On Wed, 12 Jan 2022 12:44:14 +0800 Paul Wise <p...@debian.org> wrote:
> On Tue, 2022-01-11 at 11:20 +0000, Neil Williams wrote:
> 
> > I might need to brush up on my Perl and make a patch for lintian
> > which downloads the sec tracker JSON and checks the CVE list in the
> > .changes file - warnings from lintian are more likely to get fixed
> > prior to upload. Depends if you think this happens sufficiently
> > often that it is a problem worth solving. (Considering how long
> > it's been since I did that amount of code in Perl, maybe I'm better
> > filing the bug against lintian and seeing if someone else can come
> > up with a patch... - again, only if it happens sufficiently often.)
> 
> FTR, lintian does not do any network requests, so this approach won't
> be accepted. The best option you can get is a script to do the
> download at the lintian release time. Unfortunately this means the
> data will get outdated quickly and make the check less useful.
> 
> This check could be added to devscripts, debsecan or duck.

debsecan looks promising. It already has support for reporting a list of
CVEs by source_package name, directly from
https://security-tracker.debian.org/tracker/ and it's Python3. I'll have a
look at a patch which accepts a .changes file or d/changelog entry and
verifies that all listed CVEs actually exist for the source package of that
change.

> The sectracker JSON is very large, so I think that a new API will be
> needed for any tool that implements such a check.

:-)

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
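The check Neil sketches above, as an added example that is not code from debsecan, lintian or the security tracker: pull the `Source:` field and every CVE id out of a .changes file, then look each id up in a security-tracker JSON export. The export's shape is assumed to be source package -> CVE id -> details (the shape of the tracker's public JSON data); the .changes text and the tracker excerpt below are constructed inline so the script runs offline, and the helper names (`parse_deb822`, `check_cves`, `check_changes_file`) are this example's own. Beyond the plain "does the CVE exist" test, it also flags ids that the tracker files against a different source package, which is the usual symptom of a typo in the CVE number or a CVE attributed to the wrong package in d/changelog.

```python
"""Verify CVE ids named in a .changes file against a security-tracker export.

Added example for this thread, not debsecan or tracker code. The tracker
JSON is assumed to be shaped {source_package: {cve_id: details}}; all data
below is constructed, nothing is fetched.
"""
import json
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed .changes excerpt (not a real upload).
SAMPLE_CHANGES = """\
Format: 1.8
Date: Tue, 11 Jan 2022 11:00:00 +0000
Source: examplepkg
Binary: examplepkg
Architecture: source
Version: 1.2.3-2
Distribution: unstable
Urgency: high
Maintainer: Example Maintainer <maint@example.org>
Changes:
 examplepkg (1.2.3-2) unstable; urgency=high
 .
   * Bounds-check the record parser (CVE-2021-1000)
   * Reject '..' components in archive paths (CVE-2021-2000)
   * Mention CVE-2021-3000, which the tracker files against otherpkg
   * Mention CVE-2021-4000, which the tracker does not know at all
"""

# Constructed stand-in for the tracker's JSON export (assumed shape).
SAMPLE_TRACKER_JSON = json.dumps({
    "examplepkg": {
        "CVE-2021-1000": {"scope": "local", "releases": {"sid": {"status": "open"}}},
        "CVE-2021-2000": {"scope": "remote", "releases": {"sid": {"status": "open"}}},
    },
    "otherpkg": {
        "CVE-2021-3000": {"scope": "remote", "releases": {"sid": {"status": "open"}}},
    },
})


def parse_deb822(text):
    """Minimal single-paragraph deb822 parser: field name -> value.

    Continuation lines (leading space or tab) are appended to the current
    field; the first blank line ends the paragraph."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            break
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line[1:]
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_changes(text):
    """Return (source package, sorted unique CVE ids from the Changes field)."""
    fields = parse_deb822(text)
    if "Source" not in fields:
        raise ValueError("no Source: field in .changes")
    return fields["Source"], sorted(set(CVE_RE.findall(fields.get("Changes", ""))))


def check_cves(source, cves, tracker):
    """Classify CVE ids against tracker data shaped {package: {cve: details}}.

    'tracked': filed against this source package.
    'other_package': filed, but only against other packages (cve -> packages).
    'unknown': not present in the export at all."""
    by_cve = {}
    for pkg, entries in tracker.items():
        for cve in entries:
            by_cve.setdefault(cve, set()).add(pkg)
    result = {"tracked": [], "other_package": {}, "unknown": []}
    for cve in cves:
        pkgs = by_cve.get(cve)
        if pkgs is None:
            result["unknown"].append(cve)
        elif source in pkgs:
            result["tracked"].append(cve)
        else:
            result["other_package"][cve] = sorted(pkgs)
    return result


def check_changes_file(changes_text, tracker_json):
    """Glue: parse the .changes text and check it against a JSON export string."""
    source, cves = parse_changes(changes_text)
    return source, check_cves(source, cves, json.loads(tracker_json))


def main():
    source, result = check_changes_file(SAMPLE_CHANGES, SAMPLE_TRACKER_JSON)
    for cve in result["tracked"]:
        print(f"ok: {cve} is tracked for {source}")
    for cve, pkgs in result["other_package"].items():
        print(f"warning: {cve} is tracked for {', '.join(pkgs)}, not {source}")
    for cve in result["unknown"]:
        print(f"error: {cve} is not in the security tracker export")
    return 1 if result["other_package"] or result["unknown"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Against the constructed input the script reports the two ids filed for examplepkg as ok, warns that CVE-2021-3000 is filed against otherpkg, errors on CVE-2021-4000, and exits non-zero; in a real pre-upload hook the `SAMPLE_TRACKER_JSON` string would be replaced by the downloaded export, and the non-zero exit is what stops the upload.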