Missing CVEs
Currently import_debian and import_ubuntu ignore issues contained in their /retired folders. Issues in the retired folders are only considered if they are already tracked in CIP.
However there is a timing problem. Consider the following sequence:
- CIP import scripts are run/committed
- Debian adds an issue
- Debian moves this issue to /retired some time later
- CIP import scripts are again run
The result is that such issues fall through the gap and end up never being tracked.
Some examples:
- CVE-2020-8834
- CVE-2020-0429 through CVE-2020-0433
- CVE-2020-0066
- CVE-2019-19338
- CVE-2019-9458
- CVE-2019-9456
- CVE-2019-9454
- CVE-2019-9444
- CVE-2019-9162
- CVE-2019-9003
- many, many more
Some are pretty minor/irrelevant, but they should probably still be considered.
I noticed this as I would rebase to master and run the import scripts every few days. I would then import that into my CVE repo. Sometimes I'd notice git diff showing CVEs being deleted. I currently work around this using:
scripts/import_debian.py
+ their_issues.update((os.path.basename(name), name) for name in
+ glob.glob(IMPORT_DIR + '/retired/CVE-*')
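Review bot: the second added line leaves the `their_issues.update(` call unclosed; the generator expression needs a closing `)` after `glob.glob(IMPORT_DIR + '/retired/CVE-*')`, otherwise the file will not parse. As the description below also notes, this pulls in every retired issue with no lower bound on the CVE year; a cutoff (the text suggests 2014) on the basename before adding it to `their_issues` would keep the workaround from importing ancient entries.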
That does end up including many ancient issues. So it should probably be tweaked to ignore anything before 2014 or whatever cutoff you deem better. I personally track back to 3.0 for some of the mobiles I support, so I'll continue using what I am.
I have a tree here that has all issues imported for example: https://gitlab.com/divested-mobile/cip-kernel-sec/-/tree/20201203-1
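To make the timing gap concrete, here is an added example (not code from cip-kernel-sec or the Debian tracker) that replays the sequence above on a constructed tree and compares the current rule (retired issues only if already tracked) with the proposed one (retired issues also taken when their CVE year is at or after a cutoff). The active/retired layout, the `retired_since` parameter and the helper names are assumptions for this example.

```python
import glob
import os
import re
import tempfile

# Assumed checkout layout (constructed for this example):
#   <import_dir>/active/CVE-YYYY-NNNN   and   <import_dir>/retired/CVE-YYYY-NNNN
CVE_YEAR = re.compile(r'^CVE-(\d{4})-\d+$')


def collect_issues(import_dir, tracked, retired_since=None):
    """Return {cve_id: path} of issues to import.

    Active issues are always taken.  A retired issue is taken if CIP already
    tracks it (the current rule) or, when retired_since is given, if its CVE
    year is at least retired_since (the proposed rule), so an issue that was
    added and retired between two import runs is not silently dropped.
    """
    issues = {}
    for path in glob.glob(os.path.join(import_dir, 'active', 'CVE-*')):
        issues[os.path.basename(path)] = path
    for path in glob.glob(os.path.join(import_dir, 'retired', 'CVE-*')):
        cve = os.path.basename(path)
        match = CVE_YEAR.match(cve)
        recent = bool(retired_since is not None and match
                      and int(match.group(1)) >= retired_since)
        if cve in tracked or recent:
            issues[cve] = path
    return issues


def simulate_timing_gap(cve='CVE-2020-8834', ancient='CVE-2005-0001'):
    """Replay the sequence from the report on a constructed tree and return
    which retired issues each rule picks up on the second import run."""
    with tempfile.TemporaryDirectory() as import_dir:
        for sub in ('active', 'retired'):
            os.makedirs(os.path.join(import_dir, sub))
        # Run 1: the issue does not exist yet, so CIP ends up tracking nothing.
        tracked = set(collect_issues(import_dir, set()))
        # Debian adds the issue and retires it before the next run; a
        # constructed ancient retired issue sits alongside it.
        for name in (cve, ancient):
            open(os.path.join(import_dir, 'retired', name), 'w').close()
        # Run 2 under both rules.
        current = collect_issues(import_dir, tracked)
        proposed = collect_issues(import_dir, tracked, retired_since=2014)
        return {'current': sorted(current), 'proposed': sorted(proposed)}
```

Under the current rule the second run returns nothing, so the issue is never tracked; with the cutoff the 2020 issue is picked up while the 2005 one is still ignored.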