justanotheruser has quit [Ping timeout: 240 seconds]
justanotheruser has joined #nixos-security
elvishjerricco has quit [Ping timeout: 272 seconds]
elvishjerricco has joined #nixos-security
justanotheruser has quit [Ping timeout: 240 seconds]
justanotheruser has joined #nixos-security
kalbasit has quit [Ping timeout: 272 seconds]
kalbasit has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]
<andi->
broken.sh is probably not going to show any new vulns for the foreseeable future. NVD changed the data format and I'm only mildly motivated to adjust the code.
<gchristensen>
ouch
<gchristensen>
they can just ... do that?
<andi->
they bumped the version number and the old files throw 404s
<gchristensen>
coolcoolcool
<andi->
It is not just a small change of format; they dropped the values I used to match packages. So now I'll have to implement a proper CPE 2.3 parser.. Maybe some day
<Foxboron>
Ouch. I'll point it out in an OpenSSF meeting if i get the chance :p
<Foxboron>
I even started processing the NVD data for Arch recently...
<andi->
In their defense they always said that the JSON files are just "beta" quality. Has been for many years now.
<andi->
The XML files are probably still super stable
<Foxboron>
Hmm, but i don't see any version bumps. I still just see 1.1
<andi->
anyway, doesn't change the fact that the old files are gone
<Foxboron>
Which files are gone :)?
<andi->
the 1.0 format files
<Foxboron>
Ahh, so the old-old format is gone
<andi->
I think it is just "old" not old-old ;)
<Foxboron>
which implies the support is 2 years (from the changelog)
<andi->
the current is 1.1
<Foxboron>
> 1.0 - 2018-10-30
<{^_^}>
-2057
<andi->
but yeah, 2y make sense
<Foxboron>
Nice. That cleared up the confusion. But the CPE parsing is done in vulnix afaik
<Foxboron>
you can probably try to port the CPE parsing logic it uses to Rust
<andi->
Yeah, a few years ago I saw that, and the other patterns just felt better/nicer to implement. No dealing with wildcards etc.
<Foxboron>
Yes, CPE isn't very nice
<andi->
Foxboron: is the OpenSSF in a position to issue CVE IDs yet (aka a CNA)? Just saw the page about the disclosure WG.
<andi->
It could also be a non-goal, just working through the material
<Foxboron>
andi-: No. Being a CNA isn't necessarily a goal in and of itself. But helping to provide such a service or coordinate it better might be.
<Foxboron>
But becoming a CNA hasn't been very hard since ~2 years ago.
<andi->
I was thinking of NixOS becoming a CNA, at least for our own stuff. It is always annoying requesting it from someone else... my last interaction with MITRE (about a year ago, maybe 1.5h) took about ~2 days :/
<Foxboron>
(everything is still a bit early/incubating)
<Foxboron>
2 days isn't too bad :)
<Foxboron>
But if you find you need to assign 3-4 CVEs a year, applying to become a CNA is something you should consider
<Foxboron>
We have people from MITRE attending the meetings
<andi->
It's a bit weird to see no other non-commercial distributions (besides you for Arch Linux) on that list of disclosure WG members.
<Foxboron>
Originally it had 0 distribution members :)
<Foxboron>
I was the first applying IIRC
<andi->
wow
<Foxboron>
I'm a bit unsure how many non-commercial distro sec teams there are :p
<andi->
I'd expected maybe Debian to be interested in the thing given that they are fairly active.
<andi->
But maybe those people are already drowning in work
<Foxboron>
I'm way behind on sec work myself :p
<andi->
I actually wanted to sit down with a pot of tea and go through issues in the upcoming NixOS release... then I saw the CVE db isn't being updated anymore.. now a few hours later my window of time + motivation is gone /o\
<Foxboron>
But yeah, last meeting was distro focused. I presented the Arch tracker (a bit poorly prepared) and crob went over the Red Hat product security team. Also had Marcus from openSUSE and an Ubuntu guy (ebarreto?)