gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
Yakulu has left #nixos-security ["Disconnected: closed"]
tilpner has quit [Quit: WeeChat 2.4]
tilpner has joined #nixos-security
Yakulu has joined #nixos-security
justanotheruser has quit [Ping timeout: 246 seconds]
justanotheruser has joined #nixos-security
pie_ has quit [Ping timeout: 252 seconds]
justanotheruser has quit [Ping timeout: 250 seconds]
justanotheruser has joined #nixos-security
justanotheruser has quit [Read error: Connection reset by peer]
justanotheruser has joined #nixos-security
<andi-> Just played around with adding CVE scores to my thingy. Clicked through a few issues and lost all motivation again :/ That is really the most challenging issue IMO
<gchristensen> what caused you to lose motivation, do you think?
<andi-> First seeing plenty of perfect scores (10) and then seeing what a mess it is to get any reasonable information about them.
<andi-> well more like 9.8, 10 seems to be really rare
<gchristensen> right :?
<gchristensen> yeah... CVEs are so hard :(
<andi-> And that I should ignore packages that are marked as broken... e.g. hhvm
<andi-> On the other hand it feels good to see how many things were already fixed but just didn't get a channel bump yet :-)
<gchristensen> oh yeah that sounds pretty good
<samueldr> 8 days gap ought to do it
<andi-> and many false positives since someone tags all those jenkins plugins wrongly..
<samueldr> hm?
<samueldr> something that we can fix or from your data set?
<andi-> seems like it is wrong in the NVD database
<andi-> `Jenkins InfluxDB` is being added as `InfluxDB`
<andi-> same for a few others
<samueldr> oof
<andi-> https://nvd.nist.gov/vuln/detail/CVE-2019-10329 oh well maybe not? Not sure if that means it is only a configuration with jenkins
<samueldr> >>
<samueldr> InfluxDB Plugin stored target passwords unencrypted in its global configuration file on the Jenkins master. These credentials could be viewed by users with access to the master file system.
<samueldr> sounds like jenkins specific issue
<andi-> yeah but if you look at the bottom it shows you the CPE strings
<andi-> and that just shows the `influxdb` product in some weird configuration with a (free text?) field saying jenkins
<andi-> I can not infer the "vendor" from within nixpkgs so I can not avoid that kind of false positives. And if the vendor would also provide a plugin then I still wouldn't be able to distinguish between a plugin for something else or the actual thing :/
<samueldr> what's eficode?
<andi-> some vendor
<andi-> e.g. a person, company, non-profit, …
<samueldr> right
<samueldr> so it's "influxdb from eficode, and look here we have that string for jenkins"?
<andi-> I could probably add support for that and see what the diff is
<andi-> e.g. if `target product` is set only match against that
<andi-> but then again the version strings are for the `product` (not `target product`)
<samueldr> through their (slow) search engine it looks like it's sometimes used for jenkins
<samueldr> though not always
<samueldr> ah
<samueldr> one I found that wasn't used for it, it is jenkins itself
<samueldr> eek
<samueldr> edge case~osh
<samueldr> ish*
<samueldr> the product is "jenkins_plugin", for the software sonarqube
<samueldr> though, thinking for 2s it seems alright, the right way around
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
<andi-> Everyone needs their own JPEG library written in C… grml
<gchristensen> people looove to do that.
* andi- prepares a nix PR with `builtins.compressJPEG`
<pie_> jpeg, not even once
<gchristensen> lol