Stop debian importer from collecting temp vulnerabilities #285
Conversation
pombredanne
left a comment
I think it makes sense, but I would prefer to have a function flag that's called ignore_temporary_vulnerabilities=True added so what we are doing is very explicit.
| for cve_id, record in records.items(): | ||
| impacted_purls, resolved_purls = set(), set() | ||
| if not cve_id.startswith("CVE"): |
| if not cve_id.startswith("CVE"): | |
| if not cve_id.startswith("CVE"): | |
| # vulnerabilities starting with something may not be public yet | |
| # see for instance https://web.archive.org/web/20201215213725/https://security-tracker.debian.org/tracker/TEMP-0000000-A2EB44 | |
| # TODO: this would need to be revisited though to ensure we are not missing out on anything |
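Review bot: the comment in this hunk says "vulnerabilities starting with something may not be public yet" without naming what the `if not cve_id.startswith("CVE")` check actually excludes; since the check drops every record whose id does not begin with "CVE", not only the temporary ones, the comment should state the skipped prefix explicitly (the linked tracker URL shows a TEMP-0000000-A2EB44 id), e.g. `# ids not starting with "CVE" (such as Debian TEMP-* ids) may not be public yet`. The hunk also shows the `if` with no body, so the skip itself should be made explicit right there, with the TODO beside it, rather than left to code outside the hunk.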
Shouldn't that be "with something else may not be public"?
@pombredanne re: ignore_temporary_vulnerabilities=True We can add a config like that at https://github.com/nexB/vulnerablecode/blob/5e551675152b5dea32a50b6f2348a1fbff7c58b6/vulnerabilities/importer_yielder.py#L61 .
The thing with a config flag like that is that nobody will know what to do with it. You could add this but a TODO code comment is simpler and add a ticket so we can revisit the issue latest
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
3639a67 to bf4adff
@pombredanne re: a ticket so we can revisit the issue latest Yeah this makes sense. In fact RustSecDb too has temp advisories so this is not limited to debian
I have added a comment to revisit this. I'm merging this for now.
Fixes #165