-
-
Notifications
You must be signed in to change notification settings - Fork 217
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch away from CVE-ID as primary id. #35
Comments
Either CVE or OSVDB would work for me, provided we pick one and stick with it ;) I thought the plan was to use CVE for everything, and in cases where there aren't CVEs, @kurtseifried could obtain CVEs through RedHat |
At the moment OSVDB has better coverage, and I don't want @kurtseifried to be a blocker for us since he has better things to do with his time. Getting more covered of Ruby gem vulnerabilities in CVE/NVD is good, but shouldn't necessarily be a goal of our project. OSVDB is really good at getting this information up themselves... Only downside is that OSVDB will have several vulnerabilities for things that we may only want to list as one advisory, for instance: http://www.osvdb.org/show/osvdb/91219 http://www.osvdb.org/show/osvdb/91218 http://www.osvdb.org/show/osvdb/91216 are all the same disclosure. On the other hand, having them as separate issues isn't too much of a problem... |
On Mon, Apr 1, 2013 at 6:02 PM, Max Veytsman notifications@github.comwrote:
http://www.openwall.com/lists/oss-security/2013/01/25/1 So yes it needs to be fixed, but because there is no way to exploit it (see
Sounds like you need some SPLIT/MERGE guidelines =) http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html —
Kurt Seifried |
I think projects like brakeman are better suited for reporting security hardening issues (misconfigurations, lazy defaults, etc). |
Brakeman will help you with securing and hardening your app. I suppose this goes to: Is the database intended to cover packages with known exploitable vulnerabilities, or all packages that have security weaknesses that have been disclosed? |
I would say vulnerabilities that are (potentially) exploitable. |
You'll get stuff that is worth security fixing/etc but for whatever reason On Mon, Apr 1, 2013 at 7:00 PM, Postmodern notifications@github.com wrote:
Kurt Seifried |
So, shall we go with OSVDB with filename? @postmodern, thoughts? |
@mveytsman I don't see why not. If the advisories does not exist in the NVDB, but does exist in OSVDB, why not? Only real change is the prefix of the filen ame. |
OSVDB seems good... let's just standardize on something ;) |
I've updated all the advisodies with OSVDB IDs. We now have one advisory in the database (loofah/OSVDB-90945.yml) and several vulnerabilities in the queue that have OSVDB IDs but not CVE IDs. Based on Jericho's comments in the mailing list that is going to continue to be the case.
Would it make sense to switch to OSVDB as the canonical ID?
Alternatively we can implement a RUBYSEC-XXXX ID scheme. The only downside would be with conflicts when multiple people submit the same vulnerability, but I think this is actually non-issue since we have only a few people with commit-rights, we can just quickly resolve RUBYSEC-XXXX ID conflicts over github.
Thoughts?
The text was updated successfully, but these errors were encountered: