MeetingMinutes2023
We meet online on Tuesdays at 16:00 UTC as a reference. See https://www.timeanddate.com/worldclock/meeting.html to get the time in your timezone.
Join us at https://meet.jit.si/VulnerableCode
The current meeting notes are at:
Here are the running meeting notes:
Agenda:
- John: Issue of duplicate PackageURLs
- Ziyad: Feedback on CVSS vector attribute presentation and PurlSync logo for package ecosystem
- Philippe: Feedback from visit to hack.lu conference
Participants:
- Ayan (@AyanSinhaMahapatra)
- Dennis (@DennisClark)
- John (@johnmhoran)
- Keshav (@keshav-space)
- Philippe (@pombredanne)
- Tushar (@TG1999)
- Ziyad (@ziadhany)
Discussions:
- John found the issue of duplicate PackageURLs, arising from the use of a JSONField for purl qualifiers: https://github.com/nexB/vulnerablecode/issues/1278#issuecomment-1775922964.
  Philippe: We aren't gonna use the qualifier 99% of the time. We should revert to using a string for the qualifier instead of a JSONField. We will implement this in 4 steps:
  - Plain data migration where we construct a complete qualifier from the existing JSONField and keep the qualifier string in the JSONField itself.
  - Create a new CharField `qualifier2` and populate the value from step 1.
  - Delete the original `qualifier` field and rename `qualifier2` to `qualifier`.
  - Relax the unique together constraint and fix the data quality (identify the fix based on pattern). Once the data quality is fixed, re-enable the unique together.
  John: When using a PURL with a qualifier for a query, we also get a bunch of unrelated results.
  Philippe: These are two separate issues, and we'll handle them independently. We need to differentiate the use cases: when I do a `lookup` I want the exact result or no result, but when I do a `search` I want to get the best possible result. At the UI level, we want to have the advanced search capability like we have in ScanCode.io, and we need to figure out how we can incorporate the lookup/search behavior in the API. The advanced search capability enables the user to:
  - enter `=string` to get results with an exact match on a field
  - enter `:string` to get results where the field contains the string
  - enter `^string` to get results where the field starts with the string
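Step 1 of the migration above builds one qualifier string from the stored JSON so that equal qualifier sets collapse to a single purl. As an added example (not code from VulnerableCode or the purl library), here is such a canonicalization together with a check that flags the rows a JSONField-based uniqueness constraint let through; the percent-encoding choices and the sample rows are assumptions.

```python
# Added example, not VulnerableCode's own code: canonicalize purl qualifiers
# into one string so that differently stored JSON dicts map to one purl.
from collections import defaultdict
from urllib.parse import quote


def canonical_qualifiers(qualifiers):
    """Build the purl qualifier string from a dict: keys lowercased and sorted,
    empty values dropped, list values joined with commas (as for 'checksum'),
    values percent-encoded. Keeping ':', '/' and ',' unencoded is an assumption
    that approximates the purl spec; VulnerableCode may encode differently."""
    parts = []
    for key in sorted(qualifiers or {}, key=str.lower):
        value = qualifiers[key]
        if value in (None, "", [], ()):
            continue
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        parts.append(f"{key.lower()}={quote(str(value), safe=':/,')}")
    return "&".join(parts)


def build_purl(base_purl, qualifiers=None, subpath=""):
    """Append canonical qualifiers and subpath to a base 'pkg:type/ns/name@ver'."""
    purl = base_purl
    q = canonical_qualifiers(qualifiers)
    if q:
        purl += "?" + q
    if subpath:
        purl += "#" + subpath.strip("/")
    return purl


def find_duplicate_purls(rows):
    """rows: list of (base_purl, qualifiers_dict, subpath). Returns a dict of
    canonical purl -> row indices for every purl stored more than once; these
    are the rows a JSONField-based unique constraint failed to catch."""
    groups = defaultdict(list)
    for index, (base, qualifiers, subpath) in enumerate(rows):
        groups[build_purl(base, qualifiers, subpath)].append(index)
    return {purl: idxs for purl, idxs in groups.items() if len(idxs) > 1}


# Constructed sample rows: the first two are the same package stored with
# qualifier keys in a different order (and case); the third is distinct.
SAMPLE_ROWS = [
    ("pkg:maven/org.example/lib@1.2.0", {"type": "jar", "Classifier": "sources"}, ""),
    ("pkg:maven/org.example/lib@1.2.0", {"classifier": "sources", "type": "jar"}, ""),
    ("pkg:maven/org.example/lib@1.2.0", {"type": "pom"}, ""),
]

if __name__ == "__main__":
    for purl, idxs in find_duplicate_purls(SAMPLE_ROWS).items():
        print(purl, "stored in rows", idxs)
```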
- CVSS vector attributes are looking good; we should use black color instead of red.
- Ziyad has added the logos to the package ecosystem in PurlSync, and it's looking great already. Philippe: Maybe we can have a better name for PurlSync.
  Ziyad: Will try to come up with some suggestions on this in our next meet.
  Philippe: We can separately sync up on how to go about the pilot deployment of PurlSync, along with the campaign for the same, so folks from the community can give feedback.
- Philippe delivered 3 presentations at the hack.lu (https://hack.lu/) conference:
  - SBOMs: are they a threat or a menace? https://pretalx.com/hack-lu-2023/talk/PUXBQ8/
  - Non vulnerable package dependency resolution https://pretalx.com/hack-lu-2023/talk/Z7UP7B/
  - The composition analysis of binary Java, ELF, Go, and JavaScript apps https://pretalx.com/hack-lu-2023/talk/MNCC3H/
  Philippe: Most of the folks were from Threat Intelligence (CTI) and Incident Response (CERT), and there seems to be a consensus among them that SBOM/PURL, if better leveraged at an early stage, can save a lot of the effort that goes into firefighting when things hit the fan.
Agenda:
- Ziyad: Feedback on CVSS vector color coding.
- Hritik: VCIO data quality issue.
Participants:
- Ayan (@AyanSinhaMahapatra)
- Dennis (@DennisClark)
- Hritik (@Hritik14)
- John (@johnmhoran)
- Keshav (@keshav-space)
- Ziyad (@ziadhany)
Discussions:
- Color coded CVSS vector attributes are looking good. Ziyad will complete the implementation for displaying attributes in the appropriate color.
- Hritik found that VCIO is not displaying all the affected versions for a given vulnerability. For example, per https://github.com/advisories/GHSA-fpcf-qr79-hjqp CVE-2023-43667 affects `>= 1.4.0, < 1.8.0`, but VCIO is only showing `pkg:maven/org.apache.inlong/[email protected]` in affected packages. Hritik will add an issue to track this bug.
Dennis:
- CSAF format and Vulnerability reachability issues
Keshav:
- Detaching CWE Fork
Ziad:
- Adding support to CVSS vector to UI
- Merging PRs for GSoC project
Philippe:
- Features and setups in test suite
- VulnTotal like approach for Vulnerablecode
Tushar:
- Statuses on vulnerabilities
Hritik:
- VulnTotal like structure https://github.com/nexB/vulnerablecode/issues/1316
Ziad:
- CVSS Vector - presentation in the UI
- CWE
Tushar:
- New releases in VCIO
- Milestone review
John:
- "Fixed By/Fixing" package issue https://github.com/nexB/vulnerablecode/issues/1301
Ziad:
- CWE exception in API
- CVSS vector in OSV
Dennis:
- Terminology in https://github.com/nexB/vulnerablecode/issues/1301
Tushar:
- Vulnerability status https://github.com/nexB/vulnerablecode/issues/1281
Agenda:
- History/ Changelog
- Vulnerability status
- CWE in API
Tushar:
- Showed his progress regarding history/changelog for packages and vulnerabilities
- Discussed the rejected status on NVD
Philippe:
- We should use DISPUTED and other statuses as well on a vulnerability.
Ziad:
- Discussed review comments on his PR for adding CWE support in API.
Agenda:
- How to express empty values
- Bug in univers
- Milestone review
- Ziad's GSoC project
Ziad:
- Talked about the problems in testing and logical changes needed for his GSoC project
John:
- Asked how we can express empty values; the solution we arrived at was to use `None` as the value instead of nothing
Philippe:
- Milestone review
Keshav:
- https://github.com/nexB/univers/issues/117 bug in univers
Agenda:
- Apache Tomcat failing test
Ziad:
- Due to change in tomcat advisory HTML page the apache tomcat tests were failing
- Discussed review comment on his PR
Philippe:
- The current data in VCIO is not current.
Agenda:
- Vers in purldb
Keshav:
- Adding univers vers support in purlDB
Agenda:
- Planning
Tushar:
- Planning for the next milestone
Agenda:
- UI for comparing and showing closest fix
- YAML file changing format and pushing events from VCIO to activity pub server
- purl.fyi and vulnerablecode insights
- Vulnerability status
John:
- Showed his progress on the closest and non-vulnerable fix, and also got some feedback
Ziad:
- Discussed the structure of YAML format for pushing events from VCIO to activity pub server
Dennis:
- https://nvd.nist.gov/vuln/vulnerability-status discussed about vulnerability status in NVD
Agenda:
- CVSS vector to scores
- Allow searching by CVSS vectors and show CVSS vectors in UI
- Passing package context while going from package to vulnerability
Ziad:
- Pointed out the discrepancies in converting CVSS vector to score mapping
Philippe:
- We should allow search by CVSS vectors and also show vectors in UI for a vulnerability.
Tushar:
- Going from a package to vuln, we should pass package context to show only matching packages in the vulnerability view
Agenda:
- API endpoint discussion for purl-sync project
- Issues reported by Tom in VCIO
Ziad:
- Discussed https://schema.org/Organization and his PR https://github.com/nexB/vulnerablecode/pull/1179
Philippe:
- Currently we store a single package with many qualifiers and subpath that pollutes vulnerablecode data https://github.com/nexB/vulnerablecode/issues/1219
Agenda:
- Insights on Vulnerablecode data
Hritik:
- Presented insights from the VCIO data and discussed the other data sources that we should consider.
Agenda:
- report feature in VCIO
- discuss CVSS score transformation
Philippe:
- Consider adding a reporting feature in VCIO to submit a list of purls and get the vulnerabilities in those PURLs
Ziad:
- Metrics to convert CVSSv2 to CVSSv3.
Agenda:
- CVSS
Ziad:
- Conversion of CVSSv2 to CVSSv3 scores.
Agenda:
- Issues with Improver and importers
- GoLang PackageURLs
Ziad:
- Sorting of the affected version range in the merge function is problematic
Philippe:
- We should store name as is for GoLang purls and should not have namespaces for them.
Agenda:
- Ruby Improver
Ziad:
- Discussed the approach for ruby improver.
Agenda:
- Severity Range
- Ziad's PRs
- Dropping CVSSv2
- version 32
Ziad:
- Discussed his PR for severity range https://github.com/nexB/vulnerablecode/pull/1179 and also asked review of his several importer PRs.
Dennis:
- Discussed that we should drop the CVSSv2 score from vulnerablecode https://github.com/nexB/vulnerablecode/issues/1187.
Tushar:
- Talked about the release of version 32 of vulnerablecode.
Agenda:
- Changelog on packages and vulnerabilities
- Severity Range
Tushar:
- Presented the current progress on the changelog structure of packages and vulnerabilities.
Ziad:
- Presented screenshots and his work on severity range.
Agenda:
- Cargo Version
- Status on version 32
- Refactor gem and make nuget hashable in univers
- Dark mode in documentation
Ziad:
- Discussed this issue https://github.com/nexB/univers/issues/111.
Dennis:
- Asked about the status of v32 of vulnerablecode.
Philippe and Keshav:
- Discussed this PR https://github.com/nexB/univers/pull/75 for refactoring gem and making nuget hashable in univers.
Swastik:
- Discussed the usage of dark mode in vulnerablecode documentation https://github.com/nexB/vulnerablecode/pull/1178.
Tushar:
- On version 32 status described that we are very close to release, we just need to merge https://github.com/nexB/vulnerablecode/pull/1169 and https://github.com/nexB/vulnerablecode/pull/1176.
Agenda:
- Severity normalizer
- Design a policy for vulnerabilities
- Cargo Version Range
- Release for CWE-2
- Golang PURLs
- Pending PRs
Dennis:
- Discussed how we can normalize different severity scoring.
Ziad:
- Talked about CargoVersionRange implementation in univers and release for CWE-2.
Tushar:
- Discussed the removal of namespace for Golang purls and vulnerablecode pending PRs.
Agenda:
- CWE imports
- ActivityPub GSoC project idea
- Univers release
Ziad:
- Discussed how different vulnerability advisories store CWE data.
- Discussed his approach for ActivityPub GSoC project idea.
Tushar:
- Explained what's new in the univers release v30.10.0.
Agenda:
- Pypi improver
- CWE
- ActivityPub
- Improver Structure
John:
- Where should we have the improver for pypi validation improver?
- Decided that we will have all improvers in improvers directory
Ziad:
- Discussed the release of CWE v3.0.0
- Shared his proposal regarding ActivityPub.
Tushar:
- Changes needed in the improver structure to accommodate entities other than advisories.
Agenda:
- PyPI API vulnerability data
- GSOC ideas for vulnerablecode
- State of Ziad PRs
- Normalization and Comparison
- Misbehaving Versions
- More data sources
John:
- Discussed the limitations of the PyPI API: rather than an importer, it should be an improver, which will collect additional data from the API for existing packages in vulnerablecode.
Ziad:
- Presented states of his open PRs and also his approach for "Decentralized vulnerability data peer-review"
Keshav:
- Showed the normalized vers and discrepancies in the PypiVersion and vulnerablecode data.
Hritik:
- Discussed the condition of current data sources we have in vulnerablecode and which new data source we should consider to collect data.
Agenda:
- normalizing the version ranges using spans
- Conan version
- extracting vulnerabilities from nuget API
Keshav:
- Discussed an approach to normalize version ranges using Span and also discussed how we can convert these spans into vers.
John:
- Discussed the conan support in univers.
Philippe:
- The NuGet API now provides vulnerability data; we should store that data in vulnerablecode.
Agenda:
- Vulnerablecode Data
- Goals and planning
- CWE
Hritik:
- Presented the report of the data and told various data sources which we can include in vulnerablecode.
Philippe:
- Presented future ideas and future goals for vulnerablecode https://github.com/nexB/vulnerablecode/issues/1129.
Tushar:
- Collect data from dependabot https://github.com/nexB/vulnerablecode/issues/1130.
Ziad:
- Discussed the CWE PR
Agenda:
- OSV
- GSD
- CWE API
- Improvers
- Vulnerablecode Token
- Status
Ziad:
- Will research how he can get the list of categories for CWE.
- What to provide in data when name and description are not present for a CWE.
- GSD data format.
- Bug in univers gem version.
Hritik:
- https://github.com/nexB/vulnerablecode/issues/701 improving improvers
Tushar:
- Status on milestone v32.0.0
Philippe:
- Discussed talking about Vulnerablecode and vulntotal in https://www.openchainproject.org/news/2023/01/16/openchain-automation-case-study-7-2023-02-07
Agenda:
- OVAL XML
- GSOC Ideas
Participants:
- Philippe (@pombredanne)
- Hritik (@hritik14)
- Tushar (@tg1999)
- Ziad (@ziadhany)
- Keshav (@keshav-space)
- John M. Horan (@johnmhoran)
- Dennis M. Clark (@DennisClark)
John:
- Discussing the data format of OVAL.
Dennis:
- https://oval.cisecurity.org/repository/download an OVAL catalog of sorts
Tushar:
- Discussion of GSoC Ideas.
- Adding heuristics to do static vulnerability scans.
Philippe:
- Using something like this to get versions of packages to do static vulnerability scanning:

```shell
$ openssl version
OpenSSL 1.0.2g 1 Mar 2016
$ strings `which openssl` | grep "OpenSSL 1.0.2g 1 Mar 2016"
OpenSSL 1.0.2g 1 Mar 2016
```
Agenda:
- Questions on SUSE
- Tests and Confidence in improvers
- CWE
Participants:
- Philippe (@pombredanne)
- Hritik (@hritik14)
- Tushar (@tg1999)
- Ziad (@ziadhany)
- Keshav (@keshav-space)
- John M. Horan (@johnmhoran)
- Dennis M. Clark (@DennisClark)
Ziad:
- Discussed the PR opened in CWE https://github.com/nexB/cwe2/pull/5.
John:
- Discussed how SUSE OVAL data differs from the pre-existing OVAL data that vulnerablecode parses at the moment, and the changes needed in code to accommodate the differences in data.
Hritik:
- Added a PR to add tests for improvers https://github.com/nexB/vulnerablecode/pull/1081.
Agenda:
- Deduping constraints in version range
- VulnTotal
- Defensive publication using ActivityPub
Participants:
- Philippe (@pombredanne)
- Hritik (@hritik14)
- Tushar (@tg1999)
- Ziad (@ziadhany)
- Keshav (@keshav-space)
- John M. Horan (@johnmhoran)
- Dennis M. Clark (@DennisClark)
Philippe:
- Planning to publish a defensive publication using activity-pub with vulnerablecode data.
John:
- We should have support for deduping version constraints in univers.
Keshav:
- Discrepancy in redhat data discovered through vulntotal.
Agenda:
- Apache Tomcat
- Status on current progress
Participants:
- Philippe (@pombredanne)
- Hritik (@hritik14)
- Tushar (@tg1999)
- Ziad (@ziadhany)
- Keshav (@keshav-space)
- John M. Horan (@johnmhoran)
- Dennis M. Clark (@DennisClark)
Tushar:
- Reviewed status on #597.
John:
- Follow-up questions by John on Apache Tomcat importer.