Extend the status usage in the tracker #205

Open
Foxboron opened this issue Apr 13, 2022 · 7 comments

Comments

@Foxboron
Member

Foxboron commented Apr 13, 2022

AVGs

Currently we have several AVGs which are either "Disputed" or have a status where the issue is open but can't realistically be fixed. What should we do with those, and how should they interact with our todo list?

We use the "Bumped packages" section as our work queue in many cases, and currently it's being cluttered by a couple of AVGs we simply can't deal with.

My suggestion for additional statuses:

  • Disputed - Hidden from /todo and mainly just kept as a reference. No fixed version should be expected.
  • Won't Fix - Upstream can't or won't fix the issue, but it's a valid CVE. Hidden from the /todo list.

CVEs

A dedicated Investigating status for CVEs would be useful. We should also have a separate list of them on the /todo page so it's easier to see what is being worked on. "Unknown" isn't a great status and is ambiguous.

@djerun

djerun commented Apr 13, 2022

So for those like AVG-1342, where the CVE only applies to certain setups and there is a config option to use as a workaround for those setups, it feels like another status might better express that.

Not sure about the name for that, but something that expresses that it affects certain setups when using the default config and that a workaround for those is available.

@Foxboron
Member Author

A status like Workaround Available could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.

@anthraxx
Member

@Foxboron can you please post all those AVGs here to better understand user stories and requirements.

@anthraxx
Member

AVG-1311 is a valid group and state; fix versions also exist, our package is just stuck on version 2. The patch seems trivial; we should probably backport a similar fix to 2.x.

@SantiagoTorres
Collaborator

> A status like Workaround Available could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.

Hmm, what about Mitigation Exists? Not sure how much shorter that makes it though 🤔

@djerun

djerun commented Apr 15, 2022

I just went through the CVSSv3.1 Spec, and in section 5 Qualitative Severity Rating Scale there is a rating of None for 0.0. I assume that one is meant for invalid CVEs. So hiding AVGs with only invalid CVEs rated as Severity None from /todo might be a thing, but I'm not so sure marking disputed CVEs as Severity None is the right approach.

The issue linked in the CVE of AVG-2406 was closed as invalid, but NVD still lists it as disputed with the original rating, and it will probably stay that way until someone goes through the effort of reproducing it or proving it invalid.

With AVG-2394 the issue is still open, so "stale" or "waiting for upstream fix" might be an appropriate status, though I haven't fully read through the details. AVG-1915 looks the same.

AVG-2630 looks like a case for Mitigation Exists.
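Added example, not code from the arch-security-tracker or from any of the commenters: one way the statuses proposed in this thread could drive the /todo queue. It implements the CVSS v3.1 Qualitative Severity Rating Scale (spec section 5) and hides a group when its status is Disputed or Won't Fix, or when every CVE in it is rated None (score 0.0), while keeping a disputed CVE's original score rather than forcing it to 0.0. The `Status`, `Cve` and `Avg` classes, the helper names, and the sample groups are assumptions made up for the example; the tracker's real data model is not shown on this page.

```python
"""Added example (not the tracker's own code): proposed AVG/CVE statuses
driving a /todo work queue. All class, field and AVG/CVE names below are
hypothetical; the sample data is constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    UNKNOWN = "Unknown"
    VULNERABLE = "Vulnerable"
    FIXED = "Fixed"
    DISPUTED = "Disputed"                    # proposed: reference only, no fix expected
    WONT_FIX = "Won't Fix"                   # proposed: valid CVE, upstream can't/won't fix
    MITIGATION_EXISTS = "Mitigation Exists"  # proposed: affects some setups, workaround exists
    INVESTIGATING = "Investigating"          # proposed for CVEs instead of "Unknown"


# Statuses that drop a group from the work queue entirely (assumption from the thread).
HIDDEN_FROM_TODO = {Status.DISPUTED, Status.WONT_FIX}


def cvss31_rating(score: float) -> str:
    """Qualitative Severity Rating Scale from the CVSS v3.1 specification, section 5."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:   # 0.1 - 3.9
        return "Low"
    if score < 7.0:   # 4.0 - 6.9
        return "Medium"
    if score < 9.0:   # 7.0 - 8.9
        return "High"
    return "Critical"  # 9.0 - 10.0


@dataclass
class Cve:
    cve_id: str
    base_score: float                 # kept as published, even when disputed
    disputed: bool = False
    status: Status = Status.UNKNOWN


@dataclass
class Avg:
    avg_id: str
    pkg: str
    status: Status
    cves: List[Cve] = field(default_factory=list)
    fixed_version: Optional[str] = None


def hidden_from_todo(avg: Avg) -> bool:
    """A group leaves the queue if its status says the team cannot act on it,
    or if every CVE in it is rated None (score 0.0, i.e. not a real issue)."""
    if avg.status in HIDDEN_FROM_TODO:
        return True
    return bool(avg.cves) and all(cvss31_rating(c.base_score) == "None" for c in avg.cves)


def build_todo(avgs: List[Avg]) -> Dict[str, List[str]]:
    """Split groups into the queue, an Investigating list, and the hidden set.
    Mitigation Exists stays visible: a fix is still expected (assumption)."""
    todo: Dict[str, List[str]] = {"actionable": [], "investigating": [], "hidden": []}
    for avg in avgs:
        if hidden_from_todo(avg):
            todo["hidden"].append(avg.avg_id)
        elif any(c.status is Status.INVESTIGATING for c in avg.cves):
            todo["investigating"].append(avg.avg_id)
        else:
            todo["actionable"].append(avg.avg_id)
    return todo


# Constructed sample data; ids and scores are invented for the example.
SAMPLE = [
    Avg("AVG-0001", "pkg-a", Status.VULNERABLE, [Cve("CVE-0000-0001", 7.5)]),
    Avg("AVG-0002", "pkg-b", Status.DISPUTED, [Cve("CVE-0000-0002", 9.8, disputed=True)]),
    Avg("AVG-0003", "pkg-c", Status.WONT_FIX, [Cve("CVE-0000-0003", 5.3)]),
    Avg("AVG-0004", "pkg-d", Status.VULNERABLE, [Cve("CVE-0000-0004", 0.0)]),
    Avg("AVG-0005", "pkg-e", Status.VULNERABLE,
        [Cve("CVE-0000-0005", 6.1, status=Status.INVESTIGATING)]),
    Avg("AVG-0006", "pkg-f", Status.MITIGATION_EXISTS, [Cve("CVE-0000-0006", 7.8)]),
]

if __name__ == "__main__":
    for section, ids in build_todo(SAMPLE).items():
        print(f"{section}: {', '.join(ids) or '-'}")
```

Note that the disputed group (AVG-0002 in the constructed data) is hidden by its status, not by its score: its CVE still rates Critical, which matches the observation above that NVD keeps the original rating on disputed entries.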


4 participants