| From | Samuel Henrique <samueloph@debian.org> |
|---|---|
| Newsgroups | linux.debian.security |
| Subject | Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped) |
| Date | 2025-04-13 18:10 +0200 |
| Message-ID | <KB849-dg6F-3@gated-at.bofh.it> |
| References | <KlYq6-390b-5@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |

Hello Salvatore,

On Sun, 13 Apr 2025 at 16:32, Salvatore Bonaccorso <carnil@debian.org> wrote:
> I have not gone to all details of your proposal, but the high level
> view is IMHO as described in short above. For instance for the zlib
> issues that would then move the entries from the ignored (which is a
> substate of a no-dsa and apparently commercial security scanners are not
> willing to parse or adapt to) to the more narrowed down and specified
> substate of nonissue. In particular such a vulnerability state could
> exactly reflect as well per suite entry in case the state changes
> between them.

You mentioned this previously, which is a fair point. I believe one of the
alternatives would work, what do you think? Quoting from that email:

On Sat, 2 Nov 2024 at 20:02, Samuel Henrique <samueloph@debian.org> wrote:
> On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > As mentioned in an earlier message: What I would love to see is to
> > actually have a substate which makes the situation clear, and still
> > being technically correct. I was envisioning something which would be
> > a substate like we have for the substate of no-dsa (ignored,
> > postponed).
>
> This sounds like the solution proposal A2, quoting it:
>
> ## A2) Add a new mutually exclusive state to the set:
> "not-affected-build-artifacts"
>
> Would this be aligned to what you're looking for?

I think there wasn't a confirmation after this email.

> Hope this clarifies that you are not being ignored (heh ;-) no pun
> intended here :)), which is as well quite important to me to let you
> know.

Definitely, I didn't mean to suggest that it's not as important to you as well,
and thank you for replying!

Regards,

--
Samuel Henrique <samueloph>