Open Foxboron opened 2 years ago
So for those like AVG-1342, where the CVE only applies to certain setups and there is a config option to use as a workaround for those setups, it feels like another status might better express that. Not sure about the name for that, but something that expresses it affects certain setups when using the default config and that a workaround for those is available.
A status like "Workaround Available" could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.
@Foxboron can you please post all those AVGs here to better understand user stories and requirements?
AVG-1311 is a valid group and state; fix versions also exist, our package is just stuck with version 2. The patch seems trivial; we should probably backport a similar fix to 2.x.
Hmm, what about "Mitigation Exists"? Not sure how much shorter that makes it though :thinking:
I just went through the CVSSv3.1 Spec, and in section 5 (Qualitative Severity Rating Scale) there is a rating of "None" for 0.0. I assume that one is meant for invalid CVEs. So hiding AVGs with only invalid CVEs rated as Severity "None" from /todo might be a thing, but I'm not so sure marking disputed CVEs as Severity "None" is the right approach.
The issue linked in the CVE of AVG-2406 was closed as invalid but NVD still lists it as disputed with the original rating and it will probably stay that way until someone goes through the effort of reproducing it or proving it invalid.
With AVG-2394 the issue is still open, so "stale" or "waiting for upstream fix" might be an appropriate status, though I haven't fully read through the details. AVG-1915 looks the same.
AVG-2630 looks like a case for "mitigation exists".
AVGs
Currently we have several AVGs which are either "Disputed" or have a status where the AVG is open but can't realistically be fixed. What should we do with those, and how should they interact with our todo list?
We use the "Bumped packages" section as our work queue in many cases and currently it's being cluttered by a couple of AVGs we simply can't deal with.
My suggestion for additional statuses:
Disputed - Hidden from /todo and mainly just kept as a reference. No fixed version should be expected.
Won't Fix - Upstream can't or won't fix the issue, but it's a valid CVE. Hidden from the /todo list.
CVEs
A dedicated "Investigating" status on the CVEs would be useful. We should also have a separate list of them on the /todo page so it's easier to see what is being worked on. "Unknown" isn't a great status and is ambiguous.