
Automate CVE assignment for renamed/branched/forked packages


Example package sets:

  • gnutls26 gnutls28
  • golang golang-1.7 golang-1.8 golang-1.11 [golang is the jessie full package, not the newer meta-package]
  • lynx lynx-cur
  • php5 php7.0 php7.3 php7.4 php8.0
  • python2.7 python3.4 python3.5 python3.7 python3.9
  • unbound unbound-1.9

E.g., if a CVE is assigned to python3.4, it likely affects python2.7 too, so the script should mark it as such, e.g. in data/CVE/list. One way to track such package sets is to maintain a renamed-packages file.
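As an added illustration (not code from the security-tracker project), the following script reads a renamed-packages file and a data/CVE/list excerpt and reports, per CVE, which members of a package set have no entry yet. Both file formats are assumed and simplified here (one package set per line; a `CVE-…` header line followed by tab-indented `- <package> <status>` lines), the sample data is constructed, and the CVE ids are placeholders; the suggested lines use `<undetermined>` so that a human still confirms the siblings are affected.

```python
# Constructed renamed-packages file mirroring the sets listed in the issue.
RENAMED_PACKAGES = """\
gnutls26 gnutls28
php5 php7.0 php7.3 php7.4 php8.0
python2.7 python3.4 python3.5 python3.7 python3.9
"""

# Constructed data/CVE/list excerpt; the CVE ids are placeholders, not real ones.
CVE_LIST = """\
CVE-0000-0001 (placeholder: issue in the python interpreter)
\t- python3.4 <unfixed>
CVE-0000-0002 (placeholder: issue in php)
\t- php7.4 <unfixed>
\t- php7.3 <not-affected>
"""


def load_package_sets(text):
    """Map every package name to the full set (frozenset) it belongs to."""
    return {name: frozenset(line.split())
            for line in text.splitlines() for name in line.split()}


def parse_cve_list(text):
    """Return {cve_id: [package names already listed]} in file order."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            current = line.split()[0]
            entries.setdefault(current, [])
        elif line.startswith("\t- ") and current:
            entries[current].append(line.split()[1])
    return entries


def missing_siblings(entries, sets):
    """Per CVE, members of the listed packages' sets that have no entry yet."""
    result = {}
    for cve, pkgs in entries.items():
        candidates = set().union(*(sets.get(p, frozenset()) for p in pkgs))
        missing = sorted(candidates - set(pkgs))
        if missing:
            result[cve] = missing
    return result


def suggested_lines(entries, sets):
    """Lines a script could append, marked <undetermined> pending human review."""
    return {cve: [f"\t- {p} <undetermined>" for p in pkgs]
            for cve, pkgs in missing_siblings(entries, sets).items()}
```

Calling `suggested_lines(parse_cve_list(CVE_LIST), load_package_sets(RENAMED_PACKAGES))` yields, for the php placeholder entry, lines for php5, php7.0 and php8.0, since php7.3 and php7.4 are already listed.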

History:

Do not confuse with #2 (tracking embedded code copies), which warrants a different workflow, has many more false positives, and tends to stall efforts on this task.

Edited by Sylvain Beucler