cip-project / cip-kernel / cip-kernel-sec · Issue #8 · Closed
Created Dec 06, 2020 by Tad (@IratePorcupine, Contributor)

Missing CVEs

Currently import_debian and import_ubuntu ignore issues contained in their /retired folders. Issues in the retired folders will only be considered if it is already tracked in CIP.

However there is an issue with timing. Consider the following:

  • CIP import scripts are run/committed
  • Debian adds an issue
  • Debian moves this issue to /retired some time later
  • CIP import scripts are again run

The result is that issues fall through and end up never tracked.

Some examples:

  • CVE-2020-8834
  • CVE-2020-0429 thru CVE-2020-0433
  • CVE-2020-0066
  • CVE-2019-19338
  • CVE-2019-9458
  • CVE-2019-9456
  • CVE-2019-9454
  • CVE-2019-9444
  • CVE-2019-9162
  • CVE-2019-9003
  • many many more

Some are pretty minor/irrelevant, but they should probably still be considered.

I noticed this as I would rebase to master and run the import scripts every few days. I would then import that into my CVE repo. Sometimes I'd notice git diff showing CVEs being deleted. I currently work around this using:

scripts/import_debian.py
+    their_issues.update((os.path.basename(name), name) for name in
+                        glob.glob(IMPORT_DIR + '/retired/CVE-*')
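Review bot: the closing parenthesis of the `their_issues.update(` call is missing after `glob.glob(IMPORT_DIR + '/retired/CVE-*')`, so the fragment as pasted does not parse; it looks truncated and should read `glob.glob(IMPORT_DIR + '/retired/CVE-*'))`. As written it also pulls in every file under /retired; rather than importing all of them, filter on the year in the CVE id (the 2014 cutoff mentioned in the issue) or restrict the retired set to ids that are either already tracked or recent, so the fix only closes the timing gap instead of importing ancient entries.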

That does end up including many ancient issues. So it should probably be tweaked to ignore anything before 2014 or whatever better you deem. I personally track back to 3.0 for some of the mobiles I support, so I'll continue using what I am.

I have a tree here that has all issues imported for example: https://gitlab.com/divested-mobile/cip-kernel-sec/-/tree/20201203-1

Edited Dec 06, 2020 by Tad
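A minimal version of the retired-folder handling this issue asks for, as an added example (not cip-kernel-sec's own code): a retired entry is kept if CIP already tracks it or if its CVE year is at or past a cutoff, so an issue that was retired between two import runs is not silently dropped. The `active/` subfolder name, the helper names, the sample paths and the `CVE-20xx-0000` ids are assumptions or constructed placeholders.

```python
import glob
import os
import re

# Hypothetical helper (added example): pick the CVE files an importer should
# consider from a distro tracker's live folder and its /retired folder.
CVE_RE = re.compile(r'^CVE-(\d{4})-\d{4,}$')


def cve_year(name):
    """Return the year encoded in a CVE id, or None if name is not a CVE id."""
    m = CVE_RE.match(name)
    return int(m.group(1)) if m else None


def select_issues(active, retired, tracked, min_year=2014):
    """Map CVE id -> path for the issues the importer should take.

    active/retired: file paths from the live and /retired folders.
    tracked: set of CVE ids CIP already tracks.
    A retired issue is kept when CIP already tracks it (the existing rule)
    or when it is recent enough to have been retired between two import
    runs (the timing gap described in the issue). Ancient, untracked
    retired entries are skipped so the whole history is not imported.
    """
    issues = {}
    for path in active:
        issues[os.path.basename(path)] = path
    for path in retired:
        cve = os.path.basename(path)
        year = cve_year(cve)
        if year is None:
            continue
        if cve in tracked or year >= min_year:
            issues.setdefault(cve, path)  # a live entry wins over a retired one
    return issues


def scan_import_dir(import_dir, tracked, min_year=2014):
    """Same selection over a checkout; 'active' subfolder name is an assumption."""
    active = glob.glob(os.path.join(import_dir, 'active', 'CVE-*'))
    retired = glob.glob(os.path.join(import_dir, 'retired', 'CVE-*'))
    return select_issues(active, retired, tracked, min_year)


# Constructed sample input (not real tracker contents); ids ending in 0000 are placeholders.
SAMPLE_ACTIVE = ['/tmp/deb/active/CVE-2020-0429']
SAMPLE_RETIRED = ['/tmp/deb/retired/CVE-2020-8834',  # retired between two import runs
                  '/tmp/deb/retired/CVE-2019-9003',
                  '/tmp/deb/retired/CVE-2010-0000',  # ancient and untracked: skipped
                  '/tmp/deb/retired/CVE-2009-0000']  # ancient but already tracked: kept
SAMPLE_TRACKED = {'CVE-2009-0000'}
```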