archlinux / arch-security-tracker

Arch Linux Security Tracker
https://security.archlinux.org
MIT License
120 stars 38 forks

Extend the status usage in the tracker #205

Open Foxboron opened 2 years ago

Foxboron commented 2 years ago

AVGs

Currently we have several AVGs which are either "Disputed" or have a status where it's open but can't realistically be fixed. What should we do with those, and how should they interact with our todo list?

We use the "Bumped packages" section as our work queue in many cases and currently it's being cluttered by a couple of AVGs we simply can't deal with.

My suggestion for additional statuses:

CVEs

A status of its own for Investigating on the CVEs would be useful. We should also have our own list of them on the /todo page so it's easier to see what is being worked on. "Unknown" isn't a great status and is ambiguous.

djerun commented 2 years ago

So for those like AVG-1342, where the CVE only applies to certain setups and there is a config option to use as a workaround for those setups, it feels like another status might better express that.

Not sure about the name for that, but something that expresses that it affects certain setups when using the default config and a workaround for those is available.

Foxboron commented 2 years ago

A status like Workaround Available could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.

anthraxx commented 2 years ago

@Foxboron can you please post all those AVGs here to better understand user stories and requirements.

Foxboron commented 2 years ago
anthraxx commented 2 years ago

AVG-1311 is a valid group and state; fix versions also exist, our package is just stuck with version 2. The patch seems trivial, should probably backport a similar fix to 2.x.

SantiagoTorres commented 2 years ago

A status like Workaround Available could work. Maybe a bit long? cc @SantiagoTorres our resident word smith.

Hmm, what about Mitigation Exists? Not sure how much shorter that makes it though :thinking:

djerun commented 2 years ago

I just went through the CVSSv3.1 spec, and in section 5, Qualitative Severity Rating Scale, there is a rating of None for 0.0. I assume that one is meant for invalid CVEs. So hiding AVGs with only invalid CVEs rated as Severity None from /todo might be a thing, but I'm not so sure marking disputed CVEs as Severity None is the right approach.

The issue linked in the CVE of AVG-2406 was closed as invalid but NVD still lists it as disputed with the original rating and it will probably stay that way until someone goes through the effort of reproducing it or proving it invalid.

With AVG-2394 the issue is still open, so stale or waiting for upstream fix might be an appropriate status, though I haven't fully read through the details. AVG-1915 looks the same.

AVG-2630 looks like a case for mitigation exists.