Missing CVEs

Currently import_debian and import_ubuntu ignore issues contained in their /retired folders. Issues in the retired folders will only be considered if it is already tracked in CIP.

However there is an issue with timing. Consider the following:

CIP import scripts are run/commited
Debian adds an issue
Debian moves this issue to /retired some time later
CIP import scripts are again run

The result is that issues fall through and end up never tracked.

Some examples:

CVE-2020-8834
CVE-2020-0429 thru CVE-2020-0433
CVE-2020-0066
CVE-2019-19338
CVE-2019-9458
CVE-2019-9456
CVE-2019-9454
CVE-2019-9444
CVE-2019-9162
CVE-2019-9003
many many more

Some are pretty minor/irrelevant, but they should probably still be considered.

I noticed this as I would rebase to master and run the import scripts every few days. I would then import that into my CVE repo. Some times I'd notice git diff showing CVEs being deleted. I currently work around this using:

scripts/import_debian.py
+    their_issues.update((os.path.basename(name), name) for name in
+                        glob.glob(IMPORT_DIR + '/retired/CVE-*')

That does end up including many ancient issues. So it should probably be tweaked to ignore anything before 2014 or whatever better you deem. I personally track back to 3.0 for some of the mobiles I support, so I'll continue using what I am.

I have a tree here that has all issues imported for example: https://gitlab.com/divested-mobile/cip-kernel-sec/-/tree/20201203-1

Edited Dec 06, 2020 by Tad