
FLOP:CVE Monitoring

== Algorithm ==
=== cvedb.cves Collection Schema ===
The cvedb.cves collection provided by [ cve-search] has the following ''estimated'' schema (see [ variety], a schema estimator for mongodb):
An important key in the collection is that of <tt>vulnerable_product</tt>. It contains the ''Common Platform Enumeration'' of the affected piece of software, and can potentially be matched (along with the affected product's version(s)) to packages in the Funtoo portage meta-repo.
This is the bird's eye view of what a [ CPE] is:
CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
Thus, filtering packages by CVE requires a map between package names and CPEs. The current algorithm is the simplest possible: if a CVE has a list of CPEs, each CPE is interpreted to yield a single token (the product name), and an exact match against package names is attempted for the whole meta-repo using {{Package|app-portage/eix}}. If there is a match, a <tt>jira</tt> issue can be constructed and reported.

Even this simple algorithm produces quite a few matches, but it also misses very significant issues when the CPEs for an issue were not added properly to the CVE database. [ FL-6938] is a case in point: it was not filed with a CPE for {{package|sys-apps/portage}} (does one exist?), so the algorithm skipped right over it. A more sophisticated algorithm would also do regular expression matching on the <tt>summary</tt> key of the issue, perhaps matching on the string 'Gentoo Portage', and produce a report for ''discussion'' and eventual posting to <tt>jira</tt>.
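The two matching strategies above, written out as an added example (this is not the wiki's or cve-search's own code). It assumes a package list in the form <tt>category/name</tt> such as <tt>eix --only-names</tt> prints, and CVE documents carrying the <tt>vulnerable_product</tt> and <tt>summary</tt> keys named above; the package list, the CVE records (with placeholder ids) and the single summary pattern are all constructed here for illustration. Exact CPE-product matches are marked for reporting, while summary-regex hits without a CPE match are only flagged for discussion, which is the FL-6938 situation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of package atoms, as `eix --only-names` might list them
# (a hypothetical subset, not a real meta-repo dump).
SAMPLE_PACKAGES = [
    "app-portage/eix",
    "sys-apps/portage",
    "net-misc/openssh",
    "dev-libs/openssl",
    "www-servers/nginx",
]

# Constructed CVE-like records using the cvedb.cves keys discussed on the page.
# Ids are placeholders, not real CVE numbers.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001",
     "summary": "Buffer overflow in OpenSSH before 8.1 allows remote attackers ...",
     "vulnerable_product": ["cpe:2.3:a:openbsd:openssh:8.0:*:*:*:*:*:*:*"]},
    # Filed with no CPE at all, like FL-6938: only the summary names the product.
    {"id": "CVE-0000-0002",
     "summary": "Gentoo Portage before 2.3.x does not verify ...",
     "vulnerable_product": []},
    {"id": "CVE-0000-0003",
     "summary": "Unrelated issue in a product not packaged here.",
     "vulnerable_product": ["cpe:/a:vendor:someapp:1.0"]},
]


def cpe_product(cpe: str) -> Optional[str]:
    """Reduce a CPE to a single product token.

    Handles the CPE 2.3 formatted string (cpe:2.3:part:vendor:product:...)
    and the older CPE 2.2 URI form (cpe:/part:vendor:product:...).
    Escaped colons inside a 2.3 product name are not handled here.
    """
    if cpe.startswith("cpe:2.3:"):
        parts = cpe.split(":")
        if len(parts) > 4 and parts[4] not in ("*", "-", ""):
            return parts[4].lower()
        return None
    if cpe.startswith("cpe:/"):
        parts = cpe[len("cpe:/"):].split(":")
        if len(parts) > 2 and parts[2]:
            return parts[2].lower()
        return None
    return None


def package_index(atoms: List[str]) -> Dict[str, List[str]]:
    """Map the bare package name (after the category) to its full atom(s)."""
    index: Dict[str, List[str]] = {}
    for atom in atoms:
        name = atom.split("/", 1)[1].lower()
        index.setdefault(name, []).append(atom)
    return index


def match_by_cpe(cve: dict, index: Dict[str, List[str]]) -> List[str]:
    """Exact match of each CPE product token against package names."""
    hits: List[str] = []
    for cpe in cve.get("vulnerable_product", []):
        token = cpe_product(cpe)
        for atom in index.get(token or "", []):
            if atom not in hits:
                hits.append(atom)
    return hits


# Constructed summary patterns: package atom -> regex expected in the summary.
SUMMARY_PATTERNS = {
    "sys-apps/portage": re.compile(r"\bGentoo Portage\b", re.IGNORECASE),
}


def match_by_summary(cve: dict, patterns=SUMMARY_PATTERNS) -> List[str]:
    """Fallback: regex match on the summary text, for CVEs with missing CPEs."""
    summary = cve.get("summary", "")
    return [atom for atom, pat in patterns.items() if pat.search(summary)]


def triage(cves: List[dict], atoms: List[str]) -> List[dict]:
    """Return one entry per CVE that touches the package list.

    'report' holds exact CPE matches (fit for an automatic jira issue);
    'discuss' holds summary-only matches that need a human look first.
    """
    index = package_index(atoms)
    report = []
    for cve in cves:
        exact = match_by_cpe(cve, index)
        candidates = [a for a in match_by_summary(cve) if a not in exact]
        if exact or candidates:
            report.append({"id": cve["id"], "report": exact, "discuss": candidates})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_CVES, SAMPLE_PACKAGES):
        print(entry)
```

Running it flags CVE-0000-0001 for reporting against net-misc/openssh, flags CVE-0000-0002 for discussion against sys-apps/portage purely on the summary text, and ignores CVE-0000-0003 because its product is not packaged.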
