FLOP:CVE Monitoring

1,664 bytes added, 1 year ago
== Algorithm ==
=== cvedb.cves Collection Schema ===
The cvedb.cves collection provided by [https://github.com/cve-search/cve-search cve-search] has the following ''estimated'' schema (see [https://github.com/variety/variety variety], a schema estimator for mongodb):
 
An important key in the collection is that of <tt>vulnerable_product</tt>. It contains the ''Common Platform Enumeration'' of the affected piece of software, and can potentially be matched (along with the affected product's version(s)) to packages in the Funtoo portage meta-repo.
 
This is the bird's eye view of what a [https://nvd.nist.gov/products/cpe CPE] is:
<blockquote>
CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
</blockquote>
 
Thus, filtering packages by CVE requires a map between package names and CPEs. The current algorithm is the simplest possible: if a CVE has a list of CPEs, each CPE is interpreted to yield a single token, and an exact match of that token against package names is attempted across the whole meta-repo using {{Package|app-portage/eix}}. If there is a match, then a <tt>jira</tt> issue can be constructed and reported. Even this simple algorithm produces quite a few matches, but it also misses very significant issues when the CPEs are not added properly to the CVE database entry for the issue. [https://bugs.funtoo.org/browse/FL-6938 FL-6938] is a case in point: it was not filed with a CPE for {{package|sys-apps/portage}} (does it exist?), so the algorithm skipped right over it. A more sophisticated algorithm would have done regular expression matching on the <tt>summary</tt> key of the issue, perhaps matching on the string 'Gentoo Portage', and producing a report for ''discussion'' and eventual posting to <tt>jira</tt>.
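The matching step described above, as an added example that is not part of the FLOP page or of cve-search: it turns each CPE 2.3 string in <tt>vulnerable_product</tt> into a (vendor, product, version) token, exact-matches the product against the name half of a category/name package list, and falls back to a regex over <tt>summary</tt> for records that carry no CPE (the FL-6938 situation). The CVE records, package list and regex table are constructed stand-ins; the package list plays the role of what eix would return.

```python
import re

# Constructed sample records in the shape of cve-search's cvedb.cves documents
# (made-up ids and summaries; only the keys this example reads).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001",
     "summary": "Buffer overflow in curl before 7.0.0 allows remote attackers ...",
     "vulnerable_product": ["cpe:2.3:a:haxx:curl:7.0.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002",
     "summary": "Gentoo Portage before 3.0 mishandles ...",
     "vulnerable_product": []},  # no CPE attached: the FL-6938 situation
]
# Constructed stand-in for the category/name list eix would return.
SAMPLE_PACKAGES = ["net-misc/curl", "sys-apps/portage", "app-portage/eix"]

# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:...
CPE23 = re.compile(r"^cpe:2\.3:[aho]:([^:]*):([^:]*):([^:]*):")

def cpe_token(cpe):
    """Interpret a CPE as one (vendor, product, version) token, or None."""
    m = CPE23.match(cpe)
    return m.groups() if m else None

def exact_matches(cve, packages):
    """Exact match of each CPE product name against the name half of category/name."""
    by_name = {}
    for pkg in packages:
        by_name.setdefault(pkg.split("/", 1)[1], []).append(pkg)
    hits = []
    for cpe in cve.get("vulnerable_product", []):
        tok = cpe_token(cpe)
        if tok and tok[1] in by_name:
            hits.extend((pkg, tok[2]) for pkg in by_name[tok[1]])
    return hits

def summary_candidates(cve, patterns):
    """Fallback for CVEs without usable CPEs: regex on the summary key."""
    text = cve.get("summary", "")
    return [pkg for pat, pkg in patterns if re.search(pat, text, re.I)]

def triage(cves, packages, patterns):
    """Exact CPE hits go to 'file' (jira issue); summary hits go to 'discuss'."""
    report = {"file": [], "discuss": []}
    for cve in cves:
        hits = exact_matches(cve, packages)
        if hits:
            report["file"].append((cve["id"], hits))
        else:
            report["discuss"].extend((cve["id"], p) for p in summary_candidates(cve, patterns))
    return report
```

Matching on the bare product name (second CPE field) is exactly why a record with no CPE is invisible to the first pass; the version in the token is carried along so a later step can compare it against the ebuild versions eix reports.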
 
{{FLOPFooter}}