pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: acknowledging package audit results



On Sun, May 27, 2012 at 10:16:36AM +1000, Malcolm Herbert wrote:
|On Fri, May 25, 2012 at 09:02:36AM +0200, Thomas Klausner wrote:
||On Fri, May 25, 2012 at 03:14:54PM +1000, Malcolm Herbert wrote:
||> Is there an established method for acknowledging and suppressing
||> warnings about a particular vulnerability as output by the package
||> audit tool?

I looked through the messages that the audit tool produced but there is
still a problem here. It's not the fault of the audit too per se, but
more the speed with which information on these is released.

A number of the packages that are raised by the alert tool mention CVE
links which are still under review and do not yet contain details of the
issue. This makes them less than useless for the reporting of the audit.

I'm regularly regenerating the audit which means that at the moment
there are around 10 of these URLs contain alerts in this state. Rather
than blindly accept the URL and add it to the list of ignored URLs, I
would prefer to keep it in the list as a reminder.

Now because I'm doing this audit nightly (and I recognise that this is
way too often), these alerts will continue to be raised by the tool,
potentially masking other alerts that might crop up in the meantime.

I'd like to request an enhancement to this mechanism. I'd like to be
able to indicate that have I looked at a URL, but I want it to be ignored
only while it contains web content that has an associated md5 or sha1
digest (for example, last-modify time may also be more appropriate).

This means that I can remove alerts from the output of the audit where
they have pending detail, but as soon as that is added to the link and
the digest changes, they will become visible again. This may also be
useful in cases where alert details change after they have already been
read and marked to be ignored which would prompt a further review.

I understand that this will mean the audit tool will require the ability
to fetch URLs which may not be appropriate in some circumstances but I
think it a worthwhile addition.

Regards,
Malcolm

-- 
Malcolm Herbert                                This brain intentionally
mjch%mjch.net@localhost                                                left 
blank

Attachment: pgpbYiMEWgf6y.pgp
Description: PGP signature



Home | Main Index | Thread Index | Old Index