CPAN-Security / cpan-advisory-database

advisory categories #7

Open garu opened 1 year ago

garu commented 1 year ago

Some package managers like Rust's provide a category to their issues' metadata. I think it really helps keep things organized. A given advisory could have multiple categories, even though I believe most will fall under just one.

I'd like us to decide which advisory categories to use, if any. RustSec defines the following categories on their advisories:

  1. code-execution - issue lets attackers run arbitrary code;
  2. crypto-failure - issue related to cryptography and ciphers (man in the middle, recover plaintext, break cipher, etc);
  3. denial-of-service - issue lets attackers hang the program or the entire system;
  4. file-disclosure - issue lets attackers read the contents of an arbitrary file or directory;
  5. format-injection - wrong evaluation of input;
  6. memory-corruption - null pointers, OOB writes, use-after-free, etc;
  7. memory-exposure - issue lets attackers read memory contents;
  8. privilege-escalation - issue lets attackers bypass user permissions;
  9. thread-safety - code is not thread-safe;

For CPANSEC I would also like to consider:

  1. malware - the distribution is or contains explicit malicious code;
  2. memory-leak - circular references and general memory leaks;
  3. unmaintained - distribution is abandoned;
  4. deprecated - author recommends distribution should not be used;

What do you think?

I plan on reviewing all relevant CVEs and adding at least one category for each of them. At the end, we should have a good enough list (we can always add more later).

stigtsp commented 1 year ago

Some thoughts:

garu commented 1 year ago

Good point, @stigtsp. At first I considered escalating the type of vulnerability from the third party, but "depends on vulnerable third-party component" without specifying the actual issue may be better, as it points out that the 3rd-party library may expose users to other risks outside their Perl code - not to mention it makes things much easier for reporters.