Check the CVE list consistency in DSAs/DLAs

In past advisories, we (LTS) had cases where the CVE list was incorrect:

  • CVE typos: IDs that do not exist, or that are assigned to another package,
  • not-affected CVEs: typically in advisories targeting multiple dists where the CVE only affected one of them.

It would be nice to get a warning in such cases, before the DSA/DLA is reserved.

@pochu suggested we implement this in gen-DSA with a Python helper (as opposed to bin/check-syntax / make check-syntax) that would display the warning and ask for confirmation before proceeding.
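As an illustration of what such a helper would check, here is an added example (not gen-DSA or security-tracker code). The tracker data is modelled as a constructed in-memory dict keyed by CVE id, with per-package, per-dist status strings; the real helper would read the tracker's own data instead. The CVE ids, package names and status vocabulary are all made up for the example.

```python
"""Consistency check for the CVE list of a draft DSA/DLA.

Added example, not the tracker's gen-DSA code. The tracker snapshot below is
constructed inline so the check runs offline; a real helper would load it
from the security tracker.
"""
from dataclasses import dataclass

# Constructed tracker snapshot: CVE id -> {source package -> {dist -> status}}.
# Status values ("vulnerable", "not-affected", "fixed") are illustrative.
TRACKER = {
    "CVE-2099-0001": {"libexample": {"bullseye": "vulnerable", "bookworm": "vulnerable"}},
    "CVE-2099-0002": {"libexample": {"bullseye": "vulnerable", "bookworm": "not-affected"}},
    "CVE-2099-0003": {"otherpkg": {"bullseye": "vulnerable"}},
}


@dataclass
class Advisory:
    """Minimal view of a draft advisory: one source package, target dists, CVE list."""
    package: str
    dists: list
    cves: list


def check_cve_list(adv, tracker=TRACKER):
    """Return warning strings for every CVE that looks wrong; [] means consistent.

    Catches the two failure modes from the issue: CVE typos (unknown id, or
    id assigned to a different package) and CVEs that do not affect one of
    the dists the advisory targets.
    """
    warnings = []
    for cve in adv.cves:
        entry = tracker.get(cve)
        if entry is None:
            warnings.append(f"{cve}: unknown CVE id (typo?)")
            continue
        if adv.package not in entry:
            pkgs = ", ".join(sorted(entry))
            warnings.append(f"{cve}: not assigned to {adv.package} (tracker has: {pkgs})")
            continue
        per_dist = entry[adv.package]
        for dist in adv.dists:
            status = per_dist.get(dist)
            if status != "vulnerable":
                warnings.append(
                    f"{cve}: {adv.package} in {dist} is {status or 'not listed'}, not vulnerable"
                )
    return warnings


def confirm_or_abort(warnings, ask=input):
    """Mirror the proposed gen-DSA flow: print warnings, then ask before proceeding."""
    if not warnings:
        return True
    for w in warnings:
        print("WARNING:", w)
    return ask("Proceed anyway? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    draft = Advisory(
        package="libexample",
        dists=["bullseye", "bookworm"],
        cves=["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-9999"],
    )
    if not confirm_or_abort(check_cve_list(draft)):
        raise SystemExit("aborted: fix the CVE list before reserving the advisory")
```

Run as a script it prints three warnings for the constructed draft (one per failure mode) and refuses to continue unless the operator answers `y`; with a clean CVE list it returns silently, which is the behaviour wanted before a DSA/DLA is reserved.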