Open cberho opened 5 years ago
We have the processes in place and they are fully active, but we are lacking in external communication.
@solrac901
@ahkok can you educate me on the process that you are following, please? We scanned Clear Linux a couple of weeks ago and we received a blank report: no issues, no vulnerabilities. Do you have a vulnerability database that we can check, like https://access.redhat.com/security/security-updates/#/cve ? We want to check if the tools that we are testing are working as we expect. Regards.
Beyond saying we actively scan for and patch CVEs, and that we constantly iterate on our tooling and processes to make them more effective, there's little we can and should say about the tools we use or our workflows publicly; which is really a pretty common security practice itself.
If there's ever an issue with Clear Linux OS that originates from Intel content or as a result of our integration efforts, then depending on the severity an advisory might appear on the Intel Security Advisory portal in the initial issue description.
I'm happy to hear your scans came up blank. :)
Lastly - we do recognize it would be nice to have a Clear specific portal akin to what other distros have. We can keep this issue open for when we have more to share about that.
We monitor CVEs posted ourselves and patch them aggressively. For now, the only record we have is our release notes and package git commit history. This will hopefully change and that's being worked on.
Secondly, since we also update packages relatively fast, we often update packages before CVEs are even posted.
we want to check if the tools that we are testing are working as we expect
In order to help you with that, I need to know what tools you are using, or alternatively, what API you need in order to do your scans.
Per the documentation found on clearlinux.org, the distribution uses the Intel CNA (CVE Numbering Authority) for CVE publishing.
I'm not a doc/web person. What documentation are you referring to here?
We scanned Clear Linux a couple of weeks ago and we received a blank report: no issues, no vulnerabilities.
A good way to test your methodology is to download a really old version of clearlinux (e.g. live image) and scan that. :)
We scanned Clear Linux a couple of weeks ago and we received a blank report: no issues, no vulnerabilities.
Can you share the tool used?
@nesiusra Agreed, let's keep it open for now; we understand it's a long shot, which also requires a published process definition for vulnerability management, eventually something that will land on the project page for community reference.
Per the documentation found on clearlinux.org, the distribution uses the Intel CNA (CVE Numbering Authority) for CVE publishing. After carefully reviewing https://www.intel.com/content/www/us/en/security-center/default.html and checking advisories, there are none related to Clear Linux. While the operating system adheres to the principle of bleeding edge, users and the community require a documented reference, in the form of a procedure or advisory, for risk mitigation. Connected to the previous point, security tools (scanners) rely on vulnerability databases, which are one supporting element on the path to remediation.
Reference documentation:
- CVE IDs and how to get them
- Key details phrasing - BKM to build descriptions
- CVE project documentation
Other distros supporting the CVE process:
- RH Security data
- Suse CVE
- Debian CVE
- Ubuntu