
feat: add csv with missing #1445

Open, wants to merge 1 commit into base: main

Conversation

marco-ippolito (Member)

Created a CSV with every CVE in our list, and the missing EOL lines
@nodejs/security-wg

@RafaelGSS RafaelGSS (Member) left a comment

The first line I reviewed points exactly to why I told you that this process isn't as simple as it seems.

To make it work we'll need to find exactly which versions were End-of-Life at the moment the patched version came out. For instance, if the CVE is being patched in v8.x and the v6.x line is not EOL yet, it implies that version is not affected by that vulnerability; on the other hand, v7.x was EOL and should be included. We'll need to correlate the version dates using @pkgjs/nv and https://github.com/nodejs/Release/blob/main/schedule.json to make it correct.
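The correlation described above, as an added example that is not part of this PR or of @pkgjs/nv: given a fix date and the lines that received the fix, it buckets every release line into patched, EOL-at-fix-date (listed as affected under the policy discussed here) or still-supported-but-unpatched (treated as not affected). The schedule fragment is constructed sample data in the shape of schedule.json, not the real file, and the CVE id is a placeholder.

```javascript
// Constructed sample data shaped like nodejs/Release schedule.json
// (only the fields this example needs); dates are illustrative.
const SAMPLE_SCHEDULE = {
  v6: { start: "2016-04-26", end: "2019-04-30" },
  v7: { start: "2016-10-25", end: "2017-06-30" },
  v8: { start: "2017-05-30", end: "2019-12-31" },
  v9: { start: "2017-10-01", end: "2018-06-30" },
  v10: { start: "2018-04-24", end: "2021-04-30" },
};

// Parse YYYY-MM-DD as a UTC day so comparisons do not depend on local timezone.
function dayUTC(iso) {
  const [y, m, d] = iso.split("-").map(Number);
  return Date.UTC(y, m - 1, d);
}

// Bucket every line that had already started by `patchDate`:
//  - patched:   lines the fix actually landed in
//  - eol:       lines whose `end` date had passed before the fix shipped
//  - supported: lines still in support that got no fix (not affected)
// A line whose `end` equals the fix date is still counted as supported.
function classifyLines(schedule, patchDate, patchedLines) {
  const when = dayUTC(patchDate);
  const out = { patched: [], eol: [], supported: [] };
  for (const [line, info] of Object.entries(schedule)) {
    if (dayUTC(info.start) > when) continue; // line did not exist yet
    if (patchedLines.includes(line)) out.patched.push(line);
    else if (dayUTC(info.end) < when) out.eol.push(line);
    else out.supported.push(line);
  }
  return out;
}

// One CSV row per line that was EOL when the fix shipped, in the spirit of
// the CSV this PR adds. `cveId` is a placeholder supplied by the caller.
function eolCsvRows(cveId, schedule, patchDate, patchedLines) {
  const { eol } = classifyLines(schedule, patchDate, patchedLines);
  return eol.map((line) => `${cveId},${line},eol-at-fix-date`);
}

// Example: a fix published 2018-03-01 in v8.x only.
console.log(classifyLines(SAMPLE_SCHEDULE, "2018-03-01", ["v8"]));
console.log(eolCsvRows("CVE-XXXX-XXXX", SAMPLE_SCHEDULE, "2018-03-01", ["v8"]));
```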

@mcollina mcollina (Member) left a comment

lgtm

@mhdawson (Member)

@marco-ippolito to help me understand, does this just mark all EOL version as vulnerable to all CVEs that we have not checked for applicability or is it based on research you have done?

@marco-ippolito (Member, Author)

> @marco-ippolito to help me understand, does this just mark all EOL version as vulnerable to all CVEs that we have not checked for applicability or is it based on research you have done?

This marks as vulnerable every version that was EOL when the CVE was assigned. It's not based on research.

@ljharb (Member)

ljharb commented Mar 12, 2025

… we're not planning on adding those to the CVE, though, right? especially given MITRE's response, an affected version needs to be one that's been explicitly validated as affected, not just "maybe/probably? we haven't checked"

@mhdawson (Member)

@marco-ippolito thanks for confirming

@mhdawson (Member)

@ljharb other projects (I think Spring was the one mentioned) tag all EOL versions as vulnerable to all new CVEs without checking. I believe that was the pattern we are planning to follow.

@ljharb (Member)

ljharb commented Mar 12, 2025

oof, ok. that's really unfortunate, but i guess it's better than nothing.

@RafaelGSS (Member)

> oof, ok. that's really unfortunate, but i guess it's better than nothing.

Yeah, that's exactly what I tried to bring to the OpenSSF discussion. We don't have the capacity to assess all EOL lines against CVEs, but still, we want to inform users they shouldn't be using an EOL. As Michael mentioned, this is the only viable option we found -- although sometimes imprecise.

@RafaelGSS RafaelGSS (Member) left a comment

LGTM. We should update the vuln database too. Use a new field on this instead.

@marco-ippolito (Member, Author)

Should we create an issue to track next steps?

@RafaelGSS (Member)

> Should we create an issue to track next steps?

I'd merge this PR only when H1 updates the CVE, then we can create the issue to update the vuln DB.

In theory, we already have: #1443

@marco-ippolito (Member, Author)

All right, so we should create a ticket on H1 and send them the CSV.
