On Mon, Nov 08, 2021 at 08:07:00AM +0100, Sébastien Delafond wrote: > The other approach is for the OVAL code to simply skip a CVE entirely if > the target distribution was never affected: it would remove the current > false positives, and the only downside would be the lack of an alert is > someone was to accidentally downgrade or hang on to a vulnerable version > (from a previous stable suite for instance). I'm not sure if our OVAL > exports should really for such a scenario, so maybe that's the better > option here.
I think that's probably reasonable. Practically speaking, it only makes sense for us to include data about CVEs that actually impact the given release for which we're generating the feed. We've basically agreed on this in the discussion on webwml mr !737[1]. So if we take that approach, then the following change should do the right thing. So far, all the CVEs that I've checked that are omitted under this change are legitimately omitted (e.g. PHP issues that are only relevant on Windows, issues with code that is not compiled at all in Debian, or code that was fixed prior to the release of a given Debian release.) However, there are quite a lot of CVEs omitted by this change, and more sanity checking is probably a really good idea. You can find generated OVAL feeds, as well as the debug output from the generator, at https://people.debian.org/~noahm/oval/ You can see what CVEs were omitted from a given release's feed with by looking for strings like "bullseye not affected by" in the log. Note that this change is implemented on top of the changes from webwml mr !737. >From b13f0185aa73b7dcf40c1e204cde5ba79d1b9226 Mon Sep 17 00:00:00 2001 From: Noah Meyerhans <no...@debian.org> Date: Mon, 8 Nov 2021 09:53:00 -0800 Subject: [PATCH] security: OVAL: Only include CVEs that impact the given release We generate per-release oval feeds, e.g. oval-definitions-bullseye.xml. If a given release was never impacted by a given CVE, that CVE should not be included in the release's feed. Reasons why this might be the case include situations where a given release never contained a vulnerable version of a given package, e.g. a CVE impacts only versions 1.5 and earlier of the package, but the release contains version 2.0. --- english/security/oval/generate.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/english/security/oval/generate.py b/english/security/oval/generate.py index 41c9ce55618..d329fc0af3a 100755 --- a/english/security/oval/generate.py +++ b/english/security/oval/generate.py @@ -161,13 +161,21 @@ def parseJSON(json_data, debian_release): logging.log(logging.DEBUG, "Getting releases for %s" % cve) release = {} for rel in json_data[package][cve]['releases']: - if json_data[package][cve]['releases'][rel]['status'] != \ - 'resolved': - fixed_v = '0' - f_str = 'no' - else: + status = json_data[package][cve]['releases'][rel]['status'] + f_str = 'no' + + if status == 'resolved': fixed_v = json_data[package][cve]['releases'][rel]['fixed_version'] f_str = 'yes' + else: + fixed_v = '0' + f_str = 'no' + + if status == 'resolved' and fixed_v == '0': + # This CVE never impacted the given release + logging.log(logging.DEBUG, "Release %s not affected by %s" % (rel, cve)) + continue + if debian_release == rel: release.update({DEBIAN_VERSION[rel]: {u'all': { package: fixed_v}}}) -- 2.30.2 1. https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/737#note_274035
