#159 Follow up on EPEL CVEs
Opened 2 years ago by salimma. Modified 2 years ago

There are many CVEs against EPEL branches, especially for older EPEL releases like epel7.

We should probably start paying closer attention to them, at least those with priority/severity higher than the default medium.


Metadata Update from @salimma:
- Issue assigned to salimma

2 years ago

Metadata Update from @tdawson:
- Assignee reset
- Issue tagged with: meeting

2 years ago

Initial data for today's meeting:

report-20220223.json

(components, assignee, versions, sorted by frequency)

The raw data I pulled also has the creation date, so we can do things like computing average age later, and we can also do this regularly and compute the difference to see if we're making progress.

TL;DR
- epel7 as expected has many more CVEs
- the most common assignee is orphan, which is rather worrying

This was looked at in the weekly EPEL Steering Committee meeting.
After looking at the various CVE bugzillas, it looked like many of them had been addressed, but the CVE bugs were not closed.
Various members of the committee were going to look at packages they were familiar with and try to clean up the already fixed CVE bugs.
We will look at this again in a month (March 23) and see where we are at.

latest report: https://pagure.io/michel-slm/fedora-cve-analyzer/blob/main/f/data/epel-cves-report-20220323.json

I've modified the scripts to also track bug status, and generate age statistics (bug status was not initially tracked before this week's snapshot, so it's hard to generate that data).

What's concerning is... bugs that are ASSIGNED have a significantly higher p50 age than bugs that are NEW, so... people assigned the bugs and then sit on them?

delta from last month:

   "version": {
-    "epel7": 200,
-    "epel8": 11
+    "epel7": 168,
+    "epel8": 14
   },
   "stats": {
+    "status": {
+      "NEW": {
+        "p50": 480.0,
+        "p90": 1437.1999999999998,
+        "p99": 2170.94
+      },
+      "ASSIGNED": {
+        "p50": 948.0,
+        "p90": 1324.8,
+        "p99": 1409.58
+      }
+    },
     "version": {
       "epel7": {
-        "p50": 579.0,
-        "p90": 1400.8,
-        "p99": 2140.14
+        "p50": 499.5,
+        "p90": 1450.1000000000001,
+        "p99": 2172.6200000000003
       },
       "epel8": {
-        "p50": 436.0,
-        "p90": 778.0,
-        "p99": 806.8
+        "p50": 303.5,
+        "p90": 803.0,
+        "p99": 833.8399999999999
       }
     }
   }
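Review bot: the percentile values are emitted as raw floats (1437.1999999999998, 1450.1000000000001, 2172.6200000000003, 833.8399999999999); rounding them to a fixed precision in the generating script would make the month-over-month diff show real movement rather than float noise. Note also that the whole "status" block is new in this snapshot (every line is a `+`), so the NEW/ASSIGNED rows have no previous-month baseline yet; the first comparable delta for them will be next month's report.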

What does p50, p90, p99 mean?

50th, 90th and 99th percentile of time elapsed since the bug was created
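To make the percentile definition above concrete, here is an added example (not the fedora-cve-analyzer code) that builds a report in the same shape as the JSON diffed in this ticket: per-version bug counts plus p50/p90/p99 age in days, grouped by status and by version. The snapshot date and the Bugzilla-style records are constructed; the percentile uses linear interpolation between ranks, which is the convention that produces fractional values like those in the report.

```python
"""Added example (not fedora-cve-analyzer code): bug-age percentiles in the
shape of the report diffed above, over constructed Bugzilla-style records."""
import math
from collections import Counter, defaultdict
from datetime import date, timedelta

SNAPSHOT = date(2022, 3, 23)  # assumed snapshot date for the constructed data

def days_ago(n):
    return SNAPSHOT - timedelta(days=n)

# Constructed records with the fields a Bugzilla CVE query returns.
BUGS = [
    {"id": 1, "status": "NEW", "version": "epel7", "created": days_ago(100)},
    {"id": 2, "status": "NEW", "version": "epel7", "created": days_ago(500)},
    {"id": 3, "status": "NEW", "version": "epel8", "created": days_ago(300)},
    {"id": 4, "status": "ASSIGNED", "version": "epel7", "created": days_ago(900)},
    {"id": 5, "status": "ASSIGNED", "version": "epel7", "created": days_ago(1000)},
    {"id": 6, "status": "ASSIGNED", "version": "epel8", "created": days_ago(200)},
]

def percentile(values, p):
    """p-th percentile, linear interpolation between ranks (numpy's default)."""
    xs = sorted(values)
    if not xs:
        raise ValueError("percentile of empty group")
    rank = (len(xs) - 1) * p / 100
    lo, hi = math.floor(rank), math.ceil(rank)
    return xs[lo] + (xs[hi] - xs[lo]) * (rank - lo)

def age_stats(bugs, key, snapshot=SNAPSHOT):
    """p50/p90/p99 age in days grouped by a bug field ('status' or 'version'),
    rounded to two decimals so consecutive snapshots diff cleanly."""
    groups = defaultdict(list)
    for bug in bugs:
        groups[bug[key]].append((snapshot - bug["created"]).days)
    return {name: {f"p{p}": round(percentile(ages, p), 2) for p in (50, 90, 99)}
            for name, ages in sorted(groups.items())}

def build_report(bugs, snapshot=SNAPSHOT):
    """Per-version bug counts plus age stats, matching the JSON quoted in the ticket."""
    return {"version": dict(Counter(bug["version"] for bug in bugs)),
            "stats": {"status": age_stats(bugs, "status", snapshot),
                      "version": age_stats(bugs, "version", snapshot)}}

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(BUGS), indent=2))
```

Comparing two such reports is then a plain JSON diff, as in the delta posted above.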

Will-It now lists bugs, and has a CVE page for each release. The pages simply list bugs with the CVE in the subject. It does not look at priority or importance.

EPEL7 - https://tdawson.fedorapeople.org/epel/willit/epel7/status-bugz-cve.html
EPEL8 - https://tdawson.fedorapeople.org/epel/willit/epel8/status-bugz-cve.html
EPEL9 - https://tdawson.fedorapeople.org/epel/willit/epel9/status-bugz-cve.html

One interesting thing to note is that the Will-It page that shows bugs not assigned to any package shows that there are 43 CVE bugs not assigned to anything. Might be an easy way to close some CVE bugs.

Metadata Update from @carlwgeorge:
- Issue untagged with: meeting

2 years ago

Untagging from meeting until it's ready to be discussed again.
