Re: "Version less than 0.0" in OVAL definitions
On Mon, 17 May 2021 at 19:58, Serkan Özkan wrote:
> Hello Seb,
> For some reason I didn't receive your email but saw it on the mailing list
> archive page.
> OVAL definitions are important for us and we would like to fix them if
> possible. Can you please let me know where the code is?

Hi Serkan,

I believe the latest version of the code for the OVAL definitions generation is in the source code of the website, more specifically in this directory: https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/oval/generate.py.

An older version was the Perl script I developed (at https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/parse-wml-oval.pl), which is not functional anymore.

To generate the definitions, you need to have a copy of all the Debian Security Advisories, which is available in the web source repository (at https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/security).

Hope the above helps.

Javier
Re: "Version less than 0.0" in OVAL definitions
Hello Seb,

For some reason I didn't receive your email but saw it on the mailing list archive page.

OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the code is?

Thank you,
Serkan

On Mon, 17 May 2021 at 12:22, Serkan Özkan wrote:
> Hello,
> Thanks for the information Javier. Not promising anything, but I can try
> to fix the script if you can point me to the script + setup.
>
> Thank you,
> Serkan
>
> On Mon, 17 May 2021 at 12:14, Javier Fernandez-Sanguino wrote:
>>
>> On Mon, 17 May 2021 at 09:58, Serkan Özkan wrote:
>>
>>> Hello,
>>> In theory, from a version-numbering point of view only, yes, less
>>> than 0.0 is valid. But in practice, as they are used in Debian OVAL
>>> definitions, I don't think they are. I think these state values might be
>>> incorrect, probably unintentionally. And there are many, thousands, of
>>> these less-than-0.0 versions; I don't think they are actually intended to
>>> test for pre-version-0 releases.
>>>
>>
>> Dear Serkan,
>>
>> There is a problem with the OVAL definitions published on the website.
>> The definitions are generated from the information available (in webwml
>> files) in the source code of the website, but this is missing version
>> information in a way that can be properly interpreted by the scripts.
>>
>> As a consequence, the output (the definitions) does not include an
>> accurate value for the version. To implement this properly we would need to
>> re-engineer the script that was created in 2010. Help here would be
>> appreciated; I can point you to the script + setup if you could help.
>>
>> Hope the above clarifies. Best regards,
>>
>> Javier
Re: "Version less than 0.0" in OVAL definitions
Hi,

the Debian Security team periodically gets requests and/or bug reports about the OVAL exports, and our general stance is that although we can't provide support for them, I'll gladly review and accept PRs on the OVAL generation code if people are interested in fixing whatever issues they find on their end.

Cheers,
-- 
Seb
Re: "Version less than 0.0" in OVAL definitions
On Mon, 17 May 2021 at 09:58, Serkan Özkan wrote:
> Hello,
> In theory, from a version-numbering point of view only, yes, less than
> 0.0 is valid. But in practice, as they are used in Debian OVAL definitions,
> I don't think they are. I think these state values might be incorrect,
> probably unintentionally. And there are many, thousands, of these less-than-
> 0.0 versions; I don't think they are actually intended to test for pre-
> version-0 releases.

Dear Serkan,

There is a problem with the OVAL definitions published on the website. The definitions are generated from the information available (in webwml files) in the source code of the website, but this is missing version information in a way that can be properly interpreted by the scripts.

As a consequence, the output (the definitions) does not include an accurate value for the version. To implement this properly we would need to re-engineer the script that was created in 2010. Help here would be appreciated; I can point you to the script + setup if you could help.

Hope the above clarifies. Best regards,

Javier
Re: "Version less than 0.0" in OVAL definitions
Hello,

In theory, from a version-numbering point of view only, yes, less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these less-than-0.0 versions; I don't think they are actually intended to test for pre-version-0 releases. For example, who could be using a pre-version-0 release of glibc?

[OVAL XML excerpt (oval-definitions-5#linux namespace); the tags were stripped by the list archive and only the namespace references survive.]

On Mon, 17 May 2021 at 09:40, Holger Levsen wrote:
> On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> > We are using Debian OVAL definitions but there are many tests, and
> > states, that test for dpkg versions being less than 0.0 which is
> > impossible in practice (right?).
>
> no, it's possible:
>
> 0~1 is a valid version. It's smaller than zero, yet it's not a negative
> number.
>
> It's usually used for versions like 1.0~0alpha1-1 to allow the next
> version to be 1.0-1... but 0~1 is a legal and valid version too.
>
>
> --
> cheers,
> Holger
>
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
> ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
> ⠈⠳⣄
>
> I'm looking forward to Corona being a beer again and Donald a duck.
Re: "Version less than 0.0" in OVAL definitions
On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> We are using Debian OVAL definitions but there are many tests, and states,
> that test for dpkg versions being less than 0.0 which is impossible in
> practice (right?).

no, it's possible:

0~1 is a valid version. It's smaller than zero, yet it's not a negative number.

It's usually used for versions like 1.0~0alpha1-1 to allow the next version to be 1.0-1... but 0~1 is a legal and valid version too.

--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

I'm looking forward to Corona being a beer again and Donald a duck.
"Version less than 0.0" in OVAL definitions
Hello,

We are using Debian OVAL definitions but there are many tests, and states, that test for dpkg versions being less than 0.0, which is impossible in practice (right?). How should we handle these tests/definitions? Should we ignore them or does 0.0 have a special meaning in this case?

[OVAL XML excerpt (oval-definitions-5#linux namespace); the tags were stripped by the list archive. The state values that survive are, in order: 0:0, 0:1.14.4-1+deb10u1, 0:0.]

Thanks in advance,
Serkan Özkan
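Added example, not code from this thread or from the Debian webwml repository: a Python implementation of the dpkg version-ordering rules Holger describes (epoch, then upstream version, then Debian revision, with "~" sorting before everything, including the end of the string), applied to the kind of evr strings shown in the original question. It goes beyond the single "0~1 < 0" case to the general algorithm, so it also answers the practical question of which installed versions a "less than 0:0" state can actually match. Function names, and all sample versions other than 0:0 and 0:1.14.4-1+deb10u1, are my own.

```python
"""dpkg-style version comparison applied to OVAL evr strings.

Implements the ordering used by dpkg: epoch first, then the upstream
version, then the Debian revision, each fragment compared by alternating
non-digit and digit runs, where '~' sorts before anything (even the end
of the string). Function names and sample values are chosen for this example.
"""
from typing import Iterable, List, Tuple

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run (dpkg's order())."""
    if c == "" or c in _DIGITS:
        return 0            # end of string and digits weigh nothing here
    if c.isalpha():
        return ord(c)       # letters sort by code point
    if c == "~":
        return -1           # tilde sorts before everything, even ''
    return ord(c) + 256     # '.', '+', '-' etc. sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(); <0, 0, >0."""
    i, j = 0, 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character until both sides
        # are at a digit (or at the end).
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, remember the first differing digit,
        # and let the longer run win (it is the larger number).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; missing epoch is 0, missing revision ''."""
    epoch, rest = 0, evr
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)   # revision follows the LAST hyphen
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_evr(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_evr(a)
    eb, ub, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def state_less_than_matches(installed: str, state_evr: str) -> bool:
    """Would a dpkginfo state with operation 'less than' match this installed evr?"""
    return compare_evr(installed, state_evr) < 0


def versions_matching_less_than(candidates: Iterable[str], state_evr: str) -> List[str]:
    """Subset of candidates that a 'less than state_evr' state would flag."""
    return [v for v in candidates if state_less_than_matches(v, state_evr)]


if __name__ == "__main__":
    # Constructed sample values; only the two state evrs come from the thread.
    installed = ["0~1", "1.0~0alpha1-1", "1.0-1", "0:1.14.4-1+deb10u1", "1.14.4-1+deb10u2"]
    for state in ("0:0", "0:1.14.4-1+deb10u1"):
        print(f"less than {state}: {versions_matching_less_than(installed, state)}")
```

Run against the constructed list, the "0:0" state matches only "0~1", which is exactly Holger's point: such a state is syntactically valid but will flag a real package only if its version starts with "~", so for the packages in question it is effectively a never-matching test rather than one with a special meaning. Results can be cross-checked on any Debian host with `dpkg --compare-versions 0~1 lt 0 && echo lt`.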