NVD bug rules require a release to edit #25233
Comments
iansltx
added
#g-software
|
|
Yeah, was on the fence between bug and feature on this. Recategorize as you see fit. And yeah, I saw the NVD bugs list front and center as we've had to modify that recently, but we can throw all (or most, if we have some complex IgnoreIfs that need to stay in code) rules into one bucket when we switch to JSON. Just might need to categorize them within that document, and we'll want to add a humans-only description field per rule since we'll otherwise lose comments. |
|
Hey team! Please add your planning poker estimate with Zenhub @ksykulev @iansltx @jahzielv |
mostlikelee
added
story
|
@iansltx Thanks for filing, great idea! Reminder to use the engineering-initiated story process and tag me before bringing on to the release board so that I can prioritize. cc @mostlikelee |
|
To note, this is related to a new feature request: #25688 Re-labeling this to move it through the eng initiated process |
mostlikelee
removed
:release
lukeheath
added
the
:release
|
@mostlikelee Thanks! Normally I'd put it on the drafting board first for estimation, but since it's already estimated I'm moving straight to the release board. Process β |
Fleet version: <= 4.62.0
π₯ Β Actual behavior
NVD bug rules for ignoring false positives are hard-coded per-release in
cpe_matching_rules.go, so simple false positives have to wait a (patch or minor) release cycle to fix.π οΈ To fix
Switch the bug rules to read from a file published by the vulnerabilities repo build action, similar to
cpe_translations.json. Given a year and a half of false-positive data, we have enough information on the shape of IgnoreIf functions that we can redeclare them as a rule data format rather than logic, and can still keep the existing CPEMatchingRule format under the hood in case we need to add more complex one-offs.The text was updated successfully, but these errors were encountered: