
Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)



On Wed, 3 Apr 2024 at 17:04, Gian Piero Carrubba <gpiero@rm-rf.it> wrote:
>
> * [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique:
> ># Alternative solutions:
> >If we really want to distinguish the case when we don't produce any affected
> >packages but the source contains the vulnerability (a build with different
> >flags might result in an affected package), we can create a new tag to show
> >this: not-affected-build-artifacts.
>
> This. Just marking the CVE as not-affected does not distinguish between
> deb and deb-src, that are still part of (and shipped by) Debian.

In the proposed solution I also mention that we can use the "(free text
comment)" section to indicate that while sticking to "not-affected"; this
would simplify things as no new value is needed. But parsing the cases where
only the sources contain the vulnerable code might be a bit harder.

I'm curious, though, as to what the use case of that is; no other Linux
distribution specifies the case where only the source carries the
vulnerability.

What would be the need for this as a user? If this is a need you have, could
you clarify it, please?

Regards,

--
Samuel Henrique <samueloph>