nluedtke / linux_kernel_cves
Tracking CVEs for the linux Kernel
License: Apache License 2.0
Hi,
I would very much like to replicate the web frontend on a local site as well as be able to include additional remotes/branches (mostly downstream kernel forks) to the list of kernels affected/fixed. Do you have any plans to make the web frontend as well as the tools used to produce the json files available in the near future?
Thanks a lot for doing this!
Add Links to distros on web frontend
Is your feature request related to a problem? Please describe.
Stream navigation uses top level hierarchy (by folders), but as data is added, additional folders appear as streams (like .github, ui).
Describe the solution you'd like
Use provided /kern.json
Describe alternatives you've considered
Explicit filtering. Not scalable.
Upgrade webpack-dev-server to version 3.1.11 or later to fix vulnerable dependency.
Streams should be reverse sorted, with the newest version on top. We should provide an alternate or different view to the card view as well. This might be linked to #72
I am holding off on updating CVEs.txt until I get the stream reporting up and running. It's working now, but just ensuring accuracy and stability across all streams ....
Change the sitemap to xml and add it to robots.txt
Describe the bug
The Contact Us button goes to the donate page.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected a Form or Email mailto to pop up.
Desktop (please complete the following information):
Describe the bug
The favicon.ico is not the correct one.
Additional context
It was discovered upon implementing the ci/cd pipeline that the favicon.ico in source control is not the correct one.
Several CVEs (mostly early ones) were caused by backporting commits. How will we handle these? Do we create a separate flag for this type of thing? For instance, commit B was backported to streams X,Y where it caused a security issue in X,Y but not in the stream that the commit was originally applied for. This will require some thought.
Change Type Requested
Add
CVE id number
CVE-2017-9725
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9725
https://bugzilla.novell.com/show_bug.cgi?id=CVE-2017-9725
Additional context
Contacted Debian about updating their stuff.
Describe the bug
New fixes in streams are not shown as a change in CHANGES.md
Expected behavior
Expected changes to appear as Updated CVEs.
Additional context
This was caught by looking at commit 165997b
Is your feature request related to a problem? Please describe.
Current testing requires manual changes to code for branch changes and/or url changes.
Describe the solution you'd like
Need a solution that will easily allow for test instances to be hosted in the test bucket and pull from a test branch without manual code changes.
This will be the staging branch to use, from which master will pull for UI/Major changes. in the CI infrastructure this should deploy to the test instance.
We need to make sure that there are no missing CVEs in CVEs.txt. If there are, we need to understand why, and where we can pull these CVEs from. This must be done in an automated fashion, otherwise the amount of work is past the effort/reward threshold.
This is also going to take removing it from the sitemap generator and the change file generator.
Because this tracker is concerned with upstream kernels, the CVEs introduced by vendor patches should be ignored. This will likely require some sort of flag to be carried with the CVE in the json. I am not prepared to make this decision yet so filing this as a placeholder and a reminder it needs to be done. This will clear up several CVEs across all streams that appear as "Unknown fix"
Describe the solution you'd like
Visualization of the life of a vulnerability. Important dates/points for a vulnerability can be mapped given the data we have. It would be nice to visualize that in a timeline or graph of some sort.
Is your feature request related to a problem? Please describe.
It's hard to tell when and what has changed recently.
Describe the solution you'd like
Add a "Recent Update" page that essentially displays key information from the last update. This could be done in RSS format as well if desired. I see the back-end auto compiling a summary of updates and then the front-end essentially just feeding that summary to the /recent_updates page.
Describe alternatives you've considered
The only place this information exists is the github commit section, but it requires heavy parsing by the user to read.
This should just be "outstanding".
Describe the bug
CVE input suggestions drop down is blocked by the CHANGES window on some scales.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected the suggestion drop down to be on top of the CHANGES window
Desktop (please complete the following information):
Is your feature request related to a problem? Please describe.
We need more options to determine when things have changed, for the git illiterate.
Describe the solution you'd like
An Atom feed could hold each CVE, tracking when it was created and last updated. That way users could subscribe to the feed and link back to the site.
Describe alternatives you've considered
Describe the bug
CHANGES no longer appears on web frontend
Additional context
This was caused by a deploy issue.
Describe the solution you'd like
Add the NVD text to the CVE report.
Describe alternatives you've considered
Also possibly add an option to submit missing CVEs if the user thinks we are missing one, instead of it not existing.
Describe the bug
Rather than redirecting to 404, bad /stream/NNN urls will display a blank page.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
404 redirect
Desktop (please complete the following information):
Add tracking and data for named CVEs, i.e. DirtyCOW, Spectre, Meltdown ...etc.
Quick research yielded no known fix for this issue. It is unclear if this CVE was fixed via patch or if it was left to be handled by other mitigations.
The breaks/fixes for this are not immediately clear. Clearly mitigations are readily available; however, in order to be accurate, the commits would be nice if the CVE was fixed via code.
Is your feature request related to a problem? Please describe.
Navigating to different versions within a stream is clunky. Basically you currently have to rely on the find feature or just scroll through the stream.
Describe the solution you'd like
All versions in the stream should be anchored so that we can use local links to a specific version in the stream. Ideally, this will be used in three ways.
Describe the bug
If a CVE is fixed differently in the streams than in mainline, only the mainline commit is shown and scanned.
Expected behavior
I expect a stream fix to be tracked separately and displayed correctly.
Additional context
Right now it is possible to manually add a fix for an individual stream, but when printed the cmt_msg will incorrectly show the mainline cmt_msg. (The cmt_hash and versions will be correct, however.)
Since the first commit on github is v2.6.12-rc2 anything prior to this will appear wonky or will need a different solution. This is non-blocking, and can be pushed down the road.
Implement deploy pipeline for:
This could just be text string or cool/modern boxes. Probably both....
Change Type Requested
Add
CVE id number
CVE-2019-3701
References
https://bugzilla.suse.com/show_bug.cgi?id=1120386
Additional context
Contacted Debian.
I am thinking of moving the stream folders down one level into a "data" folder. What (if any) issues would this cause for the web frontend? There are some things I know will have to change on the backend.
@quietcorey
These patches are the same and referenced two times.
linux_kernel_cves/4.9/4.9_security.txt
Line 129 in a65213e
linux_kernel_cves/4.9/4.9_security.txt
Line 128 in a65213e
We could in theory deliver vulnerability information on request via an API.
I see this is as long term option as an API service would raise our costs (not an option) at the moment. But the idea is worth noting for now.
We maintain a number of downstream kernels that typically contain vendor changes on top of a stable kernel branch (e.g. 4.9.135). Those kernel trees are managed with git, so we can scan those trees the same way the upstream and linux-stable trees are scanned.
Could you publish the scripts that do the scanning of Linux kernel trees such that it is possible to add "vendor" streams to the stream list?
Thank you very much!