DebCamp25: Security Tracker Sprint, issue list

Please consult the public announcement regarding the Security Tracker Sprint for details about interacting with this issue and the issues linked from this description.

Directly affecting the security tracker:

• Support for vulnerabilities that don't affect the binaries (only in the sources) [MR]
  • Will also probably end up taking care of this:
    • ignored issue should not be tagged vulnerable red (Also references https://bugs.debian.org/1039606) [MR]
• Extend lts-cve-triage.py to identify CVEs covered by a DLA and not a DSA [MR] [MR-tests] [MR-dedup]
• Implement script to identify <no-dsa> CVEs that should be fixed [MR] [DONE]
• Implement syntax check for dla-needed.txt
  • Could depend on changes to Xla-needed.txt which may be driven by other issues under consideration
• Detect missing package assignments for embedded code copies
• Tool to check CVE database for triage re-considerations [MR]
• Check the CVE list consistency in data/DLA/list and data/ELA/list [MR]
• Implement downstream data/embedded-code-copies [TBC]
• htmlspecialchars in the description column of CVEs [CLOSED]
• JSON Bug Data inconsistent [MR]
• JSON data does not contain DSA metadata
• Return 404 for non-existent source packages [MR] [DONE]
• Display "not-affected" in addition to or instead of "fixed" and Don't show Status "fixed" for CVEs that never affected that release [MR]

Tools and services which utilize the security tracker:

• Make Beuc's git-blame helper available in a convenient way [DONE]
• Implement a PoC to export security-tracker data in CSAF/VEX format
  • Probably should be done before the Sprint, feedback gathered, and then the feedback can inform the work done during the Sprint
  • Sub-issue: Study the formats and the map their fields to security tracker data
  • Sub-issue: Make sure all the required libraries and tools are available

Documentation and miscellany:

• Harmonize the definition of 'triage' between LTS and Debian Security team [CLOSED]
  • This might be more about LTS Team processes, but there may be a security tracker-related aspect; more investigation is needed
  • The existing issues (which are being worked on as part of the sprint, #69 (closed), #11, and security-tracker-team/security-tracker#31) will help to bring the LTS Team's triage more in line with that of the Security Team and will identify opportunities for the LTS Team to assist the Security Team
• a lot of entries in data/DSA/list are missing the -1 after the DSA number [MR]
  • Maybe is not especially valuable, but would be a win for overall data consistency
• What fixed version "0" means? [MR]
  • Could be low hanging fruit (documentation update)
• Assorted BTS items: https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=security-tracker
  • track uploads to proposed-updates [MR]
    • may also cover Show packages from next-point-release.txt in source package overview
    • subissue Rename PU file to use code name
  • Still need to scan the other open bugs and review those which might appear to be good candidates
  • Specific bugs which might be newcomer-friendly:
    • turning text URL to link includes extraneous character [MR] [DONE]
    • tracker_data.py: not-affected returned as resolved
    • Issue with merge-cve-files when entry contains as well en experimental tagged upper suite entry
    • Accept more variants of standard CVE identifier format
    • link to package's changelog entry of fixed version
    • include more information in page titles
• debian-security-support: Add a supported package status [DONE]
• Update Ubuntu CVE status URL MR [DONE]