Re: "Version less than 0.0" in OVAL definitions

To: seb@debian.org
Cc: Holger Levsen <holger@layer-acht.org>, Debian Security <debian-security@lists.debian.org>, Javier Fernandez-Sanguino <jfs@debian.org>
Subject: Re: "Version less than 0.0" in OVAL definitions
From: Serkan Özkan <serkan@vulniq.com>
Date: Mon, 17 May 2021 20:58:43 +0300
Message-id: <[🔎] CACoSkAM+kHS3jMjJSGkMfG+mTC6fkJr2OVXfvyjTOSWsXrcqbw@mail.gmail.com>
In-reply-to: <CACoSkAP8CMPt3fx0KN_C9Rkxc5_m32F=Dk=btuV_i2OvX4S7eg@mail.gmail.com>
References: <[🔎] CACoSkAMozE+58y7VyZe3oYZSyVops7EjxCBG6q=FjRit8SXe3A@mail.gmail.com> <[🔎] 20210517064055.GA23555@layer-acht.org> <[🔎] CACoSkAN+hW1HGTjo7SRvwYzJr=5COZV8fyH8hGb3ZdPDv96WXQ@mail.gmail.com> <[🔎] CAB9B7Ut02T9RE3Y7u2WfL3r6euV8+CSSbSbrsjWGzb+cS_yDHQ@mail.gmail.com> <CACoSkAP8CMPt3fx0KN_C9Rkxc5_m32F=Dk=btuV_i2OvX4S7eg@mail.gmail.com>

Hello Seb,

For some reason I didn't receive your email but saw it on the mailing list archive page.

OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the code is?

Thank you,

Serkan

On Mon, 17 May 2021 at 12:22, Serkan Özkan <serkan@vulniq.com> wrote:

Hello,
Thanks for the information Javier. Not promising anything, but I can try to fix the script if you can point me to the script + setup.

Thank you,
Serkan

On Mon, 17 May 2021 at 12:14, Javier Fernandez-Sanguino <jfs@debian.org> wrote:

On Mon, 17 May 2021 at 09:58, Serkan Özkan <serkan@vulniq.com> wrote:
Hello,
In theory, from version number numbering point of view only, yes less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these less than 0.0 versions, I don't think they are actually intended to test for pre version 0 releases.

Dear Serkan,

There is a problem with the OVAL definitions published in the website. The definitions are generated from the information available (in webwml files) in the source code of the website but this is missing version information in a way that can be properly interpreted by the scripts.

As a consequence, the output (the definitions) does not include an accurate value for the version. To implement this properly we would need to re-engineer the script that was created in 2010. Help here would be appreciated, I can point you to the script + setup if you could help.

Hope above clarifies. Best regards,

Javier

Reply to:

Follow-Ups:
- Re: "Version less than 0.0" in OVAL definitions
  - From: Javier Fernandez-Sanguino <jfs@debian.org>

References:
- "Version less than 0.0" in OVAL definitions
  - From: Serkan Özkan <serkan@vulniq.com>
- Re: "Version less than 0.0" in OVAL definitions
  - From: Holger Levsen <holger@layer-acht.org>
- Re: "Version less than 0.0" in OVAL definitions
  - From: Serkan Özkan <serkan@vulniq.com>
- Re: "Version less than 0.0" in OVAL definitions
  - From: Javier Fernandez-Sanguino <jfs@debian.org>

Prev by Date: Re: "Version less than 0.0" in OVAL definitions
Next by Date: Re: "Version less than 0.0" in OVAL definitions
Previous by thread: Re: "Version less than 0.0" in OVAL definitions
Next by thread: Re: "Version less than 0.0" in OVAL definitions
Index(es):
- Date
- Thread