Skip to content

WeeklyMeetings

Jump to bottom
Tushar Goel edited this page Feb 7, 2023 · 172 revisions

We are meeting online using Jitsi once a week. Everyone is welcomed! The time is every Tuesday at 15:00 UTC See https://www.timeanddate.com/worldclock/meeting.html to get the time in your timezone.

Join us at https://gitter.im/aboutcode-org/vulnerablecode And https://meet.jit.si/VulnerableCode

Upcoming Meeting on Tuesday 2023-02-14 at 16:00 UTC

Agenda:
  • (Post your agenda in gitter and we'll add it here)

Meeting on Tuesday 2023-02-07 at 16:00 UTC

Agenda:
  • OSV
  • GSD
  • CWE API
  • Improvers
  • Vulnerablecode Token
  • Status
Ziad:
  • Will research how he can get the list of categories for CWE.
  • What to provide in data when name and description are not present for a CWE.
  • GSD data format.
  • Bug in univers gem version.
Hritik:
Tushar:
  • Status on milestone v32.0.0
Philippe:

Meeting on Tuesday 2023-01-24 at 16:00 UTC

Agenda:
  • OVAL XML
  • GSOC Ideas
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
John:
  • Discussing the data format of OVAL.
Dennis:
Tushar:
  • Discussion of GSoC Ideas.
  • Adding heuristics to do static vulnerability scans.
Philippe:
  • Using something like this to get versions of packages to do static vulnerability scanning.
$ openssl version
OpenSSL 1.0.2g  1 Mar 2016
$ strings `which openssl` | grep "OpenSSL 1.0.2g  1 Mar 2016"
OpenSSL 1.0.2g  1 Mar 2016

Meeting on Tuesday 2023-01-17 at 16:00 UTC

Agenda:
  • Questions on SUSE
  • Tests and Confidence in improvers
  • CWE
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
Ziad:
John:
  • Discussed how SUSE OVAL data is different from pre-existing OVAL data that vulnerablecode parse at the moment and changes needed in code to accommodate the changes in data.
Hritik:

Meeting on Tuesday 2023-01-10 at 16:00 UTC

Agenda:
  • Deduping constraints in version range
  • VulnTotal
  • Defensive publication using ActivityPub
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
Philippe:
  • Planning to publish a defensive publication using activity-pub with vulnerablecode data.
John:
  • We should have support for deduping version constraints in univers.
Keshav:
  • Discrepancy in redhat data discovered through vulntotal.

Meeting on Tuesday 2023-01-03 at 16:00 UTC

Agenda:
  • Apache Tomcat
  • Status on current progress
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
Tushar:
  • Reviewed status on #597.
John
  • Follow-up questions by John on Apache Tomcat importer.

Meeting on Tuesday 2022-12-27 at 16:00 UTC

Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Agenda:

Ziad:
  • question on cwe2 issue #4 wrt. cwe 399 which does not exists in the download from MITRE. The upstream page even states that this is deprecated and should not be used.
  • importlib.resources usage for cwe2 data file loading
Hritik
  • There is new PR to validate link typos in the CI that needs approval
Tushar
  • licensing issues with importer for "suse scores", and "ubuntu: need to reach out to respective security teams
  • suse license was changed for CVRF to CC-BY
  • ubuntu license may be GPL which is not practical for data
Keshav:
  • nothing special to bring up.
John:
  • working on the Tomcat importer migration, wrestling with the HTML structure of Tomcat data
Philippe
  • The "packaging" library issue (that led to packvers creation) may mean that we need to vendor some libraries to avoid these issues.

Meeting on Tuesday 2022-12-20 at 16:00 UTC

Agenda:
  • Apache Tomcat and CVE entries
  • CWE
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
John:
  • Discussing the structure of apache tomcat data.
Ziad:
  • Discussing his progress and follow-up question on CWE.

Meeting on Tuesday 2022-12-13 at 16:00 UTC

Agenda:
  • Apache HTTPD and Kafka
  • CWE
  • Conflicting advisories
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
Philippe:
  • We have two advisories from different sources that tell different ranges for a package, we should add advisory scoring.
Ziad:
  • Discussing progress in CWE.
John:
  • Follow up questions on apache kafka and httpd.

Meeting on Tuesday 2022-12-06 at 16:00 UTC

Agenda:
  • Apache Kafka follow-up questions
  • UI for CWE
  • Ingesting CWEs
  • Problem of conflicting advisories
  • Ingesting advisories that don't have identifiable purls
Participants:
  • Philippe (@pombredanne)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Philippe

  • We found 2 datasources NVD and Github which were reporting different affected version ranges for same vulnerability
  • Solution: store the source of advisory with the package-vulnerability relation, add some vulnerability clarity scoring.

John

  • Discussing different type of version ranges found in Apache Kafka

Ziad

  • Ingesting CWE data through NVD importer and modify improver to store CWEs.

Tushar

Meeting on Tuesday 2022-11-29 at 16:00 UTC

Agenda:
  • Follow up issues on Apache HTTPD importer
  • Review on 597
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Discussions:

John

Philippe

Meeting on Tuesday 2022-11-22 at 16:00 UTC

Agenda:
  • Model changes to accomodate CWE
  • Status on PRs
  • Questions related to Apache HTTPD
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Discussions:

John

  • Suggested his approach to add fixed version from the Apache HTTPD advisory data and asked some clarifying questions regarding the comparators used.

Ziad

  • Asked how can we add CWE field in the VCIO models.

Philippe

  • Quick status on pending PRs.

Meeting on Tuesday 2022-11-15 at 16:00 UTC

Agenda:
  • Apache Httpd importer
  • Releasing CWE 2 library
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Discussions:

John

  • Continuing his work on migrating the Apache HTTPD importer.

Ziad

Meeting on Tuesday 2022-11-08 at 16:00 UTC

Agenda:
  • Update on public vulnerablecode instance
  • Forever vulnerable packages
  • Ruby Importer
  • Milestone 31 review
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
  • Michael Herzog (@mjherzog)

Discussions:

Philippe

  • Public instance may be released by today
  • Manually enter forever vulnerable packages wherever we can collect it from.
  • Collect advisories that have inaccurate data and store them manually.

Ziad

Meeting on Tuesday 2022-11-01 at 15:00 UTC

Agenda:
  • Namespace for postgres importer
  • Improve swap function for CVSS
  • A comment over current progress
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
  • Michael Herzog (@mjherzog)

Discussions:

John

Dennis

  • Needed a comment from Philippe over current status of VCIO.
  • Comment from Philippe: We are very near to a public release.

Ziad

  • Discussed CVSS swap function, will have a session with Philippe to discuss it further.

Meeting on Tuesday 2022-10-25 at 15:00 UTC

Agenda:
  • Fireeye Importer
  • Comment over performance of VCIO
  • Support for generic versions univers
  • Documentation issues
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)
  • Michael Herzog (@mjherzog)

Discussions:

Michael

Dennis

  • Needed a comment from Philippe over current performance of VCIO.
  • Comment from Philippe: Issues still persist on search, we take 10-20 seconds for a search, we don't use index right now, we should have a full text search index.

Philippe

  • Went through how we can develop generic version ranges using libversion.

Ziad

Meeting on Tuesday 2022-10-18 at 15:00 UTC

Agenda:
  • Discussed all PRs
  • Fix vulnerability lookup
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Tushar

  • Reviewed all open PRs and marked the status Draft wherever it was required and closed some redundant PRs and also merged some PRs.

Philippe

Meeting on Tuesday 2022-10-11 at 15:00 UTC

Agenda:
  • Importers with no declared license
  • Milestone v31
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

John

  • Will be using "LicenseRef-scancode-unknown" as spdx license expression, when there is no declared license associated with any importer.

Philippe

Meeting on Tuesday 2022-10-04 at 15:00 UTC

Agenda:
  • Testing Git Importer
  • CWE and CVSS
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Tushar

John

Ziad

Meeting on Tuesday 2022-09-27 at 15:00 UTC

Agenda:
  • v30.0.0
  • ArchLinux Importer
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Tushar

John

  • John picked up migration of ArchLinux Importer.

Meeting on Tuesday 2022-09-20 at 15:00 UTC

Agenda:
  • Ziad pending PRs
  • Python2JS
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Ziad

Keshav

  • Discussed how we can add VulnTotal in browser using Python2JS.

Meeting on Tuesday 2022-09-13 at 15:00 UTC

Agenda:
  • CWE and CVSS
  • Re-discussed Vulnerability Severity
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Ziad

Dennis

Tushar

Meeting on Tuesday 2022-09-06 at 15:00 UTC

Agenda:
  • UI Review
  • Release Status
  • VCID
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Philippe

Tushar

Meeting on Tuesday 2022-08-30 at 15:00 UTC

Agenda:
  • Changes in VulnTotal CLI
  • Threading in VulnTotal
  • Next steps and priority for UI
  • Release Status
  • Better way to represent Vulnerability Severity
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)

Discussions:

Philippe

Keshav

Dennis

Meeting on Tuesday 2022-08-23 at 15:00 UTC

Agenda:
  • Alias URL
  • Running profiling for all importers
  • Rust Importer
  • Review on status
  • Issue on affected vs fixed package
  • Staging Instance
  • Status on release
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Michael Herzog (@mjherzog)

Discussions:

Philippe

Ziad

  • Working on profiling all importers
  • Started work on Rust Importer

Keshav

Meeting on Tuesday 2022-08-16 at 15:00 UTC

Agenda:
  • Snyk.io and follow-up questions
  • GitImporter and parallel run importer
  • Status on release
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Michael Herzog (@mjherzog)

Discussions:

Philippe

Ziad

Keshav

Meeting on Tuesday 2022-08-09 at 15:00 UTC

Agenda:
  • UI
  • VulnTotal Planning
  • Status on release
  • PR for shared Importer
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Michael Herzog (@mjherzog)

Discussions:

Philippe

Ziad

Keshav

John

Meeting on Tuesday 2022-08-02 at 15:00 UTC

Agenda:
  • UI
  • Git Importer
  • Status on public release
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Michael Herzog (@mjherzog)

Discussions:

Philippe & Michael

Ziad

  • Discussed refactoring of Git Importer

Keshav

John

  • Working on UI
  • Questions on UI
  • Review on UI

Meeting on Tuesday 2022-07-26 at 15:00 UTC

Agenda:
  • Tag Release
  • API Design
  • Categorize Version
  • VulnTotal
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Thomas Druez (@tdruez)
  • Michael Herzog (@mjherzog)

Discussions:

Philippe

Ziad

  • Categorize Versions in NPM Importer

Thomas

API Design Changes

Meeting on Tuesday 2022-07-19 at 15:00 UTC

Agenda:
  • Release Candidate
  • VulnTotal Status
  • Ruby Importer PR
  • New UI
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis Clark (@DennisClark)

Discussions:

Philippe

  • Discussed Release Candidate
  • Put DB Dump and change documentation
  • Philippe will refresh the DB and put a weekly scheduler for this

Ziad

Hritik

  • Status on VulnTotal project

Keshav

  • Will work on GHSA
  • OSV - problems in deps and osv to convert into purl, will push tests for deps
  • CLI - Need a raw dump
  • GitHub Validator - Need to query by version - Reuse the existing GraphQL query and try to modify the existing query

Dennis

John Horan

  • Exploring VC and VCIO
  • Worked on a seperate django project
  • Creating a new branch and adapt to current UI, and made a new UI

Meeting on Tuesday 2022-07-12 at 10:00 UTC

Agenda:
  • Release and Status
  • CWE
  • GSD Importer
  • Change of timing for weekly sync
Participants:
  • Tushar (@tg1999)
  • Philippe Ombredanne (@pombredanne)
  • Ziad (@ziadhany)

Discussions:

Philippe

Ziad

Tushar

  • Change weekly sync time to 15:00 GMT every Tuesday

Meeting on Tuesday 2022-07-05 at 10:00 UTC

Agenda:
  • Keshav's GSoC status
  • Ziad's GSoC status
Participants:
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

Discussions:

Ziad

Keshav

  • Added OSV Importer Test
  • Added Deps dev validator
  • Merged the Initial Vulntotal PR
  • Add tests for deps and github validator
  • Discussed parsing of Maven Purl

Meeting on Tuesday 2022-06-28 at 10:00 UTC

Agenda:
  • Keshav's GSoC status
  • Ziad's GSoC status
  • Fixed Packages filter in API
  • Adding URLs for CPEs
Participants:
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

Discussions:

Ziad

  • Worked on Pypa Importer and Shared OSV and added support for CWE
  • Will be working on UVI database Importer

Keshav

  • Worked on CLI support for VulnTotal and adding tests for OSV
  • Will be working on deps.dev

Tushar

  • Added fixed Packages filter in API and URLs for CPEs

Meeting on Tuesday 2022-06-21 at 10:00 UTC

Agenda:
  • Keshav's PR
  • Vulnerablecode Release
  • Importing Android Advisories
Participants:
  • Tushar (@tg1999)
  • Keshav (@keshav-space)

Discussions:

Keshav

Tushar

Meeting on Tuesday 2022-06-14 at 10:00 UTC

Agenda:
  • Univers PR on semver (Keshav)
  • Code orgaznition for osv importer (Ziad)
  • Upcoming release and licensing (Philippe)
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)

Discussions:

Keshav

  • There is a PR pending in univers, not yet merged
  • we discussed a possible bug in the current PR as the composer version should sort correctly and does not
  • Ziad offered help for setting up a debugger
  • we discussed possible forking of our own semantic version library and a possible generic version implementation

Ziad

  • OSV advisory uses same OSV schema as used in Pysec
  • we discussed how to possibly organize the code using a shared osv.py module and specific importers (like pysec) that use this code. Ziad plans to move existing pysec code there.

Philippe

  • Working on release
  • Discussing license of the data: CC-BY-SA option

Meeting on Tuesday 2022-06-07 at 10:00 UTC

Agenda:
  • VulnerableCode release
  • CSV Report
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • lf32 (@lf32)

VulnerableCode release

Philippe is working on the 0.9.0 release.

CSV Report

Tushar prepared a CSV file to help improve our findings https://github.com/nexB/vulnerablecode/issues/755#issuecomment-1147901429

Meeting on Tuesday 2022-05-31 at 10:00 UTC

Agenda:
  • VulnerableCode Release
  • SyliusResourceBundle versioning issues
  • scoring systems
  • VulnTotal
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

VulnerableCode Release

Planning a release 0.9.0 by the end of this week.

SyliusResourceBundle versioning issues

Tracking at https://github.com/Sylius/SyliusResourceBundle/issues/455

scoring systems

We could adopt something like the following for our scoring systems:

scoring_elements = models.CharField(
    max_length=100,
    help_text="Supporting scoring elements as a string. "
              "For example a CVSS vector or Important, High, Medium, Low. "
              "Typically used to compute the value.
)

def save(self, *args, **kwargs):
    if not self.value and self.scoring_elements:
         self.value = SCORING_SYSTEMS[self.scoring_system].as_score(self.scoring_elements)
    super().save(*args, **kwargs)

VulnTotal

Need to schedule a VulnTotal specific meet sometime following week.

Meeting on Tuesday 2022-05-24 at 10:00 UTC

Agenda:
  • Welcome GSoC selected students
  • OSV Importer
  • Strange GitLab version ranges
  • VulnerableCode security issues
  • Need for VulnTotal (rant)
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

Welcome GSoC selected students

We congratulate and welcome this year's Google Summer of Code students - Keshav (@keshav-space) and Ziad (@ziadhany). We will be working towards the respective proposals and set the next milestone for VulnerableCode.

OSV Importer

Tushar is working on importing OSV for github (via https://github.com/github/advisory-database). Ziad will be working on PyPa advisory database (https://github.com/pypa/advisory-database/). It's is expected to be exactly the same db as OSV. We will find out more as we implement. We also need support for different ecosystems.

Strange GitLab version ranges

Keshav observed some test cases failing against this composer test data.

Gitlab is making up version ranges, the following range supplied by gitlab in the aforementioned data makes no sense:

"gitlab_native": "<1.3||>=1.3.0

Gitlab also converts these ranges to English text which is more painful than helpful. For the above range, we have the following advisory: https://advisories.gitlab.com/advisory/advpackagist_sylius_resource_bundle_CVE_2020_5220.html

Upon further investigation, we find that upstream itself is not making any sense with their version range and the representation used https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2

The NVD Entry (https://nvd.nist.gov/vuln/detail/CVE-2020-5220) points us to other sources:

Friendsofphp is parsing the advisory in a different way that appears to be inconsistent with the upstream itself. This could make it a potential candidate for VulnTotal.

As the upstream data is not clear by itself, following interpretations were suggested by Philippe:

<=1.3.12||>=1.4.0,<=1.4.5||=1.5.0||>=1.6.0,<=1.6.2
vers:composer/<=1.3.12|>=1.4.0|<=1.4.5|1.5.0|>=1.6.0|<=1.6.2

They might want to say this:
<=1.3.12||>=1.4.0 <=1.4.5||=1.5.0||>=1.6.0 <=1.6.2

Though, we cannot be totally certain before confirming. Keshav will be creating a ticket about this on the upstream and will follow up regarding the same.

PS: The semver specs does not consider 1.3 as a valid semver. It needs to be coerced using Version.coerce and then Version.coerce(1.3) == Version.coerce(1.3.0)

VulnerableCode security issues

We need to plan for a private tracker for VulnerableCode security issues. In order to protect downstream from possible threats, security issues will be first taken care of in the private tracker and made public at a later date.

Need for VulnTotal (rant)

Of all the datasoures, there's one that's good: The question is which one is the good one ? Everyone is making something up. Each of them makes something up slightly differently, you have as many ranges as there are downstream interpretations. None of them is faithful to the upstream. We have to ensure - at some point of time - not so much notion of confidence but notion of upsteram and downstream. If everyone interprets version ranges at their whim, there's this game in France - it's called The Arab Telephone aka Chinese Whispers - it's a game for kids - you start in circle and you have to say somethitng to the person next to you and repeat what was said to you when it gets back. The end result is very different than the original sentence. Imagine the problem with large s/w team with 100s of false positives. You have to redo everything, thus we need VulnerableCode and VulnTotal.

Meeting on Tuesday 2022-05-17 at 10:00 UTC

Agenda:
  • Severity score and CVSS vector
  • Reference model
  • OSS Summit
  • Unstable sort
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

Severity score and CVSS vector

If a CVSS vector is available, we should calculate score from there and store it. If not, then store the score only. The following library could come handy while dealing with cvss vectors and scores https://github.com/skontar/cvss

Reference model

Our reference model needs to be self standing. Also, the severity needs to be detached from reference and should be treated as its own entity. A structure like the following is possible:

vuln -- Refencce
    |----Severity --> reference

OSS Summit

We need to schedule a meet for preparing VulnerableCode's presentation for the summit

Unstable sort

unstable sort in case where versions only differ in their build was addressed. More details in the following tickets:

Meeting on Tuesday 2022-05-10 at 10:00 UTC

Agenda:
  • Release design
  • Gitlab version ranges
  • Findings on CWE
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

Release Design

We need better storage of version ranges. Confidence for github and osv are low, for now we may assign 9 (a discount, we'll need to come up with a proper method of assigning confidence). See ticket: https://github.com/nexB/vulnerablecode/issues/733

Deadline: End of may for release and make public.

Targets:

  • Fix ziad's PR
  • Run cron job / systemd timer to run importers and improvers.
  • 632, 719, 723 are good to go for the release

Gitlab Version ranges

https://github.com/nexB/univers/issues/67 - semver is the way to go, debain and redhat are good to go

Findings on CWE

We can use the list of all CWEs for populating our CWE database. See ticket comment: https://github.com/nexB/vulnerablecode/issues/651#issuecomment-1122211176

Meeting on Tuesday 2022-05-03 at 10:00 UTC

Agenda:
  • UI Changes
  • Openssl univers PR
  • AffectedPackage as a model
  • PyPI OSV Importer references
  • Next release
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

API Structure

Issue: https://github.com/nexB/vulnerablecode/issues/714 was discussed briefly. We used to have something simiar in the past. Need to look that up and see the improvements we can make.

Openssl univers PR

PR: https://github.com/nexB/univers/pull/61 The __post_init__ usage for major, minor versions were discussed. (See PR for more)

AffectedPackage as a model

We are missing crucial information contained inside AffectedPackage in Advisory model. We might need a model specifically for AffectedPackage so that we may create relations to vulnerabilities and possibly packages based on version ranges. Being tracked in: https://github.com/nexB/vulnerablecode/issues/727

PyPI OSV Importer references

Meaningless severities in OSV PyPI references were discovered. We don't want to import anything that does not start with PYSEC in the PyPI OSV importer for now, we'll address rest in OSV and GitHub importer. Do not do random assignments for severites (as done by OSV). See: https://github.com/nexB/vulnerablecode/pull/632#discussion_r863331941

Next release

We need the following fixed before the next release: - endpoints to consume our data - sufficient data - UI (Can be postponed until next release as well)

Meeting on Tuesday 2022-04-26 at 10:00 UTC

Agenda:
  • UI Changes
  • PR Reviews on univers: quick reminder
  • Scoring system docs
  • Reference urls
  • CWE
  • Improvers redesign
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

UI Changes

UI Changes to accomodate the new model were addressed and agreed upon. We want to get a release after the fresh UI, also merging in-flight PRs for importers and improvers in the release could be a plus if possible.

PR Reviews on univers: quick reminder

Quick reminder to reviem in flight PRs in univers.

Scoring System docs

What's the difference between cvss3.1 with vector or without. See https://www.first.org/cvss/calculator/3.0 and the ticket for more: https://github.com/nexB/vulnerablecode/issues/713

References url

Should we add type for refernence urls? Should it be a list of choices or just a charField. It might help us better categorize references and not leave the upstream data about reference types. Philippe suggests having a JSONField with elements nvd:customer-entitlement, osv:fix, osv:web might be helpful. For more, see: https://github.com/nexB/vulnerablecode/issues/712

CWE

To implement CWE (categorization) support a system similar to currently implemented ScoringSystem could be used. We are considering CWE, OWASP top 10 and many more categorization/scoring techniques. See ticket comment for more: https://github.com/nexB/vulnerablecode/issues/651#issuecomment-1111549674

Improvers Redesign

Discussed the current problems with the improver design and a possible solution. There exists TOCTOU problems and non-scalability. Possibility of should_run() method was also discussed but was not preferred over the other solution. Refer the ticket for more details: https://github.com/nexB/vulnerablecode/issues/701#issuecomment-1111546652

Meeting on Tuesday 2022-04-19 at 10:00 UTC

Agenda:
  • VULCOID
  • Design for Improver
  • LF Submission
  • OpenSSL PR
  • Commit Reviews
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)

VULCOID

See: https://github.com/nexB/vulnerablecode/issues/695

Design for Improver

Improvers are constraining. For eg: Improving reference id to reference URL, improving gity data (not an advisory). The problem is with both interesting_advisories and get_inferences where both of them expect AdvisoryData A condition which checks if this improver runs or not then a handling thing. We should receive a QuerySet and do our stuff with this QuerySet. TOCTOU conditions are also present, you check at interesting_advisories and use the value at get_inferences. Could do https://docs.djangoproject.com/en/4.0/ref/models/querysets/#select-for-update to avoid TOCTOU but not in interesting_advisories but closer where things are going to change Current implementation will become a subclass which is a advisory based improver. See: https://github.com/nexB/vulnerablecode/issues/701

OpenSSL PR

Need to review: https://github.com/nexB/univers/pull/61

Commit Reviews

https://github.com/nexB/vulnerablecode/pull/693/files#r852942085

Remove or [] from https://github.com/nexB/vulnerablecode/blob/47f6ae62d919fff5094b960c1f56bc0c6b8b4be3/vulnerabilities/improver.py#L69-L74

Meeting on Tuesday 2022-04-12 at 10:00 UTC

Agenda:
  • Review of Nginx Test PR
  • Default Improver
  • Status on Migrations
  • UI issues
  • Public Deployment
  • OpenSSL Issue
Participants:
  • Philippe (@pombredanne)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)

Review of Nginx Test PR

  • Using Testing Env variables like this VULNERABLECODE_REGEN_TEST_FIXTURES=yes pytest -vvs
  • Add License for Nginx Importer
TBD:

Default Improver

Status on Migrations

UI issues and public deployment

OpenSSL Issue

  • Beta comes before Official Release but when sorting Beta is coming after Official Release ( need to add tests for this )

Meeting on Tuesday 2022-04-05 at 10:00 UTC

Agenda:
  • Regen
  • NVD Licence
  • Map cpe to packageurl
  • GSoC Proposal Review
Participants:
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

Regen

What is regen in test cases ? Where is the docs ? Need to talk to Philippe

Map cpe to packageurl

We have vulnerablecode/vulnerabilities/management/commands/create_cpe_to_purl_map as of now. Need to discover more.

NVD Licence

Issue: https://github.com/nexB/vulnerablecode/issues/665 It was not present earlier as well: https://github.com/nexB/vulnerablecode/blob/ed2131656b1b3030c2f9eb28e25c10dbbedc8e1d/vulnerabilities/importer_yielder.py#L129-L133

GSoC Proposal Review

Share your proposals at Gitter

Meeting on Tuesday 2022-03-29 at 10:00 UTC

Agenda:
  • GitLab importing
  • Nix tests failing
  • Postgres index issue
  • Server Deployment
  • VulnTotal project idea
  • Univers
  • GSoC Video
  • OSV ecosystem
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Ziad (@ziadhany)

OSV ecosystem

There is need to have a special common way to generate a range from OSV. Normally, ecosystems in OSV should map 1-1 with versioning scheme in univers and package type in PackageURLs. The reason being, when OSV was being developed, PackageURL was a part of the discussion.

GSoC Video

Philippe will follow up on that and will write a blog post. Also, YouTube channel and the logo.

Black broke Univers

Made changes by Keshav. There was a bug in black, which broke all CIs they have issued a fix. Thus, updated black.

A periodic CI run of all projects in AboutCode will be a good idea.

In Scancode Toolkit, we have gen_requirements.py and scripts to download wheels of all requirements packages, these can be shipped along with our projects.

In Scancode Toolkit, we have open ranges on setup.cfg direct dependencies and then in the requirements, everything is pinned to single version. There is a configure script that provides pip install --editable` and use requirement files as a constraint. So, all dependencies are fetched from setup.cfg and constrained to requirements.txt See here

VulnTotal project idea

One at a time or as batch scanning: One at a time. A few providers are giving limits, so we will have restrictions. There are a few commercial projects that we could compare against eg: copilot.blackducksoftware.com, snyk, https://ossindex.sonatype.org/, gitlab, github, osv

Server Deployment

Philippe is working on server deployment by 1st week of April for demonstration. We don't want to ever drop the database (again) and redo the whole thing.

Postgres Index issue

Added failing test here and added a workaround for postgres index issue

Nix tests failing

Have a fast test on nix. We want to have nix.

GitLab imports

We're using FetchCode for git imports

Meeting on Tuesday 2022-03-22 at 10:00 UTC

Agenda:
Participants:
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)
  • Naashit (@naashit10)

Gitlab Importers

Just write importer, no improver for now because univers requires a lot of work. Slowly, improver will be written.

Example proposals

Old proposals after the GSoC Video. Meanwhile a project template can be found at: https://github.com/nexB/aboutcode/wiki/GSOC-2022#about-your-project-application

Trimming gourl path

Needs to be tested and reviewed in the PR.

Postgres Issue

We need to look into more alternatives

Meeting on Tuesday 2022-03-15 at 09:00 UTC

Agenda:
  • Test cases
  • Univers: Multiple unimplemented version ranges
  • GSoC Event Status
  • GSoC Questions
  • Fixed version ranges
  • Status updates of migrations
  • LFX Event
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Keshav (@keshav-space)
  • Chaitanya

LFX Event

Presentation: Remote + In Person, Pre-recorded
Q&A With LFX chat
Time: June
Promotion: Will begin with time
Waiting for acceptance

Status updates of migrations

  • Npm importer: Working on mutliple fix versions like >=3.5.1 <4.0.0 || >=4.1.3 <5.0.0 || >=5.6.1 <6.0.0 || >=6.1.2
  • GitHub importer: Importer improver are done. In testing phase right now. Doctests for small tests.
  • Issue: Severeal references could be treated as an aliases. There should be improvers which would take references, verify them as valid unique aliases and add them. Ticket: https://github.com/nexB/vulnerablecode/issues/646

Fixed version ranges

  • fix_version and fix_version_range both
  • have one fix_version_range
  • have advisory_raw_data and improve from there SELECTED

GSoC

Can participants work on multiple projects within the same organization?

Yes, feel free to have the draft proposal so that we may provide a feedback

GSoC Event Status

  • 30 mins presentation
  • slides on introduction
  • record presentation
  • decide dates
  • Blog post with recorded session
  • Different presenters for each project
  • Create event for the event demo

Philippe will be providing the templates today.

Univers: Multiple unimplemented version ranges

Does anyone want to join the unimplemented version ranges ?

Test Cases

We're lacking a lot of test cases, trying to cover them up. We won't be using async in our codebase.

Meeting on Tuesday 2022-03-08 at 10:00 UTC

Agenda:
  • Importers update
  • Univers
  • YouTube Channel
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)

Importers update

We want asserts in importers to make it helpful for mypi and log loudly. GitHub importer is on the way by Tushar and Npm Importer by Hritik.

Univers: Openssl

Openssl License: found Apache license, @keshav-space will create a ticket and add reference to the license
PR for Openssl version is on the way at https://github.com/nexB/univers/pull/42
Overriding __new__ method is generally not a good idea in univers (in context of the above PR).

YouTube Channel

Pinged @nspsjsu

Meeting on Tuesday 2022-03-01 at 10:00 UTC

Agenda:
  • GSoC idea list sorting
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)

GSoC idea list sorting

Idea list sorted by priority has been made available at https://github.com/nexB/aboutcode/wiki/GSOC-2022#vulnerablecode-project-ideas-by-priority

Meeting on Tuesday 2022-02-22 at 10:00 UTC

Agenda:
  • License for improvers
  • PR Reviews
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Keshav (@keshav-space)

Misc

Tushar: Review VulnerableCode PR
Keshav: Openssl PR, VersionConstraint Class bug, GSoC Proposal
Philippe - Principles for ignore and done data, hosting a public instance, sharing vulnerabilities, gsoc project
Hritik
- License improvers: Not required to have a license, as they augment data bits
- Migrate to attrs as discussed: Shouldn't be complex. We should wait until everything is back in shape ie vast majority of importers

Principles for ignoring data

We have been ignoring a lot of data. It is a catastrophe. Log all failing records. Provide verbose functionality. Fail loudly and avoid being smart in importers. We would want to keep the raw data for importers stored in our database as well. We need to figure out a proper way to store raw data without duplicates. Ticket: Until then, we need to have log``model with key fields: importer, date, data, error message, type. The type could also be ``unprocessed_imports, success_imports etc. This could be used in a future-dashboard where we can show the errors, success logs etc. Ticket: Also, clean and clean migrations from now on should be done.

Hosting a public instance

After v30.0

GSoC project Ideas

All of them aggregated and will be published on AboutCode page by Philippe.

VersionConstraint Class

A version constraint with a star (*) range does not make sense. Other than that, we want to have no constraint (thus VersionConstraint) if all versions are accepted.

GSoC Proposal

A list of GSoC proposal possibly in our AbouCode Wiki. To be created by Philippe.

Meeting on Tuesday 2022-02-15 at 10:00 UTC

Agenda:
  • License in VulnerableCode
  • Documentation
  • Management commands
  • GSoC Idea list
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@TG1999)
  • Keshav (@keshav-space)

License in VulnerableCode

Documentation

  • Add tl;dr in project README

Management commands

Hritik:

Having ./manage.py import --list does not make a lot of sense

Philippe:

Let's use ./manage.py import --list-importers to be more explicit

GSoC Idea list

  • Decentralized vulnerability upload and share
  • vers implementation in many programming languages
  • Build test suites and fix them for all the versions in univers and vers implementations
  • Ideas from last meet and 2021 Idea list

Meeting on Tuesday 2022-02-08 at 10:00 UTC

Agenda:
  • Clean slate for PRs, missing DCO
  • VulnerableCode logo
  • YouTube channel for AboutCode
  • GSoC Idea list
  • Meet timings on gitter
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)

Clean slate for PRs, missing DCO

Others PRs are good to go.

VulnerableCode logo

Under development

YouTube channel for AboutCode

Ping Nusrat and Adam

GSoC Idea list

  • Good coverage of vulnerabilites
  • publishing purl database
  • data synchronization
  • sharding vulnerablecode data on serverless platforms(lambda, functions etc)
  • return spdx or cyclonedx
  • vex: vulnerability exploitability
  • A decent UI
  • previous year idea list

Meet timings on gitter

Updated to Tuesday 10 UTC / 11 CET

Meeting on Saturday 2021-12-04 at 10:30 UTC

Agenda:
  • Improver review
  • Speeding up the importer-improver structure migration
  • GitHub externships
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)

Improver review

Quick reference to review is available at https://gist.github.com/Hritik14/d02a2c24a50e0afcaa219cc4bf8abef9

Speeding up the importer-improver structure migration

Hritik:

With the framework for importers nearly ready in this structure we can move forward with rewriting other importers like nvd, ubuntu etc. We can also, in parallel, start development for OvalDataSource and GitDataSource

GitHub externships

Philippe:

Mail sent to github for inquiry. We'll try to participate as an org.

Meeting on Thursday 2021-10-14 at 12:45 UTC

Agenda:
  • Review improvers
  • Hacktoberfest twitter VulnerableCode logo
  • Univers
  • GSoC guest invite - Why do open source
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)

Review improvers

Do we want OSV Design in the database as well ? How to solve nginx multiple branch problem No, we'll carry on with the current model and use the qualifiers in PackageURL to specify the branches, in that way a package in a different branch will essentially be a different package and be displayed accordingly as a fix for that branch type.

Univers

More detailed info at https://github.com/nexB/univers/blob/386eb32468c75ecac25ec872ea004b3257962946/VERSION-RANGE-SPEC.rst

GSoC guest invite - Why do open source

Invitation accepted: https://www.youtube.com/watch?v=VNL8eO6Phj8

Meeting on Tuesday 2021-10-05 at 07:00 UTC

Agenda:
  • Hacktoberfest
  • VulnerableCode
  • Univers
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)

Hacktoberfest

Hritik and Tushar will be setting up the ground for hacktoberfest. Looking for good-first-issues is mostly the task.

VulnerableCode

Nothing significant has changed since the last call. Hritik will carry on with the importer-improver framework.

Univers

Philippe is refactoring the codebase. Commits yet to be pushed.

Meeting on Wednesday 2021-09-18 at 10:45 UTC

Agenda:
  • Preview RTD before merging (local RTD via docker)
  • Merging new importer-improver model
Participants:
  • Philippe (@pombredanne)
  • Hritik (@hritik14)

Merging new importer-improver model

Hritik is going on a 2 week holiday thus the new model needs to be merged ASAP. We decided to achieve a checkpoint by today and push the latest version for Philippe to improve upon for the time being.

Preview RTD before merging

Pinged Ayan to look into it

Meeting on Friday 2021-09-17 at 09:00 UTC

Agenda:
  • Review improvers
  • Advisory data structure
  • Support http proxies, ticket
  • Preview RTD before merging (local RTD via docker)
Participants:
  • Hritik (@hritik14)
  • Philippe (@pombredanne)

Review improvers / Advisory data structure

Batch processing of advisories needs to be avoided. Philippe:

each Improver has a method to process a single Advisory model instance such as Improver.get_inferences(self, advisory): -> Inference or something like that.

the framework then iterates on an Improver-provided query set such as Improver.get_interesting_advisories(self): -> QuerySet that has the Advisories it is interested in.

in the framework, there is an atomic transaction that updates both the Advisory (e.g. date and later a log of improvements with select for update) and whatever is updated or create from the Inference

More: https://github.com/nexB/vulnerablecode/pull/525#issuecomment-921722348

Also, some basic refactoring was discussed.

Support http proxies

This is not our prime objective right now. We could deal with it after a brief thought. Let's take this up in next session as well.

Meeting on Thursday 2021-09-14 at 14:00 UTC

Agenda:
Participants:
  • Hritik (@hritik14)
  • Philippe (@pombredanne)

Nginx version notations

Hritik contacted Nginx over their mailing list to clarify their version notations like 1.21.0+. We got the following reply:

The 1.21.0+ notation means "1.21.0 and newer", or, more formally, "1.21.0 and derived versions". This includes all future nginx versions on the mainline branch, and all future stable branches (which aren't yet created).

More: https://mailman.nginx.org/pipermail/nginx/2021-September/061039.html

Further, according to Nginx

  • Mainline is the active development branch where the latest features and bug fixes get added. It is denoted by an odd number in the second part of the version number, for example 1.17.
  • Stable receives fixes for high‑severity bugs, but is not updated with new features. It is denoted by an even number in the second part of the version number, for example 1.16.0.

These information need to be accounted for in the nginx importer.

Review improvers - VULCOIDS

The function to check if there is an existing VULCOID for an advisory with an alloted CVE is missing. We need to implement that i.e. effectively move VULCOID to from vulnerability_id to old_vulnerability_id.

Naming: VersionSpecifer and VersionRange

The currently named VersionRange should be renamed to VersionConstraint and a VersionRange should be implemented to represent an actual range with an upper and lower bounds. The canonical string representation for this needs some discussion and an RFC needs to be drafted for the same. The current proposed representations are in the ticket.

Meeting on Tuesday 2021-09-07 at 14:00 UTC

Agenda:
  • Review improvers
  • Preview RTD before merging (local RTD via docker)

Review Improvers

Reviewed at: https://github.com/nexB/vulnerablecode/pull/525#pullrequestreview-745189344

Meeting on Thursday 2021-09-02 at 14:00 UTC

Agenda:

Review improvers

Partial review done, more to come next day

Consider adopting the OSV API as alternative output

Marked as low priority. Let's do it at some later stage.

drf-spectacular vs redoc

redoc licensing is a huge mess due to the webpack (for eg: some licenses are not mentioned or enforced properly, http://tartarus.org/~martin/PorterStemmer/js.txt, feross). A detailed review needs to be done and all licenses should be mentioned and enforced explicitly. We should create a ticket about all unknown/unenforced packges and propagate that to upstream. Ticket: https://github.com/nexB/vulnerablecode/issues/549

Decide on a uniform regular time for meetings

Phlippe is comfortable with - before 3pm CET on Tuesday

Meeting on Tuesday 2021-08-17 at 14:00 UTC

Agenda:
  • Decide on the structure of improvers
Participants:
  • @Hritik14
  • @pombredanne
  • @sbs2001

Decide on the structure of improvers

The importers would now directly insert the Advisories into the database in the following format. Creating database relationships and populating Vulnerability, Packages, PackageRelatedVulnerabiliy etc would be the job of a default improver.

class Advisory(models.Model):
    date_published = models.DateField()
    date_collected = models.DateField()
    source = models.CharField()
    improved_on = models.DateTimeField()
    # data would contain a data_source.Advisory
    data = JSONField()


@dataclasses.dataclass(order=True)
class AdvisoryData:
    summary: str
    vulnerability_id: Optional[str] = None
    fix_packages: List[AffectedPackage] = dataclasses.field(default_factory=list)
    affected_packages: List[AffectedPackage] = dataclasses.field(default_factory=list)
    references: List[Reference] = dataclasses.field(default_factory=list)


@dataclasses.dataclass(order=True, frozen=True)
class AffectedPackage:
    # this package MUST NOT have a version
    package: PackageURL
    # the version specifier contains the version scheme as is: semver:>=1,3,4
    version_specifier: VersionSpecifier
There would be two kinds of improvers
  • Default improver - Populates the tables and creates concrete relationships mentioned above
  • Inference generating improvers - These improvers take metrics like time travel and create new relationships with respective confidence scores.

The Advisory model above must never be written by an improver (as of now). It would be a true upstream data that is populated by the importers and used by the improvers to generate appropriate relationships.

Meeting on Tuesday 2021-08-10 at 14:00 UTC

Agenda:

  • Deployment
  • Importer restructure
  • Hand written migrations (not generated by makemigrations, eg: package)
  • Dumping import_yielder
  • Any update on nix tests?

Deployment

Let's take this next week

Importer restructure

PackageRelatedVulnerability
  • Have data source - could be a text field of one message per line or a JSON field with list of strings showing where it came from
    • if a new information comes, add that information and then change that confidence, if a new advisory comes which is similar to an improvement then overwrite the improvement confidence to max
  • add confidence here
  • Higher confidence overrides lower confidence

Properly comment the fields in a dataclass

Hand written migrations (not generated by makemigrations, eg: package)

Not hand written, find in from packageurl.contrib.django.models import PackageURLMixin

Dumping import_yielder

Any update on nix tests?

No

Meeting on Wednesday 2021-07-28 at 14:15 UTC

Participants:

  • @pombredanne
  • @Hritik14
  • @Divya

Agenda:

  • [x] Refactor / Redesign importers to strictly import
  • [x] Dump set_api from DataSource
    • Knowing all the existing versions is not necessary to collect Advisories
    • Strictly no inference
  • [x] Revisit updated_advisories vs added_advisories
  • [x] Consistent naming for fixed / vulnerable packages. No other package type should exist in a DataSource
  • [x] Should a container be used instead of make postgres in scancodeIO ?
  • [x] Should Dockerfiles create virtualenvs as well ?
  • [x] ScancodeIO uses FROM python:3.9 in Dockerflie
    • Docker upstream says: This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of.
    • Docker upstream also recommends not to use -slim version unless there are space constraints
    • Docker images are reusable
    • Using a -slim requires to explicitly install build-essential, libpq-dev, git and in future svn
    • Most of the aforementioned packages come preinstalled in buster
    • Drastically increases Docker build time as now our image doesn't reuse already installed PYTHON image

Refactor / Redesign importers to strictly import

Dump set_api from DataSource: Yes. Separate them. We cannot not import a vulnerability when we don't have version info. We need advisories however we get. Clean organization of code in separate modules/functions should be there.

importer_yielder

Dump this. We can have data related to importer inside importers themselves. Problems with import_yielder:
  • Doesn't make sure importer class is actually a class
  • No type checking
  • This is a setting thing. It could appear as a Django setting (perhaps), which would enable/activate importers with fully qualified class names with module prefixes. Let's discuss this later in detail.

Revisit updated_advisories vs added_advisories

  • Do not return sets in both of the functions (TBD at later stage)
  • This should be handled by the framework before doing an update to the advisory. Something that could exist at the insertion time of importer (process_advisory).
  • Incremental update should be attribute of an specific importer which has that capability.
  • Importers have to return via one single function with the Advisory with some marks if they are new updated advisories. Importers with incremental supports will have different frequency of run, different entry points etc

Consistent naming for fixed / vulnerable packages

Inspired from https://tinyurl.com/vuln-json we'll use affects and fixed.

Should a container be used instead of make postgres in scancodeIO

Let's create an issue about control of versions (here postgres version) in both places. Then fix them at a later stage with similar fixes.

Should Dockerfiles create virtualenvs as well ?

Yes. Even ScancodeIO should do that. TODO: Create ticket : https://github.com/nexB/scancode.io/blob/4bebd7ae88ecaa00eb526bd831530c497903faf8/Dockerfile#L52

ScancodeIO uses FROM python:3.9 in Dockerflie

In CI tests: Be explicit- 3.8.11-buster In Docker: Let's support 3.8 A test for docker-build and run

Meeting on Tuesday 2021-07-27 at 13:00 UTC

Participants:

  • @pombredanne
  • @Hritik14

Minutes:

Next Meeting agenda Wednesday 2021-07-21 at 13:00 UTC

Meeting on Wednesday 2021-07-21 at 13:00 UTC

Participants:

  • @pombredanne
  • @Hritik14
  • @sbs2001
  • @Divya

The proposed agenda is:

security review status

  • All tickets are entered

Server / infrastructure

  • Delayed for now, will deploy on provisioned server. Philippe to work on it sometimes between this and next week
  • No more Django migration reset

SVN for git tags: which approach or dep using

  • using `svn --xml ls <repo>/tags/ should be enough

Zip file in testcases

These take a lot of space and cannot be diffed. Text files are better. See https://github.com/nexB/vulnerablecode/pull/393#discussion_r668006209 The code in rust and npm importers likely refactoring to use a different approach, but feel free to refactor.

Conclusion: tests and code refactoring may make the zip file usage moot.

Add API rate limiting and auth

Revert time traveling - how to go about it ?

Definition: finding the set of versions that existed for a package at a point in the past when the advisory was published.

  • Advisory without correct/actionable package/version info - goes into a review queue, or error log - especially if we are missing which version of a package the bug is fixed in

  • Advisory with well defined set of impacted and fixed packages - there no problem and we should import this alright

  • Advisory with only one of impacted or fixed packages, both well defined (e.g. no open ranges) - we should import this alright

    • Case1: only fix and no impacted: - do we want to time travel to find the version(s) that were impacted just before this? - there could be version marked as impacted and that's the one prior to the fixed version

      This may be often ambiguous... and this is inferred: should store this stating this is inferred/concluded and not a hard fact and we should have a log or queue entry so this issue can be revisited.

    • Case2: only impacted and no fix: - we should import this alright, this is normal - we should "time travel" and create relationships with the set of versions that matched the impacted closed/well defined range at

    • it is OK to have no fix

    • it is OK to have knowledge of when the bug was introduced: - do we want to time travel to fin

  • Advisory with impacted or fixed packages using open ranges

Conclusion of the likely best approach for version ranges

  • If we have concrete enumerated exact versions, then we can store Vuln<>Package relationship as a fact.
  • Otherwise this is some version range and its resolution is always an inference.
  • With time travel we provide a high degree of confidence in the inference, other the inference is weak.
  • All inferences may need some level of review (guided the confidence of the inference)
  • Each importer should have an explicit separation between the code to import and the code to resolve version ranges (and time travel).

TODO:

  • review usage of def test_foo(self, _) with an underscaore in tests

See https://github.com/nexB/vulnerablecode/blob/05fcc64f2b48b186b7f742a2adf869b82293b024/vulnerabilities/tests/test_npm.py#L88

  • review #nopep8 and #NOQA tags
  • the npm importer design could be improved
  • we should add template for Github issues

Meeting on Thursday 2021-07-15 at 12:00 UTC

Participants:

  • @pombredanne
  • @Hritik14

The proposed agenda is:

  • documentation of new importers
  • alpine package versions
  • sorting imports
  • issue #494

These two items were not discussed: - security review status - server and infra

Documentation of new importers

  • we should progressively adopt the same documentation structure as scancode.io Docker files: we should progressively copy the same structure and approach as in scancode.io
  • Also README.rst needs to be beefed up and

Alpine package versions: notes and TODO

TODO

  • create ticket to refactor importer_yielder.py
  • revisit time travel. It should not be part of importer but something that is about data improvement, inference and refinements
  • and something that is about data improvement, inference and refinements should be a separate tool

Pending PRs

Let's close the ones that are not from Hritik14

We pinged: - https://github.com/nexB/vulnerablecode/pull/391 : will need to be closed or finished by us - https://github.com/nexB/vulnerablecode/pull/408 : pinged - https://github.com/nexB/vulnerablecode/pull/400 : pinged - https://github.com/nexB/vulnerablecode/pull/464 : pinged

494 https://github.com/nexB/vulnerablecode/issues/494

This is also related to https://github.com/nexB/vulnerablecode/pull/436 Eventually we need a common way to obtain a range of version for a given importer (or rather for job that's fixing data after imports)

Other topics:

  • Isn't it a standard linux convention to have local configs take precedence over ones in /etc ?

https://github.com/nexB/scancode.io/blob/a249402fbbdebd84e0f298d15cb4c3702bf41e63/scancodeio/settings/base.py#L33-L35 appears to do it in reverse

  • sorting imports should be done only when we have no or few in flight PRs
  • commit messages are not informative at all and we should make this explicit

Possibly we should use the same approach as the kernel and reject commits without a message body There may be a bot for this

license is not clear
  • updated_advisories should be the same API for every importer and it is a mess now

Meeting on Monday 2021-06-14 at 09:00 UTC

Participants:

  • Shivam @sbs2001
  • Philippe @pombredanne

Agenda:

  1. Code review of https://github.com/nexB/vulnerablecode/pulls/467 (Shivam)
  2. Integration for significant volume of vulnerability lookups (Shivam)
  3. Getting to clean slate to avoid upcoming merge conflicts (Philippe)

code review of https://github.com/nexB/vulnerablecode/pulls/467

"Time travel" is to find about the range of affected package versions "at the time" of publication of an advisory.

Follow ups:

integration for significant volume of vulnerability lookups

To integrate VulnerableCode (VC) in ScanCode.io and other tools that can make intensive lookups on may packages, we would need to have a way to efficiently partially mirror VC data though API and reuse the VC models on the client application side (when based on the same stack like it is the case with ScanCode.io). Other things to consider:

  • using pub/sub or webhooks?

We need an issue for this. Design is needed

  1. was not discussed.

***

## Meeting online @ 11:30AM CET on 2020-01-14

### Participants:

  • Haiko @haikoschol
  • Shivam @sbs2001
  • Philippe @pombredanne

### Discussion:

***

Clone this wiki locally