gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
<andi-> broken.sh will probably not show any new vulns for the foreseeable future. NVD changed the data format and I'm only mildly motivated to adjust the code.
<gchristensen> ouch
<gchristensen> they can just ... do that?
<andi-> they bumped the version number and the old files throw 404s
<gchristensen> coolcoolcool
<andi-> It is not just a small change of format; they dropped the values I used to match packages. So now I'll have to implement a proper CPE 2.3 parser... Maybe some day.
<Foxboron> Ouch. I'll point it out in an OpenSSF meeting if i get the chance :p
<Foxboron> I even started processing the NVD data for Arch recently...
<andi-> In their defense they always said that the JSON files are just "beta" quality. Has been for many years now.
<andi-> The XML files are probably still super stable
<Foxboron> Hmm, but i don't see any version bumps. I still just see 1.1
<Foxboron> But that only lists a change from 2019
<andi-> ah right, I did read it as 09-2020 m(
<andi-> anyway, doesn't change the fact that the old files are gone
<Foxboron> Which files are gone :)?
<andi-> the 1.0 format files
<Foxboron> Ahh, so the old-old format is gone
<andi-> I think it is just "old" not old-old ;)
<Foxboron> which implies the support is 2 years (from the changelog)
<andi-> the current is 1.1
<Foxboron> > 1.0 - 2018-10-30
<{^_^}> -2057
<andi-> but yeah, 2y make sense
<Foxboron> Nice. That cleared up the confusion. But the CPE parsing is done in vulnix afaik
<Foxboron> you can probably try to port the CPE parsing logic it uses to Rust
<andi-> Yeah, a few years ago I saw that and the other patterns just felt better/nicer to implement. No dealing with wildcards etc.
<Foxboron> Yes, CPE isn't very nice
<andi-> Foxboron: is the OpenSSF in a position to issue CVE IDs yet (aka a CNA)? Just saw the page about the disclosure WG.
<andi-> It could also be a non-goal, just working through the material
<Foxboron> andi-: No. Being a CNA isn't necessarily a goal in and of itself. But helping to provide such a service or coordinate it better might be.
<Foxboron> But becoming a CNA hasn't been very hard since ~2 years ago.
<andi-> I was thinking of NixOS becoming a CNA, at least for our own stuff. It is always annoying requesting it from someone else... my last interaction with MITRE (about a year ago, maybe 1.5h) took about 2 days :/
<Foxboron> (everything is still a bit early/incubating)
<Foxboron> 2 days isn't too bad :)
<Foxboron> But if you find you need to assign 3-4 CVEs a year applying for CNA is something you should consider
<Foxboron> We have people from MITRE attending the meetings
<andi-> It's a bit weird to see no other non-commercial distributions (besides you for Arch Linux) on that list of disclosure WG members.
<Foxboron> Originally it had 0 distribution members :)
<Foxboron> I was the first applying IIRC
<andi-> wow
<Foxboron> I'm a bit unsure how many non-commercial distro sec teams there are :p
<andi-> I'd expected maybe Debian to be interested in the thing given that they are fairly active.
<andi-> But maybe those people are already drowning in work
<Foxboron> I'm way behind on sec work myself :p
<andi-> I actually wanted to sit down with a pot of tea and go through issues in the upcoming NixOS release... then I saw the CVE db isn't being updated anymore... now a few hours later my window of time + motivation is gone /o\
<Foxboron> But yeah, the last meeting was distro focused. I presented the Arch tracker (a bit poorly prepared) and crob went over the Red Hat product security team. Also had Marcus from openSUSE and an Ubuntu guy (ebarreto?)