Dealing with junk CVEs #1281
Comments
|
We need to design a status with multiple values such as rejected or disputed or else. |
|
https://lwn.net/Articles/944209/ <-- currently subscribers only, but will be public in a few weeks. Well worth the read. |
|
Consider. Security Status values include:
Note that these proposed status values do not attempt to address the reconciliation of different Severity levels suggested/reported by various sources. If that is a requirement also, we may need to refine these status values further. But the primary goal is to identify real Vulnerabilities that I need to care about and investigate vs reported Vulnerabilities that are not substantiated. |
|
@DennisClark what should be the criteria for a vulnerability status to be published? As I understand once we import a VCID from an advisory source we add a status |
|
After further thought: instead of
If it's not possible to determine that kind of state change from the advisories, then I guess we really don't need Confirmed, and the other 3 should be sufficient. |
|
As discussed in today's VCIO call taking reference from https://nvd.nist.gov/vuln/vulnerability-status, we will use |
|
We are considering |
|
Let's use use Published, Disputed and Invalid please. |
See https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
We need to find a way to ensure we can filter and tag junk CVEs like this quickly, especially on popular packages like cURL where the junk will be a cause of major churn.
The text was updated successfully, but these errors were encountered: