Linux Kernel official feed #27
Comments
|
This repository is not clear on what it contains.
We absolutely do not want to load the repository recursively as it contains the cvelistv5 repo too. |
|
Yep it's not very clear. We can keep the issue and close it for historical purpose. |
|
FWIW, maybe playing Captain Obvious: For some historical reasons, kernel OSV Id are "GSD", just like GitHub Id are "GHSA" for GitHub Security Advisory). GSD stands for "Global Security Database", formely UVI. Search "GSD" in OpenSSF Open Source Vulnerability schema, https://ossf.github.io/osv-schema/, this will lead to https://github.com/cloudsecurityalliance/gsd-database. See also https://github.com/ossf/osv-schema. UVI was for "Universal Vulnerability Identifier". These kernel GSD from the kernel sub-ecosystem of OSV can be seen here: As for what could be an "official" kernel CVE feed, for practical human readable purposes I monitor: In my understanding the git repo you point at: This podcast with GreKH has some interesting details about the why and how, and this script tooling: |
|
The main question for this project is if there are more contextual information to attach automatically to a kernel vuln when someone search for it on vulnerability lookup. And I'm not sure it is the case. |
|
I think it is for https://lore.kernel.org/linux-cve-announce/ Example with: https://nvd.nist.gov/vuln/detail/CVE-2024-27437 Not much info / metadata, as usual. But on linux-cve-announce: We also have a list of the source code files impacted, here only 1, drivers/vfio/pci/vfio_pci_intrs.c. All this is machine readable (but there's better, see below). Working on embedded devices I have to deal with 800+ CVE per kernels, each kernel build from sources, with one or more custom configuration, these information's are extremely valuable to filter the 95% of false positives I get from the NVD. The kernel did a fantastic job as a CNA. Better yet, as of today CVE.org already support these metadata send by Greg KH and his colleagues: ...but they are lost in the transfer to the NVD (not mentioning current NVD problems...) |
|
Alright, I'm reopening this one and will figure out how I can get the email content as a contextual information for the CVE |
|
So the valuable source it's then in https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/published which also content the message-id reference along with the CVE and the raw data of the mbox file. So then it makes sense to have it in vulnerability-lookup. |
|
(Note that as for me, I don't use cve-search. I used it between 2016 and 2019, and then switched to another system. I'm just here as part as my regular technology watch.) |
|
@jbmaillet In any case, thanks for the feedback. |
|
https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/published/2024/CVE-2024-26581.json it seems the vulnerability is structured in JSON |
|
As far as I can tell, that's the same content as what we have in the cvelistv5 (with less details). Same entry: https://vulnerability.circl.lu/cve/CVE-2024-26581 |
https://git.kernel.org/pub/scm/linux/security/vulns.git/
The text was updated successfully, but these errors were encountered: