
linux_kernel_cves's People

Contributors

dependabot[bot], foxboron, milabs, nluedtke, quietcorey


linux_kernel_cves's Issues

Web frontend and scripts generating JSON?

Hi,

I would very much like to replicate the web frontend on a local site as well as be able to include additional remotes/branches (mostly downstream kernel forks) to the list of kernels affected/fixed. Do you have any plans to make the web frontend as well as the tools used to produce the json files available in the near future?

Thanks a lot for doing this!

Stream navigation should source data from /kern.json

Is your feature request related to a problem? Please describe.
Stream navigation uses top level hierarchy (by folders), but as data is added, additional folders appear as streams (like .github, ui).

Describe the solution you'd like
Use provided /kern.json

Describe alternatives you've considered
Explicit filtering. Not scalable.

Upgrade Webpack

Upgrade webpack-dev-server to version 3.1.11 or later to fix vulnerable dependency.

Reorganize Stream Pages

Streams should be reverse sorted, with the newest version on top. We should provide an alternate or different view to the card view as well. This might be linked to #72.

Holding off to update CVEs.txt

I am holding off on updating CVEs.txt until I get the stream reporting up and running. It's working now, but I am just ensuring accuracy and stability across all streams.

[BUG] Contact Us button directed incorrectly

Describe the bug
The Contact Us button goes to the donate page.

To Reproduce
Steps to reproduce the behavior:

  1. Go to www.linuxkernelcves.com
  2. Click on 'Contact US'

Expected behavior
Expected a Form or Email mailto to pop up.

Desktop (please complete the following information):

  • OS: Debian 9
  • Browser: Firefox 58

[BUG] Incorrect favicon.ico

Describe the bug
The favicon.ico is not the correct one.

Additional context
It was discovered upon implementing the CI/CD pipeline that the favicon.ico in source control is not the correct one.

CVEs caused by backporting

Several CVEs (mostly early ones) were caused by backporting commits. How will we handle these? Do we create a separate flag for this type of thing? For instance, commit B was backported to streams X and Y, where it caused a security issue in X and Y but not in the stream the commit was originally applied to. This will require some thought.

[BUG] Stream fixes don't appear in CHANGES

Describe the bug
New fixes in streams are not shown as a change in CHANGES.md

Expected behavior
Expected changes to appear as Updated CVEs.

Additional context
This was caught by looking at commit 165997b

Testing instance

Is your feature request related to a problem? Please describe.
Current testing requires manual changes to code for branch changes and/or url changes.

Describe the solution you'd like
Need a solution that will easily allow for test instances to be hosted in the test bucket and pull from a test branch without manual code changes.

Implement Staging Branch

This will be the staging branch to use, from which master will pull for UI/major changes. In the CI infrastructure this should deploy to the test instance.

Validate all CVEs are present

We need to make sure that there are no missing CVEs in CVEs.txt. If there are, we need to understand why, and where we can pull these CVEs from. This must be done in an automated fashion; otherwise the amount of work is past the effort/reward threshold.

Remove shebang from urls

This is also going to take removing it from the sitemap generator and the change file generator.

Ignore vendor specific kernel issues

Because this tracker is concerned with upstream kernels, the CVEs introduced by vendor patches should be ignored. This will likely require some sort of flag to be carried with the CVE in the JSON. I am not prepared to make this decision yet, so I am filing this as a placeholder and a reminder that it needs to be done. This will clear up several CVEs across all streams that appear as "Unknown fix".

Vulnerability Time Line [Wishlist item]

Describe the solution you'd like
Visualization of the life of a vulnerability. Important dates/points for a vulnerability can be mapped given the data we have. It would be nice to visualize that in a timeline or graph of some sort.

Recent Updates

Is your feature request related to a problem? Please describe.
It's hard to tell when and what has changed recently.

Describe the solution you'd like
Add a "Recent Updates" page that essentially displays key information from the last update. This could be done in RSS format as well if desired. I see the back-end auto-compiling a summary of updates and the front-end essentially just feeding that summary to the /recent_updates page.

Describe alternatives you've considered
The only place this information exists is the GitHub commit section, but it requires heavy parsing by the user to read.

[BUG] CVE drop down blocked by CHANGES

Describe the bug
CVE input suggestions drop down is blocked by the CHANGES window on some scales.

To Reproduce
Steps to reproduce the behavior:

  1. Size the Window so that the CVE input bar overlaps with the CHANGES window
  2. Start typing a CVE id

Expected behavior
Expected the suggestion drop down to be on top of the CHANGES window

Screenshots
(screenshot attached: screen shot 2019-01-18 at 9 32 42 am)

Desktop (please complete the following information):

  • OS: MacOS High Sierra
  • Browser: Chrome
  • Version: 71.0.3578.98

Atom Feed

Is your feature request related to a problem? Please describe.
We need more options to determine when things have changed, for the git illiterate.

Describe the solution you'd like
An Atom feed could hold each CVE, tracking when it was created and last updated. That way users could subscribe to the feed and link back to the site.

Describe alternatives you've considered

  1. RSS feed - I don't know that I like the idea of having to change the GUID on each update, even though it's not that hard to do. I could be convinced otherwise.

Add NVD Text to CVE page

Describe the solution you'd like
Add the NVD text to the CVE report.

Describe alternatives you've considered

  1. No text - It seems like we could use more context for people in a rush who do not want to search down the commits.
  2. Our own summary - Not enough resources to write up a summary for each kernel vuln.

Rework 404 page

Also possibly add an option to submit a missing CVE if the user thinks we are missing it, rather than it not existing.

Named CVE support

Add tracking and data for named CVEs, i.e. DirtyCOW, Spectre, Meltdown, etc.

[DATA] CVE-2005-3660

Quick research yielded no known fix for this issue. It is unclear if this CVE was fixed via patch or if it was left to be handled by other mitigations.

CVE-2004-0230

The breaks/fixes for this are not immediately clear. Mitigations are clearly readily available; however, to be accurate, it would be nice to have the commits if the CVE was fixed via code.

HTML anchored versions within a stream

Is your feature request related to a problem? Please describe.
Navigating to different versions within a stream is clunky. Currently you basically have to rely on the find feature or just scroll through the stream.

Describe the solution you'd like
All versions in the stream should be anchored so that we can use local links to a specific version in the stream. Ideally, this will be used in three ways:

  • The CHANGES page can link right to a new version when a new version is seen.
  • There can be an in-page navigation bar to help navigate while on the stream page.
  • External links that want to reference a version, not a stream.

[BUG] If mainline and a stream have different fixes, only the mainline is shown

Describe the bug
If a CVE is fixed differently in the streams than in mainline, only the mainline commit is shown and scanned.

Expected behavior
I expect a stream fix to be tracked separately and displayed correctly.

Additional context
Right now it is possible to manually add a fix for an individual stream, but when printed the cmt_msg will incorrectly show the mainline cmt_msg (the cmt_hash and versions will be correct, however).

CVEs fixed prior to v2.6.12-rc2

Since the first commit on GitHub is v2.6.12-rc2, anything prior to this will appear wonky or will need a different solution. This is non-blocking and can be pushed down the road.

Re-structure the repo structure

I am thinking of moving the stream folders down one level into a "data" folder. What (if any) issues would this cause for the web frontend? There are some things I know will have to change on the backend.
@quietcorey

API delivery [Wishlist Item]

We could in theory deliver vulnerability information on request via an API.

I see this as a long-term option, as an API service would raise our costs (not an option at the moment). But the idea is worth noting for now.

Add support for scanning downstream kernel forks

We maintain a number of downstream kernels that typically contain vendor changes on top of a stable kernel branch (e.g. 4.9.135). Those kernel trees are managed with git, so we can scan those trees the same way the upstream and linux-stable trees are scanned.

Could you publish the scripts that do the scanning of Linux kernel trees such that it is possible to add "vendor" streams to the stream list?

Thank you very much!
