Currently import_debian and import_ubuntu ignore issues contained in their /retired folders. An issue in the retired folders will only be considered if it is already tracked in CIP.
However, there is an issue with timing. Consider the following:

- CIP import scripts are run/committed
- Debian adds an issue
- Debian moves this issue to /retired some time later
- CIP import scripts are again run

The result is that issues fall through and end up never tracked.

- CVE-2020-0429 thru CVE-2020-0433
- many many more

Some are pretty minor/irrelevant, but they should probably still be considered.
I noticed this as I would rebase to master and run the import scripts every few days. I would then import that into my CVE repo. Sometimes I'd notice git diff showing CVEs being deleted. I currently work around this using:
scripts/import_debian.py + their_issues.update((os.path.basename(name), name) for name in + glob.glob(IMPORT_DIR + '/retired/CVE-*')
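Review bot: the `their_issues.update(` call opened on the first added line is never closed in the lines shown; the second added line ends with the parenthesis that belongs to `glob.glob(...)`, so a final `)` is still needed. The pattern `'/retired/CVE-*'` also matches every retired issue regardless of age, so filtering on the year in the basename before the update would keep very old entries out for users who do not want them.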
That does end up including many ancient issues. So it should probably be tweaked to ignore anything before 2014 or whatever you deem better. I personally track back to 3.0 for some of the mobiles I support, so I'll continue using what I am.
I have a tree here that has all issues imported, for example: https://gitlab.com/divested-mobile/cip-kernel-sec/-/tree/20201203-1
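
The timing gap described in this report can be reproduced with a small model of two import runs. This is an added example, not code from cip-kernel-sec: `select_issues`, `simulate` and the two `CVE-…-9999x` IDs are hypothetical and constructed for illustration, and the year cutoff follows the "ignore anything before 2014" suggestion above.

```python
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-\d+$")

def select_issues(active, retired, tracked, include_retired=False, min_year=None):
    """Return the upstream issue IDs one import run would consider.

    active / retired: IDs found in upstream's active and /retired folders.
    tracked: IDs already tracked locally before this run.
    """
    selected = set(active)
    for cve in retired:
        if cve in tracked:
            # Behaviour described in the report: retired issues count
            # only when they are already tracked.
            selected.add(cve)
        elif include_retired:
            # Workaround: also take untracked retired issues, optionally
            # dropping anything older than min_year.
            m = CVE_RE.match(cve)
            if m and (min_year is None or int(m.group(1)) >= min_year):
                selected.add(cve)
    return selected

def simulate(include_retired, min_year=None):
    """Two import runs; upstream adds and retires an issue in between."""
    active = {"CVE-2019-99991"}        # constructed ID, stays active
    old_retired = {"CVE-2012-99992"}   # constructed ID, retired long ago
    tracked = set()
    # Run 1: the new issue does not exist upstream yet.
    tracked |= select_issues(active, old_retired, tracked,
                             include_retired, min_year)
    # Between runs: upstream adds CVE-2020-0429, then moves it to /retired.
    retired = old_retired | {"CVE-2020-0429"}
    # Run 2: the issue is only ever seen inside /retired.
    tracked |= select_issues(active, retired, tracked,
                             include_retired, min_year)
    return tracked

if __name__ == "__main__":
    print("retired ignored: ", sorted(simulate(False)))
    print("retired included:", sorted(simulate(True)))
    print("retired >= 2014: ", sorted(simulate(True, min_year=2014)))
```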