Difference between revisions of "FLOP:CVE Monitoring"

From Funtoo
Revision as of 04:14, January 23, 2020

Created on: 2020/01/21
Original Author(s): d4g33z
Git sources (for cloning): Link
Status:
Reference Bug: FL-6938

Funtoo Linux Optimization Proposal: CVE Monitoring

Let's monitor the Common Vulnerabilities and Exposures (CVE) list and flag the packages in the current Portage tree that it affects. Filing bugs on jira.funtoo.org for the affected packages could then be automated to a significant extent.

Before You Start

You need a working cve-search instance first (https://github.com/cve-search/cve-search). The funcve README.md has setup help. Maybe it will be an ebuild at some point.



Summary

Ultimately, not all ebuilds are created equal. They are updated at different rates according to their popularity in the tree of available packages, and this is generally fine: packages with a lot of use get updated frequently, and their vulnerabilities are generally dealt with. Unpopular ebuilds can languish unnoticed. However, an unpopular ebuild with a significant vulnerability should still be updated, because as long as it can be installed it is a potential attack vector.

Identifying ebuilds with an associated CVE brings them to the head of the queue for pull requests and updates. Such updates should often be trivial, since the vulnerability is usually dealt with upstream and released as a new hotfix version. Failing that, we can fork and provide our own mitigation, merging with upstream again when a new release comes out (if at all).
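The core of the proposal above and in the summary is a matching step: take the vulnerable-product list that cve-search stores for each CVE and intersect it with the versions present in the Portage tree, then hand the hits to whatever files the bugs. The block below is an added example written for this page; it is not funcve or cve-search code. It assumes a record shape that mirrors cve-search's storage (an id plus a vulnerable_product list of CPE 2.3 strings), and the CVE ids, vendor/product names, ebuild atoms and the CPE-to-atom table are all constructed placeholders.

```python
"""Flag Portage ebuilds that appear in cve-search vulnerable_product lists.

Added example for this FLOP page, not code from funcve or cve-search.
Assumptions: records look like cve-search's (an ``id`` plus a
``vulnerable_product`` list of CPE 2.3 strings); every id, vendor,
product and atom below is a constructed placeholder; the CPE-to-atom
table is something the monitor would have to maintain by hand.
"""
import re
from collections import defaultdict

# Constructed cve-search-style records (placeholder ids, not real CVEs).
SAMPLE_CVES = [
    {"id": "CVE-0000-00001",
     "vulnerable_product": [
         "cpe:2.3:a:exampleco:widgetd:1.2.3:*:*:*:*:*:*:*",
         "cpe:2.3:a:exampleco:widgetd:1.2.4:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-00002",
     "vulnerable_product": [
         "cpe:2.3:a:otherorg:gizmo:0.9:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-00003",
     "vulnerable_product": [
         "cpe:2.3:o:somevendor:firmware:*:*:*:*:*:*:*:*"]},  # not packaged
]

# Constructed slice of a Portage tree: category/package-version atoms.
SAMPLE_TREE = [
    "net-misc/widgetd-1.2.3-r1",
    "net-misc/widgetd-1.2.5",
    "app-misc/gizmo-0.9",
    "app-misc/gizmo-1.0_rc1",
]

# Assumption: hand-maintained map from CPE "vendor:product" to a Portage
# package. CPE names rarely equal ebuild names, so this cannot be derived.
CPE_TO_ATOM = {
    "exampleco:widgetd": "net-misc/widgetd",
    "otherorg:gizmo": "app-misc/gizmo",
}

# cat/pkg-version with an optional -rN revision. The revision is dropped
# for matching because upstream CVE data knows nothing about it.
ATOM_RE = re.compile(
    r"^(?P<cat>[^/]+)/(?P<pkg>.+?)-(?P<ver>\d[^-]*)(?:-r\d+)?$")


def parse_atom(atom):
    """Split 'cat/pkg-ver[-rN]' into ('cat/pkg', 'ver')."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError("not a versioned atom: %r" % atom)
    return "%s/%s" % (m.group("cat"), m.group("pkg")), m.group("ver")


def parse_cpe(cpe):
    """Return ('vendor:product', version) from a CPE 2.3 string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return "%s:%s" % (parts[3], parts[4]), parts[5]


def flag_tree(cves, tree, cpe_to_atom):
    """Map each affected tree atom to a sorted list of CVE ids.

    Matching is exact on the version string (revision removed). A CPE
    version of '*' is read as "every version of that product".
    """
    versions = defaultdict(dict)        # cat/pkg -> {ver: [atoms]}
    for atom in tree:
        pkg, ver = parse_atom(atom)
        versions[pkg].setdefault(ver, []).append(atom)

    flagged = defaultdict(set)          # atom -> {CVE ids}
    for cve in cves:
        for cpe in cve.get("vulnerable_product", []):
            product, ver = parse_cpe(cpe)
            pkg = cpe_to_atom.get(product)
            if pkg is None or pkg not in versions:
                continue                # product not packaged in this tree
            if ver == "*":
                hits = [a for atoms in versions[pkg].values() for a in atoms]
            else:
                hits = versions[pkg].get(ver, [])
            for atom in hits:
                flagged[atom].add(cve["id"])
    return {atom: sorted(ids) for atom, ids in flagged.items()}


def bug_summary(atom, cve_ids):
    """One-line summary for an automatically filed tracker issue."""
    return "%s: affected by %s" % (atom, ", ".join(cve_ids))


if __name__ == "__main__":
    hits = flag_tree(SAMPLE_CVES, SAMPLE_TREE, CPE_TO_ATOM)
    for atom in sorted(hits):
        print(bug_summary(atom, hits[atom]))
```

Two caveats for a real monitor: the version match here is a string comparison, so anything beyond exact per-version CPEs (NVD's versionEndIncluding-style ranges, or letter and suffix ordering) needs Portage's own version comparison and the range fields from the feed; and the product-to-atom table is where most of the false negatives will come from, so misses there should be logged rather than silently skipped.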