extending the "automatic update" job to automatically annotate CVEs assigned
by a given CNA as NFU entries. As an example all CVEs coming from the "Wordfence" CNA should
be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual
triage (and review would still happen on the committed entries).
Same for many commercial software vendors, e.g. a company like SAP which has no ties to
FLOSS everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP"
without human interaction. We should only extend this on a case-by-case basis. E.g. Oracle
has a lot of proprietary software, but they also maintain mysql, Java and virtualbox, so
they need manual review still.
I have implemented this in [1]. For the Oracle case and others, we could define
the rules and implement support for those, e.g. blacklist or whitelist some
products. But we can do that in a followup issue.
All of that functionality has been implemented and merged now. We can write
rules e.g. to mark issues coming from Oracle as NFU, except if they are Java,
VirtualBox or MySQL... Or whatever rule we come up with.
Cheers,
Emilio
--- End Message ---
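A small model of the CNA-based rewriting proposed in this thread, including the Oracle exception from the reply (an added example, not the security-tracker's own implementation; the record fields, the rule table and the tracker line layout are assumptions):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CnaRule:
    cna: str                     # assigning CNA as named in the incoming CVE record (assumed field)
    nfu_label: str               # text that follows "NOT-FOR-US:"
    review_keywords: frozenset = frozenset()  # products that must still go to manual review


# Rule table mirroring the thread: Wordfence and SAP are always NFU; Oracle is NFU
# unless the entry touches one of the FLOSS products Oracle maintains.
RULES = (
    CnaRule("Wordfence", "WordPress plugin"),
    CnaRule("SAP", "SAP"),
    CnaRule("Oracle", "Oracle", frozenset({"java", "mysql", "virtualbox"})),
)


def annotate(cna, description):
    """Return 'NOT-FOR-US: <label>' when a rule covers the CVE, else None (manual triage)."""
    text = description.lower()
    for rule in RULES:
        if rule.cna.lower() != cna.lower():
            continue
        if any(keyword in text for keyword in rule.review_keywords):
            return None          # whitelisted product: leave it for a human
        return f"NOT-FOR-US: {rule.nfu_label}"
    return None                  # no rule for this CNA: leave it for a human


def triage(records):
    """Split (cve_id, cna, description) records into auto-written entries and a manual queue."""
    auto, manual = [], []
    for cve_id, cna, description in records:
        line = annotate(cna, description)
        if line is None:
            manual.append(cve_id)
        else:
            auto.append(f"{cve_id}\n\t{line}")   # assumed tracker layout: id line, tab-indented note
    return auto, manual


# Constructed sample feed with placeholder CVE ids (not real identifiers).
SAMPLE = [
    ("CVE-0000-0001", "Wordfence", "Stored XSS in the Example Gallery plugin for WordPress"),
    ("CVE-0000-0002", "SAP", "Missing authorization check in SAP NetWeaver"),
    ("CVE-0000-0003", "Oracle", "Vulnerability in Oracle MySQL Server component Optimizer"),
    ("CVE-0000-0004", "Oracle", "Vulnerability in Oracle PeopleSoft Enterprise HCM"),
    ("CVE-0000-0005", "mitre", "Buffer overflow in libfoo (constructed)"),
]

if __name__ == "__main__":
    auto, manual = triage(SAMPLE)
    print("\n".join(auto))
    print("manual review:", manual)
```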