Fix #4671 #4688
Conversation
Anything missing here? I'd like to wait with rebasing until it's its turn to get merged, to avoid having to do that over and over again.
Rather than suppressing every individual CVE (including future ones), wouldn't it be better to suppress the CPE?
There are as many CPEs as CVEs involved here. AFAIU suppressing one isn't better than the other, but I'd be happy to hear arguments that prove me wrong. With github/securitylab#669 (comment) @skavanagh went to great lengths to document that pretty much every one of those CVEs is pointless.
Ah, my mistake. I thought they had more in common than just
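To make the distinction in the exchange above concrete, here is an added example of the two suppression styles in a dependency-check suppression file. It is not part of this PR or of the project's shipped suppression file; the package URL, CPE and CVE identifiers are placeholders (not real projects or vulnerabilities), and the schema namespace is the one recent ODC releases document, so check it against the version you run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own suppression file.
     All identifiers below are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Style 1: suppress individual CVEs.
       Each entry is pinned to the package it was observed on, so only
       these specific CVEs are silenced; any CVE filed tomorrow against
       the same mis-matched CPE will show up again and need a new entry. -->
  <suppress>
    <notes><![CDATA[
      False positive: the CPE matched is a different, unrelated project.
      See the linked securitylab discussion for the rationale.
    ]]></notes>
    <packageUrl regex="true">^pkg:pypi/example-project@.*$</packageUrl>
    <cve>CVE-0000-00001</cve>
    <cve>CVE-0000-00002</cve>
  </suppress>

  <!-- Style 2: suppress the CPE match itself.
       Because the identifier, not the finding, is suppressed, every
       current and future CVE attached to that CPE is hidden for this
       package. Scope it with packageUrl so a correct CPE match on some
       other dependency is not silenced by accident. -->
  <suppress>
    <notes><![CDATA[
      The analyzer maps this PyPI package to a CPE belonging to an
      unrelated project of the same name; the CPE itself is the error.
    ]]></notes>
    <packageUrl regex="true">^pkg:pypi/example-project@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:example_project</cpe>
  </suppress>

</suppressions>
```

The trade-off the thread touches on follows from the two blocks: CVE suppressions are surgical but never finished, while a CPE suppression is a one-time fix that also hides any genuinely applicable CVE later attached to that CPE. When, as here, there is one distinct CPE per CVE, the two styles need the same number of entries and the choice is purely about future behaviour. Either way, keep the `packageUrl` (or `sha1`/`gav`) qualifier; a bare `<cpe>` or `<cve>` suppression applies to every dependency in the scan.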
I am interested in finding out whether the maintainers @jeremylong and @aikebah are planning on eventually merging this or whether I should close it. |
Yes - I will likely be merging this before the next release. I haven't had as much time to focus on ODC as I have in the past due to a new job and needing to ramp up on a new platform, etc. I've been considering several things with this event and will likely add some stories for the 8.0.0 release. Possibly creating a suppression file hosted on GitHub that will be able to be updated faster than the packaged release - so we can add suppressions to the hosted file and suppress things like this for a broader community in between full releases. This would also include improving the issue-ops around false positives to assist in updating the hosted suppression file...
I can imagine this would certainly be very welcome by this community. |
Fixes Issue
#4670, #4671, #4677, #4690
Description of Change
Suppress all CVEs filed against those Python pet projects as per github/securitylab#669 (comment). As the discussion in #4671 showed, we will likely not succeed in suppressing the CVEs surgically, i.e. only those that really, really cause conflicts -> suppress'em all.